Reacting to EBA guidelines on remote onboarding: trust service providers call for aligned requirements across the EU
In an effort to harmonize identity proofing within the EU, the European Banking Authority (EBA) recently published new guidelines on remote onboarding. They have a strong effect on trust service providers, who must keep in step with such requirements. But trust service providers aim to make onboarding both reliable and user-friendly - something that regulatory bodies tend to overlook.
In March, trust service providers responded to the newest guidelines with a joint statement. ZealiD took part in it as well, working alongside Ariadnext, ElectronicID, IDnow, Innovalor, Signicat, SK ID Solutions, and Ubble.
Responding to recently proposed guidelines, leading trust service providers pointed out some inconsistencies with earlier regulatory updates:
- ETSI TS 119 461 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects (July 2021)
- ENISA report: Remote ID proofing – analysis of methods to carry out identity proofing remotely (March 2021)
- ENISA report: Remote identity proofing: Attacks & countermeasures (January 2022)
In their address to the EBA, trust service providers stressed the need for consistency between national and international regulatory requirements. Referring to the current situation, they noted that EBA guidelines fall below existing national AML requirements. In practice, that means that trust service providers can't rely on those guidelines alone to ensure compliance throughout the EU. To reach this conclusion, they used the ENISA report (March 2021), which recorded the requirements for remote onboarding across European countries at the time.
Drawing on this observation, trust service providers encouraged the EBA to align its guidelines with ETSI TS 119 461 requirements. The latter represents a consensus reached by many experts, including national security authorities and supervisory bodies, actors in the trust services industry, and providers of identity proofing services.
According to trust service providers, consistent regulations would allow them to offer uniform services across sectors, optimizing their investments. For instance, onboarding for a financial service could be used directly for onboarding to a qualified trust service. In the bigger picture, aligned requirements are also important for the European Digital Identity Wallet.
Finally, trust service providers noted that they already have technologies and/or services that fulfill the requirements of the ETSI TS 119 461 standard.
“Much of the EBA guidelines are at a high level and fail to provide what the finance industry really needs, namely to widely adopt the eIDAS and ETSI standards that already exist. Identity, authentication, and e-signature are already regulated in the EU. Reading EBA guidelines, it seems that this is inventing the wheel. What is needed now is for the EU Commission to further designate, backed by eIDAS 2.0, the remote identification standards. This area is now dominated by national state-of-the-art such as German VDG and French PVID. They effectively address the issue of clear requirements but need to be replaced by the EU Commission pointing at e.g. ETSI TS 119 461 as state-of-the-art and then including it in the conformity assessment order, and supervisory notification schemes included under eIDAS. Otherwise, we will continue to see what is not a level playing field in the EU on trust service provisioning,” says Founder and CEO of ZealiD Philip Hallenborg.