Digital images and selfies have been a staple of online verification for many years. However, Electronic IDentification has warned that they are no longer KYC/AML compliant.
The RegTech company outlined that there are three security levels for registration and identity proofing in KYC.
The US Department of Commerce, through the National Institute of Standards and Technology, defined a baseline for digital identity verification as a result of the levels of fraud in KYC and AML processes. This helped establish three levels of security: low (IAL1), medium (IAL2) and high (IAL3).
Starting with IAL3, this is the equivalent of face-to-face identification and is suitable for online and remote account creation. At this level, human intervention is required and there needs to be a high-resolution, continuous video transmission. There is no room for a simple static selfie.
IAL2 encompasses solutions that take ID images and selfies, as long as they combine them with other high-level evidence of the person’s identity beyond the images of an identity document or a recording of the user’s face. These other pieces of evidence include invoices, addresses or background checks.
Electronic IDentification said, “The second level is insecure, inefficient and unreliable. In the European Union, for privacy and security reasons, these methods are not allowed for many reasons at any risk level. In addition, the difficulty in processing personal data, even of a public nature, is a problem for entities to process them with the express consent of the persons concerned.”
Finally, IAL1 does not require evidence collection, validation, verification or biometric collection. Because of this, it is only usable for low-risk operations.
Why digital images and selfies are not compliant
Electronic IDentification outlined two main reasons as to why digital images and selfies are not compliant with KYC and identity verification standards.
It said, “Their low technical-security level, the weakness of the electronic proof provided at the KYC (Know Your Customer) process, and the low-reliability verification selfie solutions perform, in relation to their lack of integrity, cause these types of solutions not to meet the requirements demanded by legislation and the various regulations.”
The other reason is that the security level provided in identification and ID verification through a selfie is not enough to meet the standards of the regulations. It stated that no non-face identification procedures in Europe allow using selfie identification solutions for KYC.
For example, the AML5 Directive and the eIDAS Regulation set tight parameters for KYC. The AML5 Directive relies on eIDAS technology to protect the market. It said, “The combination of both creates a unique regulatory framework that condemns selfies and allows the adoption of video identification solutions for processes of new contracting of services and opening accounts fully online and secure, thus homogenising the European Digital Single Market.”
Similarly, the eIDAS Regulation has built strong protections to ensure correct levels of security in electronic identification and eSignatures.
Copyright © 2022 FinTech Global
Copyright © 2018 RegTech Analyst