The potential of electronic identification under eIDAS in the banking sector
Over the past year, the European Commission has been exploring how electronic identification under eIDAS could be leveraged by the banking sector to comply with Know-Your-Customer (KYC) requirements under the fourth Anti-Money Laundering Directive (4th AMLD), and to guarantee strong authentication requirements of parties in the context of the revised Payment Services Directive (PSD2). In parallel, banks are playing an increasing role as providers of electronic identity. The regulatory obligations and security needs to which they are subject in terms of identity verification have placed banks and financial institutions in a strategic position. More and more institutions are exploring how they could leverage the procedures that they have put in place to verify customers’ identity for other parties by acting as identity providers. eIDAS-based eIDs offer the possibility to provide a strong authentication of users (natural and legal persons), based on ID information endorsed by governmental authorities across Europe.
The European Union (EU) is a key promoter of initiatives for digitalising the identity verification process of individuals and companies in their relationships with public and private services. The eIDAS Regulation (EU) 910/2014, on electronic identification, authentication and trust services, aims at making national eID schemes interoperable across Europe in order to facilitate access to online services. eIDAS is primarily designed to tackle identification challenges experienced by digital public services. Yet, Member States are also encouraged to support the voluntary reuse of eIDAS-based eIDs by the private sector.
The European Commission has therefore decided to explore, in a short paper, how the banking sector can leverage eIDAS-based eIDs, both as service providers and as identity providers. The following sections show the potential and the limitations of eIDAS-based eID schemes for tackling the identity verification challenges experienced in the banking sector.
Banks as service providers
Banks and financial institutions are subject to important regulatory requirements to secure transactions and guarantee market transparency. At the EU level, the Anti-Money Laundering and Payment Services Directives require banks to verify the identity of their customers (KYC procedure, strong procedure), including those from other Member States, in order to assess potential risks of illegal intentions, e.g. engaging in money laundering activities or terrorism financing.
When providing financial services, banks face the following types of challenges and risks:
- Cost | Keeping up-to-date ID proofing systems requires human and technological resources. Banks also incur significant fines for not complying with their legal obligations;
- Identity attribute correctness and availability | Banks may need to rely on secondary data attributes (e.g. declared address) to comply with KYC requirements, as citizens may not hold primary ID documents containing this information;
- Security | ID checking procedures need to be able to prevent fake identity application and unauthorised use by individuals seeking to defraud account holders;
- User experience | Complex ID proofing requirements and procedures are often among the factors that explain why international banks still fail to provide a seamless user experience to cross-border customers.
The reuse by banks of eID schemes recognised within the eIDAS network to perform KYC could bring the following advantages:
- Increased security and correctness of the information shared, its authenticity (endorsed by governments) and protection against fraud. As a result, banks may experience reduced legal and reputation risks linked to the reduction of fraud and errors;
- Cost and time savings linked to the speed and automated identity verification process based on eIDs, which enable a reduction of face-to-face onboarding costs;
- Larger customer base, as banks would overcome current challenges in onboarding foreign customers.
However, some limitations of the reuse of eIDAS-based eIDs persist. There is currently a lack of clarity about the terms and conditions (e.g. price, contractual and liability regime) for the private sector to reuse the eIDs available across borders via the eIDAS network. There is also a discrepancy between identity data collected by eIDAS and data required for KYC processes. A specific eID and KYC working group established by the European Commission has started tackling this issue. Finally, the solutions developed by governments and available within the eIDAS network may still not match the state-of-the-art user experience currently required by the banking and financial sector.
Banks as identity providers
The provision of identity to citizens is no longer the exclusive prerogative of governments. Based on their current activities, banks and financial institutions are very well placed to take the role of identity provider in the eIDAS ecosystem, either as part of a public or private-led federation of identity providers or by directly offering online banking credentials to their customers.
Banks participating in a public-led eID scheme can benefit by leveraging their investments in KYC processes and digital authentication solutions to issue reusable digital credentials as part of a federated eID scheme (e.g. SPID federation in Italy) to access eGovernment services.
In private-led eID schemes (such as BankID in Sweden), banks can also leverage their investments in KYC processes and authentication solutions. Compared with public-led eID schemes, banks enjoy more freedom, as they are not subject to government authorisations or restrictions. Moreover, they can prevent disruptions in the user experience across multiple service providers. Currently, no private-led eID scheme has been recognised by EU Member States within the eIDAS network, but this possibility is not ruled out for the future. Private-led schemes may also seek interoperability with eIDAS solutions to allow a one-off verification at the beginning when creating the digital identity.
The European Commission should continue supporting multi-stakeholder dialogue in this domain, notably via the work of the Expert Group on electronic identification and remote Know-Your-Customer processes; encourage Member States to clarify national positions on the reuse of eIDAS eID and to agree on a common commercial model for the reuse; together with the Member States, work on harmonised conditions on the use of eIDAS by banks as IdPs in public and private-led networks.
Member States should encourage reuse of eIDAS solutions by banks and clarify the conditions for ensuring integration with private services; provide banking-specific attributes needed for KYC procedures; and improve eIDAS user experience to attract more users.
Banks should consider eIDAS solutions as a tool for improving security and trustworthiness of financial services; strengthen cooperation with the Commission and the Member States to define common commercial conditions for reuse (also based on cost assessment taking into account cross-border services) and consumption of eIDAS solutions as IdPs.
If you want to read more about the potential of eID for the banking sector and access the full report, please consult our eBanking community: