In France, remote identity verification has become a very important practice to ensure compliance with current legislation. Professional establishments in the financial sector are obliged to apply this methodology by following strict measures to combat various frauds and money laundering, two scourges whose scale is estimated at around 90 billion euros a year.
In addition to the legal aspect, this method based onArtificial Intelligence automation can also enable companies tosignificantly optimize their online underwriting processes. A recent study, for example, showed that the average time taken to verify a person’s identity remotely is 3.2 times less than for the manual version.
Remote identity verification, a regulatory obligation
What is identity verification?
Identity verification is the process of verifying a person’s identity. It can be carried out physically, in a bank branch for example, or remotely, via online services. When opening a bank account on the Internet, for example, the bank needs to ensure that the applicant is who he or she claims to be. For companies in highly regulated sectors such as banking, insurance, fintech etc., this is a legal obligation known as KYC, the acronym for “Know Your Customer”. For other sectors, such as real estate, healthcare or education, it’s an internal need to know their customers for administrative or solvency reasons. Remote identity verification (RIV) requires the use of tools that guarantee the authenticity of the information and documents provided.
What's the difference between a control and an identity check?
While the two terms are often used in the context of security and personal identification, they have slightly different meanings.
An identity check is generally carried out by authorities such as the police, to ensure that a person is who they claim to be. The authorized agent generally checks the person’s identity documents, such as passport or identity card.
Identity checks can be carried out in a variety of situations, such as when subscribing to an Internet service, setting up a bank account or purchasing a regulated product. This procedure involves checking the applicant’s supporting documents (ID card, passport, etc.) and personal details such as address or date of birth, and sometimes includes additional security measures, such as biometric authentication or SMS OTP.
Verifying customer identity: a regulatory obligation for companies
Professional establishments in many sectors, such as banks, insurance companies, fintechs and crypto-currency platforms, are obliged to verify the identity of their customers before subscribing to any of their offers. This obligation, known as “Know Your Customer“, is designed to combat money laundering, terrorist financing and identity theft. The AMF (Autorité des Marchés Financiers), the institution responsible for overseeing these procedures, has introduced a series of measures, known as “directives”, to ensure greater transparency in financial transactions and better combat LCB-FT fraud. The 5th Directive, transposed into French law in February 2020, is the one that directly concerns the VID procedure. In order to integrate a customer onboarding path (an entry into a digital relationship), regulated establishments must use a tool that complies with 2 of the following 6 additional vigilance measures (article. R561-5-2):
- Obtain a copy of at least one identity document.
- Verification and certification by an independent third party (notaries, bailiffs, etc.).
- Prove that the customer has already made a 1st payment associated with a bank account (European or equivalent) in his/her name.
- Obtain confirmation of identity from another bank/insurance company.
- Use a means of identity verification by a Remote Identity Verification Provider (PVID) in compliance with the ANSSI-certified standards.
- Verify identity by Electronic Registered Letter (ERL) or Qualified Electronic Signature with eIDAS-certified Qualified Electronic Signature (QES).
PVID and QES offers, which are demanding and highly regulated, must include facial recognition methods that are 100% automated (Facematch with life detection) or 50% shared with a human service responsible for fraud control (as is the case with the specialists at Netheos) in order to guarantee a sufficient degree of confidence. They must also incorporate computerized systems for checking receipts and electronic signatures.
The limits of face-to-face identity verification
What are the main disadvantages of physical identity verification?
Ensuring that a person is who they claim to be is a crucial process in the fight against various types of fraud when subscribing to a service on the Internet. However, the traditional physics method has significant limitations that can compromise its effectiveness:
- Bad UX: To open a bank account, for example, people have to physically go to the bank to provide their supporting documents. What’s more, limited agency opening hours can make the process difficult for those who work or have family commitments.
- Security risks: Verifying identity face-to-face is often prone to human error. Agents dedicated to this task may misinterpret identity documents or be unable to detect false papers. Applicants may also provide incorrect or falsified information during verification. These errors can lead to inconsistent results and compromise the accuracy of the approach.
- Operational and financial disadvantages: The face-to-face procedure is often long, tedious and costly. Without any automation capability, agents have to check paper proofs one by one, preventing them from concentrating on other, higher value-added tasks. What’s more, professional establishments need to have qualified and empowered staff, thus considerably increasing human costs.
Why is physical identity verification considered an insecure method?
Verifying a person’s profile in person is considered an unsafe method, due to the risk of identity theft. Official documents such as identity cards or passports can easily be falsified. Fraudsters can use this evidence to pass themselves off as other people and access benefits not intended for them.
Remote identity verification: benefits and use cases
What are the main advantages of remote identity verification?
VID offers many advantages, the main ones being the following:
- Improved security: thanks to facial recognition and the use of artificial intelligence, VID enables better detection of fraud and reduces the risk of human error. Personal information is also better protected thanks to more secure procedures.
- Automation: VID enables faster processing of requests. This means employees can focus on higher value-added tasks. Automation also reduces human costs.
- Improved UX: customers can subscribe to a service from home, at any time of day, without having to visit a branch. This simplifies and improves the purchasing process
- Compliance with regulatory standards: to comply with the “Know Your Customer” procedure to combat money laundering and the financing of terrorism (LCB-FT), companies in the financial sector must use a tool certified by ANSSI. PVID Facematch or simplified Facematch with Qualified Electronic Signature (QES) are then 2 possible options. Highly regulated, they offer a high degree of protection.
- Data traceability: VID keeps track of the data exchanged between the parties to guarantee their reliability.
Remote identity verification: use cases by business sector
VID can be used in a wide range of applications, depending on the sector of activity and the regulations governing it. Here are the main use cases:
- Financial sector and fintech: opening a bank account, applying for a loan, monetary transactions, opening a trading account, checking the solvency of investors.
- Insurance: taking out an insurance policy, making a claim
- Crypto-currency: create an account on a crypto-currency trading platform, buy or sell crypto-currencies.
- Online gambling: create a player account and confirm their age, deposit or withdraw money.
- eSport: tournament registration, player age confirmation, winnings validation.
- Ecommerce: evaluation of buyer or seller profiles (depending on legislation concerning the sale of certain types of goods), payment validation.
- Real estate: property rentals, property sales, credit checks.
- Health: creation of medical files, videoconferencing medical consultations
- Education: enrolment in degree programs, issue of training certificates.
Understanding the remote identity verification process
The different stages of remote identity verification
The VID process consists of 5 steps, 1 of which is optional:
- Collect the individual’s confidential data: This data can be collected via a web form or a dedicated mobile application. They may include surname, first name, date of birth, address, telephone number and e-mail address.
- Collect identification from the individual: Acceptable identification may vary according to local regulations and the needs of the establishment. They usually include passports, identity cards and driving licenses.
- Verify the official voucher collected: This step can be carried out manually or automatically using Artificial Intelligence tools such as those offered by Netheos. During this stage, 4 conditional points are checked:
- Document quality
- Verification of the type of document (CNI, Passport, Residence permit)
- Consistency of the document with confidential information provided by the user
- Authenticity of the document
- Compare the passport photo with the person’s face (Facematch). This crucial step ensures that the individual is who he or she claims to be. Depending on the level of confidence required, 3 Facematch solutions are available:
- photo
- video simplified
- PVID certified
- In the case of the PVID solution, a 5th step is necessary, involving the use of a human service specialized in the fight against identity and document fraud. This is particularly true of Netheos, with its team of experts based in France. They will then manually check the supporting documents before giving their final approval.
Documents accepted for remote identity verification
In most cases, proofs accepted for VID include passport, NIC and driver’s license. These are considered reliable proofs that are difficult to falsify.
However, some providers may accept other forms of proof, such as resident cards, social security cards or business cards.
Remote identity verification solutions guide
List of leading remote identity verification solutions
The most commonly used methods include, in ascending order of safety guarantee:
- Photo or video Facematch: based on AI technology, this method, also known as “facial recognition”, involves comparing the photo of the identity document of the person to be verified with his or her “selfie” photo or a short sequence of his or her face filmed live. It is generally used for low-risk situations, such as subscribing to services provided by public or private non-financial institutions (health, real estate, education, etc.).
- SEPAmail DIAMOND: This application verifies the bank details provided by an account holder to a direct debit or credit transfer originator. Following a first payment with a bank account in the cardholder’s name, the cardholder is integrated into the SEPAmail network. Its profile is then automatically recognized as authentic and does not require the use of a Facematch. Today, this method is mostly used in groups.
- eIDAS Qualified Electronic Signature: this service involves using a simplified Facematch (photo or video) and then digitally signing the document by SMS OTP (One Time Password). Certified by the European eIDAS (Electronic IDentification Authentication and trust Services) regulation, this method is accompanied by a so-called qualified certificate, which provides legal proof of identity verification, giving it the same degree of guarantee as physical verification. Also used in the financial sector, its Facematch is less demanding and offers a smoother user experience than the PVID repository.
- PVID Facematch: this version of Facematch meets the strict requirements of the ANSSI standard, and is produced by a PVID-certified company. It is used for situations involving a “substantial” or “high” degree of risk of identity theft or alteration, specific to companies in the financial sector (banks, insurance companies, fintech, crypto-currencies, etc.) which must combat money laundering and the financing of terrorism (LCB-FT). As of April 2023, none of the 10 companies in the running had obtained certification. Netheos has passed the 3 audits relating to the standard with flying colors, and is now awaiting the National Agency’s final decision on certification(https://www.ssi.gouv.fr/administration/produits-certifies/prestataires-de-verification-didentite-a-distance-pvid/).
How do you choose the right solution?
The choice of VID method depends on the level of security required and your company’s sector of activity. Companies in the financial sector must therefore choose a system that complies with LCB-FT regulations (Facematch PVID, QES, SEPAmail Diamond or La Poste’s Digital Identity). Non-financial public or private companies can make do with simplified Facematch technology.
It is also important to consider the management of confidential data. Service providers must comply with RGPD and data protection standards in order to avoid any risks related to identity theft.
Last but not least, the choice of technology must also take into account the online purchasing journey, and offer a fluid, fast experience to avoid frustration or abandonment.