What is a PVID provider?
In order to fight against identity theft on the Internet and fraud in a more global way, the ANSSI published on March 1, 2021 a set of requirements allowing the evaluation of the security level of the services of “Remote Identity Verification Providers” (RIVP) and, finally, to certify them.
You can freely download this repository on the ANSSI website (here).
In order to learn more about this repository, you can download the free replay of our webinar “PPVID provider: what’s new for customer onboarding?“
Any questions? Let’s talk about it!
Why a new certification in France and why PVID?
The certified PVID provider will receive an ANSSI security visa. This label will allow the entire ecosystem to know that an identity verification solution has been rigorously audited and can – in fact – be considered reliable.
This will help highly regulated organizations and companies – such as banks or insurance companies – to choose their suppliers. Especially in the context of the Fight Against Money Laundering and Terrorist Financing (LCB-FT), when they wish to implement the 5th additional vigilance measure of the monetary and financial code. The choice of a PVID (Remote Identity Verification Provider) certified service provider will then be mandatory to ensure the compliance of its KYC (Know Your Customer) process.
What should we remember about the PVID standard?
It defines a two-step level of assurance: substantial and high.
- At the high level, attackers are considered to have a “high attack potential”. This level will – a priori – be reserved for state needs, where the risks are the highest.
- At the substantial level, attackers are considered to have a “moderate attack potential”. The security of the solution must be guaranteed and equivalent to the face-to-face meeting you could have with your banker or any employee in charge of verifying your identity, your information, your documents, with the sole purpose of avoiding fraud.
The substantial level is therefore suitable for the vast majority of uses, such as opening an online bank account (e-KYC), taking out an insurance policy, receiving a qualified electronic registered letter, signing electronically at a distance at the qualified level (equivalent to a handwritten signature), etc.For these reasons, the ANSSI has defined security requirements including
- A complete video acquisition of the user (no photo, neither for the ID document nor for the biometrics) at a high resolution level (720p).
- Systematic human control in addition to automatic control (called hybrid control).
- A follow-up and advanced training of the operators validating the identifications
- An audited infrastructure meeting high security criteria.
Are you concerned by this new standard?
This is the case if you are subject to LCB-FT regulations. A Remote Identity Verification Provider will allow you to meet your “KYC” obligations and compliance, when the business relationship is entered into remotely. However, you should not forget that other solutions exist to ensure your compliance, such as the qualified electronic signature under the European eIDAS regulation.
But you will also be indirectly concerned if you want to offer your customers an online trust service governed by the European eIDAS regulation, such as electronic registered mail or qualified electronic signature. Indeed, in France, the Trust Service Provider (TSP) must integrate a PVID solution or be certified as a PVID Provider if he wants to implement a qualified remote service.
PVID and RGPD: What are the risks?
The ANSSI consulted the CNIL on several occasions during the drafting of the standards, which include a number of requirements directly related to the protection of personal data.In practice, the anonymization of identification elements (video) must be carried out after 96 hours on the application servers.At the same time, the legal archiving of documents and proof of identity is mandatory. No duration is specified in the ANSSI specifications, but a period of 7 years seems to be a good compromise and consistent with other regulations.
Who are the PVID Providers?
At the end of August 2022, no industry has completed the PVID provider certification process.
To know the list of providers in the process of certification, you can visit the official page of the ANSSI..
When will Netheos be PVID certified?
Specialized in identity verification since 2013, Netheos is currently being evaluated for certification, and referenced on the official page of the ANSSI.
Faced with the final publication of the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information, a French organization) requirements and in view of its specificities, it seemed coherent to us to take 6 months to make our technologies evolve in its direction before submitting our application. So in September 2021, we filed our application, with a newly patented technology that combines security and customer experience. We are now in the final stage of the certification process.
Already used by several major French accounts, our “Facematch” solutions aim to:
Accompany the end user step by step, in particular through explanatory videos and contextual advice,
Minimize false positives, i.e. cases of blocking visible to the customer,
To stop the profession’s most sophisticated state-of-the-art fraud and usurpation.
These solutions are accessible directly via API or via our Trust & Sign offer which, once integrated, allows our customers to access a vast catalog of trust services. Some offers also meet LCB-FT regulatory obligations, such as the qualified signature (under the 6th vigilance measure of the Monetary and Financial Code) or the substantial level digital identity of the Post Office (exempting the implementation of 2 measures vigilance).
As identity is now understood in the broadest sense, other Trust & Sign services will allow you to get to know your customers better, such as the automated analysis of supporting documents / customer data or the Sepamail Diamond query to verify bank details.
Netheos is a French company, a subsidiary of Namirial since 2021, a European group of Italian origin with more than 800 employees spread over 25 countries for an annual turnover of 100 Million Euros.
Currently, no provider is yet certified.