PVID PROVIDER: Netheos in the process of being certified by the ANSSI
What is a PVID provider?
In order to fight identity theft on the Internet and fraud more generally, the ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information, a French organization) published on 1 March 2021 a set of requirements to assess the security level of Remote Identity Verification Services (RIVS) and, ultimately, to certify them.
You can freely download this PVID reference framework on the ANSSI website.
In order to learn more about this framework, you can watch the free replay of our webinar "PVID Provider: what's new for customer onboarding?"
Why a new certification in France and why PVID?
The certified PVID provider will receive a certification issued by the ANSSI. This label will allow the entire ecosystem to know that an identity verification solution has been rigorously audited and can thus be – in fact – considered reliable.
This certification will help highly regulated organizations and companies – such as banks and insurance companies – to choose their suppliers, in particular in the context of the fight against money laundering and terrorist financing (AML/CFT), when they wish to implement the 5th additional due diligence measure of the monetary and financial code. Choosing a certified PVID (Remote Identity Verification Provider) will then be mandatory to ensure the compliance of their KYC (Know Your Customer) process.
Are you concerned by this new standard?
This is the case if you are subject to AML/CFT regulations. A Remote Identity Verification Provider will allow you to implement a response to your "KYC" obligations and to set up your compliance when the business relationship is entered into remotely. However, you should not forget that other solutions exist to ensure your compliance, such as the qualified electronic signature under the European eIDAS regulation.
But you will also be indirectly concerned if you wish to offer your customers a digital trust service governed by the European eIDAS regulation, such as electronic registered mail or qualified electronic signature. In France, the Trusted Service Provider (TSP) must integrate a PVID solution or be certified as a PVID Provider if it wants to implement a qualified remote service.
What should we remember about the PVID standard?
It defines two levels of assurance: substantial and high.
- High level: attackers are considered to have a "high attack potential". This level will be - a priori - reserved for state needs, where the risks are highest.
- Substantial level: attackers are considered to have a "moderate attack potential". The security of the solution must be guaranteed and equivalent to the face-to-face meeting you could have with your banker or any employee in charge of verifying your identity, your information and your documents, with the sole purpose of avoiding fraud.
The substantial level is therefore suitable for the vast majority of uses, such as opening an online bank account (e-KYC), taking out an insurance policy, receiving a qualified electronic registered letter, signing electronically at a distance at the qualified level (equivalent to a handwritten signature), etc.
For these reasons, the ANSSI has defined security requirements, including:
- A complete video acquisition of the user (no still photos, for either the ID document or the biometrics) at a high resolution level (720p).
- A systematic human control in addition to the automatic control (called hybrid control).
- Follow-up and advanced training of the operators validating the identifications.
- An audited infrastructure that meets high security standards.
PVID and the RGPD (GDPR): What do you need to do to be compliant?
The ANSSI consulted the CNIL on several occasions during the drafting of the reference framework, which integrates a certain number of requirements directly related to the RGPD.
In practice, the identification elements (the video) must be anonymized on the application servers after 96 hours.
At the same time, the legal archiving of documents and proof of identity is mandatory. No duration is specified in the ANSSI specifications, but 7 years seems to be a good compromise and consistent with other regulations.
Who are the PVID Providers?
Currently, no provider has completed the PVID certification process. To see the list of providers in the process of certification, you can go to the official page of the ANSSI.
At , no provider is yet certified
When will Netheos be PVID certified?
A specialist in identity verification since 2013, Netheos is currently being evaluated for PVID certification, and referenced on the official ANSSI page.
Faced with the definitive publication of the ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information, a French organization) requirements framework, and in view of its specificities, it seemed coherent to us to take 6 months to make our technologies evolve in its direction before submitting our file, so as to provide a coherent response. So in September 2021, we filed it with a newly patented technology that combines security and customer experience. We are now in the final stage of the certification process.
Already used by several major French accounts, our "Facematch" solutions aim to:
- accompany the end user step by step, notably through explanatory videos and contextual advice,
- reduce false positives as much as possible, i.e. blocking cases visible to the client,
- stop the most sophisticated fraud and identity usurpation, at the state of the art of the profession.
These solutions are accessible directly via API or via our Trust & Sign offer which, when integrated with our configuration support team, allows our customers to access an extensive catalog of trusted services. Some offers also meet the AML/CFT (LCB-FT) regulatory obligations, such as the qualified signature (under the 6th vigilance measure of the monetary and financial code) or the substantial-level digital identity of the French Post Office (which exempts the implementation of 2 vigilance measures).
Today, identity is understood in the broadest sense, and other Trust & Sign services will help you to get to know your customers better, such as the automated analysis of credentials / customer data or querying Sepamail Diamond to verify a bank account number.