30 May 2017
eID and trust services play a key role in meeting regulatory obligations in the financial sector
In the quest to build a Digital Single Market, the need for convenient and secure cross-border online transactions is growing ever stronger. That is why the financial sector is keeping a close eye on the eIDAS Regulation: the tools it provides may make it easy to meet the legal obligations of sector-specific legislation such as the Payment Services Directive 2 (PSD2), the Anti-Money Laundering Directive 4 (AMLD 4) and its upcoming revision (AMLD 5), which is currently being negotiated by the EU co-legislators.
In this blog, I will discuss the need for legislative alignment between eIDAS and the sector-specific rules with Andrea Servida, Head of Unit ‘eGovernment and Trust’ at DG CONNECT at the European Commission. It is the third and final blog in the series about eIDAS, after blogs on the Regulation itself and the importance of trust.
As of 29 September 2018, EU citizens and businesses will be able to use their national electronic identification means to access online public services across the EU, provided that these means have been ‘notified’ by their member state for cross-border use. What is more, electronic identity (eID) is not just about accessing public services, it can also provide trust, security and convenience for businesses and their customers. This is made possible by the eIDAS Regulation, which introduced a set of rules for electronic identification and trust services for digital transactions. Andrea Servida headed the Task Force that shaped the proposal for the Regulation. He is now responsible for fostering understanding and awareness about the transformative nature of the eIDAS Regulation across various sectors in the digital realm.
eID: the value driver for innovation in the digital world
eID has been singled out as a major enabler to drive innovation in the FinTech and RegTech industry, allowing for quicker, cost-effective, and seamless identification processes, while retaining the risk reduction and compliance requirements the financial industry imposes. However, eID will be widely used only once it is recognised as a suitable tool to meet regulatory requirements concerning the identification and authentication of persons (natural or legal) as required under the AMLD4 or PSD2. Servida wrote this in his blog published on the eIDAS Observatory.
Coherence required between PSD2, AMLD4 (and 5) and eIDAS
According to Servida, it is no longer only a matter of raising awareness and promoting the positive message about eID. The challenge for the EU now is to foster coherence between the regulatory and policy frameworks that would allow its deployment across different sectors. Two frameworks that the financial sector must cope with are PSD2 and AMLD4 (and the upcoming AMLD5), which put considerable pressure on banks to meet stricter requirements. eID and trust services may play a key role in meeting those regulatory obligations on security and identification related to know-your-customer (KYC) in digital on-boarding activities, as well as strong authentication of parties to electronic payment transactions.
Promoting interoperability and re-use of eID
One of the key issues in reaching regulatory alignment was the possibility of using or relying on electronic identification means in full equivalence to what is accepted under the Anti-Money Laundering Directive. Servida: “In July 2016, the Commission proposed an amendment aimed at clarifying the usage options of eID means as required in this Directive. This shows that, when we have a regulated environment such as the payment sector, we need to make sure that there is regulatory alignment and in this respect, we are working within the Commission and with the European authorities to accomplish that.”
The same challenge applied to the PSD2, says Servida. “We have been talking to the European Banking Authority (EBA) and other regulatory bodies in the member states, because we consider that the use of notified eID means under eIDAS could give legal certainty in relation to the strong authentication requirements that are introduced by the PSD2 and reflected in the draft Regulatory Technical Standards (RTS) on strong customer authentication and secure and common communications developed by EBA.” Since the eID means are regulated and can be mutually recognised across the EU thanks to the eIDAS Regulation, the value really kicks in. “This provides the perspective of the Digital Single Market: one big market in which it is possible to identify parties with no prior trust relationship to interact with an appropriate level of security.”
The practical implications for the financial institutions
What does it mean in practice? When finally adopted, it would be possible to use ‘notified’ eID means of appropriate assurance level for secure remote cross-border identification of customers, thus facilitating banks’ compliance with the new know-your-customer requirement. Servida wrote this in his blog on the financial sector. “As eID means of assurance level HIGH carry the legal value associated to a strong identity proofing and authentication which in ‘offline’ reality includes a step of an in-person verification, by relying on such eID means a natural (or legal) person will be able to open and operate a bank account in another EU country online, without undergoing a face-to-face identity verification in a branch.” To this end, in the recently adopted Consumer Financial Services Action Plan, eIDAS is well profiled to harness the potential of eID to transform the sector and actions are proposed to facilitate the cross-border use of eID and KYC portability based on eIDAS to enable banks to identify customers digitally.
Still a new window of opportunities opening up for our digital society.