“Developing a Digital Identity Solution for Use by the Financial Sector Based Around eIDAS Trust Services” was published on 15 September 2021. Yes, almost three years ago. I came across it only as I started researching the relationship between eIDAS2 and AML-related regulation in the EU. Although it is quite old, it still seems worthwhile to review it, so that I can put the new AML package, which incidentally was adopted by the Council on 31 May this year, a month ago, into context together with eIDAS2, which entered into force on 20 May.
Key points of “Developing a Digital Identity Solution for Use by the Financial Sector Based Around eIDAS Trust Services”
Regulatory Environment
- The eIDAS 2.0 proposal and the AML Regulation proposal will transform the regulatory landscape for portable customer identities, with major impacts on client onboarding and the financial sector:
  - Creation of European digital identity wallets (EDIWs) that will be accepted for customer onboarding and payment authorization
  - Extended range of electronically attested attributes
  - Unification and further harmonization of customer due diligence (CDD) attributes
CDD Data Diversity
- Identity attributes are only a fraction of the information needed by financial institutions to comply with CDD requirements, limiting the practical use of portability solutions focused on core ID attributes only. CDD data typically includes identity, status, and credit/risk-related attributes, with the latter being less standardized and more service provider-specific.
CDD Data Custody
- Two broad CDD data portability scenarios are identified:
  - Bank-centric (delegated custody) portability, where an existing bank maintains CDD data and transfers it to a relying party
  - User-centric (self-custody) portability, leveraging European digital identity wallets (EDIWs) introduced by eIDAS 2.0
Roles for Financial Institutions
- Banks and other financial institutions can play various roles in the eIDAS 2.0 ecosystem:
  - On the CDD data receiving side, they will have to accept EDIWs for onboarding and payment authorization
  - On the CDD data providing side, they can be providers of identity attributes and electronically attested attributes, subject to certain requirements
Considerations for CDD Portability Solutions
- Beyond minimum compliance, CDD portability solutions for the financial sector will be driven by three key questions:
  - Does it address the commercial imperative?
  - How is value shared by the solution?
  - Does it justify the implied deployment complexity and related costs?
Open EDIW Proposal
- A solution based on existing open and mature standards is presented, complying with the EDIW specifications, including offline functionality. It supports payment authorization processes, multiple identity profiles, electronically attested attributes, and privacy-enhancing features.
CDD Exchange Frameworks
- Possible CDD data exchange framework arrangements are described, from bilateral interactions to KYC utility frameworks. Addressing governance, economic sustainability, and liability allocation are prerequisites for successful deployment.
Liability Allocation
- The importance of a clear liability allocation framework for CDD data portability cannot be overstated, given the centrality of identity in business interactions and the magnitude of the risks involved.
Practical Implementation Proposals
- Key proposals include:
  - Involving the financial sector in EDIW specification developments and considering a bank-led Open EDIW
  - Having Obliged Entities officially listed as ‘Recognised Designated Entities’
  - Recognizing the role of CDD data custodians
  - Clarifying liability allocation provisions
CDD Exchange Framework
CDD Exchange Frameworks are systems or arrangements designed to facilitate the secure and efficient exchange of Customer Due Diligence (CDD) data among financial institutions and potentially other entities while ensuring compliance with applicable regulatory requirements.
Types of CDD Exchange Frameworks
- Bilateral Agreements: Each participant enters into individual agreements with other participants for CDD data exchange. This approach can be lengthy and complex due to the need for numerous bespoke agreements.
- Scheme Model: A more integrated approach where a central scheme defines common guidelines and standards for CDD data exchanges. This scheme standardizes processes, handles liability allocation, and sets pricing provisions, similar to the models used by payment schemes like VISA or Mastercard.
- KYC Utility Model: In this model, a central KYC utility manages CDD data on behalf of the participating financial institutions and serves as the counterparty for all data exchanges. The utility performs CDD data processing as an outsourced service, which simplifies compliance and improves operational efficiency for member institutions, but it is less suited to facilitating broad CDD data portability outside the utility.
Key Considerations for Frameworks
- Governance: Effective governance is critical to ensure trust, transparency, and fairness among participants. It includes setting clear admission criteria, preventing conflicts of interest, and establishing processes for rules adoption and fee transparency.
- Economic Sustainability: The framework must offer a sustainable economic model, ensuring that service providers are compensated adequately and that there are clear financial incentives for participation.
- Liability Allocation: Clear rules must be established for liability allocation to manage risks associated with incorrect or fraudulent data. Liability could be strict, fault-based, or a combination, and needs to be clearly understood and agreed upon by all parties.
Practical Implementation in Europe
- The frameworks require significant standardization efforts, especially for attributes beyond core identity data.
- Financial institutions could act as CDD data custodians, providing verified attested attributes via European Digital Identity Wallets (EDIWs) and orchestrating multi-party utility models for managing broader CDD processes.
By considering these models and aspects, financial institutions can better handle the complexities involved in exchanging CDD data while ensuring regulatory compliance and operational efficiency.
Efforts to standardize Customer Due Diligence (CDD) data
Efforts to standardize Customer Due Diligence (CDD) data attributes beyond core identity data include:
- Use of EDIWs: European Digital Identity Wallets (EDIWs) will play a crucial role in standardizing the range of electronic attributes and enhancing the interoperability of CDD data across the EU financial sector.
- Harmonization Efforts: Under the AMLR proposal, the future AML Authority has a mandate to specify the list of attributes required for standard, simplified, and enhanced CDD processes, with the aim of unifying CDD data attributes across the EU.
- Industry Initiatives: Various KYC-sharing initiatives such as the INVIDEM initiative in the Nordic region and the KUBE project in Belgium are working towards standardization of CDD data attributes to facilitate smoother CDD data exchanges.
These efforts collectively aim to streamline the treatment of both core identity and additional status or risk-related attributes required for comprehensive due diligence in the financial sector.
What are CDD Custodians?
The roles of Customer Due Diligence (CDD) data custodians are multifaceted and can be summarized as follows:
- Data Segregation: CDD data custodians are required to segregate client CDD data from their own data, preventing commingling.
- Data Security: They must ensure that CDD data is securely maintained and protected from loss, theft, or compromise.
- Data Integrity and Consent: Custodians are tasked with keeping CDD data up to date, maintaining its integrity, and ensuring that it is only used for the purposes consented to by the data owner.
- Verification and Source Reliability: They need to ensure that the CDD data originates from reliable and independent sources. This involves a responsibility to continuously monitor and verify the data according to AML/CFT requirements.
- Transfer Protocols: CDD data custodians must not transfer data to third parties without the explicit consent of the data owner, adhering to GDPR and banking secrecy rules.
- Operational Responsibilities: These duties include acting with care when selecting sub-custodians, avoiding conflicts of interest, and ensuring clients can exercise their rights over the data.
These roles broadly ensure that custodians manage CDD data responsibly, complying with regulatory requirements and maintaining data integrity and security.
What Transfer Protocols are discussed?
The paper mentions transfer protocols only briefly, under the responsibilities of CDD data custodians and in the context of overall data security and control mechanisms:
- NFC and Bluetooth Low Energy (BLE): These protocols are used for secure electronic data exchange, particularly in offline scenarios where an internet connection is not available (e.g., point-of-sale payments).
- General Secure Communication: Other protocols are not specified in detail, but the reference to secure communication over SSL/TLS with X.509 certificates implies the underlying secure data exchange mechanisms.
These protocols facilitate the secure transmission of sensitive personal data, ensuring data privacy and integrity.