Machine Assisted Manual Vetting to eIDAS Qualified Signatures
This White Paper is designed for industry professionals in finance, insurance, electronic signing and workflow platform industries. It describes the ZealiD App registration process that users need to perform. For more details please contact firstname.lastname@example.org.
The Game Changer - ZealiD App
ZealiD is an innovative QTSP that has designed its ZealiD app to leverage the eIDAS framework and the qualified signature to solve the three major pains related to digital service provisioning for finance and insurance providers:
- Remote Registration: ZealiD App provides a compliant, user friendly and cost effective onboarding that is accepted by all AML regulations and financial supervisory authorities in the EU
- Digital Contract Signing: ZealiD App creates remote certificates for the user that allows the user to electronically sign documents and transactions with a qualified signature that the user controls with Touch or FaceID. It is a persistent service that lasts 10 years minimum.
- Authentication: with ZealiD app, the user can access personal or otherwise sensitive data as well as authorizing transactions with a secure means of authentication that is compliant with personal data protection legislation (e.g. GDPR) and emerging financial regulation (e.g. PSD2).
A Certified System
ZealiD remote user registration consists of a number of modules in a certified system. No module by itself meets the requirements set forth in the policy (explained in Appendix I below). It is the combination of the modules in a certified system, and the fulfilment of the policy as audited by an accredited eIDAS conformity assessment body (CAB) that leads to the user registration for qualified certificates and signatures. The formal description of how ZealiD as an eIDAS Trust Service Provider carries out this process can be found under TRA Service practice statements (“TSPS”) at www.zealid.com/repository.
The Registration Process
ZealiD will register the natural person remotely based on a subscriber self-service online process interacting with a machine and manual processes. The manual process is carried out by ZealiD’s own registration officers.
The full name, the date and the place of birth, nationality, unique personal identifiers, email, and mobile phone numbers are provided as evidence to ZealiD. This is achieved by a module-based approach. There are five modules in the TRA Service:
Module 1 - Bank Account Data
ZealiD is a pioneer in using the new system of EU open banking (PSD2) to identify natural persons to eIDAS highest standards. Any ZealiD applicant with a bank account from one of over 400 connected and in production banks in 26 EU countries can register with ZealiD. For unbanked, there is a certified backup video conference route to registration. To see our account information service provider license (PSD2) and latest supported third party banks please go to www.zealid.com/coverage.
The user selects a language and then a country. For that country ZealiD shows the list of supported banks (or a search box if there are more than 12 options), offering 90% coverage of the 18+ population across the EU.
Once the user selects a bank, the user will be asked to sign-in (authenticate) with whatever method that the bank has provided for secure sign-in. When the user signs in to the bank with ZealiD app the user consents to sharing the bank account data with ZealiD.
ZealiD is authorized by law to process the bank account data. The bank access module will typically take about 1 minute.
Module 2 - Liveness
An integral part of our registration process is to determine that a natural person is physically present in front of the ZealiD app and smartphone camera at the time of registration. To demonstrate presence, ZealiD uses a certified technology called “liveness”. Liveness technology is specifically designed to reduce the threat from impersonation, masks and replay attacks.
The user is asked to hold the smartphone in front of their face. The liveness module uses the front-facing camera and asks the user to move the phone toward the face. The check completes within 5 seconds and allows ZealiD to determine physical presence with ultra-high accuracy. Please refer to our repository for more information on liveness checks.
Module 3 - ID document video
ZealiD's certified method of identity verification is unique in that it uses two sources of identity: the ID document and the authenticated account information from a licensed bank. ZealiD uses state-of-the-art computing technology to perform a number of operations designed to capture not only the text but also the document format. In the final self-service module, the user is asked to place either a government-issued ID document or a passport in front of her. The ZealiD App turns on the smartphone flash and generates a pattern for the user to move the smartphone over the flash-lit ID document.
Concluding the Self Service Process
Module 3 is the last user-facing module. The user is asked to sign the subscriber agreement, the terms and conditions and an acceptance of an electronic certificate. With this the registration process moves to Module 4 and the user waits for final processing.
Module 4 - Registration Officer Vetting
To comply with the ZealiD Policy (see Appendix I below), ZealiD has some 1000+ requirements to satisfy. A key set of requirements arises from state-of-the-art national legislation on remote identification (for ZealiD, the German BNetzA VDG). To conform with the relevant requirements, all registrants are processed by ZealiD-employed registration officers and a certified operations center performing a number of critical functions. These include, but are not limited to, checking the security features of ID documents and comparing the ID document picture with the high-resolution picture captured as part of the liveness check.
The manual vetting process shall take no more than 4 minutes to complete.
Module 5 - Quality Assurance Sampling
To guarantee that the ZealiD registration process performs to ZealiD Policy requirements, ZealiD samples a small number of users and sends them to an external certified video conference identification. ZealiD compares the results from the external party with the results from ZealiD Modules 1-4 and ensures that there is no deviation in identification results.
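As an added illustration of the dual-source principle in Module 3 and the "no deviation" check in Module 5, the following reconciles the identity attributes captured from the ID document against those delivered by the bank and routes any disagreement to a registration officer. This is example code, not ZealiD's own; the field set, the German umlaut transliteration table and the rule that the bank's given names must be a subset of the document's are assumptions.

```python
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Assumed transliteration for German umlauts, so "Müller" and "Mueller" compare equal.
GERMAN_TRANSLIT = str.maketrans(
    {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss", "Ä": "Ae", "Ö": "Oe", "Ü": "Ue"}
)


@dataclass(frozen=True)
class IdentityRecord:
    """Identity attributes as reported by one source (constructed field set)."""
    source: str          # e.g. "id_document" or "bank_account"
    given_names: str
    surname: str
    date_of_birth: str   # assumed ISO 8601, YYYY-MM-DD


def normalize_name(name: str) -> str:
    """Transliterate umlauts, strip remaining diacritics, split hyphens, casefold."""
    decomposed = unicodedata.normalize("NFKD", name.translate(GERMAN_TRANSLIT))
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(tok.casefold() for tok in plain.replace("-", " ").split())


def reconcile(id_doc: IdentityRecord, bank: IdentityRecord) -> tuple[str, list[str]]:
    """Compare the two sources attribute by attribute.

    Returns ("accept", []) when they agree, otherwise ("review", deviations) so a
    registration officer sees exactly which attribute disagreed and how.
    """
    deviations: list[str] = []
    if normalize_name(id_doc.surname) != normalize_name(bank.surname):
        deviations.append(f"surname: {id_doc.surname!r} vs {bank.surname!r}")
    doc_given = set(normalize_name(id_doc.given_names).split())
    bank_given = set(normalize_name(bank.given_names).split())
    # Assumption: a bank may hold only the first given name, so the bank's given
    # names must be a non-empty subset of those printed on the ID document.
    if not bank_given or not bank_given <= doc_given:
        deviations.append(f"given names: {id_doc.given_names!r} vs {bank.given_names!r}")
    if id_doc.date_of_birth != bank.date_of_birth:
        deviations.append(f"date of birth: {id_doc.date_of_birth} vs {bank.date_of_birth}")
    return ("accept" if not deviations else "review", deviations)


if __name__ == "__main__":
    # Constructed sample: hyphenated given name and umlaut spelling differ between sources.
    doc = IdentityRecord("id_document", "Anna-Maria", "Müller", "1985-07-03")
    print(reconcile(doc, IdentityRecord("bank_account", "Anna", "MUELLER", "1985-07-03")))  # ('accept', [])
    print(reconcile(doc, IdentityRecord("bank_account", "Anna", "Mueller", "1985-03-07")))  # review: date of birth
```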
Data Output - Best in Class Know Your Customer
ZealiD’s registration process generates some of the best data available for know your customer processes. Subject to user consent and explicit authorization, ZealiD can deliver the following data following registration:
- Personal name(s)
- Email address
- Mobile phone number
- Date and Place of Birth
- Registered Address
- Account information data
- Electronic Bank Statement (including IBAN)
- Electronic copy of ID Document (.jpg)
- Selfie picture
Appendix I - ZealiD Legality and Service Foundation
The eIDAS regulation (EU N°910/2014) came into force in 2016. With eIDAS, the EU has regulated the way EU citizens’ electronic signatures and identities shall be created, audited and supervised. In doing so, the EU has created one of the most powerful frameworks to power the digital economy. With eIDAS, e-signatures and identities are recognized across national borders, and public authorities and courts alike are mandated to accept their legal validity.
The Gold Standard in Remote Registration
The beauty of the eIDAS regulation is that it for the first time enables true cross-border recognition and interoperability. Fulfilment of the eIDAS regulation on so-called Trust Services is linked to specific standards issued by the European Telecommunications Standards Institute (ETSI). ETSI is an independent, not-for-profit standardization organization for the ICT industry in Europe.
ETSI standards not only guarantee technology, quality, security and consumer protection; they also provide the commercial sector with a future-proof, EU-wide compliant set of services that can be procured from competing suppliers under the scrutiny of the eIDAS audit and national supervision systems.
All EU countries have national regulation and supervisory guidance for finance and insurance service providers in the field of remote identification, following anti-money laundering (AML) legislation. Although harmonization through the money laundering directives has been under way for a long time, eIDAS electronic signatures have been adopted in almost all EU countries as a compliant means of remote registration. Never before in the history of the EU has one method of registration been compliant in all member states. That method is the qualified electronic signature (QeS).
eIDAS e-signatures constitute a future-proof, compliant and robust foundation on which finance and insurance service providers should build their services. Adoption of eIDAS-compliant services minimizes the risks of fraud, money laundering, malpractice and loss or theft of personal data.
Qualified Signature & Trust Services
The qualified signature (QeS) is the e-signature with the highest level of assurance and security. The signature falls under strict standards and audits and is not a “black box” type of technology. It is a perfect match for finance and insurance industry needs because of its “compliance by design” characteristics.
ZealiD - an Innovative QTSP
The QeS is provided by a qualified trust service provider (QTSP). ZealiD is a QTSP notified in Sweden. Furthermore, ZealiD holds an account information service provider license under Swedish PSD2 regulation. ZealiD is regulated, audited and supervised by the Swedish Financial Supervisory Authority, the Swedish Post and Telecom Authority and the Swedish Data Protection Authority. Supervision and audit are carried out according to the most demanding IT security, management system, personal data protection, liability and accessibility requirements.
ZealiD Policy Overview
For ZealiD to be trustworthy and compliant, we need to meet the registration requirements placed on a Trust Service Provider in eIDAS Article 24, paragraph 1(d), and further in ETSI standards. ZealiD registration is designed to comply and conform with:
- ETSI standards 319 401, 319 411-1 and 319 411-2.
- Remote signatures: EN 419 241-1 and -2
- State-of-the-art remote identification legislation in the EU: ZealiD has chosen German law and Bundesnetzagentur VDG § 11
- Second Payment Services Directive (PSD2) and Swedish implementation in Lag (2010:751) om betaltjänster
- Relevant ISO 27001 standards
- Other national provisions