CSC Best Practices: Roundtable on ID Verification How to meet customer needs & tackle regulatory challenges?

By Elisa Van Ruiten

On 16 October 2020, the Cloud Signature Consortium hosted a member-only virtual roundtable: ID Verification: How to meet customer needs & tackle regulatory challenges? The event was moderated by John Jolliffe, Senior Manager of Strategic Development, Document Cloud at Adobe, and the international panel featured four CSC members, whose companies are innovating in the field of identity verification: Francesco Vetrano of Intesi Group in Italy, Vijay Kumar of eMudhra in India, Carrie Peter of Impression Signatures in South Africa, and Ionut Florea of certSIGN in Romania. In addition to innovation, they each spoke about the challenges they face, sharing insights and best practices from around the globe, and the role CSC can play going forward.

Opportunities for CSC leadership

As a growing association in an evolving field, CSC has many opportunities to take the lead. There was enthusiastic agreement amongst all participants on the positive role of the CSC specification and its potential. There was also discussion about the need for mutual recognition between trust service providers, ensuring an equal level of confidence in using any individual trust provider if they are complying with the same set of standards.

It was also clear that CSC is perfectly poised to be an industry thought leader in this domain and should continue along its path of being the drivers of global standards and integration. In fact, regulators in India are already looking to see what CSC recommends and is referenced at as “the” standard. Although there is still a long way to go, as Vijay Kumar of eMudhra pointed out, ‘CSC can be a great forum to standardize this subject by bringing in best practices to be followed’.

A look at best practices in innovation and regulation in the ID verification space

Looking at the subject from an European perspective, Francesco Vetrano discussed Intesi Group’s journey from a formal identification (ID) procedure that was not responsive to customer needs, to a more market-oriented one that integrates ID providers from the public and private sectors. Through special agreements with the main ID providers in Europe, Intesi Group is able to reach a wide range of users by leveraging their existing digital identity, bypassing an additional authentication step, and allowing the user to sign more easily. As Francesco explains, ‘The electronic ID verification integrated in the signing flow allows any cloud signature provider to offer seamless access to electronic signatures to any citizen who already has got an eID with a public, private or corporate identity provider. The eSignature service is easier and for everyone. And that is our daily target in Intesi Group.’ Although any validation and modification needs to be notified to their supervisory body, Francesco said good communication is key. While Intesi Group may be flagged if there is non-compliance, they do not have any big regulatory issues due to daily interaction with the regulator. And while their supervisory body is open to innovation, change happens slowly, as they want to see how it is done elsewhere first.

Looking to Asia, eMudhra handles an extremely high volume of online ID verification as the largest service provider in India. Vijay said their daily customer acquisition rate reaches 5,000 users per day during the normal period and 10-15,000 per day during the peak season between September and October. On a global scale, eMudhra operates trust services in more than five countries under regulatory framework, and is globally accredited for general purposes, including signing, TLS, and SMIME. Having begun providing virtual identification since 2018, a successful transition that has proven helpful in pandemic times, has led to a six-step ID verification process. It consists of the submission of an online request and electronic documents by users, automated and human checks, electronic verifications, and online checks with the Business and Personal Tax Registries. Their regulatory process is governed by the Indian Information Technology Act, wherein the government regulator is proactive about implementing improvements in order to facilitate easy use for the public. This includes a system of legally valid identity vetting and electronic signature use, with re-verification required every two years.

Joining the discussion from South Africa, Carrie Peter discussed Impression Signatures layering and risk-based approach under South Africa’s Electronic Communications and Transactions Act. Impression Signatures innovates by taking an agile approach, meeting customer budgets and end users needs wherever they are, whether WhatsApp or “feature phones”. According to Carrie, ‘No single factor or process ensures that identity verification is accurate beyond doubt or error, even face-to-face verification can be compromised with enough effort and investment. It is only through layering of multiple controls, that a relying party can be reasonably assured that the accurate identification has taken place.’ Because South Africa has some challenges with facial biometrics due to racial biases, Impression Signatures has developed methods to use fingerprint verification to a very high level of certainty. Some facial recognition can also be used and is triangulated with document verification. Despite infrastructure challenges, Carrie said Impression Signatures is always complying with international standards and strives to achieve the highest level of security available.

Back in Europe, Ionut Florea spoke about certSIGN operating under eIDAS regulation, which sometimes limits their innovation potential. Methods of ID verification at the international level must provide equivalent assurance to physical verification, which can vary widely across Europe. Ionut finds that most supervisory bodies seem reluctant to accept much risk and, therefore, tend to avoid innovation, but he says that clear standards and legal framework are needed all over Europe. As a Qualified Trust Service Provider (QTSP), certSIGN adapts to whatever is allowed, using video wherever possible. certSIGN customers ask for a complete digital journey, from online onboarding for remote electronic signing to e-archiving, with COVID-19 accelerating the desire for these services. Due to current regulations, certSIGN has had to take a safer, more straightforward approach involving video ID solutions that can be tested and integrated into their QTSP system. However, they have planned for a more long-term approach of self-sovereign identity for businesses, in which each business will exist in its own silo and users will have full control over their identity data.

The roundtable showcased the great potential and importance of CSC, both now and into the future. As CSC President, Andrea Valle, commented, ‘The Identity Verification roundtable has been a great opportunity for many of us to discuss a very hot topic these days. With COVID-19 changing the way we run ordinary business, remote identification and electronic identity proofing are now essential to many online services that our community of members serves. We understood how critical it is from the great contributions from the presenters, and this is certainly going to inspire our technical work and our role as market drivers moving forward.’

Interested in hearing more or missed the roundtable the first time? CSC will be holding an external event on ID Verification on 3 December from 2-3:30pm. Register here.