On 10 April, the Federal Financial Supervisory Authority (BaFin) published its circular 3/2017 (GW), which sets forth new standards for video identification in Germany.
As such, this replaces circular 1/2014 (GW) hitherto in force. With the new requirements, the intention is to further tighten process security. IDnow, the German expert for identification, has played a crucial role in developing specific measures.
With the approval of video identification, Germany became a pioneer in 2014 and set a benchmark for online identification in compliance with the law. The process makes it possible for companies and customers alike to quickly and securely identify themselves via a user-friendly video chat. Since then, virtually the entire financial community has been using the process successfully and has seen the benefits gained from significant increases in conversion rates. IDnow, international expert for video identification and electronic signature, worked in close coordination with leading bodies and was part of the technical working group whose results paved the way for the new circular.
Michael Sittek, Managing Director at IDnow: "We're delighted that the new circular tightens the security of video identification even further, without compromising user-friendliness. BaFin, BSI (Federal Office for Information Security), other participating ministries and authorities, as well as financial institutions and identity providers collaborated constructively to further improve a forward-looking online identification method. This will consolidate Germany as a financial hotspot and, moreover, act as a role model for whole Europe." Armin Bauer, Managing Director at IDnow adds: "Given that IDnow was part of the task force that worked on the new regulations, we've already completed the technical development and are able to offer our customers compliance with the new requirements even before the transitional period expires."
No reference transfer and social media query
Circular 1/2014 (GW) has been in force to date, regulating remote identification via video chat for the first time. Last year, circular 4/2016 was published and quickly suspended soon afterwards. It contained some critical aspects such as reference transfer, the query from social media channels, as well as the restriction to credit institutions pursuant to §1 Para. 1 KWG (German Banking Act), which caused such uproar amongst financial institutions and identity providers. Fortunately, such restrictions have not been included in the new circular. All companies subject to the German Money Laundering Act (GwG) can continue to use video identification to legitimise their customers. Circular 4/2016 has now been definitively repealed.
The essential new features of the BaFin circular 3/2017 (GW) - Video identification process:
• Verification of the security features from three different categories: Identity documents usually have different types of security features. To ensure that a visual inspection can also be performed adequately under white light, the visual inspections are set forth in the current BaFin circular. The inspection of security features must be satisfactorily concluded for three of the four categories: 1) Optically diffractive features (holograms), 2) Personalisation technology, 3) Material and 4) Security printing. Identity documents with few security features are therefore excluded from the process. The absolute majority of the identity documents do, however, meet these requirements without any problems.
• In the future, as a measure against phishing and social engineering, identity experts need to get confirmation of the purpose of the identification. This should, amongst other things, counteract cases in which fraudsters recruit persons as app testers and let them “test” the identification app in their own name. By using psychological questions and observations during the identification process, identity experts should be able to correctly ascertain the plausibility of the information in the identity document, the information relating to the person being identified in the conversation, as well as the given intention of the person to be identified.
• A new feature is the mandatory end-to-end encryption for secure communication between the user and the identity expert. As a result, the questionable use of Skype or similar services will no longer be permitted in the future.
• There is another verification step which is intended to prevent computer-supported manipulation of the identity document. In doing so, the person to be identified must move the identity document, or partially conceal it with their finger. By using still images, the authenticity of the process should be verified.
Moreover, specific training measures and cycles for identity experts, as well as other technical and procedural measures, have been stipulated which do not, however, imply any essential changes to the first BaFin circular 1/2014.
The new circular comes into force on 15 June 2017.