From 15 June 2017, video identification will become even more secure: this is the date on which BaFin Circular 3/2017 (GW) – Video Identification Process comes into force.
In April, the German Federal Financial Supervisory Authority (BaFin) laid out new standards in the circular with regard to the existing process for customer identification via video chat. For example, it will now become obligatory to record the entire identification process on video in order to be able to verify it at any time. Further requirements are the end-to-end encryption of the video identification and the verification of other security attributes. The identity expert IDnow has summarised the most important new aspects.
In Germany, it has been possible since 2014 to identify customers in a legally secure way by video chat in order to open a bank account online, for example. There has been a positive reaction in the sector to the new BaFin Circular since it endorses video identification and increases its security even further, without compromising on user-friendliness. Moreover, it has resolved some critical points that threatened to restrict the process. Thorsten Höche, Board Member and Senior Legal Adviser of the Banking Association, gave his view on the new circular: "Based on experience, online identification is a secure and verifiable process for customer identification outside of bank branches. With the new guidelines, the identification process may take a little longer, however it's an acceptable price to pay for increased security and transparency. The user-friendliness of the process won't be further compromised by this."
See below for a summary of the most important new technical and organisational features included in the BaFin Circular 3/2017 (GW) – Video Identification Process:
Video recording: In the future, the entire identification process will have to be recorded both acoustically and visually, and stored. This means that continuous video recordings will now be obligatory. According to the BaFin, recordings by way of burst shots or screenshots are not sufficient, since they do not guarantee that every single step has been documented. The recordings must be stored for a minimum of five years after termination of the business relationship. As such, in the event of a review or check by the BaFin, an individual identification will be verifiable. The BaFin also asserts that no data protection conflict arises as a result, given that pursuant to § 8 of the German Money Laundering Act, it is permitted to record the process completely and permanently, even without blacking out parts of the identity document. This results in an increase in the data volume per identification process to approximately 10 MB, which requires banks and identification providers to have the corresponding server capacities for storing the recordings and the identification information.
End-to-end encryption: The communication between the user and the identity expert must be end-to-end encrypted with a minimum of 2,048 bits. Services such as Skype or iChat, and connections using weaker encryption, are therefore no longer allowed. This requirement is based on the recommendations in Technical Directive TR-02102 issued by the Federal Office for Information Technology Security (BSI) and the requirements for cryptographic processes.
Visual inspection of security features: In the future, a random selection of three security features from various categories that are discernible under white light will have to be verified. These include, for example, holograms, the changeable laser image and the security printing on the identity document. To counteract tampering, the identity experts must perform the visual inspection with the help of enlarged sections of still images. In this regard, it is important to issue high-resolution images so that security features such as the guilloche structures and microprints can be detected effortlessly. Identity documents which do not contain the required security features will no longer be permitted for identification purposes.
Other changes are an automated validity and plausibility verification of the identity document information, the movement of the identity document in front of the camera and the confirmation of the reason for the identification process. Further requirements are related to training measures and cycles for the identity experts which represent minor changes to the process hitherto used.
In the run-up to the publication of the BaFin Circular 3/2017 the identity expert IDnow worked in close coordination with the most relevant bodies. According to Managing Director Armin Bauer, "We participated in drawing up the new measures within the framework of a technical working group." "We've already been implementing many of the new requirements with IDnow Video-Ident from the very start. That's why we developed a patented software that we use to generate high-resolution images. It's precisely with these stricter requirements that this technology has become more important than ever for verifying the guilloches. Apart from that, we make it easier for banks to implement the new requirements by offering them sufficient storage space for the required video recordings on our own corporate servers in Germany."
Michael Sittek, Managing Director at IDnow, adds: "Our new process was submitted to BaFin for inspection. They confirmed in writing that all the process steps within the IDnow solution meet the requirements of Circular 3/2017 (GW). We've trained our identity experts to implement the new procedure in such a way that for end customers identification continues to be as quick and straightforward as always."
The new regulations come into force on 15 June 2017.