While more and more products and services are sold to consumers fully over the internet if makes us wonder “who are those people consuming these services” and “if we can be sure if they are who they claim to be”?
This may not be a big issue if you create a profile in Tinder but it’s definitely an issue in processes where money or delicate information is exchanged. Especially in banking and financial services.
Estonian legislation about opening bank accounts is quite strict by demanding that for the identity verification process the client and the banks representative have to be physically in the same location. While countries like Germany and Poland interpret the EU regulation 2005/60/EG in a way that having a video transmission of the person to be identifies equals to physical meeting then Estonian legislation does not leave that much interpretation room.
However, this is about to change. Estonian Government is making preparations to allow opening bank accounts from distance. This change in legislation is strongly driven by Estonias e-residency program, which will allow basically anyone in the world to apply for Estonia’s e-residency. Don’t confuse this with citizenship. Estonia’s e-residency will allow people to consume Estonia’s’ digital e-services like starting a company online, declaring and paying taxes online, using digital signature for signing personal or company documents or purchasing property online, etc. Anyone can apply for the card and pick it up from Estonian embassies around the world. The big idea is, that anyone could run their business using Estonia’s digital e-services while being anywhere in the world.
All this is nice but if you have to come to Estonia to open a bank account for your company, it’s a bit pointless, isn’t it. Therefore the change in legislation.
The exact requirements and guidelines for the identity verification and legitimation process are not finalized yet but one of the major issues is definitely going to be the security and integrity of the online identity verification process.
So, what’s the issue here? Issue is that how much room for interpretation can the legislation gives to banks and service providers in the identity verification procedures while still guaranteeing sufficient security and integrity standards?
Leading opinions to give this identification process an extra layer of security seem to include some sort of video component procedure. If a video transmission is going to be used to add security for such identity check there are two leading options for this also. Automated process and live process. Lets take a look at both of these options.
Automated process is where a person receives instructions to follow certain procedure of verification in front of his/her webcam. This process is recorded and collected information will be analyzed and if everything seems to be ok, then the process is approved. No human interaction from the bank side is made during this automated process.
Live-online verification and legitimation process includes a banks representative controlling the procedure from the banks side and instructing the person to follow guidelines. Technology wise the data is collected pretty much the same way as in automated procedures, but in live process the Banks representative will observe the procedure, ask additional questions and data to verify the identity of the customer. Banks representative will make a decision during the session if any additional verification methods have to be use to identify this client.
While automated process is usually less expensive for the banks and can even be offered by 3rd party vendors there are security issues to address. Live-solution offers more control and flexibility to the bank but has usually a larger price tag on it. Lets look at the security aspects in the following sections. For following evaluation we asked advice from a Wiretraps‘ leading cyber security expert Joseph Carson (CISSP, CSPO, ITIL).
The main issue with this automated-approach is the integrity of the process. For example when one of the identifications is found invalid then it raises a major integrity failure with all identifications done via the same process, since an automated system is consistent it would result in all identifications ever issues to be required to be re-verified or reissued. This approach works great if you never have integrity failures, though you should always have a system that can deal with failures. And you have to expect that failures will occur.
For example if you think of the same process with recalls like the recent Mars incident this would result in the same situation with this systematic approach.
Quote “An international recall of a range of chocolate bars has been announced by Mars because of fears that customers could choke on pieces of plastic.
The recall, which affects 55 countries, could end up costing the company tens of millions of dollars.”
If the online identity verification procedure service is issued by a 3rd party provider the integrity issue may be even larger. In case of an identification failure occurs in the 3rd Party service provider, then Any identification process done by the same 3rd party vendor have to be retaken. This applies even if the identification mistake was made in the identification verification process for another (banks) client.
No matter what input is used whether it is a form, a digital photo, signature or so forth in this process it must have a human element to reduce the risk of total integrity loss of the system. If there is no human element, video does not add any additional reduction in integrity failures if they occur. This is a main reason why production lines add quality checks or process’s that limit or reduce the systematic failures when they occur.
Live-online verification process is more costly to banks but it is better than previous automated approaches. This is because it limits and reduces the potential integrity failure of the process and system. As a human element is added while the additional overhead may seem increased at initial concept it results in a better systematic loss if an integrity failure ever occurs meaning that both liability and recall situation is limited by this process. For example it should be very limited input required from the agent involvement to keep the systematic consistency of the process though it provides a quality check and additional verification in the process. This means if there is ever a systematic or integrity failure in such a method it means only the identifications ever made by this particular agent is placed in question meaning that it is not an entire loss in integrity.
While all systems can add whatever authentication, encryption and availability the main cause for concern from a security perspective here is the potential loss of system integrity during a failure. For example just like the recent high profile Cyber breaches, the largest cost in the events was the loss in the integrity of the data meaning it had to be recollected again and all data verified. This is the biggest risk to any system is when the data can no longer be guaranteed of authenticity and accuracy.
Cost issue of these identity verification processes is not an issue to the larger banks but it is a concern to FinTech providers who’s’ business may depend on having low client acquisition costs. Automated and maybe limited online identification processes are cheaper than live-solutions (like LiveBank) but the real question here is, that “how much are you willing to pay if the integrity failure happens”?
Therefore, however tempting automated identification systems may seem, in Estonias e-residency bank account opening case a Live verification solution with a human element is a must choice.
Written by Joseph Carson, CISSP, CSPO, ITIL