finma now permits a way to perform digital identification without video or bank transfer. The chosen technology (reading an NFC chip) is technically sound but of limited practical relevance since it is limited to passports.
finma just released a draft update of the current circular on online and video identification. In the circular, finma lays out the procedures that have to be followed to identify a natural person in compliance with the Swiss anti money laundering act. The current draft amends the aspect of the circular concerned with online identification, i.e. the identification process without a video interview. In the current circular, online identification must be combined with a bank transfer. Only then, is an online identification sufficient to open a new bank account (i.e. the person is considered to be fully identified). According to the draft, it is now possible to replace the bank transfer with the scan of an RFID chip of a compliant government issued document.
From a technical standpoint this is a very sound approach, since RFID chips on most current passports (not all) are as secure as the chip on a payment card. It is possible to verify that the chip was issued by a government and that the information on it has not been changed. This verification is cryptographically sound, i.e. there is no reasonable way to fake the chip or the data on it. On the downside, there are several practical hurdles to using this technology for onboarding purposes:
- Swiss ID cards don’t have a chip. Passports do, but in our experience, they are used in around 1% of the onboarding cases.
- To read the data from the chip, reading the machine readable zone (MRZ) of the document beforehand is necessary because the password to access the chip is encoded in the MRZ. So there is always an additional step for the user.
- National ID cards of other countries are less standardized than travel passports. For example, German ID cards (the „Perso“), which are as widely used as the Swiss ID cards, require an additional key to access the data which is in the visual zone of the document.
- Reading the chip data is only possible with a native app on the device, requiring the user to install an app.
- As of today, signature law has not been updated and therefore qualified signatures (required for consumer credit cases) are still not possible.
Almost as an aside, the notes which accompany the draft contain another important clarification: Declarations of beneficial ownership do not require a hand written signature. In digital terms this means that there is no requirement for a qualified signature (which in turn would have required video ident or personal presence per current law). This is relevant in so far, as it opens up many transactions to video-free identification procedures, especially in the b2b domain, where beneficial ownership is often a crucial point to be established.
In summary, the update is of limited immediate relevance for identification and onboarding scenarios in the financial services industry. However, looking into the future, there is considerable potential in this approach:
- Mid- to long-term, the Swiss ID card will get an NFC chip (not yet in 2021 but probably some time before 2025) and with 10% yearly renewal rate, every Swiss citizen should have an NFC-capable document in their wallet by 2035.
- With a change in the digital signature legislation, allowing qualified signatures in combination NFC would make video obsolete and could make digital signatures much more usable.
- Moving from probabilistic to (almost) deterministic security features is a paradigm shift with substantial long term impact on the digital identification landscape.
Links: finma information on the draft
fidentity provides software for compliant digital customer identification according to finma rules. The user just takes a selfie and scans their ID document. This can take place on any cell phone in the standard browser without app. Using artificial intelligence (AI), fidentity checks the authenticity of the documents and extracts all data. The identification is completed in real time and all relevant documentation is provided to the financial intermediary in real time.
fidentity is audited according to the ISAE300 standard.
fidentity – Compliant Onboarding – Fast and Convenient