identificación electrónica

This post is also available in: Español

Royal Decree Law 28/2020, of September 22, on Remote Working, which we have discussed in other posts, included an amendment to Spanish Act 59/2003 on Electronic Signature (Ley de Firma Electrónica) on specifying the electronic identification methods that provide an equivalent level of security to in-person identification.

The debate on security and reliability in using video-identification or electronic identification systems for people in different locations started some years ago, particularly after Regulation (EU) 910/2014 of July 23 on electronic identification and trust services for electronic transactions in the internal market (the “eIDAS Regulation”) came into effect and introduced some provisions in this area (although specifically for citizens’ access to online public sector services). It is also an issue that has come to the fore in the current health crisis due to restrictions on mobility and physical distancing.

On this occasion, although video-identification performed, for example, by video-conference is not expressly authorized, the amendment to the Electronic Signature Act provides that, by ministerial order, “(…) the technical conditions and requirements applicable to the identification methods that provide individuals equivalent security in terms of reliability will be determined” in the context of issuing qualified certificates.

It does not appear to be a great step forward. What this change does appear to suggest, however, is that the legislator has sought to lay the foundations for permanently authorizing these mechanisms, which were provisionally accepted during the State of Emergency. Royal Decree Law 11/2020, of March 31, adopting additional emergency measures to face the social and economic impact of COVID-19 already authorized issuing electronic certificates identifying applicants by video-conference, based on the customer video-identification procedures in non-face-to-face transactions authorized by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC) in 2016.

According to the European Commission’s eID Group of Experts (Commission expert Group on electronic identification and remote Know-Your-Customer processes) — which has been studying the adequate identification mechanisms to allow financial institutions to implement digital on-boarding solutions complying with their KYC (know-your-customer) processes and money laundering requirements — there are several types of video-identification mechanisms, with different levels of security and associated risks. One of the most popular is video-conference systems in which a trained agent is present simultaneously or asynchronously (that is, when the agent is not present during the broadcast).

These mechanisms are not risk free since impersonation, forgery, alteration of documents or other cases of fraud are possible, and they must, therefore, be performed through sufficiently secure solutions or accompanied by other risk mitigation mechanisms. Mobile applications for capturing national identification documents are also taking off, along with the use of dynamic selfies with biometric checks, the use of eIDAS digital identities and other alternatives that companies consider including in view of a legal framework that is still incomplete, lacks harmonization and is constantly evolving.

Therefore, until that ministerial order is approved, a degree of uncertainty will remain in Spain regarding the risks associated with using some video-identification systems. It will also be interesting to see how the new Spanish Trust Services Act (Ley de Servicios de Confianza), which is still being processed, finally addresses this issue.

Author: Claudia Morgado

This post is also available in: Español



40 artículos