When exiting the first wave of Covid-19 it is crucial to leverage the options we have to digitalize what we can. This is really a case that makes huge sense in the normal sense and really, really should be executed on immediately.

1. Leveraging eIDAS for
eKYC Purposes
Practical considerations
in time of crisis
Meeting 5/5-2020
• Ronny Khan
• rkh@dnb.no
• Stephane Mouy
• sgmouy@stephanemouy.com

2. Agenda
• Introduction
• Rationale for eIDAS Trust Services.
• Other steps to be taken.
• Suggested first steps.
• Discussion.
• Next steps.
Ronny Khan & Stephane Mouy 2

3. Introduction
• This is a continuation of the EU eID/KYC expert group.
• We are a few former members that just don’t know
when to stop.
• We are not in a position to ever make any money
out of this.
• Neither will our employer.
• So we are not doing pre-sales or anything of the
sort. We only have knowledge and a desire to see
improvements.
• There is a lot that needs to be done.
• We are focusing here on one low hanging fruit and will
suggest intermediate steps.
• Next suggestion would be to fix remote
identification for onboarding.
Ronny Khan & Stephane Mouy 3

4. The eID/KYC
expert group
is gone…
… but KYC
problems
remain
• There are severe impediments on having a real
single market for financial services with cross border
competition.
• 'Competitiveness and regulatory sovereignty in
relation to technology finance require a more
harmonised framework' (ROFIEG Report 2019-12)
• 'Where to start' is important
• Directly aiming for a ‘Grand eKYC bargain’
appears unrealistic in the current environment
• Doing nothing means leaving the initiative to
GAFAs and other actors – loss of EU sovereignty
• Proposed approach – practical and pragmatic steps
are preferred
• Overall philosophy : ‘leverage existing eIDAS
solutions to strengthen eKYC processes’
Ronny Khan & Stephane Mouy 4

5. In these
extraordinary
circumstances '
out of the box'
thinking is
needed and
'recycling' bring
s value
• A second wave of COVID-19 is likely – putting additional
strain on already battered EU economies
• On the (more) positive side, the pandemic is forcing a
rethink of how digital tools can facilitate business
interactions, including for KYC matters
• In this hugely difficult context, innovations must be
frugal and make the best use of what already exists
• No 'grand scheme' requiring complex deployments
please, rather focus on incremental improvements
directly related to existing tools and processes
Ronny Khan & Stephane Mouy 5

6. eIDAS Trust
Services are
legally
recognised
versatile
instruments
• eIDAS Trust Services : e-signature, e-seals, e-
registered letters, e-time stamps and website
authentication
• eIDAS Trust Services are regulated – especially
for high-end ‘Qualified Trust Services’ issued by
accredited ‘qualified trust service
providers’ and legally recognised on a cross-
border basis.
• Qualified Trust Services are based upon
‘Qualified Certificates’ defined by the eIDAS
Regulation (esp. Annexes I & III) which are
digital attestation mechanisms using industry-
standard formats (e.g. XAdES, CAdEs, PAdES)
• More importantly, Trust services are recognised
for AML purposes
Ronny Khan & Stephane Mouy 6

7. Basic approach
Reuse the
PSD2 model
PSD2 implementation : defines a
way for the AISP to interact
with the banks in a secure way
Proposal is to replicate the PSD2
model' so that the new service
provider can safely interact with
the existing KYC custodians
Ronny Khan & Stephane Mouy 7

8. • As with PSD2 qualified certificates will
be issued by trust service providers to
eligible entities.
• These certificates will serve as
authentication and to secure the data
towards a KYC custodian.
• This will standardize what is happening
in the market today with KYC utilities.
• It gives regulators a clear point of
control (revocation) and clear
traceability behind the usage of
qualified certificates.
How would this work
in practice?
Ronny Khan & Stephane Mouy 8

9. Basic customer
experience
with eIDAS
authentication
(What the client sees
When login in with his/her
new service provider)
Ronny Khan & Stephane Mouy 9

10. Basic customer
experience
without eIDAS
authentication
New service provider
New service provider
Existing Service Provider
KYC custodian
Existing Service Provider
KYC custodian
Ronny Khan & Stephane Mouy 10

11. The proposal
has no impact
on Privacy &
AML liability
rules which
remain fully
applicable
• Privacy (GDPR) - no change to client consent requirements
• AML rules : the new service provider(KYC relying party) is fully
responsible and has to apply AML rules
• Independently assesses the risk-factors of the
contemplated customer relationship (Risk-based approach)
• Independently determines which KYC data is required
• Independently determines when KYC data needs to be
refreshed (reverified) as part of ongoing CDD processes
• Is fully responsible vis a vis regulatory authorities in line
with FATF Recommendation 17
Cannot rely on the KYC custodian for these
Ronny Khan & Stephane Mouy 11

12. Where does
trust services
fit in ?
(some example
scenarios)
Ronny Khan & Stephane Mouy 12

13. Explained
• Identity proofing is separated from the rest of the user
data by design and purpose when an electronic
identity is used. So it is normally not feasible to get KYC
data from the IDP.
• Even if this by chance this is possible the protocol does
not accommodate the transport of this data.
• By nature the definition KYC data will not reach
stability immediately but be a moving target.
• Since identity is a multi stakeholder value chain
changes are complicated and take time.
• Trust services keep this 'out of band' (outside
authentication flow and the authentication value
chain) and separately managed which only needs to be
aligned point to point. (Between the parties)
• This could be a quick win temporary step.
• There is no hard requirements on end user
authentication (when not using eidas) but obviously
some requirements should be in place.
Ronny Khan & Stephane Mouy 13

14. The eIDAS
interoperabily
framework
relates identity
providers &
service
providers
Identity
Provider
Service
Provider
Upon request of the User, the Identity provider sends a SAML
assertion (XML document) containing the User autorisation to
the Service provider, with both ends having to exact same
configuration for the SAML authentication to work
Ronny Khan & Stephane Mouy 14

15. Remaining
problems
• What is KYC data ?
• What are the KYC data and how is it represented ?
• Are a PDF with proof of identity proofing required ?
• What other attributes are needed and how are the reliability
expressed ?
• What are the consent requirements?
• For eIDAS this would be done by presentation of a signed consent
form.
• For non eIDAS it can be solved by one-time authorisation codes.
• It could even be done on trust with the new service
provider warranting that it has obtained User consent and this is
trusted by the KYC custodian.
• Eligibility
• Who qualifies for the usage of such services ?
• What is the business model? How are costs and revenues shared?
• We don’t try to answer this. It might be bilateral agreed or mandated
as for free by local regulators to improve competition.
Ronny Khan & Stephane Mouy 15

16. KYC Data
standardisation
• We propose to start this track in parallel as this
is broadly speaking an independent matter.
• We do not propose to synchronize “finish to finish”.
• Institutions can start using the Trust Service
approach subject to a risk-based approach
without a finalized standard.
• They do not get a free pass but can use this
based on their own risk assessment and in
dialogue with the competent authority.
• Domestic temporary standards can be
implemented as intermediate steps while still on
the right track for the final solution. Domestic
requirements on what KYC data is are usually
resolvable.
Ronny Khan & Stephane Mouy 16

17. User consent
• Can be defined as the responsibility of the new service
provider – mutual trust approach
• The existing service provider (KYC custodian)
assumes that this responsibility has been honoured.
• Can be dealt with by explicit authorisation code or signed
artefact.
• In this scenario the authentication flow needs to be
expanded to include a one-time code or a signed
attribute presented to existing service provider (KYC
custodian).
• This might be an eIDAS signed statement to the effect
of allowing sharing. In this what the IDP produces is a
signed artefact and not an authentication.
• This would probably be required when opening up to
other entities beyond highly regulated entities.
Ronny Khan & Stephane Mouy 17

18. Eligibility
• Ideally all 'obliged entities' (entities subject to
AML requirements) should be able to use this.
• As a starting scope this is too large in terms
of risk and governance of certificate issuing.
• We suggest starting by focusing on easier
scenarios which correspond to the majority of
use cases.
• A suggested approach is to allow this for
account holding financial institutions now and
expand in later interactions.
• With strong proof of consent it should be
possible to expand the availability of usage.
Ronny Khan & Stephane Mouy 18

19. Suggested
timeline for
Pre-Pilot Phase
This can be done
before the
Summer recess
§ "Assessment" is getting a second opinion or broadly evaluate the
approach suggested here.
§ "Consultation" is reaching out for feedback and comments broadly. Can
run in parallel with the analysis if required.
§ "Analysis" is to determine the details of the solution, regulatory
implications, summary from the consultation and estimate costs.
§ "Report" is preparing and presentation of a summary report. Much of this
should be done continually.
§ "Report assessment" is evaluation and decision on if to commit on the
implementation phase.
Ronny Khan & Stephane Mouy 19

20. Next steps data
standardisation
The process must be initiated.
• This can be done within the EU or outside.
• Our recommendation would be to get this done outside
by standardisation organisation (e.g. ISO)
• Stakeholders like the EBA has de facto control over ISO
work on financial standardisation and can review results
rather than use stretched resources to do the work
themselves.
• If we directly approach ISO or other standard-setting
bodies, there is a strong possibility we will not be
prioritised ('Thank you very much for your interest'…)
• The EU Commission has the clout and influence
required to activate the process.
• In Norway we made an online application for covid-19
depositing directly to the recipients account in 3 weeks.
Normal turnaround would be 3 years. So thing can
happen fast with high-level stakeholder involvement.
Ronny Khan & Stephane Mouy 20

21. Thank you for
your attention
Stephane Mouy
sgmouy@stephanemouy.com
https://sgmconsultingservices.com
Ronny Khan
rkh@dnb.no
https://bit.ly/3985fpF
Ronny Khan & Stephane Mouy 22

22. Reserve slides
Ronny Khan & Stephane Mouy 23

23. Why this is (still)
urgent– Life or death
• The last great Pandemic had 3 waves
during a year.
• This is one of many careful studies
that all concur.
• Wave 2 and 3 was much worse than
wave 1.
• This particular study is from
Denmark which was neutral
thus not explainable by
collateral effect of the war.
• Now this might not happen this time
but it would be foolish not to prepare
when there is still time.
• It is certain beyond question that
there will be more waves, the only
debatable question are the
magnitude.
Ronny Khan & Stephane Mouy 24

24. Recent study
Recommendations
• States, territories, and tribal health
authorities should plan for the worst-case
scenario (Scenario 2), including no vaccine
availability or herd immunity.
• Government agencies and healthcare
delivery organizations should develop
strategies to ensure adequate protection
for healthcare workers when disease
incidence surges.
• Government officials should develop
concrete plans, including triggers for
reinstituting mitigation measures, for
dealing with disease peaks when they
occur.
• Risk communication messaging from
government officials should incorporate
the concept that this pandemic will not
be over soon and that people need
to be prepared for possible periodic
resurgences of disease over the next 2 years
Ronny Khan & Stephane Mouy 25

25. PSD2 Model
explained
Use of qualified certificates is regulated for PDS2
implementation
• Established by EU Implementing Regulation
2018/389 (art. 34) and based on EBA Regulatory
Technical Standards
• Confirmed by EBA opinion 2018-7
• Leading to specific technical specifications (ETSI
TS 119 495 – 2018 11)
Ronny Khan & Stephane Mouy 26

26. Defining
urgency
Compensation of lost revenue due to Covid-19
• On the 24 March the prime minister of Norway reached out for assistance. A completely new
solution was needed for compensation of lost revenue for businesses.
• This solution needed to be self served web based where the manager of the businesses could
apply for compensation
• The system needed automatically to retrieve the historic turn around for the company and
approve, disapprove or refer to a case worker.
• The case worker should have a suitable interface to finally reject or accept the application.
• If approved money should be transferred and be available the next business day at latest.
• On the 17 of April this was operational and public available.
Establishing secure remote on-boarding for EU subjects.
• A bit later a need was discovered for non Norwegian citizens who are entitled to benefits but
unable to apply. They would not have a suitable electronic id and in person applications was out
of the question as well as impossible as they where and are stranded in their home country.
• This system is undergoing final testing and is expected to become public available within days.
So non of these happens in a vacuum, Norway has a fully deployed electronic ID system and there
have been a huge effort on remote on boarding with specifications earlier.
But as stated by the stakeholders, this would normally have taken 3 years not 3 weeks. The efforts
includes amending/changing regulations and laws.
So this is urgency and this is what is possible if you really think something is urgent.
Ronny Khan & Stephane Mouy 27

27. With eIdas
Ronny Khan & Stephane Mouy 28

28. Ronny Khan & Stephane Mouy 29