Identity Proofing as a Standard
This month marks the first anniversary of the new ETSI standard for Identity Proofing as a Service (ETSI TS 119 461). What is the relevance of this standard and how is it transforming the business of remote identity verification? What can we expect to come out of it in the coming years? In this article, I give brief answers to the most important issues around the ETSI standard for Identity Proofing and its impact on the digital ecosystem.
The European Telecommunications Standards Institute published the standard for identity proofing as a trusted service component, within the context of providing electronic signatures, exactly a year ago in 2021. However, its implications go far beyond the electronic signature landscape for two main reasons:
- This is the world’s first de facto standard on how to perform remote identity proofing in the digital world. Throughout my career, I have seen hundreds of different approaches to identity verification scenarios from all over the world. Regulators have been trying hard to regulate this not-so-simple market. But it is not the regulators’ task to define the technical details of how identity proofing is performed. This is the gap the new standard now fills.
- It paves the way for identity proofing as a trusted service component in any digital process, even outside of the electronic signature domain. Identity proofing is the cornerstone of starting a relationship with any client in the digital world. It is, therefore, the single most important pillar of trust when it comes to doing business online.
Identity proofing as a trusted service
So what does “trusted service” mean? The term “trusted” was primarily introduced by the eIDAS regulation. From a legal point of view, a service is trusted when the result of that service has an immediate legal effect and is court admissible. To translate this to practical terms: if an identity verification is done by a trusted service provider, the resulting verification data is considered to be legally credible and valid, and its results can only be questioned in court. This has a significant impact on the current identity proofing landscape because it means that identity proofing obligations can be outsourced to trusted service providers who are liable for the data they provide. In simple terms, AML compliance can be achieved simply by outsourcing the risky job and liability of providing identity information in an onboarding scenario like opening a bank account or registering an online player.
This is very good news for the financial sector, the gambling sector and numerous other regulated market sectors where compliance is a must. Companies in those sectors no longer have to invest large amounts of money and other resources into creating their own processes for identity verification. Also gone is the constant fear of non-compliance.
ETSI standard opens up new markets for identity proofing
In addition, the new ETSI standard for identity proofing opens up new market segments in unregulated sectors like travel, healthcare, rent, real estate, etc. Let’s face it, integrating an identity verification process, operating its infrastructure, and bearing its risks is neither cheap nor easy. Consequently, in the past, small and medium-sized markets had no real possibility to implement such solutions even if they wanted to. This was due to the lack of easily accessible pay-as-you-go services, as identity verification service providers were concentrating on big fish such as commercial banks. Little attention was paid to the unregulated and SME sector.
This is about to change, as we will see the emergence of Identity Proofing Service Providers (IPSPs) who will have been audited according to the ETSI standard for identity proofing and will have received the “trusted” conformity assessment certificate. Such service providers will have to undergo a scrupulous audit procedure by certified auditors on a regular basis, as well as meet the high demands of security and fraud prevention measures.