Remote Identity Verification
In my latest article, I have written about the possibility of e-contracting based on a strong identity verification. But what does Identity Verification mean in practice and what makes it so complex? In this article, I will mention some of the important aspects of this very controversial topic focusing primarily on the legal issues.
When I mention remote identification to my clients, it turns out that everybody has very different ideas on what that actually means. It is simple right? Just verify the identity of a person online. What makes it so difficult? – they ask.
Well, first of all, a business can have many different objectives when they need to verify someone’s identity in the digital space. As a primary objective, the law may require you to do this in order to provide a certain range of online services. One of the most notable of these laws is the often-referenced AML or Anti-Money Laundering Regulation of the EU. AML is an important legal framework as it “de iure” introduces the possibility of remote identity verification in the regulatory logic of financial and other services providers in order to contract customers. As all regulatory frameworks, the AML is strict yet quite vague when it comes to defining how this should be done. The AML generously leaves it to national regulators to come up with the exact method of doing this. Needless to say, this generates chaotic and incoherent sub-regulations on the national level and a lot of confusion for businesses as to how they should actually implement this. I have seen one case when a national regulator of a business asked its members on Facebook how they would do this and enacted a regulation based on a few dozen responses stating this as an “audited” procedure. Needless to say, that this is not only confusing but jeopardizes the very purpose of the original EU regulation to require a well-defined identity verification procedure. Yet one must adhere to the law, right?
Regulators in general tend to impose an increasingly strict set of rules on businesses operating in the digital space when it comes to remote ID identification and age verification. In some countries, adult content is now inaccessible unless you prove your age. And no, clicking on the “I am over 18” is insufficient. There are e-commerce scenarios like tobacco, where identity verification is a must. Crypto wallet providers fall under the AML-5 for the first time and face significant difficulties operating fully digital and across borders when it comes to ID verification. The gambling industry has the same problem. One thing is common in all of these cases: they are regulated in many different ways in many different countries. This makes it extremely complex to tackle ID verification if your business operates across borders.
In some instances, ID verification is not particularly regulated by a specific law, but it is simply a business requirement. Examples include entering into a contractual relationship with a customer or proceed with a legal case in an e-commerce scenario where identities have to be known and a simple Facebook registration is no longer enough. Take GDPR compliance for instance: a customer approaches a telecommunications firm to get information on the personal data the company has on file on him. GDPR requires the telecom company to reply and inform the customer on all data that is on file about that customer. In order to do this remotely and in the digital space, the telecom service provider has to perform an ID verification to know exactly who is requiring this information. Simple right? This applies to any other e-commerce service provider operating in the digital space. Take Airbnb or Amazon for instance. All goes smoothly until there is a legal claim for damage or theft for example they have to settle. Once a legal case is filed, these e-commerce service providers have to identify all stakeholders in a “very legal” way to proceed with the claims.
In general, all businesses operating in the digital space sooner or later bump into the necessity to perform identity verification online. In a digital transformation project, the legal cloud and logic will have to be designed first according to how the business is regulated and what are the legal risks involved. The first step is always the definition of the so called “Legal Layer”. Then comes the Technology Layer. The complexity is putting the technology components together in a way that fulfills legal compliance. This is true to identity verification as well. You can do this many different ways, but you have to piece them together in a way that assures you legal compliance. Again, there is a logic to be implemented. Do not expect one single technology component to fulfill regulatory compliance for you. In each and every case, it is different, and you have to do the job of well-preparing the digital legal logic first. Do not try to save time here!