The 21 CFR Part 11 standard, for which TrustCloud has successfully passed a compliance audit, promotes and ensures the correct use of electronic signatures and records.
TrustCloud has obtained the ETSI 119 461 certification, which sets out security best practices for identity verification in trusted services, particularly in qualified electronic signatures.
Created not too long ago and as stated by the European Telecommunications Standards Institute (ETSI) in 2021, ETSI 119 461 raises the minimum security levels in the context of identity verification. In this way, it aligns with the most current requirements of eIDAS (electronic identification, authentication and trust services).
The most demanding KYC processes must rely on ETSI-compliant solutions, hence its importance.
Making digital transactions stronger
The primary goal of the standard is to ensure that identity validation is carried out with the same level of security as in-person verification processes. By establishing a battery of rigorous requirements, ETSI aims to meet the international community’s expectations for ensuring and strengthening trust in digital transactions. The regulatory framework is a very useful tool that lets identity verification services operate in Europe with full assurance.
The standard outlines best-practice requirements for performing tasks such as collecting attributes and electronic evidence, verifying them, and linking the actions taken to the applicant’s true identity. ETSI 119 461 also specifies the way in which identification processes should be constructed by combining different means to achieve the correct result.
Identification: the five areas of operation
The ETSI standard divides the identity verification process into five separate tasks, each of which is addressed separately and in detail:
- Initiation: The process begins with the activation of identity verification, establishing the context and parameters for validation.
- Collection of identification evidence: Proof of the applicant’s identity is obtained. This may include presenting official documents in a valid format.
- Validation of identification evidence: Here, the necessary checks are made to determine the authenticity and validity of the presented identification evidence.
- Matching with the data provided by the applicant: The coherence between the information provided by the applicant during the process and the data found in the identification evidence is verified. Any discrepancy or inconsistency may be an indication of forgery or attempted fraud.
- Displaying the verification result: The positive or negative conclusion about the identity of the interested party is presented based on the presented and analyzed credentials.
These five steps, outlined in the ETSI standard, establish a clear and structured process for identity verification, ensuring that every critical aspect of validation is meticulously addressed.
The identity verification process can be performed using different types of identity documents, such as government-issued cards, digital images of these, or eIDs (electronic identifications). ETSI sets specific requirements for each type and means of identification. It also emphasizes that near field communication (NFC) verification is more secure than other document authentication solutions.
The ETSI 119 461 standard points out that a single image of the identity document no longer provides sufficient evidence. Instead, it suggests recording a short video that captures the different details of the document, allowing for more thorough inspection and validation. Verification based on a single identification photograph is nonetheless still standard practice in the industry, which underscores that the ETSI requirements have yet to be met and adopted.
This framework focuses on remote authentication carried out by trusted service providers. It therefore serves to audit these services on the basis of the methodology used in remote identity checks.
Addressing risks and fighting fraud
The security requirements detailed in the ETSI 119 461 standard reflect a comprehensive view of current challenges in online identity verification. This standard has been designed to proactively address the most common threats that can undermine the integrity of authentication processes. The first category of risk, counterfeit evidence, underscores the importance of protecting systems against attempts to tamper with documents and manipulated or false identity credentials that could be used for unauthorized access or fraud.
The second category, focusing on identity impersonation, emphasizes the need to prevent the misuse of legitimate identification evidence belonging to third parties, which could lead to fraudulent transactions or account usurpation.
However, the ETSI 119 461 standard is not limited to traditional risks. It also addresses operational risks that may arise in the identity verification process, such as communication failures, synchronization issues, or unexpected interruptions. In addition, it recognizes the risks of social engineering, including the psychological manipulation tactics attackers use to deceive users and obtain sensitive information.
The wide range of risks addressed in the standard demonstrates how ETSI 119 461 is a forward-thinking response to the ever-evolving threats in the field of identity verification.
By integrating these requirements into its processes and systems, TrustCloud demonstrates a total commitment to the security of its users and sets an exemplary standard in the industry for maintaining the integrity and reliability of its identity verification services.