Identity verification (IDV) is fast-developing to meet heightened customer expectations of digital access and better combat sophisticated identity fraud. In a short 10 years we’ve moved from regulated industries conducting verification in person (in a branch or store) to identity proofing being 100% remote by default — with users verifying identity documents and biometric data via their smart device or computer.
As new identity technologies emerge, regulations have had to quickly adapt, and Europe is leading the way. The European Union has recently updated or is in the process of updating a number of pivotal know your customer (KYC) and anti-money laundering (AML) regulations, including eIDAS and AMLD, both of which impact which identity verification technologies businesses are able to use. Increasingly, these guidelines and regulations are directly or indirectly pointing to external technical standards as a reference for product performance, processes, and policies of identity providers — that’s where ETSI comes in.
What are the ETSI standards for identity proofing?
The European Telecommunications Standards Institute (ETSI) produces “globally applicable standards for ICT-enabled systems, applications and services deployed across all sectors of industry and society.” In 2021 ETSI released a technical standard related to identity verification:
- ETSI TS 119 461: describes standards for the management and operation of a solution, and identity proofing service requirements.
- ETSI EN 319 401: describes standards for electronic signatures and infrastructures to support the eIDAS regulation.
Conforming to ETSI for IDV requires an extensive audit process covering product performance and functionality. Products must meet specific criteria that prove they meet the required standards of security, interoperability and assurance. ETSI also assesses the maturity of the provider to ensure they have robust processes in place to support their customers and end users.
The benefits of ETSI identity proofing compliant solutions
ETSI standards are not yet fully embedded within regulations across the entirety of the EU. Many Member States still have their own local regulation that is yet to be updated to make reference to ETSI. However, partnering with an ETSI IDV compliant provider still has a number of important benefits for businesses offering, or planning to offer regulated services:
Alignment with EU regulations
ETSI standards, including ETSI EN 319 401 and ETSI TS 119 461, align with EU regulations such as the General Data Protection Regulation (GDPR) and the eIDAS Regulation. By adhering to the recommended protocols and guidelines, you can demonstrate your commitment to protecting personal data, and gaining the trust and confidence of your end-users while avoiding potential penalties associated with non-compliance.
These standards signify a higher level of security for online ID verification processes. ETSI standards encompass robust authentication measures, secure storage of personal data, and adherence to encryption protocols. ETSI certified providers are also assessed on business maturity, for example showing they have dedicated teams for security, and processes in place around change and risk management. By partnering with a provider that prioritizes security, you can minimize the risk of identity theft, data breaches, and fraudulent activities, safeguarding your business and your end-users' sensitive information.
Seamless user experience
A provider that adheres to ETSI standards strives to offer a seamless and user-friendly experience during the identification verification process. ETSI EN 319 401, in particular, focuses on conceptual models and standardized terminology, ensuring clear communication among stakeholders. By partnering with a provider that implements these standards, you can offer a streamlined onboarding experience to your customers and reduce friction.
Interoperability and cross-border transactions
ETSI standards promote interoperability between different EU Member States. Partnering with a provider that complies with ETSI TS 119 461 and ETSI EN 319 401 enables efficient cross-border transactions and verification processes. This means solutions are built to integrate with the broader technical ecosystem, and that individuals from various EU countries can easily and securely verify their identities when accessing your services.
Trust and reputation
Choosing a provider that meets ETSI standards minimizes reputational risk, since the provider is audited against policy and process as well as product performance. An ETSI certified IDV provider needs to have robust processes, giving customers peace of mind that their vendor is of a certain maturity.
Who does the ETSI standards for identity proofing?
ETSI standards for identity proofing continue to be integrated into various European guidelines and legislation. Currently, they are referred to specifically by the eIDAS framework that seeks to harmonize identity proofing and trust services across the EU, the EU AML directives, and EBA (European Banking) guidelines. This means that ETSI applies to a large number of regulated industries, including financial services, insurance, and gaming — with the scope rapidly increasing. However, unregulated businesses still benefit from using an ETSI certified IDV solution that adheres to industry best practice, meets benchmarks for product performance, and provides a mature level of support.
Our guide looks at the regulations and standards that impact KYC, how we expect them to change, and key considerations for businesses conducting KYC.
What actions should businesses take to be compliant with the ETSI identity verification standard?
Businesses should assess the regulatory landscape and identify how developing standards are likely to affect them. Until changes to the AML directives are in place (likely towards the end of 2026) countries can still retain their own accredited national IDV schemes. Therefore businesses should identify partners who can meet both short and long term requirements — two key metrics that will help inform this decision are:
- Product performance
- The ability of a solution to accurately verify a customer identity while providing an excellent user experience with high pass rates, and quick turnaround times.
- Legal and standards compliance
- ETSI technical standards for IDV are becoming increasingly integral to this, and will likely become fundamental to compliance.
Partnering with Onfido to navigate EU compliance
In the EU's digital landscape, where secure and reliable online ID verification is crucial, selecting a provider that meets ETSI standards offers numerous benefits. From enhanced security and compliance with regulations to a seamless user experience and improved reputation, these standards provide a solid foundation for reliable identification verification processes. As technology standards and IDV methods are harmonized across the EU, ETSI compliance will become more and more important.
At Onfido, we’re committed to meeting long-term compliance requirements both inside and out of the EU. We’re certified to the following standards, which means institutions and businesses can use Onfido’s ETSI certified identity verification in any EU market in combination with other compliant products or trust services to achieve local regulatory compliance:
- Remote identification service component (according to Regulation (UE) 910/2014 Art. 24.1d).
Additional applicable standards and regulation:
- Commission Implementing Regulation (EU) 2015/1502
- Romanian specific regulation (Decision no. 564/2021)
- ETSI EN 319 401 v2.3.1
- ETSI TS 119 461 v.1.1.1