Regulatory compliance for identity verification in Europe: it’s important, it’s mandatory, and… it’s complex.
The European regulatory landscape is rapidly changing — with harmonization firmly in mind. However, with Member States empowered to interpret delivery, and eIDAS 2.0 and expected European Banking Authority (EBA) updates arriving soon, know your customer (KYC) compliance in the EU still has a long way to go before it resembles the dream of ‘ever closer union’ to facilitate harmonious business expansion into new markets.
Let’s start with a little background on EU regulations, before diving into where things are headed, and what this means for identity verification.
The three components of EU regulations
There are three key components which make up the EU regulatory landscape:
Regulations are the legal skeleton and framework for implementation, such as eIDAS, eIDAS 2.0, the AML directive and regulation, and the EBA guidelines. These are a mix of enabling, prohibitive, binding and non-binding rules, regulations, and guidelines that apply across all EU Member States. They are the principal driving force toward regulatory harmonization across Europe. See more on each below.
Alongside regulations are the technical standards, putting meat on the bones of those broadly technology-agnostic regulations. Legislating, particularly at the EU level, takes a very long time to come together (eIDAS 2.0 for example, has been four years in the making), and so to be effective in the face of rapid technological change, that legislation is written to be adaptable, rather than reflecting a moment in technological time.
Standards are more easily adapted over time, meaning harmonized and interoperable solutions can be developed that meet a common framework for technical compliance across the life cycle of the regulation.
As far as regulations and technical standards go for harmonization, so far so good, right? We’ve got a uniform regime in place, until domestic legislation comes into play.
However, because of the way the EU is constituted, Member States ‘clothe’ these harmonized EU regulations and standards to accommodate their own domestic legislative and regulatory regimes. For example, France’s answer to eIDAS — PVID — requires certification within France (rather than demonstrating compliance with the EU regulation) and is not replicated anywhere else in the Union.
This leads to significant divergence.
Let’s dive more into that landscape in its current form, give you insight into the future direction, and outline how businesses can adapt and find the right partner to meet their compliance obligations at the EU and Member State level.
Where EU compliance regulation is today
eIDAS dates from 2014 and established the pan-European framework electronic ID, qualified electronic signatures and trust services, which must comply with eIDAS under the supervision of a relevant supervisory body of an EU member State.
The second version updates eIDAS, embracing new types of electronic trust services such as certificates of authentication for electronic documents, and sets requirements for eIDAS high-level security standards and obligations. Crucially it also establishes the EU Digital Identity Wallet (EUDI), to be recognised EU-wide by all businesses operating in the EU. Member States have 30 months from entry into force to not only provide their citizens with an EUDI wallet, but also be able to recognize those of every other Member State (mid-2026 at the earliest).
These are a series of directives and regulations providing a pan-European framework for anti-money laundering and counter-terrorist financing. They set out enhanced KYC and customer due diligence (CDD) requirements to identify ultimate beneficial ownership, politically exposed persons (PEPs), and conduct enhanced due diligence (EDD) for high-risk countries.
EBA guidelines for remote customer onboarding
These support the delivery of AML, setting out common EU standards for risk-sensitive initial customer due diligence policies, processes and governance, and the requirement for financial institutions when choosing remote customer onboarding tools to ensure compliance with AML/CTF regimes.
Learn more with our experts in this on-demand webinar: Harmonization or Fragmentation? Strategies for successful EU compliance.
Where EU regulatory compliance is headed
Despite these attempts for greater harmonization, the EU operating environment is becoming even less aligned for a number of reasons:
Why EU regulation is so complex:
- EU laws still sit above fragmented national regulatory regimes for regulated sectors, ID requirements, and recognition of domestic standards.
- Member States have a significant degree of autonomy in the implementation of EU regulations and guidance, allowing significant divergence — national laws implementing the EBA guidelines will be the latest manifestation of this divergence.
- Old methods persist: eIDs and EUDI will have slow implementation and uptake so multiple legacy products and verification methods will exist in tandem from the most modern (EUDI) to traditional face-to-face/ in-branch verification.
What this means for identity verification
Adaptable identity verification (IDV) solutions that can comply with divergent practical and regulatory requirements across jurisdictions are crucial to regulated businesses seeking to do business across Europe.
Your choice of IDV partner should be a global provider who is proficient in the challenges of multi-jurisdictional compliance and able to respond to them.
Today, we have a multitude of methods for verification, from eID, video, and Qualified Electronic Signature (QES) to traditional face-to-face as part of the digital identity verification ecosystem. The long-term goal of eIDAS 2.0 is to push the overwhelming majority of EU consumers into using EU digital identity via the wallet, and for regulated entities to accept the EUDI as the primary means of ID and credential verification within the EU.
But in the interim, we can see a proliferation of those existing methods of verification persisting alongside both the EUDI and with the piecemeal use of its component elements as well (such as enhanced biometrics, reusable cloud-based identities, etc) across different regulatory environments, providers, and consumers.
So, what should you look for when selecting an onboarding compliance service?
How to choose an identity verification partner for EU regulatory compliance
The risk and cost of non-compliance are too high to implement solutions that don’t meet requirements. Standards are critical to helping you select the right solution, and recent standards for identity proofing are a good thing for the crowded IDV space since they allow businesses to distinguish between high and low-quality solutions.
Check the certifications carried by an identity verification partner you choose.
Quality of service
If you use a compliant solution that provides a bad user experience or only covers only a small portion of your customer’s scope, you will lose a significant portion of your business.
Primarily, the solution needs to provide global coverage to support all customers. This means document type and document issuing countries that are supported, with a demonstrated level of performance.
Capture experience is a key selection criteria. Businesses (and identity providers like Onfido) have a responsibility to create a verification experience that any good customer can get through with minimal friction on the first attempt. This benefits both the customer — who’ll have a great experience — and the business — who’ll see less drop-off. For example, Onfido SmartCapture makes it easy with a great UI, real-time feedback to prevent blur and glare, accessibility functions, cross-device functionality, and easy out-of-the-box integration for your business. All of that, with advanced fraud detection signals built right in.
Flexibility and scalability
In our field, regulations and technologies are moving fast. To preserve your competitive advantage, you need to quickly launch new products and services. Choose a partner who can support your expansion to new markets and stays on the cutting edge of technology, regulations and market trends.
Onfido’s Compliance Suite for your regulatory needs
Meet complex local regulatory needs with an off-the-shelf solution. Onfido’s Compliance Suite is an all-in-one compliance solution to help businesses meet complex local regulatory needs through a single platform. Combining Onfido’s core ETSI-compliant identity verification solution with new support for Qualified Electronic Signature (QES) allows businesses to create a flexible and compliant end-to-end workflow for onboarding, and unlocking growth opportunities across Europe.
Now, with QES and One-time Password (OTP) Onfido delivers an end-to-end identity proofing solution for Europe. This powerful combination offers AML/CFT-regulated businesses a simple, eIDAS-compliant way to scale and remotely onboard users in multiple geographies in an otherwise complex regulatory environment. The pan-EU offering has recently passed the conformity assessment body (CAB) audit, which thoroughly assesses compliance for market access, ensuring trust and security in an increasingly digitized world.
Address regulation with confidence, build a high-performing, seamless onboarding experience that converts through a single, unified UX, and future-proof your business with the ability to scale across Europe with IDV that doesn’t lock you into one market. All with advanced fraud protection and a great customer experience.