
02 Apr 2024

Legal news

IT and communication law

Public law

Conditions for qualification of Remote Identity Verification Providers

The qualification of Remote Identity Verification Providers ["Prestataires de Vérification d'Identité à Distance (PVID)"] is provided for in j) of article 6 of Sovereign Order No. 8.504 of 18 February 2021 implementing article 24 of Law No. 1.435 of 8 November 2016 on the fight against technological crime, amended by Sovereign Order No. 10.350 of 25 January 2024. Since this amendment, the Director of the Monegasque Digital Security Agency (AMSN) has also been responsible for k) the qualification of Secure Administration and Maintenance Service Providers ["Prestataires d'Administration et de Maintenance Sécurisées (PAMS)"] and l) the qualification of Information Systems Security Support and Consultancy Service Providers ["Prestataires d'Accompagnement et de Conseil en Sécurité des systèmes d'information (PACS)"].

A remote identity verification service has the same purpose as a face-to-face identity verification service, i.e. to verify that the identity document presented by the user is genuine and that the user is the legitimate holder of the identity document.

The PVID qualification attests to the high level of effectiveness in the fight against identity and document fraud (identity theft or alteration).

Ministerial Decree no. 2024-164 of 22 March 2024 (JDM no. 8688 of 29 March 2024) sets out the conditions for issuing the PVID qualification.

Examples of cases where a PVID may be used include the creation of a qualified electronic signature, the opening of online financial accounts, secure digital customer onboarding (the process of entering into a remote relationship), etc.

* * *

¤ Qualification is awarded by the Director of the AMSN after the service provider's compliance with the requirements of the French PVID standard published by the Agence Nationale de Sécurité des Systèmes d'Information (ANSSI) has been verified by a body recognised by the ANSSI as competent to assess PVIDs.

The French PVID standard can be downloaded from the French website > https://cyber.gouv.fr/sites/de....

The list of organisations recognised by ANSSI to assess PVIDs is available on the French website > https://cyber.gouv.fr/voir-les....

The two levels of guarantee provided for by the said standard attest to remote identity verification that meets the security objectives defined by the eIDAS Regulation (EU):

  • the substantial guarantee level aims to substantially reduce the risk of identity theft or alteration. The service must guarantee equivalence in terms of reliability with a face-to-face meeting carried out as part of access to a public or private service requiring proof of identity (for example, by a person with general training in comparing faces and detecting altered or falsified identity documents, but who does not have any sophisticated tools). The service must be resistant to an attacker with a moderate attack potential;
  • the high level of guarantee aims to prevent the risk of identity theft or alteration. The service must guarantee that it is equivalent in terms of reliability to a face-to-face physical check carried out as part of the process of issuing an identity document (e.g. carried out by a person trained in the fight against identity fraud and equipped with specific tools for confirming the authenticity of identity documents and trained in face comparison). The service must be resistant to an attacker with a high attack potential.

The standard formulates requirements applicable to PVIDs, whether the remote identity verification services are asynchronous (the identification data verification phase is carried out at a different time from the identification data acquisition phase), synchronous with human interaction (allows interaction between the user and the operator during the identification data acquisition or verification phase, for example, an operator guides the user during the acquisition of identification data), synchronous without human interaction, internal or external.

The standard does not cover:

  • remote identity verification of legal entities or the link between natural persons and legal entities;
  • remote identity verification based on mechanisms other than face comparison;
  • verification of additional data acquired by the remote identity verification service (data transmitted to the business service in the remote identity verification result but on which no verification is performed within the scope of the standard).

¤ The assessment of a PVID requires three areas of expertise:

  • conformity assessment;
  • computer testing of the effectiveness of the service in terms of biometrics;
  • physical testing of the effectiveness of the biometric component of the service.

An applicant service provider may choose several recognised assessment bodies in order to cover all the required areas of expertise.

¤ The Director of the AMSN may, after hearing the interested party's explanations or after the party has been duly called upon to provide them, suspend for a specified period or even withdraw the qualification of remote identity verification service provider in the event that the aforementioned set of requirements is no longer complied with.
