[Unofficial translation] RULES ON THE TECHNICAL REQUIREMENTS FOR VIDEO-BASED ELECTRONIC IDENTIFICATION DEVICES
Author: mag. Mateja Vraničar Erman l.r.; Secretary for finance
The translation was provided by dr. Igor Kolar (legal advisor at Ministry of justice of the Republic of Slovenia and GDPR expert from Blockchain Think Tank Slovenia).
Pursuant to Article 27 of the Prevention of Money Laundering and Terrorist Financing Act (Official Gazette of the Republic of Slovenia, №68/16), the Minister of Finance hereby issues the following RULES on the technical requirements for video-based electronic identification devices
These rules lay down the minimal technical requirements for video-based electronic identification devices and the procedure for their use for determining and verifying the identity of a customer as part of the customer due diligence process by obliged persons under Article 4 of the Prevention of Money Laundering and Terrorist Financing Act [The AML Act].
For the purposes of these Rules:
1. »video-based electronic identification« shall mean the procedure for determining and verifying the identity of a customer using video-based electronic identification devices, as part of the customer due diligence process;
2. »screen capture« shall mean the graphical representation of the contents of the screen (the visual part of the video-based electronic identification process), prepared and saved in electronic form and of the appropriate quality for the purposes of verification and storage;
3. »official personal identification document« for the purposes of video-based electronic identification shall mean an official personal document with a biometric photograph as well as additional optical and other security markings that qualify at least as identical to holographs or markings that change their appearance with the movement of the document and can thus be clearly identified and verified during the screen capture;
4. »biometric photograph« from point 3 shall mean a photograph subject to the requirements laid down by the Ministry of internal affairs as required for the issuance of biometric passports, personal documents or drivers’ licenses regarding the format, brightness, sharpness, contrast and the quality of the photograph, position of the head, facial expression, eyes, direction of view, and the use of glasses and hats.
(qualifications of the provider)
(1) The person conducting video-based electronic identification on behalf of the obliged person must be adequately trained and capable.
(2) Adequate training entails at the very least:
- familiarity with legislation on the prevention of money laundering and terrorist financing and on the protection of personal data;
- understanding of the technical requirements and the functioning of devices for video-based electronic identification;
- familiarity with the features of official personal documents;
- familiarity with the practical application of video-based electronic identification, including the verification of the security features of official personal documents and/or the use of appropriate software for such verification, determination of authenticity of the gathered data and detection of oddities and inconsistencies in the behaviour of the clients subjected to video-based electronic identification.
(3) The obliged subject or the person conducting video-based electronic identification on their behalf shall document the qualification process in such a manner as to allow for its later verification.
(1) Video-based electronic identification shall be conducted in a designated room that is separate from the other rooms of the obliged person or the person conducting video-based electronic identification on their behalf.
(2) Access to the designated room shall be continuously monitored and allowed only to persons tasked with video-based identification.
(prior consent of the customer)
(1) At the start of the video-based identification procedure, the customer shall be asked to provide express consent to the procedure, as well as separate consent for the creation and storage of the audio recording and for the creation and storage of screen captures depicting their person and their official personal document.
(2) The validity of the consent under the previous paragraph shall be subject to the conditions for the validity of consent under Article 7 of [the GDPR].
(3) If the customer does not provide consent as required by this Article, the video-based identification process shall be terminated and the customer shall be referred to conduct identity verification under one of the other means allowed by the AML Act.
(1) Personal data, documentation and screen captures created using the video-based identification procedure shall be collected and processed for the purpose of prevention and detection of money laundering and financing of terrorism, and shall fully conform to the rules laid down in Articles 31, 127 and 128 of the AML Act, which determine the use of personal data, documentation and screen captures as well as the obligations of providing the required notices regarding the processing of personal data to the customer.
(2) The obliged person and/or the person conducting a video-based electronic identification process shall store the data from the previous paragraph in conformance with the rules of Article 129 of the AML Act.
(organizational and technical requirements)
(1) Video-based electronic identification shall be conducted using video-based electronic identification devices that allow for the transfer of video and audio in real-time and without interruptions.
(2) The audio of the entire conversation with the customer, or at the very least the part of the conversation conducted as part of the video-based electronic identification process, must be recorded.
(3) Video-based electronic identification shall be conducted using the appropriate technical equipment allowing for encrypted video transfer along the entire communications path (end-to-end encryption), so as to prevent the interception of the video traffic. Encryption is to be done using encryption and key management algorithms with no known security vulnerabilities and using encryption keys of the appropriate lengths.
(4) All data acquired during the video-based electronic identification process shall be adequately protected to prevent unauthorized access or use.
(5) The quality of the transferred video and audio must be sufficient to allow for the unambiguous determination and verification of the identity of the customer.
(the verification process)
(1) During the video-based identification process, [several] screen captures must be made, clearly showing:
1. the face of the customer undergoing the verification process;
2. the front side of the customer’s personal identification document, or if the relevant data is on some other side, the side holding that data;
3. the back side of the customer’s personal identification document, or if the relevant data is on some other side, the side holding that data.
(2) The video captures must be of sufficient quality to allow for the complete and unambiguous identification of the customer and the information presented on their personal identification document.
(3) The customer undergoing video-based identification shall, at the request of the person conducting the video-based electronic identification, move their head in various directions and read the complete serial number of their personal information document, so as to allow for the verification of the photo and other data contained in the official personal identification document.
(4) The person conducting video-based electronic identification must take the following steps to verify the authenticity of the official personal document and the data contained on it:
1. visually checking for the presence of optical security features of the document, including holographic and other equivalent security features (i.e. security threads, variable colours and similar), and ensuring that these features are still clearly visible while the document is being flipped both horizontally and vertically;
2. verifying the formal markings on the official personal document (graphic design, font size, font spacing, choice of typography and so on);
3. verifying any customer data the obliged person might already have against the data on the official personal document;
4. verifying the validity of the official personal document and of its alphanumerical serial number;
5. visually checking the document for signs that the photo might have been changed, that the laminate surrounding the official personal document is not damaged, and that there are no security features visible that would indicate the document has been damaged;
6. checking the logical consistency of the data on the document (e.g. the validity of the dates of issuance and expiry, that the date of birth is correct, the consistency of the data, etc.).
(5) The verification of the optical security features and formal marks of the official personal documents from points 1 and 2 of the previous paragraph may be conducted with the aid of an appropriate software solution.
(6) The person conducting the video-based electronic identification process shall verify that the customer’s photo, their personal description (if available) and other data on the official personal document match the customer that initiated the video-based electronic identification, and that they are logically consistent (e.g. by comparing the appearance of the customer in the video transmission with their photo in the official personal document, or by comparing other data in the official personal document with any other data that the obliged person might already have access to).
(7) The person conducting video-based electronic identification shall verify that the customer has a valid reason for choosing a video-based identification procedure, and shall make sure that the customer had not done so due to the undue influence of third parties. In doing so, they shall take into account the customer’s response to the questions as well as their general demeanour during the identification process.
(unique identification number)
(1) The person conducting the video-based electronic identification shall send the customer, via email or SMS, a special and unique identification number that has been centrally designated to be used in this very video-based electronic identification process.
(2) The customer shall upon receipt of the identification number relay that number back to the person conducting the video-based electronic identification process by using the video link.
(3) The successful receipt of the unique identification number concludes the video-based electronic identification process.
(obligation to terminate the video-based electronic identification)
(1) Unless otherwise provided in paragraph two of this Article, the video-based electronic identification process shall immediately be terminated if:
1. poor lighting or audio conditions on the side of the customer or the poor quality of the transmitted video or audio prevent the identification and the verification of the customer;
2. it is not possible to prepare a screen capture of adequate quality to allow for the visual verification of the customer or their official personal document and the data contained in that document;
3. any mismatches or other inconsistencies are found during the verification of the authenticity of the official personal document;
4. doubt exists regarding the identity of the customer;
5. there exists a possibility of undue third party influence on the expressed will of the customer and therefore the validity of the consent they provided.
(2) Where cases under points 4 or 5 of the previous paragraph or under Article 17 of the AML Act arise, the obliged person shall continue with the identification process and shall, once having completed it, determine whether circumstances exist that would mandate the notification of the incident to the national AML authority under Article 69 of the AML Act.
(using a third party provider)
(1) If the obliged person uses a third-party provider to conduct the video-based electronic identification process, they shall be responsible for ensuring that the third-party provider implements all the necessary security measures laid down in these Rules. The responsibility to ensure compliance with the provisions of these Rules remains with the obliged person.
The obliged person must act with due care while contracting, conducting, or terminating their relationship with the third party provider, and must specify the obligations of the third party provider in writing. In doing so, the obliged person must also take into account the requirements of the General Data Protection Regulation regarding the use of processors.
(2) The fact that video-based electronic identification was contracted out to a third party shall not adversely affect the quality of the obliged person’s internal controls or disrupt the inspection processes of the respective regulatory agencies.
(entry into force)
These rules enter into application on the next day after publication in the Official Journal of the Republic of Slovenia.
Ljubljana, on May the 4th 2018