The decision of the Authority for the Digitization of Romania (ADR) no. 1119 of November 24, 2021.
We mention that the provisions will enter into force one month from the date of publication, respectively on December 24, 2021.
The document sets out the minimum technical and security requirements for regulating, recognizing, approving or accepting the remote identification procedure using video means by identification service providers, as a form of “electronic identification” as defined in the eIDAS Regulation.
According to the Norms, the identification of the person remotely by video means represents the process of identifying and verifying the identity of the natural person, based on the presented documents, the captured images and / or the information communicated by the natural person, using video means.
The activity of identifying the person remotely by video means by the profile service providers, registered in Romania, can be performed only after obtaining the approval issued by the Romanian Digitization Authority. ADR will issue the approval according to the model in annex no. 4 of Decision 564/2021, within 30 calendar days from the submission of the complete documentation.
According to the normative act, the identification of the person at a distance using video means is done with the help of a system. To verify the identity of the person remotely using video means are used both identity documents, whose image is captured through video, and data or information obtained from credible and independent sources, insofar as they are available, including on the basis of agreements / partnerships between public or private institutions and providers of identification services, for example: databases of public sector bodies, private databases containing information from public authorities, audit reports, tax documents, account statements, etc.
The consultation of data sources is carried out in compliance with the applicable data protection requirements for the personal information of the data subject, respectively of the person subject to remote identification by video means, prior to performing a data processing activity.
It is forbidden to use the data / information obtained by the identification service providers in the process of identifying the person remotely by video means from various sources for other purposes, without informing / agreeing the person or other legal provisions in this regard.
The normative act stipulates, among other things, that payment service providers, credit institutions and non-banking financial institutions wishing to use video means to identify remote customers, in compliance with the applicable legal requirements in preventing and combating money laundering and terrorist financing, have the obligation to notify ADR 30 days before the use of video means to identify remote customers
The notification will be accompanied by the following documents:
- description of the technical solution and of the equipment used in the process of identifying the person at a distance using video means (may be included in the documentation for approving the financial payment instrument with remote access);
- audit report specifying compliance with the requirements of these rules, prepared by an auditor from the list of IT auditors published on the Authority’s website (references to identification using video media may be included in the audit report prepared for the instrument’s approval) financial payment with remote access);
- a third party liability insurance policy, amounting to 100,000 euros, to cover the damages caused by the incorrect identification of the client (the insurance policy must be valid / renewed for the entire period that the payment service provider uses the method identification of the person remotely using video means);
- the declaration of the legal representative that the payment service provider has policies and procedures for identifying and reducing the risk associated with the identification method, including specialized personnel in accordance with the provisions of Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for the modification and completion of some normative acts, with the subsequent modifications and completions;
- the list of standards recommended by ETSI and the European Commission, if they have been defined at EU level, on the basis of which the video identification is made;
- a statement on the own responsibility of the legal representative of the payment service provider showing that the provider has adopted and implemented procedures regarding the protection of personal data in the process of identifying the person remotely using video means, in accordance with the legislation in domain.
It is important to note that if the payment service provider, credit institution or non-bank financial institution will use, to identify the person remotely using video means, services and / or systems / processes provided by a third party verification of the identity of a qualified trust service provider, will submit instead of the aforementioned documents a copy of the contract concluded with the third party / trusted service provider, as well as the declaration of the legal representative that it has internal policies and procedures regarding their use.
If the technical solution used by the payment service provider, credit institution or non-bank financial institution to identify the person remotely using video means is used by a trusted service provider for the purpose of providing qualified reliable services, it is it is mandatory for the payment service provider, credit institution or non-bank financial institution to submit to the Authority the conformity assessment report of the solution, prepared by a conformity assessment body, in accordance with the provisions of the eIDAS Regulation.
In the process of verifying the identity of the person remotely using video means, the services provided by third parties based on a contract can be used.
The third party who identifies the person remotely using video means on behalf of another entity is obliged to comply with the provisions of these rules.
The list of third parties who can remotely identify the person using video means will be managed by the Authority and published on its website.
The contract for the provision of remote identification services using video means, concluded by a third party with public or private entities, will contain clauses regarding the modalities of compensating the injured persons, in case of a possible damage.
The procedure regarding the registration / deletion of third parties in / from the list of third party verification, as well as the registration requirements is detailed in annex no. 3 of the ADR Decision 564/2021.
Decision ADR 564/2021 stipulates that remote identification using video means can be performed by automated means of verification, without a human operator, or by means of verification with a human operator.
Remote identification using video equipment made with a human operator can only be performed by trained personnel. The persons who have attributions and responsibilities in the process of identifying the person at a distance using video means will benefit or will be obliged to attend professional training courses or annual training programs, organized externally or internally. The training of the personnel designated for the remote identification of the person using video means is the responsibility of the legal representative of the identification service provider or of a person designated by the legal representative in this respect.
The attributions and responsibilities of the personnel who carry out the identification of the person at a distance using video means will be established by an administrative act of the person who has the competence of appointment and will be provided in the job description. Remote identification using video means made by automated means of verification, without human operator, will use digital means in accordance with the standards in force, the provisions of these rules regarding trained personnel or human operator not applying in this case.
In the process of identifying the person remotely using video means are allowed only the identity documents, clearly identifiable and within the validity period, issued by a competent public authority.
We mention that these documents are specified in the Methodological Norms.
When verifying the identity documents, the following aspects will be taken into account, but not limited to them:
- the condition of the identity document, ensuring that it is not damaged or has no detectable elements of forgery;
- the existence of optical / visual security elements, as the case may be;
- to ask the person who goes through the remote person identification procedure using video means to tilt the document horizontally and / or vertically in front of the video identification device;
- verification of at least three security elements from different categories;
- checking other elements, if necessary, such as: document format, font size and spacing and typographic font, depending on the type of document analyzed;
- checking the content of the individual characteristics found in the document, namely, comparing the primary and secondary photographs – the photo taken with laser printing with the ghost one (monochrome).
When verifying the person’s identity, the following aspects are taken into account, but not limited to them:
- to ensure that the photograph and the elements inscribed on the identity document correspond to the person who goes through the procedure of identifying the person at a distance using video means;
- to ensure that the information contained in the identification document is correct and valid, in relation to the person who goes through the procedure of identifying the person at a distance using video means;
- to ensure that the information provided by the person who goes through the procedure of identifying the person remotely using video means is correct;
- the type and sequence of questions asked in the identification process cannot be identical in the consecutive identification sessions, if applicable, in the absence of the information mentioned in letter a), b), c) or f);
- in case the remote identification of the person by video methods is done automatically, the requests or video sequences must contain a random element in order to prevent the risk of pre-recording the remote identification process by video methods;
- to cross-check the information provided by the person who goes through the procedure of identifying the person remotely using video means and the information resulting from the automatic calculation of the reading of MRZ characters, when possible;
- to request, if necessary, other documents and / or information through which to verify the identity.
During the process of identifying the person remotely using video means, it is mandatory to use an additional authentication factor, by sending to the person who goes through the procedure of identifying the person remotely using video means a one-time code (One Time Password – OTP) or by sending a link with a limited duration, specially created for this purpose, generated individually (by e-mail or SMS).
The remote person identification procedure can be completed only if the OTP transmission and validation has been completed or only if the link transmission and access has been completed.
The entire process of identifying the person remotely using video means, in all its stages, must be recorded and stored. All audio-video recordings, data and information related to the respective process of identifying the person will be kept in a form allowed in court proceedings.
Transitional measures:
Providers of remote identification services by video means have the obligation to comply with their obligations under these rules within 240 days from the date of their publication in the Official Gazette of Romania, Part I.
Transitional measures: Legal basis: Decision ADR 564/2021 for the approval of the Norms regarding the regulation, recognition, approval or acceptance of the procedure for identifying the person remotely using video means.