ETSI certified IDV with Qualified Electronic Signature
The EU regulatory landscape is challenging for organizations to navigate, with a patchwork of local regulations, eIDAS regulation, sector-specific guidelines and the continuously evolving threats of fraud.
Onfido offers a product package to help customers seeking compliance with specific AML regulations by providing Qualified Electronic Signature in combination with Onfido's ETSI certified identity verification services. In particular:
- ETSI TS 119 461
- ETSI EN 319 401
- eIDAS Regulation EU 2014/910
Qualified Electronic Signature is available through our early access programme. To enable this package on your account, you will need to contact your Customer Success Manager or Account Manager. Alternatively, contact Client Support.
For Qualified Electronic Signature, customers are required to integrate the following products and features within Onfido’s Real Identity Platform:
- Core Studio integration
- Configuring ETSI certified IDV workflows
- Configuring Qualified Electronic Signature and One-time Password tasks
- Downloading the signed evidence file and associated media after each workflow completion
- Downloading the signed document and Trust Services Contract after each workflow completion
- Onfido Smart Capture SDKs and API (see version compatibility here)
Onfido Studio is a tool for building, managing, and deploying identity verification journeys. Build workflows visually using our no-code Workflow Builder tool, in a format similar to flow charts or process diagrams.
Onfido Studio offers a number of benefits including:
- Automated, smart decision making through no-code workflows
- Customized and flexible user verification flows
- Scalability to new markets and user requirements
You will use Studio to build Qualified Electronic Signature compliant workflows for the different regulatory contexts you require.
You can read more about Studio here. For customers with an existing Classic integration who wish to implement Qualified Electronic Signature, the steps required to migrate to Studio are documented here.
While not strictly required, Onfido generally recommends that customers configure and maintain separate workflows for each regulated country they operate in, as IDV requirements tend to differ from one country to the next.
This will make it easier to maintain and optimize your workflows over time, while making the necessary changes to remain compliant.
To get started more easily, Onfido will provide you with a pre-approved workflow template that you can easily import into Studio.
Note: Templates are provided for guidance and informational purposes only. Check that they meet your regulatory or business needs in the context of your specific business case.
There are three configuration parameters that have a direct impact on the Qualified Electronic Signature capture task interface language:
- The SDK initialization language parameter, which determines the language of SDK text. You can find more information in our Web, iOS and Android reference documentation.
The two Qualified Electronic Signature capture task input parameters:
- Country of operation: this parameter sets the user acceptance screen texts for checkboxes, the Trust Services Contract, terms and conditions and privacy notice
- Document to sign URL: this parameter indirectly sets the language of the document to sign
It is your responsibility to ensure these parameters are aligned to provide a unified language experience to the user.
In addition to ETSI certified IDV required tasks, Qualified Electronic Signature compliant workflows should include the following Studio tasks:
- Qualified Electronic Signature capture task
- Qualified Electronic Signature verification task
- One-time Password capture task
- One-time Password verification task
For each completed Qualified Electronic Signature workflow, when all requisite checks have been cleared and the user has been issued a Qualified Electronic Certificate, Onfido will apply the user's Qualified Electronic Signature to the document the user has agreed to sign and make it available to clients.
Onfido customers must provide their users with the signed document and the Trust Services Contract those users accepted.
Signed documents are provided in PDF format and are signed using the PDF Advanced Electronic Signatures (PAdES) standard, which is eIDAS-compliant. This ensures that the file:
- has been signed by the user
- has not been modified following signature
How do I download a signed document?
See our API documentation: Retrieve Workflow Run Signed Document
How do I validate the signature of a signed document?
Signed documents are signed with a qualified certificate. To validate this signature, open the document in Adobe Acrobat Reader or a similar app that supports signature validation.
For Acrobat Reader, at the top of the document there should be a signature validation message saying: "Signed and all signatures are valid".
Clicking the "Signature Panel" will provide detailed information showing that the file has been signed by the user.
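As an added example (not Onfido's code and not part of its documentation), the following Python pre-check could be run on a downloaded signed PDF before archiving it. It confirms that the file carries a PAdES signature dictionary whose byte range starts at offset 0, excludes only the signature value, and reaches the end of the file, so nothing was appended after signing. It checks structure only; cryptographic and certificate validation still require a PAdES validator such as Acrobat Reader. The function names and the sample bytes are constructed for illustration.

```python
import re

# SubFilter values defined by PAdES (ETSI EN 319 142-1) for signatures and document timestamps.
PADES_SUBFILTERS = {b"ETSI.CAdES.detached", b"ETSI.RFC3161"}
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SUB_FILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.]+)")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f\s]*>")


def inspect_signatures(pdf: bytes) -> list[dict]:
    """Structural findings for every /ByteRange in the file (no cryptography)."""
    findings = []
    for m in BYTE_RANGE.finditer(pdf):
        start1, len1, start2, len2 = map(int, m.groups())
        gap_start = start1 + len1
        gap = pdf[gap_start:start2]  # bytes excluded from the signed digest
        # Heuristic (assumption): /SubFilter sits within 1 KiB of the /Contents gap.
        near = pdf[max(0, gap_start - 1024):gap_start] + pdf[start2:start2 + 1024]
        sub = SUB_FILTER.search(near)
        findings.append({
            "subfilter": sub.group(1).decode() if sub else None,
            "is_pades": bool(sub) and sub.group(1) in PADES_SUBFILTERS,
            "starts_at_zero": start1 == 0,
            "gap_is_only_contents": HEX_STRING.fullmatch(gap) is not None,
            "covers_to_eof": start2 + len2 == len(pdf),
        })
    return findings


def structurally_sound(pdf: bytes) -> bool:
    """True if every signature is well formed and at least one covers the whole file."""
    sigs = inspect_signatures(pdf)
    return (bool(sigs)
            and all(s["is_pades"] and s["starts_at_zero"] and s["gap_is_only_contents"]
                    for s in sigs)
            and any(s["covers_to_eof"] for s in sigs))


def build_sample() -> bytes:
    """Constructed PDF-like bytes (not a real signed document) with a consistent ByteRange."""
    prefix = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /ETSI.CAdES.detached "
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    gap_start = len(prefix) + len(b"/ByteRange [0 0000 0000 0000] /Contents ")
    rng = b"/ByteRange [0 %04d %04d %04d] /Contents " % (
        gap_start, gap_start + len(contents), len(tail))
    return prefix + rng + contents + tail
```

A file that fails this check should not be archived as the signed original; a file that passes still needs full signature validation.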
How long is the signed document stored for?
Onfido applies the same data deletion policy to signed documents as it does to Applicants and Checks, and will store the signed document for the lifetime of the applicant's data. Customers are responsible for retrieving the file via the relevant endpoints and storing it for as long as it is needed.
For each completed identity verification workflow, whether approved or rejected, Onfido generates, signs and stores a full audit trail (evidence file) of the end-to-end IDV process performed through Onfido.
Clients are required to download the evidence file and all associated media from the verification and retain this information for the period required by applicable law in which the client operates. You can read more about the Evidence file here.
To ensure the best performance, we highly recommend that customers use the latest versions of our Smart Capture SDKs and API.
The following minimum versions are required for Qualified Electronic Signature, and are subject to change over time to ensure compliance as regulatory requirements evolve:
You can read more about the Smart Capture SDK here.
V3.6 or above. You can find the API reference here.
By integrating Qualified Electronic Signature, you will need to agree to and comply with additional terms alongside your existing client services agreement, including:
- You must inform your users, in a clear and comprehensive manner, of the precise terms and conditions provided by the Qualified Trust Service Provider governing use of Qualified Electronic Signature ("Trust Service Contract"). Onfido has embedded the Trust Service Contract into the SDK workflow.
- You must ensure that your users accept the Trust Service Contract prior to issuance of a Qualified Electronic Signature.
- You must provide your users with a copy of the Trust Service Contract accepted by them upon issuance of a Qualified Electronic Signature, as well as the signed document.
- You must ensure that you download and retain the evidence files provided by Onfido for the period required by applicable law in which you operate.
- You must inform Onfido without delay of any situation of illegitimate use of qualified certificates; of any situation where the requirements under which the qualified certificate was issued are no longer met; and of any requests for revocation or suspension of qualified certificates.
Onfido's ETSI certified IDV product package has been certified by an EU-accredited Conformity Assessment Body (CAB) against the following EU standards and regulations:
- eIDAS Regulation (EU) 910/2014 Art. 24.1d - Remote identification service component
- ETSI EN 319 401 v2.3.1 - Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers
- ETSI TS 119 461 v1.1.1 - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects
Onfido achieved the comprehensive certification by completing an extensive audit process, meeting strict criteria which verify that the solutions adhere to the highest security, interoperability and assurance standards, and that Onfido is a mature, reputable and established provider.
Our certification allows Onfido to act as an Identity Proofing Service Provider (IPSP) for Qualified Trust Service Providers (QTSP) and means that customers conforming to AML requirements in Europe will be able to use our solution, in combination with other trust services, to operate across the EU.
If you require confirmation of this certification for audit or regulatory application purposes, we are able to share it with you. Please contact your Customer Success Manager or Account Manager.