ETSI certified IDV with Qualified Electronic Signature
Introduction
The EU regulatory landscape is challenging for organizations to navigate, with a patchwork of local regulations, eIDAS regulation, sector-specific guidelines and the continuously evolving threats of fraud.
Onfido offers a product package to help customers seeking compliance with specific AML regulations by providing Qualified Electronic Signature in combination with Onfido's ETSI certified identity verification services. In particular:
- ETSI TS 119 461
- ETSI EN 319 401
- eIDAS Regulation EU 2014/910
To learn more about the ETSI IDV standards and KYC in Europe, please see our certification announcement and the EU KYC requirements whitepaper.
Qualified Electronic Signature (our product package)
Getting Started
Qualified Electronic Signature is available through our early access programme. To enable this package on your account, you will need to contact your Customer Success Manager or Account Manager. Alternatively, contact Client Support.
Integration Requirements
For Qualified Electronic Signature, customers are required to integrate the following products and features within Onfido’s Real Identity Platform:
- Onfido Studio
  - Core Studio integration
  - Configuring ETSI certified IDV workflows
  - Configuring Qualified Electronic Signature and One-time Password tasks
  - Downloading the evidence folder after each workflow completion
  - Downloading the signed document and Trust Services Contract after each workflow completion
- Onfido Smart Capture SDKs and API (see version compatibility here)
Onfido Studio Integration
Onfido Studio is a tool for building, managing, and deploying identity verification journeys. Build workflows visually using our no-code Workflow Builder tool, in a format similar to flow charts or process diagrams.
Onfido Studio offers a number of benefits including:
- Automated, smart decision making through no-code workflows
- Customized and flexible user verification flows
- Scalability to new markets and user requirements
You will use Studio to build Qualified Electronic Signature compliant workflows for the different regulatory contexts you require.
Onfido generally recommends that clients configure and maintain separate workflows for each regulated IDV context, as requirements tend to differ from one country to the next. This will make it easier to maintain, analyse and optimise your workflow performance over time, while making the necessary changes to remain compliant.
To get started with your ETSI certified IDV with Qualified Electronic Signature workflow, select a template from the Template modal in the Workflow Builder. The templates have been designed for use in different countries, so select the template that best suits your needs, for example the "ETSI Certified IDV with QES and OTP for France 🇫🇷" template.
After selecting the template, your workflow will look similar to the one pictured below. You may then wish to add additional verifications, or make further changes as needed.
You can learn more about Studio here. For customers who have an existing Classic integration who want to implement Qualified Electronic Signature, the steps required to migrate to Studio are documented here.
Country-specific workflows
While not strictly required, Onfido generally recommends that customers configure and maintain separate workflows for each regulated country they operate in, as IDV requirements tend to differ from one country to the next.
This will make it easier to maintain and optimize your workflows over time, while making the necessary changes to remain compliant.
To help you get started, Onfido will provide you with a pre-approved workflow template that you can import into Studio.
Note: Templates are provided for guidance and informational purposes only. Check that they meet your regulatory or business needs in the context of your specific business case.
Language configuration
There are three configuration parameters that have a direct impact on the Qualified Electronic Signature capture task interface language:
- The SDK initialization language parameter, which determines the language of SDK text. You can find more information in our Web, iOS and Android reference documentation.
- The two Qualified Electronic Signature capture task input parameters:
  - Country of operation: this parameter sets the user acceptance screen texts for checkboxes, the Trust Services Contract, terms and conditions and privacy notice
  - Document to sign URL: this parameter indirectly sets the language of the document to sign
It is your responsibility to ensure these parameters are aligned to provide a unified language experience to the user.
Onfido Verification Suite
In addition to ETSI certified IDV required tasks, Qualified Electronic Signature compliant workflows should include the following Studio tasks:
- Qualified Electronic Signature capture task
- Qualified Electronic Signature verification task
- One-time Password capture task
- One-time Password verification task
Detailed information about each workflow task can be found by clicking the links above, or by reading our Qualified Electronic Signature report guide or our One-time Password report guide.
Signed document
For each completed Qualified Electronic Signature workflow, when all requisite checks have been cleared and the user has been issued a Qualified Electronic Certificate, Onfido will apply the user's Qualified Electronic Signature to the document the user has agreed to sign and make this available to clients.
Onfido customers must provide their users with the signed document and the Trust Services Contract those users accepted.
Signed documents are provided in PDF format and are signed using the PDF Advanced Electronic Signatures (PAdES) standard, which is eIDAS-compliant. This ensures that the file:
- has been signed by the user
- has not been modified following signature
How are signed documents downloaded?
See our API documentation: Retrieve Workflow Run Signed Document
How can the signature of a signed document be validated?
Signed documents are signed with a qualified certificate. To validate this signature, open the document in Adobe Acrobat Reader or a similar app that supports signature validation.
For Acrobat Reader, at the top of the document there should be a signature validation message saying: "Signed and all signatures are valid".
Clicking the "Signature Panel" will provide detailed information showing that the file has been signed by the user.
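For automated intake of downloaded documents, a structural pre-check can run before the file is archived. The following is an added example, not Onfido code: the function names and the sample bytes are constructed for illustration. It reads each signature's `/ByteRange` and reports whether the signed range reaches the end of the file, which is the property behind "has not been modified following signature". It performs no cryptographic validation and does not replace validation in a PAdES-aware tool.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
PADES_SUBFILTER = re.compile(rb"/SubFilter\s*/ETSI\.(CAdES\.detached|RFC3161)")


def inspect_signed_pdf(data: bytes) -> list:
    """Structural pre-check of every signature /ByteRange (no cryptography)."""
    findings = []
    for m in BYTE_RANGE.finditer(data):
        start, len1, off2, len2 = (int(g) for g in m.groups())
        in_bounds = start == 0 and 0 < len1 < off2 and off2 + len2 <= len(data)
        gap = data[len1:off2] if in_bounds else b""
        signed = data[:len1] + data[off2:off2 + len2] if in_bounds else b""
        findings.append({
            "byte_range": (start, len1, off2, len2),
            # The only bytes left out of the digest must be the hex /Contents value.
            "gap_is_contents": bool(re.fullmatch(rb"<[0-9A-Fa-f]+>", gap)),
            # False means bytes exist after the signed range (incremental update).
            "covers_whole_file": in_bounds and off2 + len2 == len(data),
            "signed_sha256": hashlib.sha256(signed).hexdigest() if in_bounds else None,
            "pades_subfilter": bool(PADES_SUBFILTER.search(data)),
        })
    return findings


def build_sample() -> bytes:
    """Constructed sample: PDF-like bytes with a dummy signature dictionary."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /ETSI.CAdES.detached /Contents "
    contents = b"<" + b"00" * 32 + b">"
    tail_fmt = b" /ByteRange [0 %10d %10d %10d] >>\nendobj\n%%%%EOF\n"
    len1, off2 = len(head), len(head) + len(contents)
    len2 = len(tail_fmt % (0, 0, 0))  # fixed-width fields keep the length stable
    return head + contents + tail_fmt % (len1, off2, len2)


if __name__ == "__main__":
    original = build_sample()
    appended = original + b"\n% bytes added after signing (constructed)\n"
    for label, blob in (("original", original), ("appended", appended)):
        print(label, inspect_signed_pdf(blob))
```

A signature that does not cover the whole file is not automatically invalid, since later timestamps or validation data are added as incremental updates. Treat it as a signal that the file needs full validation and a look at what follows the signed range.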
How long is the signed document stored for?
Onfido applies the same data deletion policy to signed documents as it does to Applicants and Checks, and will store the signed document for the lifetime of the applicant's data. Customers are responsible for retrieving the file via the relevant endpoints and storing it for as long as it is needed.
Evidence folder
For each completed identity verification workflow, whether approved or rejected, Onfido generates an evidence folder, a compressed directory which contains a signed and stored full audit trail (evidence file), as well as all collected media of the end-to-end IDV process performed through Onfido.
Clients are required to download the evidence folder from the verification and retain this information for the period required by applicable law in which the client operates. You can read more about the Evidence folder here.
Onfido Smart Capture SDKs & API Compatibility
To ensure the best performance, we highly recommend that customers use the latest versions of our Smart Capture SDKs and API.
Smart Capture SDKs
The following minimum SDK versions are required for Qualified Electronic Signature, and are subject to change over time to ensure compliance as regulatory requirements evolve:
- iOS 32.1.0 or above
- Android 21.2.2 or above
- Web 14.39.0 or above
- Flutter 8.0.0 or above
- React Native 13.2.0 or above
To authenticate the SDK when integrating ETSI certified IDV with Qualified Electronic Signature, customers must use SDK tokens obtained from the workflow run payload returned by the API when a workflow run is created, as documented here.
You can read more about the Smart Capture SDK here.
Onfido API
V3.6 or above. You can find the API reference here.
Additional Obligations
By integrating Qualified Electronic Signature, you will need to agree to and comply with additional terms alongside your existing client services agreement, including:
- You must inform your users, in a clear and comprehensive manner, of the precise terms and conditions provided by the Qualified Trust Service Provider governing use of Qualified Electronic Signature ("Trust Service Contract"). Onfido has embedded the Trust Service Contract into the SDK workflow.
- You must ensure that your users accept the Trust Service Contract prior to issuance of a Qualified Electronic Signature.
- You must provide your users with a copy of the Trust Service Contract accepted by them upon issuance of a Qualified Electronic Signature, as well as the signed document.
- You must ensure that you download and retain the evidence folder provided by Onfido for the period required by applicable law in which you operate.
- You must inform Onfido without delay of any situation of illegitimate use of qualified certificates; of any situation where the requirements under which the qualified certificate was issued are no longer met; and of any requests for revocation or suspension of qualified certificates.
Certification Process
Onfido's ETSI certified IDV product package has been certified by an EU-accredited Conformity Assessment Body (CAB) against the following EU standards and regulations:
- eIDAS Regulation (EU) 910/2014 Art. 24.1d - Remote identification service component
- ETSI EN 319 401 v2.3.1 - Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers
- ETSI TS 119 461 v1.1.1 - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects
Onfido achieved the comprehensive certification by completing an extensive audit process, meeting strict criteria which verify that the solutions adhere to the highest security, interoperability and assurance standards, and that Onfido is a mature, reputable and established provider.
Our certification allows Onfido to act as an Identity Proofing Service Provider (IPSP) for Qualified Trust Service Providers (QTSP) and means that customers conforming to AML requirements in Europe will be able to use our solution, in combination with other trust services, to operate across the EU.
If you require confirmation of this certification for audit or regulatory application purposes, we are able to share it with you. Please contact your Customer Success Manager or Account Manager.