Compliance & Regulations

General Data Protection Regulation (GDPR)

What is it?

GDPR is an EU regulation that requires organisations to protect the personal data and privacy of individuals in the EU. It applies to any organisation, inside or outside the EU, that processes the personal data of people in the EU in connection with offering them goods or services, and non-compliance can cost companies dearly.

Who is Impacted:

Any company that collects data on individuals in European Union (EU) countries must comply with strict rules around protecting that data from May 25, 2018, the date the regulation became enforceable. Online identifiers such as an individual’s IP address or cookie data count as personal data and need the same level of protection as a name, address or national identification number.

Impact on Identity Verification:

For many industries, companies need to establish trust in digital identity verification solutions that can guarantee “the person claiming a particular identity is in fact the person to whom the identity was assigned.” This imposes strict requirements on the vendor that handles the personal information involved, including images of government-issued IDs, biometric data and other personal information. GDPR states the principle directly:

“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” (Article 5(1)(f) GDPR)

Beyond the secure handling of personal data, there are additional obligations when the outcome of a verification is a decision with legal or similarly significant effects for the individual, such as the “automatic refusal of an online credit application or e-recruiting practices” (Recital 71 GDPR). Where such a decision is based solely on automated processing, the controller must preserve the data subject’s right “to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision” (Article 22(3) GDPR). A fully automated verification flow that offers no route to human review therefore does not comply.


How Jumio Can Help
Jumio is GDPR compliant and can help companies meet their GDPR obligations by May 2018.

GDPR defines two roles for organisations that handle personal data: controllers and processors.
  • Controllers determine why and how personal data is processed; they collect, process and store the data and effectively "own" the relationship with the data subject.

  • Processors handle personal data on behalf of a controller, essentially as sub-contractors, and may process and store it only on the controller's documented instructions.

Controllers carry additional required measures, processes and documentation obligations. Jumio acts as a data processor for its customers.

Jumio is also PCI DSS compliant, and it applies the same strict set of security controls to identity documents and other PII: the data is encrypted, stored and maintained in a secure, independently assessed environment.

Statement of Compliance: Jumio uses the European data privacy directives as the baseline for its global data privacy compliance. Effective February 1, 2018, all steps required to achieve GDPR compliance were completed. Jumio’s data privacy compliance program applies to all categories of personal data, including biometric data.

Revised Payment Service Directive (PSD2)

What is it?

PSD2 is the second iteration of the EU Payment Services Directive (PSD) and affects both individual consumers and businesses. It allows bank customers to let authorised third-party providers access their accounts in order to initiate payments and manage their finances. Member States had to transpose PSD2 into national law by January 2018, and it has implications for every company in Europe that deals with payments, from how newly regulated Third Party Providers (TPPs) are supervised to the requirement for strong customer authentication (SCA).

It does this by requiring banks and other account-servicing payment institutions to open account access to authorised third parties through interfaces (APIs), with the aim of fostering innovation and lowering the cost of payments, including card-based payments, for end users.

Who is Impacted:

The rules and guidelines of PSD2 apply to providers of modern payment services based in the European Union, including banks, credit unions, fintech companies and payment companies such as account servicing payment service providers (ASPSPs), payment initiation service providers (PISPs) and account information service providers (AISPs).

European banks are required to share a customer’s account information with any authorised third party the customer chooses, through easily accessible APIs. This lets non-bank companies initiate bill payments, make account transfers, analyse spending and offer a wide range of other services traditionally handled by banks, while the money itself stays in the customer’s existing bank accounts.

Impact on Identity Verification:

PSD2 sets out specific requirements for securely authenticating customers electronically, in order to keep customers’ funds and personal identities safe. The European Banking Federation encourages trust in digital identity verification tools that can guarantee “the person claiming a particular identity is in fact the person to whom the identity was assigned.”

Under PSD2, “account servicing payment service providers”, primarily banks, must open up three kinds of access to registered third parties: account information, payment initiation and confirmation of availability of funds. Before a third party is allowed access, the customer must authenticate to the bank using what PSD2 calls “Strong Customer Authentication” (SCA), authentication based on two or more independent elements. SCA covers most access to customer accounts, including electronic card payments, and in some cases even a customer directly querying their own account details.

One of the major implications of PSD2 is its focus on improving security in the payments space by mandating strong customer authentication. SCA requires two or more independent elements drawn from three categories: knowledge (something only the user knows, such as a password or PIN), possession (something only the user has, such as a registered phone or hardware token) and inherence (something the user is, such as a fingerprint or face). Most consumers already know this as two-factor authentication, even if not by that name: a username and password alone are not considered secure enough, so an additional step is required. Note that a second knowledge question such as “what’s my mother’s maiden name?” does not satisfy SCA, because it falls into the same category as the password; the second element must come from a different category. Biometric approaches such as face or fingerprint recognition supply the inherence element.

How Jumio Can Help
Jumio’s online identification solutions enable EU banks to incorporate the PSD2 safeguards that ensure each customer’s identity is verified before the customer is linked to a third-party service provider. PSD2 requires that EU banks have a process for establishing the identity of the customer, including determining, to an appropriate level of assurance, attributes such as name, address and date of birth. Jumio helps banks establish authentication credentials that let customers assert their identity in the future without repeating the relatively expensive identification process each time.

Know Your Customer (KYC)

What is it?

Know Your Customer (KYC) is the process a business uses to verify the identity of its clients, either before or while it starts doing business with them. The term also refers to the regulated bank practices used for the same purpose.

Who is Impacted:

Banks and companies of all sizes now rely heavily on KYC. Banking institutions, credit companies and insurance agencies increasingly require their customers to provide detailed information so the institution can confirm they are not involved in corruption, bribery or money laundering.

Impact on Identity Verification:

Many financial institutions begin their KYC procedures by collecting basic data and information about their customers, ideally through online identity verification.
KYC refers to the steps a financial institution (or business) takes to:

  • Establish the identity of the customer
  • Understand the nature of the customer’s activities (primarily to confirm that the source of the customer’s funds is legitimate)
  • Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities.

Once this basic data is collected, banks generally compare it against sanctions lists and lists of individuals known for corruption, suspected of involvement in crime, or at high risk of bribery or money laundering. They also screen against lists of Politically Exposed Persons (PEPs). According to the European Banking Federation, “Technologies allowing for digital on-boarding should also be considered as equivalent and valid identification methods.”

How Jumio Can Help
Jumio enables financial organizations to fulfil their KYC (Know Your Customer) obligations with fast and accurate online ID and identity verification. Our solutions have helped banks and other financial institutions replace slow, ineffective, and manual KYC processes with more automated solutions that can be embedded within the online account setup and onboarding experience.

Anti-Money Laundering (AML)

What is it?

Anti-money laundering (AML) is a term used mainly in the financial and legal industries for the laws, regulations and procedures that require financial institutions and other regulated entities to prevent, detect and report money laundering: the practice of disguising the proceeds of crime as legitimate income. Although AML laws cover a relatively limited set of transactions and criminal behaviours, their implications are far-reaching.

Who is Impacted:

AML regulations require financial institutions that issue credit or allow customers to open accounts to carry out due-diligence procedures so that they are not aiding money-laundering schemes. They must verify where large sums of money originated, monitor suspicious activity and report material cash transactions.

Impact on Identity Verification:

The 2016 proposal to amend the Fourth Anti-Money Laundering Directive (referred to below as AMLD 4.1) recognizes that “Accurate identification and verification of data of natural and legal persons is essential for fighting money laundering or terrorist financing. Latest technical developments in the digitalization of transactions and payments enable a secure remote or electronic identification.” In other words, the European Commission (and other governing bodies) are becoming more comfortable with online identity verification as a means of AML compliance.

How Jumio Can Help
Jumio’s online identity verification solutions are among the most cost-effective ways for financial institutions to meet the expectations of increasingly mobile-centric, technically savvy customers with an easy-to-use, secure identity verification experience. They also help banks and other financial institutions support their ongoing AML obligations on a global scale, because the solutions are designed to satisfy the most comprehensive of these regulations.

4th Anti-Money Laundering Directive

What Is It:

The European Union’s Fourth Anti-Money Laundering Directive took effect in June 2017. Its purpose is to remove ambiguities in the previous legislation and improve the consistency of anti-money laundering (AML) and counter-terrorist financing (CTF) rules across all EU Member States. The Directive includes fundamental changes to AML procedures, including changes to customer due diligence (CDD), a central register of beneficial owners and a stronger focus on risk assessments.

The main modification points to note are:

  • Emphasis on ultimate beneficial ownership and enhanced customer due diligence
  • Expanded definition of politically exposed person (PEP) to include domestic PEPs
  • Cash payment threshold that triggers obligations lowered to €10,000 (US$11,250), from €15,000
  • Expanded to include the entire gambling sector beyond just casinos
  • Enhanced risk-based approach, requiring evidence-based measures

With proper preparation and training, the transition to the new regime should be smooth for most firms. The rules for politically exposed persons (PEPs) are no longer limited to persons outside the firm’s own member state: domestic PEPs are now subject to the same scrutiny as foreign PEPs. The Directive puts heavy emphasis on a risk-based approach to money laundering at every level. It directs member states to commission national risk assessments, firms to develop risk-based policies, and practitioners to conduct CDD in a risk-based manner.

Who is Impacted:

Under the Directive, corporations and other legal entities will be required to maintain accurate and current information on their beneficial ownership. They must provide that information to the government. That information on beneficial ownership will be held by each member state in a central register that will be accessible to banks, law firms and “any person or organisation that can demonstrate a legitimate interest”.

Impact on Identity Verification:

The new rules allow companies to verify customers remotely by electronic means. In fact, the Directive promotes and encourages the use of electronic ID verification:

“ … in particular with regard to notified electronic identification schemes and means that offer high-level secure tools and provide a benchmark against which assessing the identification methods set up at a national level may be checked.” European Money Laundering Directive 4.1

How Jumio Can Help
Jumio provides European merchants, financial institutions and other obliged entities with the online verification tools needed to comply with AMLD 4.1. Jumio’s online identification solutions allow for quicker, more cost-effective and seamless identification processes while meeting the risk-reduction and compliance requirements the financial industry demands. They replace the cumbersome, paper-bound procedures of outdated, manual high-touch methods with digital data techniques and procedures.

Payment Card Industry (PCI-DSS) Compliance

What is it?

PCI DSS compliance is adherence to a set of specific security standards that were developed to protect sensitive card information during and after a financial transaction and "to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally."

Who is Impacted:

PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, and to any other entity that stores, processes or transmits cardholder data and/or sensitive authentication data. In other words, the standard applies to every organisation that holds, processes or passes cardholder information for any card carrying the logo of one of the participating card brands. PCI DSS is organised into 12 requirements that such entities must meet to show they are taking the necessary steps to prevent unauthorised access to, or compromise of, their card processing data. Failure to achieve PCI compliance can expose a retailer to substantial penalties, which can exceed $500,000 depending on the volume of transactions processed.

Impact on Identity Verification:

Online identity verification providers are not obliged to comply with PCI DSS unless they themselves handle cardholder data, but consider the value of the data they do handle: images of legitimate government-issued IDs (e.g., passports and driver’s licenses). Such images can fetch up to $20 on the dark web, and a black-market buyer armed with a valid driver’s license or passport can inflict considerable damage, including opening new credit cards or taking out a major loan in the victim’s name. Online identity verification vendors are therefore sitting on a treasure trove of valuable PII that must be managed appropriately and strictly protected against data breaches.

How Jumio Can Help
Jumio is PCI DSS Level 1 compliant and regularly conducts security audits, vulnerability scans and penetration tests to ensure compliance with security best practices and standards. PCI compliance is validated through a yearly on-site assessment by a Qualified Security Assessor (QSA). Jumio carries the security controls established for PCI compliance over to PII, which is of comparable sensitivity, and has extended the scope of those controls to cover and protect all systems used to transmit, process or store PII.

Because Jumio complies with the strict security standards of PCI DSS, customers can have greater confidence that their data, whether credit card numbers, PII or government-issued IDs, is handled securely throughout its lifetime. Jumio extracts, redacts (masks) and stores merchants’ credit card information in accordance with PCI DSS, reducing customers’ internal processing and operational costs.

Electronic IDentification, Authentication and Trust Services (eIDAS)

What Is It:

eIDAS (Regulation (EU) No 910/2014) is the EU regulation on electronic identification and trust services for electronic transactions in the internal market. It establishes a common set of standards for electronic identification, electronic signatures and related trust services across the European Single Market.

Who is Impacted:

Any person or company that operates at the European level and uses electronic signatures or electronic identification must ensure that it complies with eIDAS. eIDAS regulates electronic signatures, electronic transactions, the bodies involved and the processes around them, to give users a safe way to conduct business online, such as electronic funds transfers or transactions with public services. Both the signatory and the recipient gain convenience and security: instead of relying on traditional methods such as mail, fax or appearing in person to submit paper documents, they can complete transactions across borders (e.g., using “1-click” technology).

Impact on Identity Verification:

Article 8 of the regulation establishes three levels of assurance for electronic identification schemes, low, substantial and high, and a scheme’s legal value rises with its assurance level. Whatever the assurance level, a member state that notifies an identification scheme becomes liable for it, including for the registration of data operators and the identity and authentication providers included in the notified scheme.

eIDAS is deliberately technology-neutral: it does not commit to a particular type of technology or validation process, so its definitions leave room for interpretation. It makes electronic signatures easier to use and gives them uniform legal standing across the Union. While it makes no specific technology recommendations, it does set out requirements for time stamping, electronic seals, electronic registered delivery and website authentication.

How Jumio Can Help
Jumio’s online identity verification solutions were developed to meet the demands of companies in highly regulated sectors such as the financial industry. We help EU firms comply with eIDAS, and do so proactively so that we can also respond to constant changes in the market. Our AI-powered technologies can outperform in-person identity verification. Jumio’s remote identity verification solutions help companies quickly, accurately and compliantly verify their online customers, and dramatically reduce abandonment during the account onboarding process.

Jumio’s identity verification solutions offer higher reliability and confidence than in-person verification. They not only verify identity and confirm that the individual is real and present, using liveness detection and biometric facial recognition; they also check the security features built into the documents themselves in order to detect forgeries.

Get Started

Let a Jumio expert show you how easy it can be to integrate Netverify’s suite of verification solutions into your website or mobile experience. Start by requesting more information and we’ll be in touch shortly.