Effective 1 June 2021, the Swiss Financial Market Supervisory Authority FINMA adapted its due diligence requirements in connection with client onboarding. To identify persons online, it is now permitted to scan the chips in identity documents instead of doing a bank transfer! This fits in the growing adoption of NFC as an essential component for digital identity verification that we see happening worldwide.
These changes follow a broad public consultation by FINMA for the partial revision of the FINMA “Video and online identification” Circular to keep up to date with new technological developments. The possibility of using chip-based data from biometric identity documents was universally welcomed, and many respondents were keen to see further alleviations in the identification process, as FINMA mentions in its press release. The use of NFC and should enable companies to "offer smooth onboarding for clients".
It is interesting to see that, in addition to reading out the data, their authenticity and integrity must also be checked, according to the FINMA guidelines. In the consultation some organisations requested to omit this step, but FINMA has taken the position that authenticity and integrity are important elements. "Without successful verification against the certificates, the data read from the chip cannot be classified as trustworthy", according to FINMA. Also, suggestions to add that optical verification of the identity document in combination with biometric verification might be sufficient were declined.
We strongly agree with this point of view, as reading a chip without verification is not to be trusted and that optical verification of identity documents can be manipulated easily. In our blog you can read more on the wide range of security mechanisms in chipped identity documents.
The changing point of view of FINMA is in line with several developments worldwide that emphasise the importance of NFC based identity verification. In March, UK's HM Land Registry published its new standard for identity verification, including chip reading and verification. They take a similar standpoint as FINMA, in a different domain, building upon UK Good Practice 45 (check our blog on GP 45 for more details).