Season’s greetings and welcome to Onfido’s Policy Corner, your regular briefing on key global policy updates from the world of digital identity, regulatory compliance, AI, and data privacy. The EU has taken huge steps forward with the finalization of the text for eIDAS 2.0 and the AI Act.
Speaking of AI, following last month’s AI fraud survey, Onfido published its annual Fraud Report in November 2023. AI has opened up new avenues for fraudsters across the identity verification landscape, and while it remains one of the most secure ways of verifying identity, we saw a 31X increase in deepfake attempts compared to the previous year. This increase has been powered by the ubiquity of online tools and generative AI, such as face-swapping apps that are aiding fraudsters.
Biometric verification solutions such as Onfido Motion leverage liveness technology designed to intercept sophisticated attack methods like deepfakes, injection attacks, display attacks, and 2D/3D masks. Onfido also unveiled its world-leading Fraud Lab, which generates thousands of fraud samples and synthetic identities to keep our proprietary Atlas™ AI a step ahead of professional fraud.
The challenges posed by rapidly developing deepfake technology, and Onfido’s solutions to them, are key demonstrations of why AI regulation needs to balance the challenges of today against the potential existential challenges we’ll face in the future. Keep reading to learn how the final version of the EU AI Act balances the two.
EU
eIDAS 2.0
The final text of the amended EU eIDAS (electronic IDentification, Authentication and trust Services) Regulation 2.0 was published this month. In terms of impact, the regulation has the potential to be as globally transformative in the eIDV (electronic identity verification) space as GDPR was to data protection, via the creation of a universally available and universally recognized EU Digital Identity Wallet (EUID).
All private services operating in the EU that are legally required to authenticate their users are required to recognize and accept the EUID.
However, the regulation is not the golden ticket to harmonization it was originally envisioned to be. Ultimately, Member States are permitted a significant degree of national autonomy in implementation and so will continue to build on the existing fragmented ID verification framework across EU Member States. In the short to medium term, this is likely to cause further divergence in Member State verification requirements and create a more fractured landscape — the opposite of the intended purpose of eIDAS 2.0.
As a result, we expect significant delays to entry into force. Once the regulation has been confirmed by the Parliament and Council, Member States will have 30 months to bring the regulation into force, meaning a mid-2026 date at the very earliest.
AI Act
On 9 December 2023, negotiators from the European Parliament and Council Presidency came to a surprise agreement on the EU AI Act — the final version of the world’s first comprehensive legal framework on AI.
The requirements of the Act differ depending on the risk level. Biometric recognition and access to key services such as financial services place ID verification in the high-risk bracket, which will put a significant onus on companies: eliminating bias insofar as is reasonably practicable, carrying out a fundamental rights impact assessment, and meeting transparency obligations. With significant penalties in place for violations of the Act, expertise in regulatory and technical compliance will be essential to ensure conformity.
The hurried conclusion of the Act will require technical refinement and coherence checks before being submitted to the Member States for approval. We expect to see a final text of the Act published in the first quarter of 2024.
UK
The Online Safety Act
Ofcom published its guidance for protecting children from online pornography under the Online Safety Act. Protecting children from accessing harmful content online will be the gold standard for enforcing user verification under the Online Safety Act. We look forward to sharing our expertise in this space as part of Ofcom’s consultation on the guidance.
UK Online Fraud Charter
The UK Online Fraud Charter was also published this month. The charter was signed by a number of significant online marketplaces and social media giants. Its provisions are largely common sense and best practice. The charter is voluntary, and its real value will be seen in its uptake by other providers in the coming months.