Compliance Archives • Veridas

Interview: “Compliance for us is not just about meeting legal requirements; it’s about exceeding them to provide assurance to our users and clients”

Juan Fernando C. Bulgarelli — Wed, 08 May 2024 07:39:23 +0000

Leire Arbona Puértolas, Director of Legal and Compliance, has been honored with the prestigious Women in Biometrics Award by the Security Industry Association (SIA) for 2024.

This award recognizes Leire’s outstanding contributions to the biometrics industry, where her work in merging legal integrity with technological innovation has set new privacy and data protection standards.

Leire is celebrated alongside notable awardees Melissa Conley from TSA, Heather Haller from FBI, and Caitlin Kneapler from DHS, all of whom have significantly enhanced global security. The awards ceremony will take place at the SIA GovSummit on May 21 in Washington, D.C., an event that brings together top government and private sector professionals to discuss critical security issues.

SIA serves as the leading trade association for global security solution providers. With over 1,400 member companies, SIA plays a critical role in promoting industry growth through advocacy, the development of open standards, and hosting high-level conferences such as ISC expos and the Securing New Ground conference.

Below is a short interview with Leire:

What inspired you to pursue a career in legal and compliance within the biometric technology field?

“The thrill of entering a sector where the laws are still being shaped truly drew me in. I was captivated by the challenge and opportunity to innovate in legislation, especially at the intersection of technology and law. In biometric technology, where advancements happen rapidly, regulations are critical to understand and adapt to these technologies. This field requires not just knowing the limits but creatively defining the “how to” and “how not to”—guiding how technologies can be integrated responsibly into our lives while ensuring that tech development and regulation advance hand in hand.”
Can you describe the journey to founding the Legal and Compliance department at Veridas?

“When I joined Veridas in 2017, it was immediately evident that to innovate responsibly with biometric technologies; we required a strong legal framework that was deeply integrated with every facet of our operations. Establishing the Legal and Compliance department became a foundational and unifying step for the company. From the outset, every department at Veridas understood and embraced the importance of embedding compliance, privacy, and legal considerations into the development of our technologies. This collective commitment has been crucial in building trust and ensuring that our products always uphold the highest privacy and security standards.”
What challenges have you faced in your role, and how have you overcome them?

“One of the overarching challenges—and indeed a challenge for any jurist in this field—is mastering the technology we need to regulate. It’s essential to step beyond traditional legal boundaries and deeply understand the technologies at their core. You cannot effectively regulate what you do not fully comprehend. My approach has been continuously learning about our technologies, maintaining proactive relationships with international regulators, and dynamically adapting policies.”
How do you ensure Veridas complies with international laws on data protection (GDPR, CCPA AIA,…) and artificial intelligence?

“Compliance for us is not just about meeting legal requirements; it’s about exceeding them to assure our users and customers. We implement rigorous data protection measures and regularly review our compliance frameworks in light of new legislation. Education and training within our team are also crucial.”
As a woman in technology, what has been your experience in this male-dominated industry?

“It has been both challenging and rewarding. Diversity in tech is crucial for creating balanced and innovative solutions. I focus on mentoring young women in the field, advocating for diversity and inclusion, enriching our industry and promoting better decision-making processes. At Veridas, I feel fortunate; the team of men and women alike have always supported me. This sense of equality within our company has been instrumental in allowing me to contribute my best work and help lead the way forward.”
What role do you believe biometric technology will play in the future of identity verification?

“Biometric technology is not only transforming identity verification by making it more secure and accessible but is also playing a pivotal role in enhancing inclusivity across various sectors. We are already seeing significant impacts where technology ensures that everyone, including those who have traditionally faced marginalization, such as people with disabilities, can assert their identity conveniently and securely. For example, in Mexico, pensioners can now give proof of life from home using voice biometrics. In Spain, residents of the San José Residence in Navarra for people with disabilities experience greater autonomy and comfort by being able to open their own bedroom door using facial biometrics. These examples underline biometrics’ potential to close the disability gap, promising a future where technology empowers all individuals without compromising their privacy.”
What does winning the Women in Biometrics Award mean to you and your future goals?

“Winning this award is an incredible honor that validates our efforts in ethical technology implementation. It reinforces my commitment to continue advocating for responsible biometric solutions that respect user privacy and contribute positively to society. Looking forward, I aim to influence further global standards and legislation around biometrics and digital identity.”
How do you balance the need for innovation with the imperative of privacy in the development of new biometric technologies?

“Innovation and privacy are not adversaries; when approached wisely, they complement and enhance each other. At Veridas, we commit to designing biometric solutions that embed privacy from the start, adhering to the principles of privacy-by-design and privacy-by-default. This approach means integrating strong data protection features from the product’s initial design phase and throughout its lifecycle. Moreover, understanding the technology thoroughly dispels misconceptions and enables us to leverage its benefits effectively. I believe it is our duty as leaders in the industry to demystify how biometric technologies work, ensuring that both the public and regulators can make informed decisions about their use.”
What key trends do you anticipate in biometric technology regulations over the next few years?

“As biometric technologies continue integrating into our daily lives, I foresee a significant shift towards more comprehensive and ethically-focused regulations. We are moving beyond basic data protection to address how these technologies can be used responsibly. The future of biometric regulation will likely include stricter enforcement on ethical practices, ensuring technologies are secure, private, inclusively designed, and environmentally responsible. This shift is about embracing a holistic view of what it means to use technology ethically, considering the wider impacts on society.”
Can you share an example of a project at Veridas that you found particularly challenging or rewarding?

“One of the most rewarding projects has been aligning our practices with the Artificial Intelligence Act (AIA). This regulatory framework is crafted at a pivotal time when we (developers, regulators, and citizens) have a robust understanding of biometric technologies, which allows us to discuss risks and applications from a well-informed and ethical standpoint. The AIA explicitly recognizes our right to use biometrics voluntarily for identity verification while setting clear boundaries against its use for indiscriminate surveillance. Working on this has reflected our commitment to ethical practices and positioned Veridas at the forefront of compliance and innovation in biometric technologies.”
How do you foster a culture of compliance and ethical practice within Veridas?

“At Veridas, fostering a culture of compliance isn’t just a policy; it’s a core part of our identity that permeates every level of the organization, from the newest developer to the CEO. We approach compliance as an integral aspect of our product design and business model. We don’t just sell technology; we sell technology crafted from the deepest commitment to compliance. This means starting from ‘how yes’—always looking for ways to enable and empower through our solutions while adhering to ethical and compliance standards.”
Looking ahead, how do you plan to influence the broader conversation about biometrics and privacy?

“I plan to continue engaging in dialogue at international forums and with regulatory bodies to advocate for fair and responsible biometric practices. Sharing our experiences and challenges at Veridas helps shape a more informed discussion about the future of biometrics. Additionally, contributing to industry publications and participating in standard-setting organizations will influence how biometric technologies are perceived and regulated globally.”
How do the GDPR and the AIA work together to enhance European privacy and identity protection?

“The GDPR and the AIA form a formidable partnership in establishing benchmarks for privacy and responsible technology use across Europe. The GDPR serves as the foundation for data protection, mandating transparency, consent, and the protection of individual rights. Meanwhile, the AIA extends beyond mere ethical considerations to provide a comprehensive framework that evaluates the risks associated with implementing various types of artificial intelligence, including biometric systems. This approach ensures holistic protection of fundamental rights and ethics in the digital age. Together, they ensure AI-driven technologies respect privacy and foster trust, vital for maintaining user confidence. This regulatory synergy is crucial for the sustainable growth of European tech and serves as a model that could influence similar frameworks internationally. As we’ve seen with GDPR’s impact on privacy laws in Latin America, the principles set by the GDPR and AIA could inspire analogous regulatory developments in the U.S., guiding the ethical implementation of AI across diverse legal landscapes.”
How do you see the GDPR and AIA collaboration influencing Veridas’s strategy and product development?

“At Veridas, we’re not just complying with regulations; we’re utilizing them to define clear boundaries—’ this yes and this no’—which help us create trusted solutions that enable individuals to prove who they are simply by being who they are. Our adherence to these strict standards of compliance under both GDPR and the newly integrated AIA provides us with a distinct competitive edge, as it assures our clients of our commitment to responsible and innovative technology. This dual compliance is more than a legal requirement; it’s a cornerstone of our value proposition in the European and global markets.”

Veridas Passive Facial Liveness Detection Achieves iBeta Levels 1 and 2

Juan Fernando C. Bulgarelli — Thu, 18 Apr 2024 08:08:00 +0000

Veridas’ passive facial liveness test has reached iBeta Levels 1 and 2 in compliance with the ISO/IEC 30107-3 standard for Presentation Attack Detection (PAD), attaining the same level of security previously granted to its active liveness test.
Veridas has achieved the highest level of security from iBeta with a passive solution deployed in browser environments, marking a significant technical advancement in the industry.
The passive facial liveness test allows for frictionless verification. The system evaluates the captured image in the background without requiring the user to perform any specific action or movement.

Veridas, a leading Spanish company in identity verification and biometric authentication, has achieved iBeta Levels 1 and 2 for its passive facial liveness detection solution according to the ISO/IEC 30107-3 standard. This technological milestone shows Veridas’ commitment to fraud prevention at all levels and offering effective, secure, and reliable identity solutions.

This achievement, reached in browser environments, presents higher technical complexity—as camera control is limited—reduces dependency on the device type used and ensures an optimal user experience.

A Growing Necessity

Identity fraud has increased, and businesses and public institutions must respond promptly and effectively. In 2023 alone, identity fraud cost North American citizens $43 billion, an increase of 13% compared to the previous year. The emergence of Generative Artificial Intelligence is a very positive development regarding business opportunities and innovation capacity, but it has also introduced significant risks, especially in identity. According to Gartner, in 2023, the number of deepfake attacks detected increased tenfold.

In this context, it is crucial to have secure and reliable identity verification processes. An essential component of these processes is the liveness test, which aims to ensure that the person undergoing the verification is genuine and not using fraudulent techniques such as photos, 3D masks, or deepfake technologies.

Passive vs. Active Liveness Tests

Liveness tests can be of two types: active and passive, depending on the experience induced in the user undergoing the process.

Active: The user must perform a specific and random action, also known as a challenge, such as moving their head or smiling, which varies in each process.
Passive: The system analyzes the captured image in the background without requiring the user to perform any specific action during the verification process.

“Obtaining iBeta Level 1 and 2 for our passive liveness detection solution reflects a technological milestone and our unwavering commitment to the most demanding global standards. This achievement consolidates Veridas’ position at the forefront of security and biometric authentication, reaffirming our dedication to combating identity fraud with the utmost precision and reliability across all digital platforms,” stated Carlos Arana, CTO of Veridas.

Veridas, which already holds Levels 1 and 2 of iBeta for its active liveness solution — where users must perform specific and random actions like moving their head or smiling — demonstrates its commitment to the ISO/IEC 30107-3 PAD standard for its passive liveness test. This technological milestone adds to the recent participation in the NIST PAD evaluation, which solidifies Veridas’ commitment to independently assessing its solutions based on the highest security standards.

Artificial Intelligence Regulation: Between Innovation and Legislation, Spain’s Pioneering Role

Leire Arbona — Mon, 20 Nov 2023 13:23:56 +0000

In a significant step toward the Artificial Intelligence Regulation, Spain has published Royal Decree 817/2023, marking a milestone in adapting “high-risk” technological solutions to European standards.

This royal decree establishes a controlled testing environment, known as the Sandbox, where companies can practice how to meet the compliance requirements of the proposed Regulation of the European Parliament and the Council and the best practices defined within that framework.

“Among the respected voices influencing this process is Veridas”

In essence, the regulatory AI sandbox establishes a framework where companies with ‘high-risk’ technological solutions can identify and ‘test,’ along with competent authorities, the guidelines of best practices and guides that will be applicable under the future AI Regulation.

Certain remote biometric identification systems (“at a distance”) could be included in high-risk classification. However, the European Artificial Intelligence Regulation is in its final stages of definition and approval, so the list of systems classified as high risk is still undefined.

Adapting to the Real Needs of Businesses

The peculiarity of artificial intelligence regulation in Spain lies in the fact that many companies eligible to participate in Sandbox calls already have solutions implemented in the market. This requires careful design to ensure that these tests are beneficial and consistent.

Veridas participated in the public consultation for developing this royal decree, with 15 of its 18 proposed changes being incorporated into the final text. This again recognizes Veridas’ role as one of the most respected voices in Spain in regulating artificial intelligence systems.

“Veridas reaffirms its role as one of the most recognized voices in Spain in the regulation of artificial intelligence systems”

In this line, Veridas has proposed that participating companies, with their solutions deployed in the market, find their space in the testing environment, providing positive feedback that recognizes their efforts in terms of other certifications and compliance with standards.

In line with these goals, adapting solutions to European standards and ensuring confidentiality and intellectual property protection during tests must be an essential objective.

Veridas has advocated for clarity and adaptability in artificial intelligence (AI) regulation. The most relevant aspect is that the sandbox is attractive and usable for eligible companies. Furthermore, it is necessary to increase collaboration between the competent body and the participating company to adjust quality management criteria to each technology and specific case.

Towards an Ethical and Responsible Ecosystem

The ‘Real Decreto 817/2023’ marks a significant milestone in advancing artificial intelligence regulation in Spain.

This opens the doors to a controlled testing environment where solutions can be effectively integrated, providing valuable feedback to participating companies and supervisory authorities in defining and standardizing the requirements under the Artificial Intelligence Regulation.

In conclusion, Spain is proactively anticipating what will come in the coming months and years with the European Artificial Intelligence Regulation. Undoubtedly, this is positive for Spain’s role in concretizing its application and for developers and users, providing certainty about the future.

Adapting to European standards and safeguarding confidentiality, privacy, and intellectual property are essential to building an ethical and responsible AI ecosystem.

Regulation of Artificial Intelligence in Europe and Spain

After more than four years of intense work by European bodies, we are now in the final stage before approving the European Artificial Intelligence Regulation. The prologue stage is ending, with intense negotiations in various areas, and it is expected that in the coming weeks or months, at the latest, we will finally have an artificial intelligence regulation.

In Spain, steps are being taken to get ahead of the European regulation. For this purpose, a regulatory sandbox has recently been created to allow companies to test how the requirements of the Artificial Intelligence Regulation work and make adjustments to their systems. This will also serve for competent supervisory authorities to define those good practices and compliance guidelines that will be established later in a general way for everyone.

The greatest achievements and challenges of the Sandbox, according to Veridas

High-risk systems are not yet fully defined in the European regulation. Therefore, they may vary, but certainly, these companies will be able to initiate processes that will allow them to adapt and test how they will be in practice in the real application of the regulation. Certainly, it is a challenge, a very necessary challenge. And Spain has taken a step forward to anticipate what is coming and to plan for the future.”

The future of AI regulation in Spain

Veridas is very proud to say that the Royal Decree that will regulate these regulatory sandboxes has taken into account some of the contributions we made in the consultation phase, all of them aimed precisely at recognizing that these systems are already in use and that, therefore, a lot of work has already been done by all companies for their adaptation, certification, and guarantees of ethics, compliance, and transparency.

All of this has been incorporated by referencing the use of those standards and certifications prior to the sandbox being an adaptation process and not a development one, and ultimately, also protecting all industrial intellectual property, and all the know-how that exists in companies, which is a lot. This will be reflected not only in the sandbox but will be a long-term effort throughout the application of the regulation.

Veridas achieves high-category National Security Scheme (NSS) compliance certification

Leire Arbona — Tue, 08 Aug 2023 10:21:50 +0000

Information Security is a top priority in today’s digital environment. At Veridas, we are proud to announce that we have obtained the National Security Scheme (ENS) high category compliance certification, issued by OCA Global. This certification is a testament to our continued commitment to the security and privacy of the information we handle, both internally and for our valued customers.

A track record of compliance and safety:

Since 2020, we have maintained a rigorous focus on information security by achieving ISO/IEC 27001 certification. In 2021, we achieved ENS Medium category, followed by UK TrustFramework compliance in 2022 and, in early 2023, SOC 2 Type II certification. These certifications have enabled us to reinforce our position as a market leader in digital identity verification and authentication in both the physical and digital world.

Our most recent achievement of high-level ENS compliance certification propels us towards further security excellence. This certification covers our information security management system that supports all our activities, from design and development to deployment, production, maintenance, enhancement and marketing of our products and services.

The National Security Scheme (ENS) establishes a security policy for the use of electronic media and sets out the principles and minimum requirements for the adequate protection of information. Although it was initially conceived for the Spanish Electronic Administration, this system has been adopted by numerous private entities that provide services to the Public Administrations. The ENS provides greater detail and requirements for the implementation and maintenance of a solid Information Security system.

Guaranteed security for the Public Administration

This year, we have decided to raise our certification to the high category of ENS, the maximum possible. This is of great importance as we have more and more clients in the field of Public Administrations, and this certification provides them with the necessary guarantee and security to use our technology in any environment and process.

In addition, we have been agile in adapting to the changes derived from Royal Decree 311/2022, of May 3, which modified the regulations governing the ENS last year. At Veridas, we keep up to date and comply with the latest standards and requirements to ensure the safety of our products and services.

Obtaining this high-category compliance certification from the National Security Scheme (ENS) reinforces our position as a reliable provider of technology solutions for both public administrations and any company wishing to use our technology. Our customers can have full confidence that Veridas complies with the highest standards of information security and privacy, providing a trusted environment for the use of our technology in any process and in any environment. We are committed to continuing to provide innovative and secure solutions that drive our customers’ growth and success.

Trust Veridas with your RTW and Rent checks – the government does

Sabrina Gross — Tue, 18 Jul 2023 11:19:16 +0000

The Digital Identity and Attributes Trust Framework (DIATF) is a groundbreaking initiative driven by the UK government to digitise identity verification – and for good reason.

Hiring people and acquiring tenants used to be a little risky, as documents were easily forged, errors crept in through manual systems and the entire undertaking took a long time and cost a lot of money. Now thanks to the DIATF, employers and landlords can use IDsp’s to ensure the people they are hiring or housing are who they say they are.

However, to make sure the chosen IDsp is capable and reliable itself of doing this work, it must be certified by the government to do so, after proving its ability through rigorous audits.

Veridas is proud to be an early government certified partner (from December 2022) and one of the first to be certified in the UK as well as the USA. The certification means that Veridas’ governance, systems and policies meet the trust standards set by the government to deliver a safe and seamless, reliable service for all.

There are many benefits to digital identity verification for all parties – employers and employees, landlords and tenants as well as for stakeholders across many other industries.

The time involved in authenticating a person is cut down dramatically, allowing humans to do their jobs, the cost of carrying out the check manually is reduced and the information gathered is guaranteed to be correct and validated. This takes considerable stress off of business owners (previously it would have been their responsibility to detect fraud) and delivers a more convenient process for employees and tenants.

If you are ready to partner with one of the UK’s few government-certified IDsp’s and gain the confidence of security, speed and cost efficiency in your RTW and rent checks, please reach out to one of our experts for a demo that suits you and your business specifically.

How to comply with the ‘Fan Stands’ law in Football stadiums?

Marta Morrás — Thu, 16 Feb 2023 10:08:16 +0000

In 2015, the Spanish Professional National Football League issued a notification to its affiliated teams communicating the implementation of new regulations to increase security and the recognition of people in the so-called “fan stands”.

In spite of this regulation, at present, tickets are nominal and verified only in the visiting stands of the stadiums in Spain. That is why both La Liga and some police forces, such as the Ertzaintza in the Basque Country, have asked their clubs to start installing identification controls to comply with the regulations.

What is the law on the Fan Stand in football stadiums?

The regulation on the Fan Stand is a regulation that obliges first and second-division clubs in Spain to comply with certain requirements to maintain order and safety in stadiums. It is an adaptation to Law 19/2007 of 11 July, against violence, racism, xenophobia and intolerance in sport.

The aim of this regulation is to identify all fans attending these sectors of the stadiums so that, in the event of any type of infringement of the law, they can be distinguished for the corresponding defense.

What does it consist of?

The regulations include five points:

The characteristics and location of the supporters’ stand: to determine the size, location and characteristics of these stands, which must be differentiated from the rest of the stadium’s sectors.
The description of the biometric access project: incorporation of a biometric reading system in the access to the same, as well as the need to develop an internal regulation.
The conditions to be included in the season ticket formalisation documents for these sectors, which include that access to this area can only be granted with a season ticket purchased and registered with the club, acceptance that the season ticket is non-transferable, the willingness to have more exhaustive identity checks, the display of supporting materials subject to the regulations and the penalties that a fan who does not comply with these requirements may face.
Technical coordination between clubs and La Liga for the operation of this regulation.
The processing of personal data, in accordance with the provisions of the Ley Orgánica de Protección de datos de carácter personal.

What is the aim?

The aim of this regulation is to achieve full identification of fans attending the supporters’ stands in order to avoid unwanted and unlawful situations that have been seen in and around football stadiums.

On many occasions, the individuals committing these offenses could not be identified and could not be banned from entering football stadiums. This regulation prevents those who have committed offenses on sports fields and have been sanctioned by the authorities from being kept away from sporting events, thus ensuring the safety of all.

How to comply with the regulations on the Fan Stands?

Veridas offers an access control system with biometrics that allows football clubs to comply 100% with the regulations, guaranteeing a comfortable and simple user experience for all its users.

This solution is already in operation in several Spanish LaLiga clubs such as Club Atlético Osasuna or Málaga Club de Fútbol.

On-Device Biometrics cannot be considered a valid element for Strong Customer Authentication as ruled by the European Banking Authority (EBA)

Leire Arbona — Tue, 14 Feb 2023 11:12:11 +0000

The European Banking Authority (EBA) has just set a precedent for using device biometrics as an element of strong authentication. The following article will review this resolution, its implications for the financial sector, and the correct application of the Payment Services Directive (PSD2).

What is PSD2, and why is it so important?

The Payment Services Directive, also known as PSD2, is an EU directive that regulates payment services and their providers within the framework of the European Union. Its main objective is to increase competition, innovation, and security in the payment services sector while protecting the rights and interests of consumers.

PSD2 obliges payment service providers to follow new rules, such as Strong Customer Authentication (SCA) for electronic payments, and opens the market to new players, such as fintech, by allowing them to access bank account information with the customer’s consent. The directive has been implemented in all EU member states.

Strong Customer Authentication implies that customers must provide two or more forms of authentication from different categories to complete an online transaction, these categories being:

Knowledge factors: something the user “knows,” such as a password, an answer to a secret question, or a PIN code.
Possession factors: something the user “has,” such as a credit card, a SIM card, or an OTP message.
Inherence factors: something the customer “is,” such as the face, voice, iris, or fingerprint biometrics.

SCA aims to reduce the risk of fraud and ensure that customers are who they say they are before making a payment. Simply put, SCA is an additional layer of security to protect customer payment information and prevent unauthorized transactions.

What is the role of the European Banking Authority?

The European Banking Authority (EBA) is an independent EU agency responsible for improving the regulation of the banking sector across the European Union. Its main tasks include developing and adopting technical standards and guidelines and conducting assessments to ensure effective and consistent prudential regulation and supervision across the European banking sector.

In this regard, recital 17 of EBA Regulation (EU) nº 1093/2010 states that “The purpose and tasks of the Authority – to assist the competent national supervisory authorities in the consistent interpretation and application of Union rules and to contribute to the financial stability necessary for financial integration – are closely linked to the objectives of the Union acquis in relation to the internal market for financial services.”

The EBA acts within the scope of different legislative texts applicable to the banking sector. One of these legislative texts is the Payment Services Directive (PSD2) mentioned above. Every day, the EBA publishes press releases, consultations, answers to questions submitted by various stakeholders, etc.

What is the EBA's position on device biometrics (Q&A 6145)?

On January 31, 2023, the EBA responded to a question submitted by a credit institution regarding the use of mobile device biometrics.

The question was as follows, “Does authentication to unlock the mobile device count as one of the elements of strong customer authentication when a payment services user is tokenizing a card in an e-wallet solution such as Apple Pay?” (….) Would the SCA requirement be met if one element of SCA (possession) is present during token issuance and the other element (knowledge (PIN entry) or inherence (fingerprint or facial recognition) had been applied when the payment services user unlocked his or her mobile device?”

And the answer given by the EBA in this regard represents a turning point in the use of on-device biometrics as an element of solid authentication, formulated as follows: “Unlocking a cell phone with biometric data (e.g., a fingerprint), or with a PIN/password, should not be considered a valid SCA element to add a payment card to a digital wallet if the mobile device’s screen lock mechanism is not under the control of the issuer or if the payer has not been previously associated through an SCA with the credential used to unlock the phone.”

In other words, it means that the use of mobile authentication mechanisms (fingerprint, password pattern, facial biometrics…) cannot be considered secure if the entity in charge of ensuring the verification of the user’s identity does not control those authentication mechanisms or cannot ensure that the legitimate user is using those authentication mechanisms.

What are the differences between on-device biometrics (FaceID, TouchID, etc.) and Veridas cloud-biometrics?

The authentication processes of companies such as Apple (FaceID, TouchID, etc.) are based on biometric technology, upon which users can access using their fingerprint or facial recognition.

To activate this biometric authentication method, it is only necessary to register the different biometric factors once the device has been purchased, without establishing any link between the official identity of the registering user and the biometric factor.

In addition, more than one biometric factor can be registered on each device, which means that different people can use their biometrics to unlock the same terminal. This, and the fact that companies that use these methods do not have any visibility over the processes executed on the device, means that any person with their biometrics registered on the device could operate with it.

That is why the EBA insists that a biometric solution that is not controlled by the card issuer or that has not been previously associated with the customer’s official identity cannot be used as an element of Strong Customer Authentication. It is impossible for a financial institution or any other company to be sure that the person who owns the account is the one who is using the service if it relies on biometric systems that do not meet these requirements.

In contrast, Veridas biometric authentication technology always starts with an initial identity verification process, where the person’s official identity is validated. Veridas has state-of-the-art solutions that certify that the identity document presented is real and has not been tampered with or forged, that the person presenting it is the same person who appears on the document, and that they are genuinely present in the process. All this is done with technology certified by the most prestigious international organizations, such as the National Institute of Standards and Technology (NIST), or by iBeta about proof of life.

Once this identity is verified, our customers can deploy many authentication use cases based on facial and voice biometrics engines, from access to private customer areas or mobile applications to physical access to corporate environments or sports venues.

In all these processes, our customers have complete control of them, both in their initial configuration and subsequent implementation, so they can verify that the person accessing or operating, thanks to biometric authentication, is the account owner. In this way, they strictly comply with the requirements of the EBA in its previously mentioned response.

Increase security and reduce identity fraud with Veridas technology

Veridas always ensures its biometric solutions’ transparency, compliance, and reliability. We rely on proprietary and fully automated technology to remotely verify identities and authenticate them in both the physical and digital space.

Our solutions are critical to prevent fraud, reducing operational costs, improving customer experience (thereby increasing customer acquisition rates), and ensuring maximum compliance with all applicable regulations.

Do not hesitate to contact us if you want to learn more about the biometric technology revolutionizing the payment industry.

Veridas pioneers the diagnosis of compliance with the ethical principles of its Artificial Intelligence system

Miguel Zarraluqui — Thu, 22 Dec 2022 12:10:09 +0000

Veridas has just become one of the first companies at a national level to carry out a ‘Diagnosis on the ethical principles of Artificial Intelligence’ with the support of PwC, a pioneering firm in this type of work. This diagnosis consists of analyzing the formal compliance with the ethical principles of artificial intelligence systems of companies and the ethical, legal, and technical framework on which these systems are developed.

Spanish and European regulation as a starting point

As regulatory starting points, we considered the National Artificial Intelligence Strategy (ENIA) of December 2020 and the European Commission’s proposed regulation on artificial intelligence (AI Act) of April 2021, which was presented as “a bill that aims to establish a regulation on AI, and to which companies will have to start complying in less than two years.“

More recently, on February 23, 2022, the European Union approved a proposal for a Directive on Corporate Sustainability Due Diligence, which aims to promote sustainable and responsible business behavior along global supply chains.

The proposed directive seeks to impose a series of obligations on companies concerning human rights and environmental impact, even defining the payment of fines and compensation by companies to people affected by the consequences of the adverse effects.

Based on the ethical, legal, and technical framework established in the current regulations and market standards, PwC developed a work program to diagnose whether organizations formally comply with these ethical principles, mainly covering the following areas:

Privacy and Data Governance.
Safety and Security: reliability, robustness, and accuracy.
Responsibility and Accountability.
Transparency and explainability.
Principle of fairness.
Focus on the human being: Human control and surveillance.
Promotion of values and human rights.
Environmental sustainability.

"The socioeconomic impact of artificial intelligence is evident. The continuous advances in research and application of this technology, in which the machine tries to replicate human capabilities such as reasoning, learning, creativity, or the ability to plan, have made it clear that its adoption must be a priority for all companies if they wish to remain competitive over the next decade.

However, the adoption of this technology has a major challenge that companies must know how to manage; the high impact that AI applications already have on our lives highlights the fact that never in history has it been such a priority to ensure a responsible and ethical use of technology."

Tamer Davut, Partner at PwC

Veridas, blazing a trail in the Artificial Intelligence sector

Veridas strengthens its commitment to be at the forefront of transparency, auditing, and reliability of its biometric solutions.

Leire Arbona, director of the Legal and Compliance department of Veridas, describes the company’s commitment with the following words:

"Since the creation of Veridas, it was clear to us that trust in this type of solutions must always be based on transparency and compliance, not only with legal and technical standards but also with the highest ethical values. This diagnostic work is another example of Veridas' evolution in this regard and our commitment to improving it continually.”

Leire Arbona, Legal & Compliance Director

To the constant evaluation of solutions in their technical aspect by prestigious international institutions such as the National Institute of Standards and Technology (NIST) or in their legal aspect for compliance with current regulations on data protection or prevention of money laundering, among many others, we now add this diagnosis of an ethical nature.

Precisely these three aspects, legal, technical and ethical, are the three fundamental pillars of any “trustworthy” AI. Specifically:

Legality: compliance with applicable laws and regulations.
Ethics: ensuring adherence to ethical principles and values.
Robustness: both technically and socially, even with good intentions, AI systems can cause unintended harm.

In this assignment, we have not only been observing the ethical regulations of the European Commission or the Government of Spain, but we have also focused on other relevant sources of information, such as the AI Risk Management Proposal published by NIST or use cases published by specialized media such as Harvard Business Review or MIT Technology Review.

“We have learned a lot in this process, having another independent view of our solutions and processes that have undoubtedly left us with many ideas on how to continue improving,” said Arbona.

In short, this diagnosis helps Veridas to position itself at the forefront of compliance with the ethical principles of Artificial Intelligence systems.

A legal and regulatory framework open to improvement

Through the work carried out in recent months, it has become clear that there are still areas for improvement in drafting regulations related to environmental and ethical issues.

For example, it has become clear that there is a need for guidance on documenting and auditing the compliance of artificial intelligence systems with the aforementioned ethical principles.

We have also become aware of the importance of rigorously documenting the risk analysis of artificial intelligence systems. In this regard, the NIST recommendations could be taken as a reference. However, it would be good to have a similar guide proposed by the European Commission.

The field of artificial intelligence is an ecosystem experiencing exponential growth; therefore, governments must tackle its regulation promptly. This will prevent the emergence of inappropriate and undesirable behavior by individuals or entities wishing to misuse the constant technological evolution we are facing.

The 7 keys that the European Banking Authority (EBA) stipulates for the use of Remote Customer Onboarding Solutions

Leire Arbona — Tue, 13 Dec 2022 10:51:26 +0000

The European Banking Authority (EBA) published on November 22, 2022, its Guidelines on the use of Remote Customer Onboarding Solutions.

This is the final version of the Guidelines submitted for public consultation a year ago and whose responses have helped finalize the guidelines that represent European confidence in a quality technology increasingly used by credit and financial institutions. Veridas participated in the public consultation process by contributing its proposals as a supplier with long experience in the sector.

What is the EBA, and what does it do?

The European Banking Authority (EBA) is a regulatory agency of the European Union that works to ensure the smooth functioning of the EU banking system. It is responsible for developing and implementing rules and regulations to protect the stability and integrity of the EU financial sector and for fostering cooperation between national banking regulators. The EBA also monitors developments in the banking sector and advises and guides the European Commission and other EU institutions on financial regulation.

What is the aim of the Guidelines?

The objective of these Guidelines is to set out “set out the steps credit and financial institutions should take when choosing remote customer onboarding tools and what [such institutions] should do to satisfy themselves that the chosen tool is adequate and reliable (…) and that it enables them to comply effectively with their initial Customer Due Diligence obligations”.

Thus, provided that the conditions set out therein are met, and to the extent permitted by national legislation, which may further specify the content of these Guidelines, the choice of the technological solutions to be used will be the responsibility of the credit and financial institutions. In this regard, it should be noted that the Guidelines are “technology neutral,” which the EBA considers “important to foster ongoing innovation and to ensure that the AML/CFT principles and procedures set out in these guidelines remain relevant and applicable.”

What are the Guidelines?

The Guidelines are divided into seven reference topics:

Internal policies and procedures: focuses on the entity’s knowledge of the remote onboarding process implemented and procedures for operating and monitoring it, even before it starts using it.
Acquisition of information: Focuses on obtaining the data necessary to verify the customer’s identity and the quality of the data needed to ensure the reliability of the process.
Document authenticity and integrity: It includes the security checks that must be made on the identity document presented in the process to validate its authenticity and integrity.
Matching customer identity as part of the verification process: The correspondence between the holder of the identity document presented and the person carrying out the process must be verified. For this purpose, the Guidelines propose the use of biometrics. They also establish the minimum requirements to be met in the process depending on whether there is a synchronous interaction between the customer and the financial institution’s agent (video call process) or whether it is a non-interactive process (usually known as the video-identification process).
Reliance on third parties and outsourcing: Credit and financial institutions are allowed to outsource, in whole or in part, the process of verifying the identity of their customers while maintaining responsibility for the process, its definition, and supervision.
ICT and security risk management: Reference is made to other guidelines published by the EBA about identifying and managing risks inherent to onboarding processes, which credit and financial institutions must take into account and implement.
Compliance where credit and financial institutions use trust services: Allowing the use of trust services and electronic identification, it is indicated that it is necessary to analyze how such solutions comply with the requirements established in the Guidelines in case it is necessary to apply compensatory measures.

A further step in the regulation of onboarding services

Ultimately, these Guidelines are intended to help national authorities learn more about non-face-to-face customer onboarding processes to make the most of them, establishing “a common understanding by competent authorities and credit and financial institutions on the steps [the latter] should take to ensure safe and effective remote customer onboarding practices that are in line with the applicable AML/CFT legal and data protection framework.”

In Europe, some countries have had regulation in this area for many years, while others have been regulating it in greater detail more recently. The Guidelines are in line with the tools and processes that many credit and financial institutions are already using, but it is expected that in some countries, some regulatory changes or more details in the existing ones will be necessary.

When will these guidelines be applicable?

The Guidelines will be applicable six months after publication in the official EU languages on the EBA website, but within a shorter period (two months after publication), competent national authorities will have to report whether they comply or intend to comply with the Guidelines.

The Spanish Senate recognizes biometrics as the only way to guarantee the identity of individuals certainly

Marta Morrás — Tue, 13 Dec 2022 08:57:06 +0000

In April 2021, Eduardo Azanza, CEO of Veridas, participated in the “Study paper on the adoption of a regulation of new technological, disruptive and social realities” framed in the Committee on Economic Affairs and Digital Transformation in the Spanish Senate.

In his intervention, as an expert in biometrics and Artificial Intelligence, Eduardo explained the role of biometric technologies in guaranteeing one of the fundamental rights of human beings: the right to identity.

Last October 14, 2022, the El Diario de Sesiones del Senado published a summary of all the sessions where he highlighted that among the different authentication elements established by Regulation (EU) No. 910/2014 of the European Parliament and the Council on electronic identification and trust services, biometrics “is the only one that can guarantee with certainty the identity of individuals”.

This is a very relevant conclusion that differentiates authentication elements and elevates biometrics above knowledge or possession-based systems. These systems, such as passwords or keys, are only anchored on a presumed identity.

Authentication elements

The European Union recognizes three elements of authentication:

Knowledge (something you know): a password, first and last name, your address, your ID number….
Possession (something you have): A cell phone, a coordinate card….
Inheritance (something you are): Your face or voice, biometrics.

Methods based on knowledge or possession are fragile to fraud and can be stolen or hacked. However, biometrics is an element that is unique to each person. Thanks to highly accurate biometric systems, individuals can exercise their real identity in both the physical and digital worlds.

Biometrics as a transforming ingredient of society

Modern biometric technology is accurate, easy to use, and guarantees the security and privacy of citizens, enabling univocal identification in the digital and physical space.

It also facilitates interactions with public administrations and companies, saving time, resources, and unnecessary travel, thus reducing the carbon footprint of each transaction.

As with any technology, the use of biometrics must be properly regulated, but its use is undoubtedly transforming society, leaving behind the digital divide, increasing security, and improving the user experience.

Veridas digital onboarding, first to meet Spanish’ National Cryptologic Center (CCN) new requirements for issuance of qualified certificates

Leire Arbona — Wed, 31 Aug 2022 05:07:04 +0000

Veridas has become the first company in Spain to successfully pass the qualification tests required by the new National Cryptologic Center (CCN) guidelines for its Digital Onboarding solution.

This critical achievement will allow those Qualified Trust Service Providers (QTSPs) that use Veridas technology to comply with the regulation required for issuing qualified digital certificates.

This requirement will come into force from March 1, 2023. It will be mandatory for any QTSP that wants to continue operating in Spanish territory and wishes to perform identity verification before issuing qualified certificates in a non-presential way. And, for the moment, only Veridas has a qualified solution for this purpose.

What is the CCN Security Guide, and why is it important?

To understand the role played by the CCN Security Guide in issuing qualified electronic certificates, it is necessary to go back to 2014, in the context of the regulations approved by the European Parliament.

Through the eIDAS regulation (regulation no. 910/2014), concerning electronic identification and trust services for electronic transactions in the internal market, the European Parliament opens the door for issuers of qualified electronic certificates to use for the verification of the identity of applicants “other identification methods recognised at national level which provide equivalent assurance in terms of reliability to physical presence. The equivalent assurance shall be confirmed by a conformity assessment body” (Article 24.1.d)

More recently, in 2020, Spain passed Law 6/2020, dated November 11, to regulate certain aspects of electronic trust services. In this law, reference is made to a new order where “other conditions and technical requirements for remote identity verification and, if applicable, other specific attributes of the person requesting a qualified certificate will be determined by other identification methods such as videoconferencing or video-identification that provide equivalent security in terms of reliability to physical presence as assessed by a conformity assessment body” (Article 7.2)

This order, ETD/465/2021, was finally approved on May 6, 2021, and it regulates remote video identification methods for issuing qualified electronic certificates. But on a technical level, and this is where the National Cryptologic Center comes into play, it was complemented by Annex F.11 on Video identification tools of the TIC Security Guide CCN-STIC-140.

This first version of the annex has recently undergone modifications, making it much more demanding in its technical requirements. Veridas has passed the tests carried out by DEKRA, one of the world’s leading organizations in the TIC sector (Testing, Inspection, Certification), both for the previous version and the new version of Annex F.11 of March 2022, a prerequisite for qualification by the CCN.

What are the requirements of the new version of CCN Annex F.11?

Annex F.11, as last amended in March 2022, distinguishes between Fundamental Security Requirements (RFS in its Spanish acronym) – which includes reference to the assessment of the Biometric Evaluation Module (MEB in its Spanish acronym) -, validation of submitted documents and optional Fundamental Security Requirements. Veridas has been evaluated by DEKRA against all requirements of the CCN guide, satisfactorily passing all the tests performed.

It is essential to highlight that the product has been the subject of 70 document fraud attacks and 230 facial biometrics attacks in the mobile web environment. The product had to guarantee the automatic detection of 100% of the cases without considering human intervention. These tests have meant overcoming one of the most demanding environments developed by an evaluator to date.

CERTIFICATION AND EVALUATION REQUIREMENTS

In this section, where reference is made to the required certifications and evaluations, it is worth mentioning how the CCN demands all qualified solutions to have their biometric engines evaluated by the National Institute of Standards and Technology, NIST, considered the most prestigious independent evaluator body in the world. Veridas has always submitted its facial and voice biometric engines for evaluation by the NIST, obtaining fantastic results yearly.

Specifically, the guide requests that “the biometric facial matching system between the applicant and the ID photo must have been evaluated, according to the Face Recognition Vendor Test (FRVT) in the VISABORDER category, by NIST and have obtained an FNR (False Negative Rate) of less than or equal to 5% for a FPR (False Positive Rate) of less than or equal to 1/1,000,000. The database used for the test must be the one used by NIST in 2020 or higher” (Article 24).

In this regard, Veridas obtained an FNR rate of 0.80% in its last submission in September 2021, well below the rate required by the CCN, which places it among the best biometric engines worldwide.

FUNDAMENTAL SECURITY REQUIREMENTS (RFS)

Protection against evidence capture attacks: the tool must ensure that a single device is used in a single sequential act of time. In addition, it must ensure that the process is executed in real-time without allowing pre-recorded files.
Biometric verification: the tool should provide facial biometric verification through the captured selfie and document. It should also incorporate active or passive liveness detection and implement presentation attack detection (PAD) mechanisms.
To assess the biometric verification requirements, the CCN specifies that the evaluator should do this by applying IT-14, also known as the biometric evaluation module (MEB). These requirements are explained later in the article.
Auditing: the annex defines different characteristics that the auditing tool accompanying the manufacturer’s solution must have.
Secure communications: the tool must establish secure channels when exchanging sensitive information with authorized entities or between different parts of the product, following the guide CCN-STIC-807.
Trusted administration: the tool shall ensure that only a user with administrator permissions can perform administrative functions, distinguishing between the role of configurator and auditor.
Identification and authentication: the tool shall identify and authenticate each user before granting access, implementing mechanisms to prevent attacks, protecting the confidentiality and integrity of authentication credentials, and blocking or close the session after a certain period of inactivity.
Protection of credentials and sensitive data: if the tool stores credentials and/or other sensitive data, these should be stored using the cryptological mechanisms authorized in CCN-STIC-807.

VALIDATION OF SUBMITTED DOCUMENTS

This section of Annex F.11 details the following requirements regarding the validation of submitted identity documents:

The tool shall implement detection mechanisms for replay attacks and print attacks.
The tool shall be able to verify that the validity date of the document has not expired.
The tool shall check the data integrity of the Visual Inspection Zone (VIZ) with the Machine Readable Zone (MRZ).
The tool shall generate alerts to the operator whenever it detects any of the described attacks or failed test checks.

BIOMETRIC EVALUATION MODULE (MEB)

As mentioned above, the MEB establishes a set of tests to be performed by the laboratory on the software under evaluation (Target Of Evaluation or TOE) to verify the biometric verification capability of the tool under assessment. In this set of tests, six types of attacks to be prevented are distinguished:

Imposter presentation attacks: this test aims to verify that the TOE is not vulnerable to the impersonation of a bona fide user by an attacker resembling the bona fide user.
Presentation attacks using videos: this test aims to check that the TOE is not vulnerable to the impersonation of a bona fide user by an attacker using a video of a bona fide user.
Presentation attacks using very low-cost masks: this test aims to verify that the TOE is not vulnerable to an attacker’s impersonation of a bona fide user using a low-cost (e.g., paper) mask as an artifact.
Presentation attacks using advanced masks: the objective of this test is to verify that the TOE is not vulnerable to the impersonation of a bona fide user by an attacker using an advanced mask as an artifact.
Presentation attacks using makeup: this test aims to verify that the TOE is not vulnerable to the impersonation of a bona fide user by an attacker using makeup as an artifact.
Attacks using deepfake computing tools: this test aims to verify that the TOE is not vulnerable to an attacker’s impersonation of a bona fide user using deepfake tools. These tools can manipulate video and sound, superimposing such those elements on the actual images. Focusing on a possible use of identity theft, deepfakes would be used to modify the face of one person on the video where another person appears.

What does having a CCN-qualified solution allow me to do?

To date, Veridas Digital Onboarding is the only solution available on the market that will enable a QTSP to issue qualified electronic certificates in a non-face-to-face manner as of March 1, 2023.

This recognizes Veridas’ continued work towards the qualification and ongoing assessment of all its solutions, seeking to provide a high degree of certainty to its customers and setting the industry standard for independent evaluations.

Veridas certifies compliance with all relevant regulations in all sectors in which it operates, such as anti-money laundering regulations (AML), data protection regulations (GDPR or CCPA), or the different standards in information security (ISO 27001 and ENS) or the one that regulates liveness detection (ISO 30.107) where we have recently obtained level 2 by iBeta.

Veridas uses 100% proprietary and fully automated technology (no human in the loop), which allows it to achieve very high levels of accuracy without compromising privacy and security.

In addition, the commitment to a Phygital approach to the identity challenge allows our customers to cover all their needs under a single provider: from digital onboarding of new customers to their authentication in both digital and physical environments.

Biometrics and data protection are an inseparable pair

Marta Morrás — Tue, 07 Jun 2022 12:23:31 +0000

Compliance and technology go hand in hand

Proving our identity in digital environments has become an almost daily activity, but is it a secure process?

There is a pressing need to maintain and increase security in all these processes without compromising our personal data protection. And that may be possible thanks to biometrics and advances in artificial intelligence technology.

Veridas and dasGate organized an event at the end of May to present case studies from the perspective of compliance and technology. A talk that was moderated by Eduardo Arbizu, Of Counsel at Pérez-Llorca, with the participation of Agustín Puente, partner at Broseta Abogados; Alonso Hurtado, partner at ÉCIJA Abogados; Leire Arbona, Legal and Compliance Director at Veridas and dasGate; and Eduardo Azanza, CEO and Co-Founder of Veridas and dasGate.

The session, which was especially aimed at Data Protection Officers (DPOs), provided an insight into the experience of access to El Sadar, the stadium of Club Atlético Osasuna, the first LaLiga team to implement a facial recognition access system successfully. In addition, biometric solutions for time and attendance control in offices were analyzed in detail, and digital and remote processes for opening bank accounts or issuing digital certificates.

Conclusions of the event

Among the conclusions drawn from the event were the following:

Modern biometrics is a guarantor and pillar to safeguard our identity, not the other way around. Everyone has the right to use it.
As we do at Veridas and dasGate, projects of high technical complexity can be carried out with exquisite regulatory care.
If lost, stolen or hacked, modern biometric vectors are not a threat to my identity (because they are irreversible and not interoperable, they cannot be used outside the system that generated them); this is keystone for regulation to be built proportionally.
Biometrics and artificial intelligence generate a more secure environment to operate our identity in the digital and physical (phygital) space.
Veridas and dasGate are leaders in technology and data protection, and we are ahead in development and transparency.