Ask Sumsubers: What are the most important certifications and attestations for a verification provider?

Sumsub keeps getting questions from our followers about the specifics of regulatory compliance, verification, automated solutions, and everything in between. We’ve therefore decided to launch a bi-weekly Q&A series, where our legal, tech, and other experts answer your most frequently asked questions. Check out The Sumsuber and our social media every other Thursday for new answers, and don’t forget to ask about the things that interest you.

This week, our DPO/Deputy Head of Legal Department, Polina Ryabinchuk, will advise on the most important certifications a verification provider must hold.

"Usually, a company can ensure the reliability and security of its digital identity verification solution by passing independent assessments in the areas of information security, data privacy, and identity verification product-related evaluations. The following certifications and tests are examples that confirm adherence to industry standards in these areas:

Information Security:

• ISO/IEC 27001:2013
• ISO/IEC? 27017:2015
• ISO/IEC 27701:2019
• SOC 2

Data Protection:

• ISO/IEC? 27018:2019
• UK GDPR certification (Data & Privacy ACCS 2:2021)
• EU GDPR certification

Product-related:

• eIDAS & ETSI standards framework
• UK digital identity and attributes trust framework
• ISO 29003:2018? & 29115:2013
• FIDO certification

Testings:

• Biometric Presentation Attack Detection according to ISO/IEC 30107-1:2023

These certifications demonstrate a company’s compliance with a wide range of international and local requirements and best practices.

However, this list is not exhaustive. It’s important to know how often the company conducts audits and whether it actively seeks new checks and certifications. Recently, Sumsub became the first identity verification provider to complete the new Global Digital Identity Certification (GDIC).

This certification is based on ISO/IEC 29115:2013 (LoA2 & LoA3) and ISO/IEC TS 29003:2018 Identity Proofing (LoIP2 & LoIP3), setting a new benchmark for secure and standardized digital identity verification worldwide. The standard offers a comprehensive framework for reliable digital identity verification.

You can check the key features of the Global Digital Identity Certification here. In December 2023, ISO published the first edition of the global standard for AI management systems. It is essential to give careful consideration to this standard when engaging with providers that utilize AI.

Additionally, it’s important to ask the following questions:

• Does the vendor have the technology to combat sophisticated identity fraud?
• Does the vendor use device fingerprinting?
• Does the vendor employ #AI to detect AI-enhanced documents?
• How and where does the vendor store the processed data?

It’s also critical to determine if the vendor helps its partners stay compliant with regulations in their operating regions. Make sure to verify if the provider is familiar with various regional regulations in the areas mentioned above.

You can view all of Sumsub’s existing certifications here . For a detailed guide on selecting an efficient verification vendor, check this link .