Documentation
API ReferenceChangelogFAQDashboard

Qualified Electronic Signature (QES) Verification

Effortless and compliant customer onboarding for the entire Europe.

Sumsub's QES Verification is a Qualified Electronic Signature-based remote onboarding and document signing solution that meets the highest identification standards in the European region. It is recognized as a compliant method for customer verification under the national AML/CDD requirements in all 30 member states of the European Economic Area (EEA). Moreover, the solution facilitates instant high-value and high-risk document signing with the legal power of a handwritten signature that is formally accepted on an international level.

Since QES Verification is consistent with the electronic trust service requirements established under the eIDAS framework which has been incorporated into national AML/CDD law by EEA countries, businesses are not required to individually comply with jurisdiction-specific identification standards, including those of BaFin in Germany, ANSSI in France, SEPBLAC in Spain, or ADR in Romania.

The solution works by combining Sumsub's certified Identity Verification modules together with the Document Signing service enabled by a Qualified Trust Service Provider (QTSP). To complete the onboarding journey using a QES, the customer simply needs to verify their identity and seamlessly sign the relevant documents using a One-time Password.

Overall, QES Verification is an excellent choice for user verification and electronic document signing that not only helps organizations achieve regulatory compliance on a pan-European basis, but also enables a fast and effortless experience for their end customers.

📘

Note

Under the requirements of the German Money Laundering Act (GwG § 12 (1) 3.), when a person's identity is verified by means of a qualified electronic signature, the obliged entity is also required to ensure that a transaction is executed directly from a payment account, which is held in the name of the verified individual.

In order to help regulated organizations in Germany achieve compliance with this requirement, Sumsub has simultaneously enabled the Penny Drop Verification solution, which enables combining Identity Verification, Payment Initiation, and Qualified Signing in a single user journey.

Use cases

QES Verification satisfies two primary use cases for Sumsub clients.

Case 1: User onboarding that is compliant with AML/CTF regulations across all European Union countries under the eIDAS framework, including the following industries and sectors:

  • Banks
  • Neobanks
  • Trading platforms
  • iGaming operators
  • Investment platforms
  • Credit unions
  • Brokerage firms
  • Insurance companies

Case 2: Electronic signing of high-value or high-risk documents that require the same legal power as a handwritten signature, including:

  • Financial Services — credit applications, platform usage agreements, loan agreements.
  • Employment — employment contracts, vendor contracts.
  • Government — permits, tax returns.
  • Healthcare — patient consent forms, prescriptions.
  • Real Estate — property leases, sales agreements.

Solution benefits

  • Compliance. Ensures full compliance with national AML/CTF regulations for customer onboarding in all 30 member states of the European Economic Area (EEA) as well as United Kingdom and Ukraine.
  • Scalability. Enables businesses to onboard customers on a pan-European level without having to comply with country-specific identification standards, such as those of ANSSI in France, SEPBLAC in Spain, and ADR in Romania.
  • Conversion. Improves the speed and user experience of identification and document signing in comparison to traditional verification methods accepted in Europe, leading to a direct increase in both customer conversion and approval rates.
  • Legal recognition. Delivers the same legal power for document signing as a handwritten signature, making it effortless for businesses to remotely execute legally binding transactions and agreements.
  • Fraud prevention. Offers the highest level of onboarding and operational security by ensuring the integrity of the signed document, authenticity of the customer data, and non-repudiation of the signing process.
  • Seamless integration. Delivers an effortless product implementation experience for Sumsub clients via our lightweight Mobile and Web SDK frameworks.

How QES Verification works

The Sumsub QES process is typically completed in less than 5 minutes, requiring minimal user action; it is simple and streamlined to enhance user experience while ensuring security.

General QES Verification flow

Step-by-step product journey:

  1. ID Verification. The applicant’s identity document is captured and verified via our Seamless ID Capture module.
  2. Liveness check. Biometric data is collected to confirm the applicant's identity document ownership and real-time presence.
  3. Phone and Email Verification. Applicant submits and verifies their phone number and email address via OTP. This step can be omitted if the Sumsub client shares the verified phone number and email address data via the API before starting the onboarding.
  4. Document review. Applicant is presented with client documents to review prior to signing.
  5. OTP Authentication. A One-time Password (OTP) is sent to the applicant's verified phone number to confirm real-time signing is automatically filled in.
  6. Document Signing. The document is signed with a Qualified Signature and sent back to the client both via the API and the Dashboard.

Penny Drop Verification flow

Step-by-step product journey:

  1. ID Verification. The user’s identity document is captured and verified via our Seamless ID Capture module.
  2. Liveness check. Biometric data is collected to confirm the applicant's identity document ownership and real-time presence.
  3. Phone and Email Verification. Applicant submits and verifies their phone number and email address via OTP. This step can be omitted if the Sumsub client shares the verified phone number and email address data via the API before starting the onboarding.
  4. Country and bank account selection. Applicant identifies their onboarding country and bank from which the transfer will be conducted.
  5. Consent review. Applicant provides consent for personal data sharing and authorizing the transaction.
  6. Bank account login. Applicant logs into their online banking account via Secure Customer Authentication (SCA).
  7. Payment confirmation. Applicant authorizes a nominal payment, typically of 0.01 EUR, to be processed from their account. The transferred amount will be returned.
  8. Real-time presence and account ownership validation. The relevant applicant identity and account data are retrieved to confirm the applicant's real-time presence. Additionally, the system cross-checks the information to ensure a complete identity match and validate the account ownership.
  9. Document review. Applicant is presented with client documents to review prior to signing.
  10. OTP Authentication. A One-time Password (OTP) is sent to the applicant's verified phone number to confirm real-time signing is automatically filled in.
  11. Document Signing. The document is signed with a Qualified Signature and sent back to the client both via the API and the Dashboard.

Supported jurisdictions

Sumsub's QES Verification solution supports all jurisdictions that have incorporated the eIDAS framework (Regulation (EU) No 910/2014) and, specifically, the regulatory guidelines concerning Qualified Electronic Signatures as part of their national AML/CTF laws for customer identification and document signing. That includes all 30 member states of the European Economic Area (EEA) as well as the United Kingdom and Ukraine.

Austria
Belgium
Bulgaria
Croatia
Cyprus
Czechia
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Latvia
Liechtenstein
Lithuania
Luxembourg
Malta
Netherlands
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Ukraine
United Kingdom

📘

Note

Countries in the European region, such as Georgia, Serbia, Switzerland, and Turkey, have separate approval processes for Qualified Trust Service Providers under their national laws that should be executed in order to offer Qualified Signing locally. For the time being, Qualified Electronic Signatures issued under the eIDAS technical standards and legal framework are not recognized on a formal basis in these jurisdictions.

Supported identity documents

Sumsub's QES Verification supports all official identity documents that are recognized for remote customer verification under the eIDAS framework and ETSI technical standards. Depending on the jurisdiction, these may include National Identity Cards, Passports, Driving Licenses, and Residence Permits. Overall, the solution offers around 98% adult population coverage in each applicable country. Explore our Coverage Sheet for a full breakdown of the supported identity documents.

📘

Note

While a number of countries have not incorporated the eIDAS regulatory guidelines into their AML/CTF laws and do not recognize Qualified Electronic Signatures as defined under the framework, the ETSI technical standards still accept the identity documents of those countries for customer verification and Qualified Signature issuing purposes. As a result, the provided list of supported identity documents covers a much broader scope than the list of supported jurisdictions.

Supported languages

The QES Verification solution currently supports the following languages:

  • English
  • German
  • French
  • Italian
  • Spanish
  • Dutch
  • Polish

📘

Note

  • Languages that are not supported will be displayed in English within the Document Signing steps of the process. The rest of the verification process will be displayed in the language chosen by the client, as long as it is supported by Sumsub.
  • Contact your Customer Success Manager if you wish to include an additional language to the onboarding flow. The expected delivery time is ~1 month.

Compliance overview

Sumsub’s Qualified Electronic Signature ensures several crucial elements, which gives it the same legal power of a handwritten signature:

  • Integrity — no modifications to the document or its content can be made once the signature has been issued;
  • Authenticity — the signature is based on a qualified certificate, which serves as a proof of the signer’s identity;
  • Non-repudiation — the signer cannot deny having completed the signing process himself.

For these reasons, QES Verification adheres to the highest identification standards under the eIDAS framework (Regulation (EU) No 910/2014), which outlines the use of electronic identification and trust services and is considered equivalent to in-person customer onboarding. As a result, the solution is recognized as a compliant identification method by national AML/CTF regulatory requirements in all 30 member states of the European Economic Area (EEA) as well as United Kingdom and Ukraine.

Setup and configuration

The provided QES Verification solution scheme demonstrates the following:

  • Integration architecture between Sumsub, our clients, and the Qualified Trust Service Provider (QTSP)
  • Required and optional steps of the end-user journey
  • Overall solution functionality

Get started with QES Verification integration

The QES Verification solution is currently supported via the following Sumsub frameworks:

Refer to the complete technical integration guide to get started with the implementation process of QES Verification.

QES Verification FAQ

Find the most frequently asked questions about Qualified Electronic Signature (QES) Verification.

Is Sumsub certified as a Qualified Trust Service Provider (QTSP) under eIDAS?

Sumsub is a certified Registration Authority (RA) under the relevant ETSI technical standards, meaning our Identity Verification modules are approved for issuing Qualified Digital Certificates and Electronic Signatures. To issue Qualified Electronic Signatures, Sumsub partners with InfoCert - a certified QTSP under the eIDAS framework.

Which financial regulatory bodies in Europe recognize QES as a compliant method of customer identification under AML/CDD laws?

Since the 30 member states of the European Economic Area (EEA) have incorporated eIDAS-regulated trust services into their national AML/CDD law as accepted methods for identity verification, the QES is recognized as a compliant means of customer identification across the EU. As a result, regulatory bodies such as SEPBLAC, ANSSI, BaFin, and the Bank of Italy accept QES as meeting the highest level of assurance for electronic verification.

Can QES Verification work as an alternative to the SEPBLAC-approved Video Identity Verification process in Spain?

Yes, an Independent review conducted by ECIJALAW FIRM S.L.U confirmed that Sumsub's eIDAS-compliant QES Verification is a valid alternative to the SEPBLAC-authorized, video-based identification process for the purpose of remote identity verification.

What is the Seamless ID Capture solution and how does it differ from Sumsub's standard Photo IDV?

The Seamless ID Capture is Sumsub's ETSI-certified identity document capturing solution that delivers a fast and effortless experience for the end-user in verifying their proof of identity, and simultaneously adheres to the highest international standards for customer identification. The solution works just like our regular Photo Identity Verification service, the main difference being that the entire document capturing process is seamlessly recorded in the background and stored on the Applicant's Page for compliance purposes, making it eligible for the issuance of Qualified Signatures under the ETSI 119 461 technical standard.

Which user interface languages are supported in QES Verification?

While English is the default setting in the QES Verification solution, Sumsub additionally supports French, Spanish, Italian, German, Dutch, and Polish languages at no additional cost for its clients.

Is QES Verification available for testing using both real and test applicant data?

Yes, the solution can be tested using mock personal data on our Sandbox environment, while the Production environment allows test using real user information.

Is the customer allowed to leave the QES Verification session while their identity data is being processed and resume it later?

Yes, once the the end-user's identification status changes, Sumsub will immediately send the client an API webhook informing them about it. In turn, this will allow them to send an in-app or email notification to the end user, letting them know that their data has been processed and they can continue with the final steps of the QES Verification.

Are there any limits on the maximum number of documents that can be signed in a single session?

There are no limits to the number of documents that can be uploaded for signing in a single session. However, the maximum size of the total uploads is 30MB.

Are there any limits on the maximum number of signatures that can be requested per document?

There are no limits to the number of Qualified Signatures that can be requested per signed document

Is it possible to sign a document with multiple Qualified Signatures?

Yes, both the number and placement of the Qualified Signatures can be defined using Sumsub's Client Dashboard or dedicated API method by specifying the X and Y axes of each signature in the document.

What is the average time of the document signing step of the QES Verification?

Document signing with a Qualified Signature is expected to take an average of 5 seconds. The required time additionally depends on these factors:

  1. Number of documents uploaded for signing;
  2. Size of the uploaded documents;
  3. Number of signatures required in each document;
  4. Latency of the SMS OTP code delivery.
Does Sumsub charge additionally depending on the number of signed documents or signatures per document?

No, the number of signed documents or required signatures per document does not affect the solution billing.

Does Sumsub charge its clients per initiated or per successfully completed signing sessions?

The charges apply per each initiated signing session, but only after the customer successfully passes the Identity Verification part of the process. Moreover, if the customer leaves the signing session before completing it, the same session, which is valid for 60 minutes, can be re-used, avoiding additional charges.

How will the customer receive the documents signed with a Qualified Signature?

Sumsub will firstly return all signed documents to the client both via API and the Client Dashboard. The client can then share these documents with their customer using their dedicated platform or other communication channels.

What is the validity of a Qualified Signature?

The validity of a Qualified Signature is 20 years.

What is the validity of a Qualified Certificate?

The validity of a Qualified Certified that is used in document signing is 60 minutes. The certificate is issued after the customer successfully passes the identity verification process.

Is the Qualified Certificate reusable for multiple signing sessions?

No, the Qualified Certificate can only be used once in a document signing session. Multiple signing sessions require completing the identity verification subsequently.

Why does the identity document capturing process require recording?

According to the ETSI 119 461 requirements, remote customer identification, which is conducted on the basis of a physical identity document, requires recording of a video sequence to visualize the physical characteristics of the identity document and its security features, covering each relevant side.

Why is manual Operator review required in QES Verification?

According to the ETSI 119 461 requirements, fully automated remote customer identification can only occur when a digital identity document is used as evidence. Meanwhile, physical identity document verification requires manual operator review.

What is the average time of the manual applicant review by the Operator?

On average, manual applicant review by the Operator takes 1-2 minutes.

Why does QES Verification require Email address and Phone number authentication?

Sumsub requires user contact information as part of the regulatory requirements to issue a Qualified Digital Certificate. At the same time, a verified Phone number is required to conduct the SMS One-time Password (OTP) authentication for document signing in real time and by the same verified individual.

What is the format of the SMS OTP code and how long is the code valid for?

The SMS OTP code is composed of 8 digits and is valid for 5 minutes.

Does Sumsub offer its ETSI-certified Identity Verification module on a standalone basis?

Yes, Sumsub offers its certified Identity Verification module on a standalone basis for clients that already have a Qualified Signing solution.

Updated 8 days ago