After a proposed rule was published in July 2022, on January 25th the New York Department of State amended Title 19 of the New York Codes, Rules and Regulations (NYCRR), Chapter V, Subchapter E, Part 182 as it relates to notaries and remote online notarization (RON).
Section 182.7.a reads, “Identity proofing must meet, at minimum, the Identity Assurance Level 2 standard as outlined in the Digital Identity Guidelines of the National Institute of Standards and Technology (NIST), as referenced in subdivision (b) of this section, or any industry accepted standard that is at least as secure, or more secure, than that standard.”
The amended language of “any industry accepted standard”, leaves open the potential for ambiguous technology implementations which could be based on standards which are not parallel with efforts to support RON. In addition, unforeseen risk and exposure may occur due to lack of “uniformity” needed for both RON service providers and all relying parties.
Identity Assurance Level 2, commonly referred to as IAL2 is defined in NIST’s Special Publication 800-63a, which is part of the SP 800-63-3 suite of documents last revised in 2017 and currently in the process of being updated. Federal agencies must comply with NIST’s guidance and over the years many state, county and local governments as well as commercial entities have embraced 800-63-3. Many have written 800-63-3 certification as a requirement for vendors into RFPs.
No doubt, the regulation caught the attention of all RON vendors given New York’s population and position in the financial industry. To date, states that have enacted laws permitting RON have for the most part written portions of MISMO’s RON standards into their laws, which have no requirement to comply with NIST’s IAL2. MISMO is short for the Mortgage Industry Standards Maintenance Organization, according to its Wikipedia entry, MISMO is “a not-for-profit, wholly owned subsidiary of the Mortgage Bankers Association responsible for developing standards for exchanging information and conducting business in the U.S. mortgage finance industry.”
While notarizations are used for real estate transactions, they are not isolated to mortgages, so why is the Mortgage Bankers Association driving remote online notarization standards for the nation? I’ve been scratching my head over that for a few years now. NIST and/or NIST’s National Cybersecurity Center of Excellence (NCCoE) should really be engaged here. Afterall, NIST is part of the U.S. Department of Commerce, but I’ll leave that for another day.
Most vendors address IAL2 by combining the scan of a government issued identity document such as a driver license or passport along with a bank statement or utility bill, with a selfie that is checked for liveliness to assure it is really a live person’s face and not a recording or a mask that looks like someone else, that is compared using biometric algorithms. The documents are also checked to be authentic and verified to provide confidence in the asserted identity’s validity.
Regulations should be “black and white”, whenever possible. In the case of IAL2 for RON, black and white was possible, but NY regulators opted for gray – leaving vendors, state agencies and commercial organizations with questions.
NIST defines guidance but does not assess and certify vendors. The federal government no longer maintains an approved products list of credential service providers and instead recognizes the Kantara Initiative, a globally recognized, non-profit certification body for NIST’s SP 800-63-3 under the Kantara Assurance Program. Kantara’s five-person Assurance Review Board (ARB) even includes a representative from NIST. The ARB is the body that reviews assessments and awards the 800-63-3 trustmark to vendors.
It would have been helpful for the state to name another industry accepted standard that is at least as secure, or more secure, than that standard.” The only thing close is DirectTrust, but DirectTrust specializes in the healthcare industry and along with Kantara will be instrumental as HHS’ Trusted Exchange Framework and Common Agreement (TEFCA) matures, which has an IAL2 requirement to assure that those professionals accessing and exchanging electronic health records are who they claim they are. The FIDO Alliance has pieces available for technical certification with its Document Authenticity and Biometric Component Certification Programs, but not a full certification for NIST 800-63-3.
I will note there is a distinct difference between a vendor claiming they meet the IAL2 standard and actually being assessed and being awarded a trustmark. I have been employed by vendors that could claim that they technically met the IAL2 requirements but were never assessed or were awarded a trustmark.
Kantara’s assurance program goes well-beyond technical requirements and includes non-technical requirements that vendors must first self-attest to and later provide evidence to a Kantara-accredited, independent, third-party assessor, like Kuma, that they actual do what they say they do. Some examples include:
- Is the vendor financially solvent?
- How long do they retain personally identifiable information (PII)? Where is it stored and how is it secured?
- How do they obtain user consent?
- Do they have a privacy policy in place? When was it last revised?
- Does the vendor have a Security Awareness and Training Policy applicable to all employees?
- Do they have an Information Security Management Plan? When was it last revised?
While many RON vendors may qualify for Kantara trustmark, as of today, none have directly, but some may be partnered with a credential service provider that have been certified.
To thwart the ambiguity in the regulation, I recommend that procurement officers in New York (and the other 49 states) require a Kantara trustmark to meet the intent of the regulation.
The title states that NY Regulators swung and missed. To be clear, they did not strike out and it would behoove them to tighten up IAL2 requirement and add clarity to the regulation.
