Campaign text for updating O.G. 85/2004

Executive summary

What the petition asks for

• a legal obligation to perform robust multi-factor identity verification before contract formation and before disbursement
• mandatory use of a biometric liveness factor and at least one additional independent factor
• a prohibition on disbursing funds before verification has been completed successfully
• loss of enforceability and invalidity of contrary clauses where minimum safeguards are missing
• suspension of enforcement and negative reporting when there is a substantiated complaint of identity theft or fraud
• retention for at least 5 years of the relevant logs and recordings

Why ANPC

• O.G. 85/2004 expressly places consumer complaints and reports concerning distance financial contracts within ANPC’s competence.
• The petition asks ANPC to assess the need for an urgent legislative amendment and to support related changes in other applicable acts.
• From a consumer-protection perspective, the intervention must be about valid consent, technical proof and a fast remedy, not only formal compliance.

Technical proposal to amend Article 8

Below is a public and condensed version of the proposed legislative solution for remote credit contracts:

1. (5)Before concluding the contract and before making funds available, the provider completes robust multi-factor identity verification of the client.
2. (5¹)Verification must include a biometric liveness factor and at least one additional independent factor from another category, together with documentary checks of the identity document and corroboration with lawful independent sources.
3. (6)Disbursement of funds is prohibited until the checks have been completed successfully.
4. (7)Failure to comply with the minimum obligations removes the contract’s enforceable effect and invalidates contrary clauses.
5. (8)Upon receipt of a substantiated complaint of identity theft or fraud, the provider suspends enforcement and negative reporting until internal checks are completed and gives a reasoned answer within a short timeframe.
6. (9)The provider retains logs, documents and technical recordings of the identification process for at least 5 years and makes them available to authorities and courts on request.
7. (10)Competent authorities issue technical rules on anti-spoofing, liveness performance, auditing and security testing.

Requests addressed to ANPC

• to register the petition and communicate the registration number, responsible unit and indicative response timeline
• to examine the opportunity for urgently amending O.G. 85/2004 in line with the technical proposal
• to support the necessary legislative alignment with O.U.G. 50/2010 and Law 129/2019
• to examine, from the perspective of professional diligence and unfair practices, how some providers currently verify identity in online-credit processes
• to communicate ANPC’s position in writing and, if steps are initiated, the indicative calendar