Signer Case Study - UBS
UBS SPARES ITS CLIENTS THE PAPERWORK AND INCREASES EFFICIENCY AND SECURITY USING QUALIFIED ELECTRONIC SIGNATURES
As one of the world’s largest banks, UBS is transforming its services through digitization by offering clients remote electronic signatures that provide the same legal value as a handwritten signature, while adding convenience and efficiency.
Using Cryptomathic Signer, UBS customers now have the freedom to digitally sign legally binding documents at any time on any device, from anywhere in the world.
For a superior user experience, UBS clients can utilise the secure signing service through multiple channels, such as in UBS e-banking or mobile banking, without changing the existing authentication methods.
Cryptomathic Signer also incorporates unique What You See Is What You Sign (WYSIWYS) technology to provide non-repudiation and give users confidence and trust in the transactions they are committing to.
As part of a comprehensive selection process for an e-signing solution that matched their business, legal and technical requirements, UBS carefully chose Cryptomathic Signer as being the most technologically advanced and secure digital signature solution on the market.
By partnering with leading security hardware and service providers, including SwissSign and nCipher, Cryptomathic delivered a turn-key solution allowing UBS to offer Qualified Electronic Signatures.
"Previously, our clients had to print, sign and send documents manually for compliance reasons. Now they can do it in a smart, easy and time-saving way. Thanks to the Cryptomathic Signer solution they can sign their contracts digitally in e-Banking – while meeting all legal and compliance requirements."
Head Multichannel Management & Digitization, UBS Switzerland
UBS – DRIVING DIGITIZATION
UBS is the largest retail bank in Switzerland and is also one of as the world’s largest wealth managers. Its range of services include wealth- and asset management as well as investment- and retail banking. With millions of clients, UBS has traditionally generated, managed and maintained vast amounts of physical documentation, all of which was signed by hand for legal and security purposes.
By leading the transformation of securely digitizing the entire customer journey, from opening an account and through its entire lifecycle, UBS has become one of the first banks in the world to roll out a Qualified Electronic Signature (QES) service to such a large number of users. The remote digital signing solution, Cryptomathic Signer, enables UBS to move more of its services online, pioneering a superior digital user experience while enhancing security and control of document management. As an added benefit, the financial and environmental costs of managing millions of paper documents are drastically reduced.
The ability to securely digitize operations as well as document management is a strategic goal for UBS in order to provide an improved customer experience that offers a competitive advantage to conduct business more efficiently through electronic means. A key enabler of the digitization strategy involves offering clients a legally binding remote electronic signature service that does not compromises security. Providing electronic signatures that are legally equivalent to handwritten signatures is a crucial step to achieve the objective of an entirely digital customer journey. Going paperless cuts gives customers flexibility to conveniently conduct business without the need to call or visit the bank branch, while increasing security and efficiency.
Due to UBS’ international operations and clientele, the electronic signature service has to comply with international regulations that carry the strongest legal value in court, in case of litigation. QES is the only current standard of e-signatures that can offer such a strong level of probative value at an international level.
In order to maximise the usability of a digital signature service, it was imperative that UBS’ existing portfolio of online services and systems could leverage the QES solution to deliver greater value to their customers. As such, the key requirements for the electronic signature service include:
Seamless signing workflow for end-users:
The signature operation must be simple and straightforward for users, without disrupting the familiar user-flow. To ensure a strong service uptake, UBS required the solution to support a variety of channels and devices without changing the user experience or impose downloads.
The reuse of existing authentication technology for user authentication and transaction signing was an important requirement to ensure the viability of the solution for cost and environmental considerations. In addition, the solution would have to serve new efficiency and sustainability requirements. Going paperless for a bank the size of UBS with millions of contracts signed on a monthly basis is naturally a big step in the right direction.
Performance and Scalability:
The service is expected to support millions of customers, growing from an initial roll out in the Swiss domestic market. Being able to maintain a high level of availability with short latency was naturally also an important requirement.
User Confidence and non-repudiation:
In order to meet internal UBS compliance policies and user expectations, the solution had to encourage the same level of confidence and security regardless of whether a document was signed at the branch or online. In particular, the solution had to ensure that what the customers are committing to when invoking an electronic signature is precisely what they intend to sign - as displayed on the user’s device. In other words, only the correct document can be signed by the user and this document cannot be tampered with.
UBS business and legal stakeholders were ready to move online under the condition that the online signature process delivers the same probative value as the offline process. In Switzerland and in the EU, only a QES provides the principle of legal equivalence between handwritten signatures and electronic signatures. A signature pad or advanced electronic signature was not good enough to achieve the digital transformation objectives.
IMPLEMENTATION AND USER EXPERIENCE
Together with Cryptomathic, UBS implemented the solution to offer a unified signing experience for multiple channels, where the flexibility of the Signer architecture allowed for minimal changes to be made to the existing front- and back-end environments. If we look at the users’ journey from the time they knock at UBS’ virtual bank door, the following happens:
The first step is a prospect who wants to become a customer. The client on-boarding process is slightly adapted beyond the traditional Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements from the financial regulator FINMA, as well as the requirements from the federal office of communication (OFCOM / BAKOM) around QES.
As part of this, it is essential to verify that the user is eligible to receive a qualified certificate that must be bound to the electronic signature, as per Swiss digital signature law. A Registration Authority (RA) assumes responsibility of activities consisting of verifying and collecting the user´s identity credentials before a qualified certificate can be issued. The RA function is delegated by the selected Certificate Service Provider, SwissSign, who bears the responsibility of liability of certificate issuance as ascertained in a certificate policy.
The client on-boarding process is either done face-to-face or, more recently, remotely through video identification. This first step of identification and on-boarding is extended to include the QES terms, where all of the intricate PKI processes are done behind the scene.
The second step is when a client advisor prepares a document or contract which requires a signature from the end-user. This step remains unchanged. The only addition is that the back-end now verifies whether or not the user is eligible to sign online.
The third step is the actual signature operation, which starts when the user decides to sign a transaction or document. With one click, the user can securely observe the document over a trusted viewer, featuring Cryptomathic What You See Is What You Sign (WYSIWYS) technology. On the user side, WYSIWYS is a zero footprint signature client running inside the browser to protect against online attacks and ensure nonrepudiation. To securely authorise the signature operation, the user is requested to use their authentication token in a similar way as when logging into to the system.
Behind the scene, a secure, sole control channel is established between the user´s browser and the Signer hardware security module (HSM), where is the user´s signing key is protected using a Common Criteria certified HSM from nCipher Security. As soon as the document is signed, a visual signature mark is stamped onto the document so that both parties can easily see that the document was signed. The solution follows relevant ETSI standards to ensure interoperability with standard browsers.
UBS SOLUTION OVERVIEW
In order to offer the qualified electronic signature service, UBS and Cryptomathic designed the architecture as illustrated below.
Signer is a remote signature solution and the main component of the QES infrastructure. Cryptomathic’s patented solution offers centralised digital signature services in a secure, convenient and cost effective fashion. The QES service is delivered through a unique signing experience where PKI becomes transparent to the end-user and integrated into the business workflow.
Users no longer need to carry around smart cards and worry about interoperability or protecting their private keys; the signing keys are deposited in a central and encrypted database, protected by HSMs. Signatories seamlessly retain sole control over the signing process using strong authentication techniques. All of this is hosted in UBS’ secure data centre. The business units that integrate directly with Signer include UBS’ e-banking, corporate banking, mobile banking and wealth management services.
Cryptomathic WYSIWYS module
As part of the complete solution, the unique What-You-See-Is-WhatYou-Sign (WYSIWYS) technology ensures that users can only sign a document that is presented to them if the document is genuine and has not been tampered with. The Cryptomathic WYSIWYS module is a web application, which provisions the necessary zero footprint interfaces to the user´s browser or mobile app in order to deliver the WSYSIWYS functionality over a trusted viewer and perform document signing using Cryptomathic Signer.
The WYSIWYS module plays a key role in the signature creation by delegating the signature request to Cryptomathic Signer. The Cryptomathic WYSIWYS Server supports input data in PDF/A and outputs signed data with PAdES signature profiles. It handles PDF manipulation in order to create the PAdES signatures and renders images of the PDF documents that are displayed in the WYSIWYS Client.
Cryptomathic Signer RA
The Signer Registration Authority (Signer RA) is an integration component provided by Cryptomathic situated between UBS´ user management solution and Signer.
It exposes a RESTful web services interface so that users can be generated and certificate established or revoked. The Signer RA handles all the necessary interaction with Signer as well as with the external CA services provided by SwissSign.
SwissSign CA Services
SwissSign, a leading certificate authority (CA) provider in Switzerland, partnered with Cryptomathic to deliver the complete QES solution. As part of the deployment, SwissSign’s MPKI services delivers the Qualified Certificates in accordance with Swiss signature law (ZertES) and EU regulations (eIDAS). Based on the user´s identity credentials that are collected and verified by UBS, SwissSign enables UBS to act as a Registration Authority (RA-Delegation) for its Qualified Certificates.
In addition, SwissSign also provides OCSP services and certificate management such as certificate revocation and necessary dissemination and maintenance of the so called certificate revocation list (CRL), as well as Time Stamping services to issue time stamps in accordance with the RFC 3161 standard. SwissSign is also in charge of maintaining and enforcing policy for the issuance and the use of Qualified Certificates as specified in their SwissSign Platinum Certificate Policy / Certificate Practice Statement.
These services had to undergo stringent audits performed by the Swiss Accreditation Body, KPMG AG, which is the entity designated by the Swiss regulator SAS (SECO).
nCipher n-Shield HSMs for key protection
nCipher Hardware Security Modules (HSMs), certified against Common Criteria EAL4+ standards, are used provide the strongest level of protection for the private keys that are used by Signer to provide the remote signature services for UBS.
Cryptomathic Signer also uniquely makes use of the HSMs for terminating the sole control channel in a tamper evident environment as demanded by eIDAS and supported by nCipher nShield Connect and Cryptomathic Signer.
Integration with the UBS environment
The flexible and extendable architecture of the Signer solution allows efficient integration with legacy services. For UBS there was a need to provide seamless integration with several e-banking services; the document management system; the authentication service and existing user management process.
This also involved integrating with UBS´s Web Application Firewall which controls input, output, and/or access from, to various application so that the user maintains a single browsing session while accessing multiple services.
At the time of writing, UBS has won the prestigious industry magazine Euromoney's "Best Bank in Switzerland" award for five consecutive years, and was recently voted "World`s best Bank for Wealth Management". To maintain its leadership position on a global level, UBS aims to be a forerunner in digitization by offering a secure end-to-end digital customer journey with a QES service that ensures legally binding user consent and non-repudiation.
By teaming up with Cryptomathic and choosing Signer, the market leading remote e-signature solution, UBS made a strategic investment. With more than 2,000 document templates and over 2,5 million documents physically signed, scanned and processed in 2015, the potential for greater efficiency resulting from the electronic signature service is simply tremendous. The ability to provide all services online in real time, from any device, anywhere in the world is a great competitive advantage for UBS – resulting in superior customer experience, control and cost savings.
Cryptomathic technology is a strong enabler in that regard. UBS’ decision to offer a credible alternative to hand-written signatures, which have been entrenched in peoples’ behaviour for centuries, requires the engagement of a skilled partner; which beyond possessing skills in IT security and complex project management also needs to pay attention to legal and regulatory aspects as well as user experience. Cryptomathic, with its Signer solution and a highly competent and devoted team, successfully delivered this unique combination.
Read how UBS offers its clients remote electronic signatures providing the same legal value as a wet signature.
UBS had the following goals:
- Enhanced user experience through a seamless digital signing workflow for end-users
- Sustainability through paperless workflows
- High performance and scalability, to serve millions of customers
- Compliance to the eIDAS regulation for Qualified Electronic Signatures - providing the same probative value as handwritten signatures but making it more difficult to counterfeit.
The case study explains how the goals were accomplished by integrating Cryptomathic's Signer solution into the existing UBS infrastructure.