The broader financial services industry – including banks, credit card companies, FinTech service providers, tech companies offering digital wallets etc – are today at the frontlines in the fight against cybercrime. Because these companies are involved in moving large sums of money around each day, they become obvious targets for criminal elements.
Many people assume that cyber attacks targeting financial service companies are sophisticated and high level, and while that is indeed true for some cases, the vast majority of them happen due to simple carelessness. For example, not having secure passwords, allowing malware to infect your computer, logging in on infected public computers and so on.
A Balancing Act
Financial services companies have to obviously protect against this threat. However, they are also under pressure to make banking a lot easier and seamless. They are under threat from things like digital wallets, P2P lending, robo-advisors, digital-only banks etc which offer a hassle-free experience and are becoming the platforms of choice for many people.
A balance is therefore needed – something that provides a great level of security but is also capable of being seamlessly integrated on
multiple platforms using multiple
approaches.
This is where Qualified Electronic Signatures come into the picture. To be fair, electronic signatures have been used for a while now but with the eIDAS Regulation, the European Commission has clearly set out the criteria for what qualifies as a Qualified Electronic Signature (hence the name).
These signatures have a certificate that is issued by a qualified trust provider using a Qualified Signature Creation Device (QSCD). The technical specifications for using these electronic signatures for XML, PDF and emails have been developed by the European Telecommunications Standards Institute. However, from a banking/ FinTech perspective, the most interesting aspect is their legal status. EU member states have to accord the same legal standing to qualified electronic signatures provided by qualified trust providers as they do to handwritten signatures as per the eIDAS Regulation.
Two Birds with One Stone
What this means is that using Qualified Electronic Signatures allows banks to tackle both of their problems together – on one hand they can offer a fully digital and hassle-free experience to the customer. There is no need for physical documents to be signed and shipped or handed over back and forth due to errors or mistakes or mismatching signatures and so on. And on the other hand, the electronic signature will have the same legal probative value as a handwritten signature and provides the necessary assurances. These signatures guarantee that it is indeed the customer that has signed the document or initiated a transaction (non-repudiation of origin) and that his message or command has not been altered in-transit (non-repudiation of emission).
These built-in features for non-repudiation ensure that financial service providers are able to ascertain both the authenticity of the user and the integrity of the message. But it's not just the banks and service providers that benefit, the customer also gets a better level of security and a more user-friendly fully-digital experience.
References and Further Reading
- Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma
- Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
- REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
- Selected articles on Authentication (2014-today), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- eIDAS webinar 1: Using electronic Identification, Authentication and trust Services for Business (2018), by the European Commission
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
- Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission
- REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council
-
Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), (2017), by the European Parliament and the European Council
- Revised Directive 2015/2366 on Payment Services (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
-
DIRECTIVE 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013) by the European Parliament and the Council