This article was originally published in the Banking Automation Bulletin, Issue 352
The EU’s new regulation on electronic identification (eIDAS) has now become enforceable and ushers in a new era of opportunity for banks to enhance the customer journey with digital services. Yet, due to the regulation’s evolution, there remains considerable confusion among EU banking executives about its implications, so the situation could benefit from some clarification.
The Electronic Identification and Trust Services (eIDAS) regulation offers a common legal framework intended to make it easier for citizens and businesses within member states of the European Union to give e-transactions and other e-signed documents the same legal status as those that are paper-based.
Since 1st July 2016, the regulation has been enforceable across the EU, replacing all previous legal work that has been undertaken to steer the ‘digital enablement’ of traditional paper-based services. Advanced and Qualified eSignatures lie at the heart of the eIDAS regulation, and the establishment of common technical standards is key to making it happen.
Until now, the main EU compliance reference for secure digital service delivery has been an EU Directive from 1999, which focused primarily on certificate provisioning and chip-based Secure Signature Creation Devices (SSCDs). The directive, at the EU’s admission, has gaps, leaving large parts of the trust model in the hands of national agencies. It did not define the obligations for the national supervision of service providers, for example, or adequately explore issues relating to legal and technical cross-border interoperability. In addition, it did not address the emergence of new technologies since 1999, such as mobile or cloud signing. This has resulted in discordant legal and compliance requirements and numerous loopholes across the EU member states.
eIDAS is designed to ‘reboot the system’ and provide a new legal framework that establishes a consistent approach across Europe, ensuring that the digitalization of legally binding paper-based services occurs in a consistent and interoperable way. The thinking is simple: if everyone manages the process using a common framework and approach, the goal of establishing a more connected and commercially efficient single European market can be achieved faster and with greater efficiency.
As a regulation, eIDAS is much more powerful and unambiguous than its predecessor. It delivers a far wider application scope, covering almost the entire trust chain, including sealing, validation, time stamping, and central signing, making it far more suited to the delivery of a browser and mobile-friendly user experience. (To provide further clarity, the European Commission has published a useful Q&A on the implications of eIDAS, together with an infographic that gives an overview of what eIDAS is about, what kind of transactions it enables, and the sectors which are most likely to benefit from it.)
Moreover, given that eIDAS is a regulation and not a directive, member states are mandated to observe and transpose the regulation directly into national law and demonstrate compliance in their issuance of electronic signatures and eID certificates from mid-2018 onwards.
The regulation’s Trust Service also delivers the EU Trusted List, an official list of supervised and accredited certification service providers issuing qualified certificates to the public, with constitutive effect. This means that a provider or service may only present itself as ‘qualified’ if it appears in the list, removing any ambiguity from the marketplace; a provider or service is either qualified, or it isn’t, and there is a very easy way to check.
A strong business enabler for banks
With this new milestone and transparent, straightforward approach in place, banks, together with various other industries, now have a great set of compliance tools that can steer their migration to a digital services environment. This will allow them to offer an end-to-end digital experience to their users across the whole of Europe in a fully interoperable manner. eIDAS will also serve as a strong mark of best practice for those nations outside of Europe. Countries that are not part of the EU but still foster strong trade relationships with the Union, like Switzerland and, soon, the United Kingdom, will almost certainly follow eIDAS’ dictates; it makes little sense not to.
For retail banks, eIDAS will, over time, transform their entire operations. Once the customer has passed anti-money laundering (AML) verifications and can be granted a trusted identity, they will be able to conduct all of their banking activities digitally. This means that banks will benefit from a binding digital commitment which is the legal equivalent of a handwritten signature when a customer or partner e-signs a document. The positive implications of this cannot be overstated. Enabling a bank to complete its transition to a fully digital services environment will allow for enormous efficiency gains, not only in terms of process efficiency, but also in terms of the ease of document archiving and the speed of information exchange. They will also benefit from non-repudiation in electronic transactions, cross-border interoperability, and a more modern client relationship that is far more in keeping with today’s consumer expectations for digital services. Those banks that are fleet of foot and able to adapt to eIDAS quickly stand to establish considerable competitive advantage.
What banks need to do now
In recent years, many banks have sidelined e-signature management, largely due to the interoperability and market fragmentation issues brought about by the previous EU directives. This has resulted in e-signature development being pigeonholed into innovation teams of two or three people. These banks now need to work hard to generate greater awareness of eIDAS’ tremendous potential within their organizations. The new regulation offers huge opportunities to various departments across the bank, including business engagement, compliance and risk management, security, IT, electronic and mobile banking solutions, and more.
To begin with, banks must start to get to grips with the new legislation. Having done this, a review process must surely follow, in which impacted business processes that can be transformed are identified and included in an overall action plan. A subsequent review and evaluation of which technologies can facilitate the transition should then be conducted. Engaging with the specialist vendor community, which can provide expert counsel on compliant solutions, is an important step here. Doing so will enable banks to test their in-house expertise and verify that their current and planned technologies will continue to operate within the boundaries of the law. Finally, it will be vital to engage with tech-savvy legal advisors who can help the bank define an appropriate path to full regulatory compliance and all the benefits it provides.
Between now and mid-2018, banks will begin to appreciate eIDAS’ potential. It will be fascinating to see which banks can use the grace period to establish clear water between themselves and their competitors; there is little doubt that the allure of a fully digital services environment will represent a strong point of differentiation for EU customers. But regardless of whether banks adopt ‘first mover’ status or not, one thing is for sure: eIDAS is a force for good in Europe, and is set to make life easier for everyone.
Read the complete September'16 issue of the Banking Automation Bulletin here.
References and Further Reading
- Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget, and Dawn M. Turner
- Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority
Cryptomathic would like to thank the people at RBR London for the great cooperation on this publication. Twitter: @rbrlondon
Image: "Bankers", courtesy of Chris Brown, Flickr, (CC BY-SA 2.0)