Three Deployment Versions & Business Models of eIDAS-compliant Remote Signing for Financial Institutions

by Dawn M. Turner (guest) on 03. December 2020

This article looks at 3 alternative deployment options for remote signing, catering for 3 different business models. The choice of the option will depend on the financial institution’s specific situation and strategic goals. This article gives guidance.

Digitalization creates opportunities and threats at the same time

As companies and institutions extended the digitalization of their processes right through to onboarding, transactions and communication, including the signing of contractual agreements, many companies began offering remote signature services.

However, this exposed the security of these processes, as many of these companies did not possess the needed skill sets. Unfortunately, not all of these new entrants implemented legally backed signature protocols and systems ensuring trustworthy digital identities.

Trustworthiness requires signature protocols and systems ensuring that their digital signatures are created with non-repudiable user consent and adequate security.

Implementing eIDAS-based remote signing for technical security and legal assertion

To implement a technically secure system (data security and privacy) with legal assertion, the best option is to implement a remote signing process which is compliant with the European Regulation No 910/2014 on electronic identification and trust services for electronic transactions, commonly abbreviated as “eIDAS”.

Apart from the high level of technical protection, compliance with this regulation makes a Qualified Electronic Signature (QES) non-repudiable at European courts, as such a signature has the same probative value as a handwritten signature.

Such legal assertion opens the door further to digitization, even contractual agreements of legal or commercial value.

Implementing an eIDAS-certified remote signing system requires specialist knowledge of the various components within the signing ecosystem. Consider the diagram below, where the financial institution is the owner of the banking application (Signature Creation Application) that provides remote signature capabilities for its customers (using Cryptomathic Signer technology).


Figure: Remote QES architecture compliant to eIDAS technical standards


Creating eIDAS-compliant remote signing processes with Cryptomathic Signer

Cryptomathic is a pioneer in remote digital signing. The company’s “Signer” is an eIDAS certified remote signature solution, which has been successfully implemented by various Trust Service Providers (TSPs) and banks to deliver Advanced Electronic Signatures (AdES) and/or Qualified Electronic Signatures (QES).

Cryptomathic Signer is:


Cryptomathic Signer focuses heavily on integration and compliance under eIDAS and other regulatory standards (e.g., ZertES) to ensure secure, legally binding signature services. It offers a smooth signature experience that is tightly integrated with existing business workflows.

The probative value offered by electronic signatures proves to be very valuable in numerous business cases as it helps streamline business processes that require the security and integrity of non-repudiable electronic signatures.

3 different deployment options for financial service providers

An approach often seen in the market is that financial service providers pass customer data directly through to a third-party signing service company to avoid all administrative and legal burden. In doing so, they give away one of their strongest assets: customer data.

We strongly advocate against such solutions and only suggest options which are beneficial to financial institutions in the short and long run.

Cryptomathic therefore makes remote signing available in three different variants, allowing banks to operate as:

In the following we have a brief look at the 3 options.

Full Trust Service Provider

In this deployment option, Cryptomathic’s technology is installed on-premise. The financial institution becomes a fully qualified trust service provider (QTSP) with full control and legal liability throughout the whole signing process and the signature & certificate life-cycle.

Business relation with Cryptomathic:

The financial service provider buys licensed technology from Cryptomathic. Cryptomathic provides and installs software and hardware.

When should this business model be chosen:

This model is the preferred choice of professional trust service providers. Bigger banks or expansive banking networks might choose such a solution, motivated either by economies of scale or by business model decisions.


Trust Service Provider “light”

This model allows financial service providers to offer remote signatures, where Cryptomathic operates the back-end signature services under SLA on the institution’s behalf; the institution assumes the role of the TSP. Through this arrangement, the financial institution significantly reduces the workload of operative tasks compared to the full TSP model, but remains in control of and legally liable for the whole process.

To comply with regulations, the server signing application is installed on premise in each banking jurisdiction. It is managed remotely by Cryptomathic under a mandate from the banking network.

The remainder of the qualified signing infrastructure (Certification Authority and Qualified Signature creation device) is made centrally available to all customer locations through the Cryptomathic cloud.

Business relation with Cryptomathic:

Cryptomathic provides a managed PKI service to the Financial Service Provider. Cryptomathic delivers as-a-service on the bank’s mandate and operates the PKI infrastructure (CA, QSCD, HSMs, etc.).

The financial service provider owns the trust services (QES, Sealing, time stamping etc.).

When should this business model be chosen:

This model is the typical choice of banking networks or cooperatives, benefiting from the pooled and centrally managed services in the Cryptomathic cloud.

The majority of the operative work is delegated to Cryptomathic.


Signing Service Provider

This model enables the financial service provider to offer trust services without operating them itself. The financial institution receives access to an API for QES services and becomes a Registration Authority (RA) for all subscribing customers. The financial institution remains in control of all valuable customer data and is the single point of contact for the customer.

Its legal liability is limited to the tasks of the RA. The qualified trust service provider is liable for the complete remainder of the signing process, which is the vast majority of the operational workload.

Business relation with Cryptomathic:

Cryptomathic offers a qualified trust service, provided as-a-service, audited and ready to be integrated with the bank’s processes.

When should this business model be chosen:

This is the typical choice of banks which operate at a limited number of locations or which want to focus on core competencies and end-customer business.


Overview of Commercial Models supplied by Cryptomathic

The following infographic compares the 3 different packages offered by Cryptomathic based on their technical implementation.


Figure: Implementation / Delivery Options

