Published: Wednesday 13 February 2019 | 08:30 AM CET, The Paypers
Jon Shamah, Chair of EEMA, discusses how the eIDAS Trust Services Regulation can help citizens and business achieve the EU’s vision of a Single Digital Society
Imagine a world where citizens of the European Union can travel, work, and live wherever they choose, regardless of their native country. A place where you can transact with any EU bank or other financial institutions; where you can keep your original records of your pensions, savings, health data, no matter where they were initially created. This is the goal of building The Single Digital Society envisioned by the EU, for which the first big steps have already been taken. Those steps are an assembly of identity, trust, data protection, and finance measures helping both citizens and business to achieve the EU’s vision of a Single Digital Society.
Arguably, the eIDAS Trust Services Regulation is the most important of these measures. This regulation, which is directly applicable law in all Member States, brings a “level playing field” across the entire EU to identity recognition, digital signatures, company seals, and other related services. It also enables legally admissible digital registered email services.
Simply, identity credentials that are accepted in one Member State for authentication in order to access government services must be recognised in all Member States for similar government services, if they are declared (“Notified”) to the EU by that Member State.
Similarly, high-confidence Qualified Digital Signatures (which require face-to-face enrolment) issued by a Qualified Trust Service Provider (QTSP), whether to a person or to a corporation, will be legally admissible across the entire EU. Know Your Customer (KYC) is also simplified by eIDAS; by using a “Notified eID”, the process can be conducted almost entirely online.
So what does this mean for a business?
Digital Transformation has been proven to be a major source of cost and time savings when applied to workflows and processes in business. This is particularly obvious in the Financial Services sector, where many products and services require legally binding agreements by all parties. A typical example may be represented by the application and provision of a mortgage or loan.
Digital Transformation of these workflows and digital signing of complex documents can save substantial amounts, but until now they have traditionally been restricted to the home Member State and its citizens, mainly for reasons regarding legal admissibility and KYC compliance. This limits the potential market.
eIDAS can bring strong benefits. Qualified eIDAS signatures are legally admissible across the entire EU, and most citizens can use the signing certificate in their National eIDs. This means that, with little additional effort, market size can be significantly increased, and so the Return on Investment for digitisation can be substantially improved with little extra risk. This applies even more to organisations that have responsibilities distributed across many countries.
The relation with PSD2 and SEPA
eIDAS is also specified as the identification scheme used in the new Payment Services Directive (PSD2). This disruptive Directive brings the prospect of permissioned direct access to end-user bank accounts. Third Party Provider Financial Services companies (TPPs) can now offer a whole range of services that were previously not possible without breaches of security. For example, before PSD2, if an end-user wished to obtain a single consolidated view of their financial status across many financial institutions, the end-user would have been forced to provide the account aggregator with their account numbers and passwords. Not only was this very much frowned upon, and an obvious risk, but there was also no possibility of an audit trail, as essentially the aggregator was logging in as the end-user. Now, with PSD2, the TPP will be able to view and alter the account within the parameters permissioned by the end-user.
This does require a high degree of certainty about the identity of the end-user and their consent to actions, as well as certainty that the entire process originates from the known and correct TPP. PSD2 calls for the possibility of accessing customer account information and initiating payments on behalf of customers, with this access based on Strong Customer Authentication (SCA).
Qualified Certificates for Website Authentication (QWACs) and Qualified Certificates for Electronic Seals (issued by Qualified Trust Service Providers) will enable the identification and the verification of the payment institution by a third party. This process will use identification based upon the legal name of an organisation, its registration number, and its primary role in the transaction.
The Single European Payment Area (SEPA) calls for Europe-wide payment mandates, in which “The creditor may offer the Debtor an automated means of completing the mandate, including the use of an electronic signature.” Typical uses are regular bill payments, credit agreements, etc.
A Qualified Digital Signature issued by a Qualified Trust Service Provider (QTSP), being legally admissible across the EU, is the ideal vehicle for this certainty across the EU and is seen as a major component of SEPA. The result is the capability to set up a regular payment mandate to fulfil any cross-border transaction or service provision.
In summary, eIDAS will quickly become an integral regulation in our financial lives and an enabler, making the Single Digital Society a practical reality for European Financial Services.
Further information on eIDAS can be found by following this link.
This editorial was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce, banking, and financial services ecosystems. Moreover, it provides payment, fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.