By Sam Crook, Sales Director, Ascertia
International banks are rapidly evolving to cater to the digital world. With pen and paper signatures nearly obsolete, banks are investing in electronic signatures as a more secure, trustworthy replacement. But questions remain:
- How secure are the systems that consumers and businesses use and what happens if a transaction is disputed?
- Do you truly trust your solutions to provide sufficient and valid evidence, particularly if a claim is escalated to a court of law?
These risks mean that high-trust solutions across the digital stack have become critical to protecting an institution's reputation as well as a customer's funds.
Ensuring secure, valid authorisation to sign
Despite this growing adoption, it’s important to remember not all electronic signature types can be considered high-trust or legally valid.
The common terms for electronic signatures, e.g. eIDAS Qualified (Europe) or AeSign (South Africa), vary across international regions and countries, and each carries a different level of assurance. Furthermore, some countries still mandate the use of a hardware device, e.g. a smartcard or USB token, for creating an individual's digital signature.
Like a paper signature, an electronic signature's purpose is to attribute a document to a specific signer and to fix the time at which they signed it. A simple box-tick or digital scribble is not enough. A basic click-to-sign signature carries no cryptographic binding to the document, so any later change to the content is undetectable. A generic e-signature made with a single witness certificate does bind the content, but the certificate belongs to the signing organisation rather than the individual, so it must be combined with strong two-factor authentication of the individual if the signature is to be attributed to them. An easily disputed document is no good for the bank nor the customer.
To check you have secure, valid authorisation you need to confirm what constitutes a legal signature in the country the document is being signed in. By doing so, you ensure that, should fraud or an error occur, the e-signature in question contains sufficient evidence of when the individual signed and that the document has not been tampered with.
The European Union's e-signature regulation, eIDAS, sets out a single legal definition of e-signatures across all EU member states and provides clear rules that make cross-border trade across Europe easier.
eIDAS also provides legal certainty and technical interoperability requirements for eIDs, e-signatures and Trust Service Providers. One of its main requirements is proof of sole control, i.e. the signing key can only be used under the control of the signatory, so that a signature can be attributed to them and to nobody else.
Under eIDAS this breaks down into different signature types.
The first, an advanced e-signature, must be uniquely linked to the signatory, capable of identifying the individual, created using signing data that the signatory can use under their sole control, and linked to the signed data in such a way that any subsequent change can be detected.
A qualified e-signature goes one step further: the digital certificate used to sign the document must be a qualified certificate issued by a Qualified Trust Service Provider, and the signing key must be managed within a Qualified Signature Creation Device (QSCD).
eIDAS also defines electronic seals. Unlike a signature, an e-seal is created by a legal entity, such as the bank itself, rather than by a natural person, and it proves the origin and integrity of the sealed document. This gives banking staff an efficient, secure method of document approval in the institution's own name.
High-trust remote signing
The most recent advancement in e-signatures beneficial to the banking industry is remote signing.
Prior to this, the only option for secure PKI-based signatures was local signing. This involved specialised card readers and software which were difficult to use with mobile devices and made the process cumbersome.
With remote signing, the signing keys are held securely in server-based systems or secure cloud services, making signing from a mobile device in any location much easier. To ensure high-trust, non-repudiable signatures, the signing keys are held in a Hardware Security Module (HSM) which only releases a key for use once it has verified an authorisation, generated for that specific signing request, from the signer's registered signing device.
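The two properties discussed above, that a signature must expose any later change to the document and that a server-held key must only be used after the signer's registered device has authorised that specific request, can be shown together in a small model. The following is an added example written for this page; it is not Ascertia's code and does not reproduce any product's or standard's actual protocol. It assumes Ed25519 keys in place of certificate-based RSA/ECDSA keys, a Go map in place of an HSM, no certificate chain or timestamp, and a constructed signer id and loan document as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// enrolledSigner: a signing key that never leaves the service (standing in for a
// key generated inside an HSM/QSCD) plus the public half of the device key the
// signer registered at enrolment.
type enrolledSigner struct {
	signingKey ed25519.PrivateKey
	devicePub  ed25519.PublicKey
}

// remoteSigningService is the server side; the map stands in for an HSM (assumption).
type remoteSigningService struct {
	signers map[string]*enrolledSigner
}

// Enrol creates the server-held signing key for signerID and registers the
// device key that will later authorise its use. Relying parties verify against
// the returned public key (in practice, via the signer's certificate).
func (s *remoteSigningService) Enrol(signerID string, devicePub ed25519.PublicKey) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.signers[signerID] = &enrolledSigner{signingKey: priv, devicePub: devicePub}
	return pub, nil
}

// sadMessage is what the device authorises: the signer id bound to the SHA-256 of
// the exact document, so an intercepted authorisation cannot be replayed for
// another document or another signer.
func sadMessage(signerID string, doc []byte) []byte {
	h := sha256.Sum256(doc)
	msg := make([]byte, 2, 2+len(signerID)+len(h))
	binary.BigEndian.PutUint16(msg, uint16(len(signerID)))
	msg = append(msg, signerID...)
	return append(msg, h[:]...)
}

// AuthoriseOnDevice runs on the signer's registered device and produces the
// signature activation data (SAD) for one specific document.
func AuthoriseOnDevice(devicePriv ed25519.PrivateKey, signerID string, doc []byte) []byte {
	return ed25519.Sign(devicePriv, sadMessage(signerID, doc))
}

// Sign releases the signing key only after the SAD verifies against the
// registered device key for this signer and this document.
func (s *remoteSigningService) Sign(signerID string, doc, sad []byte) ([]byte, error) {
	es, ok := s.signers[signerID]
	if !ok {
		return nil, errors.New("unknown signer")
	}
	if !ed25519.Verify(es.devicePub, sadMessage(signerID, doc), sad) {
		return nil, errors.New("signature activation data rejected: no proof of sole control")
	}
	return ed25519.Sign(es.signingKey, doc), nil
}

// VerifyDocument is what a relying party or a court does later; any change to
// doc after signing makes it return false.
func VerifyDocument(signerPub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(signerPub, doc, sig)
}

// WalkthroughResult records the outcome of the four checks in Walkthrough.
type WalkthroughResult struct {
	GenuineVerifies     bool // untouched document verifies
	TamperedVerifies    bool // one changed byte: must be false
	ReplayedSADAccepted bool // SAD for document A reused for document B: must be false
	ForgedSADAccepted   bool // SAD from an unregistered device: must be false
}

// Walkthrough runs the whole flow on a constructed sample signer and document.
func Walkthrough() (WalkthroughResult, error) {
	var r WalkthroughResult
	const signerID = "alice@example.bank" // constructed sample id
	svc := &remoteSigningService{signers: map[string]*enrolledSigner{}}
	devicePub, devicePriv, err := ed25519.GenerateKey(rand.Reader) // the registered device
	if err != nil {
		return r, err
	}
	signerPub, err := svc.Enrol(signerID, devicePub)
	if err != nil {
		return r, err
	}
	doc := []byte("Loan agreement 2019-0042: principal 250000 EUR, term 20 years") // constructed
	sig, err := svc.Sign(signerID, doc, AuthoriseOnDevice(devicePriv, signerID, doc))
	if err != nil {
		return r, err
	}
	r.GenuineVerifies = VerifyDocument(signerPub, doc, sig)
	tampered := append([]byte(nil), doc...)
	tampered[len(tampered)-8] = '3' // "20 years" becomes "30 years"
	r.TamperedVerifies = VerifyDocument(signerPub, tampered, sig)
	// The SAD that authorised doc must not unlock the key for the altered text.
	_, err = svc.Sign(signerID, tampered, AuthoriseOnDevice(devicePriv, signerID, doc))
	r.ReplayedSADAccepted = err == nil
	// A device the service never registered cannot authorise either.
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	_, err = svc.Sign(signerID, doc, AuthoriseOnDevice(roguePriv, signerID, doc))
	r.ForgedSADAccepted = err == nil
	return r, nil
}

func main() {
	r, err := Walkthrough()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point of binding the document hash into the authorisation is the sole-control requirement: the service can use the key for exactly the request the signer approved and nothing else, which is also what an attacker who compromises the transport, but not the registered device, is unable to produce.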
With billions of documents a day processed by banks across the world, remote signing can transform the authorisation process.
Supporting this advancement are new standards and certifications. These determine whether the HSM or signing solution is compliant and offers the highest level of trust.
For HSMs, look for Common Criteria certification at EAL4+ against the EN 419 221-5 protection profile, and for remote signing solutions look for certification against EN 419 241-2. Products certified against these profiles have undergone independent evaluation of the requirements that underpin eIDAS qualified signatures. Certified products are listed on the Common Criteria portal.
Europe continues to be a leading force in high-trust regulations and certifications. PSD2, the revised payment services directive for the EEA, is already in force, and from 14 September 2019 its regulatory technical standards on strong customer authentication and secure communication apply. Qualified certificates, including qualified e-seals, form part of these requirements, which are focused on secure authentication of online transactions.
PSD2 is especially beneficial to the security of large value transactions: it requires strong customer authentication when a customer initiates an electronic payment or accesses their account online, and qualified certificates are used to identify the payment service providers that communicate with the bank on the customer's behalf. This provides banks and their customers with an additional means of fighting fraudulent transactions and ensures the highest trust for online and remote payments.
The future of banking
Security has always been a top priority for the banking industry. The move to online banking and cloud-based solutions has its own risks, just as traditional paper methods did before it. The industry has been quick to adopt solutions that provide security and peace of mind for customers, but threats are constantly evolving and it's important that institutions do as much as possible to mitigate risk.
High-trust solutions are becoming more advanced and provide additional layers of authentication to ensure that all involved parties can prove their identities and that documents remain valid and legal long into the future.
E-signatures are a large component of this technological advancement and, alongside the high-trust hardware that protects the signing keys, they are powering cross-border business. If businesses are using these solutions to sign their own contracts, they will expect their financial institutions to follow suit and provide the same level of assurance.
Banks have a duty to keep up to date with eIDAS advancements and to implement solutions that comply with the latest standards.
As customers look for more innovative solutions that provide them with the freedom to bank wherever they are, banks should ensure that their services are as secure as coming into a branch. This will secure the finance industry’s future success.