Up to now, provider-overarching identification services in Germany have tended to focus on e-government. In e-commerce and, notably, e-banking, they are few and far between. Besides sovereign eID procedures such as the nPA, it is mainly social media platforms such as Facebook and Google that offer authentication and single sign-on functions, which means that users’ logins to these platforms can be used on other websites as well. Although this so-called social login is convenient, it cannot unequivocally confirm a user’s identity, because the only information basis is the user’s account at the original service provider. What is therefore needed is a recognised legitimisation process based on an official document.
These procedures are already offered by banks outside Germany. Secure Key Concierge, for example, has established itself in Canada, IDIN is popular in the Netherlands, and BankID in Scandinavia. With these identity services, bank customers can use the online ID which their bank issued them to register with third-party service providers or prove their identity. Banks naturally enjoy considerable trust in the role of ID providers, as they have to apply the strict principles of “Know Your Customer” and also observe anti-money-laundering regulations.
Bank login as digital identity card
In Germany, the recently formed FinTech Council is promoting this development. It wants to position the bank login as a digital identity card on the Internet, thereby creating a universally deployable digital identity. Large industrial and financial concerns, such as Allianz, Deutsche Bank, Postbank, Daimler and Axel Springer, are currently working together with the IT firms Core and Here to create a universal login for different online offerings. It is planned that users identify themselves just once, at the beginning, by means of VideoIdent or an alternative, secure identification procedure. After that, they will be able to conclude legally-secure contracts, transact with the public authorities, and avail themselves of payment functions and other financial services.
Germany’s savings banks have meanwhile also started taking steps in this direction. Together with YES Europe AG, they hope to provide an identity service which can be integrated into their online banking portfolio by the end of the year. Due to the savings banks association’s considerable reach, this offering would be especially interesting for service providers requiring reliable identification and authentication of a person, as they could access a large dataset of identified customers over a single interface. Other, more protracted identification processes, such as PostIdent and VideoIdent, which often cause media breaks in otherwise fully-digitalised business processes, would then be a thing of the past.
The legal basis for these planned identity services is the European Union’s enacted eIDAS Regulation. This creates a uniform legal framework for using eID procedures, trust services, digital seals and certificates within the EU, and obliges member states to provide for the usability of national eID schemes across borders. An ongoing Anglo-French project involving HSBC and Barclays, for example, has the goal of enabling a domestic eID to be used to open an overseas bank account.
The eIDAS Regulation also allows the legally-binding digital signing of documents. The first providers – such as Bankverlag – have already developed a solution that allows electronic signatures to be provided via online banking using a bank’s existing authentication procedures, such as photoTAN. All that is required is for the customer to register for this service beforehand with his bank, and then to link the bank’s TAN procedure with his qualified electronic signature, which was issued by the service provider.
New legislation in the EU
The eIDAS Regulation is just one regulatory component in the ongoing digital odyssey. Besides the EU General Data Protection Regulation (EU GDPR), which takes effect on 25 May 2018, Europe’s banking industry also faces another challenge: the implementation of the second Payment Services Directive, PSD2. This requires banks to establish an interface which enables third-party service providers to access accounts managed online (Access to Account, or XS2A). Subject to the bank customer’s consent, the service provider concerned will then be able to, for example, process payments, query account balances and turnovers, and confirm account coverage.
To ensure unambiguous identification of the third-party provider, PSD2 prescribes the use of eIDAS-conformant certificates for accessing accounts. As a further measure against fraudulent access to sensitive account data, PSD2 also envisages strong customer authentication (SCA) with well-defined authentication procedures. In this connection, EU GDPR additionally provides for the uniform handling of personal data across Europe, including the right to data portability, which has been adopted for the first time by the Regulation.
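The three gates the article names for an XS2A request (the third-party provider’s certificate-based identity, the customer’s consent, and SCA) can be expressed as one access decision. The following is an added illustration, not code from any bank or from the PSD2 specification; the role labels, the rule that payment initiation always needs fresh SCA, and the sample provider and customer are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
# XS2A operations named in the article; role labels (AISP/PISP/PIISP) are
# this example's assumption for the PSD2 role the certificate must carry.
ROLE_FOR_OPERATION = {"payment": "PISP", "balance": "AISP",
                      "transactions": "AISP", "funds_confirmation": "PIISP"}
# Assumption: payment initiation needs fresh SCA on every request; read-only
# access relies on the SCA done when the customer granted the consent.
SCA_PER_REQUEST = {"payment"}

@dataclass(frozen=True)
class TppIdentity:  # identity taken from the already-validated eIDAS certificate
    name: str
    roles: frozenset

@dataclass
class Consent:  # what the customer agreed to; the bank enforces the expiry
    tpp_name: str
    customer: str
    scopes: frozenset
    valid_until: date
    revoked: bool = False

def find_consent(consents, tpp_name, customer, today):
    """Return the active consent for this TPP/customer pair, or None."""
    for c in consents:
        if (c.tpp_name == tpp_name and c.customer == customer
                and not c.revoked and c.valid_until >= today):
            return c
    return None

def decide(tpp, customer, operation, consents, today, sca_completed=False):
    """(allowed, reason) for one request: certificate role, consent, SCA."""
    role = ROLE_FOR_OPERATION.get(operation)
    if role is None:
        return False, f"unknown operation {operation!r}"
    if role not in tpp.roles:
        return False, f"certificate lacks role {role} for {operation}"
    consent = find_consent(consents, tpp.name, customer, today)
    if consent is None:
        return False, "no active consent from this customer for this TPP"
    if operation not in consent.scopes:
        return False, f"consent does not cover {operation}"
    if operation in SCA_PER_REQUEST and not sca_completed:
        return False, "strong customer authentication required"
    return True, "ok"
# Constructed sample data (no real provider or customer).
SAMPLE_TPP = TppIdentity("example-fintech", frozenset({"AISP", "PISP"}))
SAMPLE_CONSENTS = [Consent("example-fintech", "cust-1", frozenset(
    {"balance", "transactions", "payment"}), valid_until=date(2018, 12, 31))]
SAMPLE_TODAY, SAMPLE_AFTER_EXPIRY = date(2018, 6, 1), date(2019, 1, 1)
```

The decision deliberately fails closed: a request from a certificate without the matching role, for an unknown customer, after consent expiry, or for an operation outside the agreed scope is refused with a reason the bank can log.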
At first sight, PSD2 certainly looks like a risk for established banks. On the one hand, their exclusive hold on the customer interface could be broken to the benefit of third-party service providers; on the other hand, they are challenged by growing competition from credit institutions that specialise in mobile-only or white-label solutions for fintechs and offer innovative banking products with much shorter times to market.
PSD2 as a new opportunity for banks
Notably, however, large credit institutions with sizeable customer bases could use PSD2 as a new opportunity to act as third-party service providers themselves, and thereby improve their competitiveness. Even more than Facebook and Google, banks benefit from large volumes of verified and identified user and customer data. By using the XS2A interface judiciously in the future, banks could position themselves to generate meaningful profiles of their customers and use these for innovative service offerings such as identity services. Given the activities of Facebook, Google, Apple & Co., some of which have already been awarded banking licences or acquired finance-sector companies, banks would be well-advised to position themselves accordingly on the market to avoid falling behind.
Banks today have the opportunity to offer comprehensive, one-stop services using a single authentication medium. Proof of identity based on eID enables requests to be made for opening accounts, accessing online banking and remotely providing legally-binding signatures for documents. In addition, the bank can act as an identity provider for other service providers and assist its customers in logging into other portals by means of single sign-on. With instant payments available from the end of the year, another important gap in digital contract conclusion will be bridged: from then on, an end-to-end digital process covering everything from identity verification to digital signing and service payment within ten seconds will truly become reality.