The Need for Identity in Financial Electronic Transactions
Electronic transactions have been going on for years. Financial services, in particular, have been at the forefront of growing this technology, allowing us to make electronic transactions quickly and easily. But for a great many transactions, there has been something missing – identity.
Simply clicking ‘I agree’ in an online transaction does not, by itself, prove who gave consent. For financial services, this and other tactics, such as recorded voice consent and handwritten online signatures, are not enough to verify that the right person has given consent.
This is where digital identity comes in. ‘Digital identity’ is a way for us to prove our identity online, just like you do in real-life with something like a driver’s license or passport. The electronic transaction process consists of three stages:
- initial identification (based on real ID)
- authentication (proving possession of the credentials issued in the first stage), and
- authorization (signing and approving a financial document).
If an electronic authorization is ever disputed, it can be very difficult to prove with certainty that it really happened and who gave it. Proving identity becomes a legal necessity.
Identity is also a compliance necessity. Under regulations such as eIDAS, the Electronic Communications Act, the Payment Services Directive 2 (PSD2) and the Consumer Credit Act, organizations (especially financial ones) must take appropriate measures to verify the identity of someone transacting online with their business.
Let’s look at a couple of the most popular electronic transaction use cases and how a financial services company can use identity to verify the customer and stay compliant in their industry.
E-Mandates for SEPA Direct Debits
In a direct debit mandate, your customer authorizes your organization to collect future payments. Authorization commonly occurs through a paper mandate form that your customer has to fill in. Until now this method was easy enough, but with so many organizations ‘going paperless’, direct debit mandates need to go paperless too.
The issue with paperless direct debit mandates is that they require approval from your bank, which needs to sign off on all information presented to your customers. Once your customer's details and approval have been collected, they must be submitted to your bank electronically, which informs the bank of the Direct Debit Instruction (DDI).
In May 2014, the Euro Retail Payments Board (ERPB) discussed the issues stemming from e-mandates and solutions for SEPA Direct Debits (SDD).
Interestingly, this document outlines many challenges that eIDAS and PSD2 together are now addressing, in particular the ‘lack of trust’: debtors may be in other member states, using different payment service providers (PSPs) or third-party e-mandate service providers, which makes it difficult to establish who authorized what.
The document proposed that authentication is needed on both sides: authenticating the customer and authenticating the mandate itself.
PKI certificates, in the form of advanced electronic signatures, were suggested as a means to authenticate both.
Signing Credit Agreements
A credit agreement is a legal contract that a customer must sign as one of the steps in a financial transaction such as taking out a mortgage. In order to bring this transaction into an online environment, we need to be sure that the right person is signing the agreement and that the information passed between the financial service and the customer is what was agreed and has not been altered. We need some type of electronic signature solution.
In the UK, the Consumer Credit Act was amended in 2004 to take account of electronic signatures. On 26 February 2014, the High Court concluded in Bassano v Toft that an electronic signature was sufficient evidence that the credit agreement had been properly executed in line with the Consumer Credit Act. This meant that Mrs Bassano could not claim, as she was attempting to, that the agreement under which she was given the loan was unenforceable and invalid.
This provides a good deal of comfort for financial lending services that use electronic signatures. Additionally, new regulations like eIDAS define higher-assurance electronic signatures, which provide greater trust that the right person is actually signing and that no changes have been made to the document after the fact.
Using Digital Certificates for Identity in Electronic Transactions
To summarize: for the level of assurance and trust that regulations such as eIDAS and PSD2 call for, financial organizations should implement advanced or qualified electronic signatures, both of which are achieved using Digital Certificates.
A Digital Certificate can be purchased from a Certificate Authority like GlobalSign. Before the certificate is issued, the individual’s (i.e. the potential customer’s) identity is thoroughly vetted. The resulting certificate binds that vetted identity to the individual’s key pair; a signature made with the private key cannot be forged by anyone who does not hold it, which is why the key must stay under the individual’s sole control.
The individual can use the certificate to digitally sign electronic transactions. Digital signatures provide higher assurance than other types of electronic signatures because they are uniquely linked to the signer and because any later change to the document invalidates the signature, so tampering is detected rather than hidden. Incorporating a trusted, third-party timestamp into the signature also provides non-repudiation of the date and time the document was signed.
Certificate Authorities work to have their roots included in the trust stores of major software, such as Adobe and Microsoft products, so that signatures made with their certificates are recognized and verified automatically, without the user having to install anything. This helps provide a seamless user experience for everyone involved in the electronic transaction.
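The three properties just described (a certificate that chains to a trusted root, a signature that breaks on any change, and a third-party timestamp) can be shown end to end in code. The following Go program is an added example written for this page, not GlobalSign's product or any real CA's software: it issues certificates from an in-process root that stands in for the vetting CA, signs a constructed SEPA mandate with the debtor's key, has a simulated timestamp authority (TSA) sign the document hash bound to the current time, and then verifies all three properties. The names "Example Vetting CA", "Jane Debtor" and "Example TSA", the sample mandate text, and the simplified timestamp token (a stand-in for a real RFC 3161 token) are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDoc is what a relying party receives: document, signature, the signer's certificate
// (vetted identity bound to the signing key) and a timestamp token from a TSA.
type SignedDoc struct {
	Doc, Sig, SignerCert []byte // Sig: Ed25519 over SHA-256(Doc); certificates are DER
	SignedAt             time.Time
	TSASig, TSACert      []byte // TSASig: Ed25519 over SHA-256(SHA-256(Doc) || SignedAt)
}

// Identity is a certificate plus the private key it certifies.
type Identity struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

// issue creates a certificate for cn, self-signed when parent is nil. Example fixture: panics on failure.
func issue(cn string, usage x509.KeyUsage, parent *Identity) *Identity {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader treated as infallible here
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	id := &Identity{Key: key, Cert: &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0,
	}}
	if parent == nil {
		parent = id // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, id.Cert, parent.Cert, pub, parent.Key)
	if err != nil {
		panic(err)
	}
	id.Cert, _ = x509.ParseCertificate(der) // re-parse our own encoding to populate Raw, SubjectKeyId etc.
	return id
}

// NewDemoPKI stands in for the vetting CA and the TSA; names and keys are generated in-process (assumptions, not a real PKI).
func NewDemoPKI() (roots *x509.CertPool, signer, tsa *Identity) {
	ca := issue("Example Vetting CA", x509.KeyUsageCertSign, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca.Cert)
	signer = issue("Jane Debtor", x509.KeyUsageDigitalSignature, ca) // issued only after identity vetting
	return roots, signer, issue("Example TSA", x509.KeyUsageDigitalSignature, ca)
}

func digest(parts ...[]byte) []byte {
	sum := sha256.Sum256(bytes.Join(parts, nil))
	return sum[:]
}

// SignAndTimestamp: the signer signs the document hash; the TSA then signs that hash bound to the time (as in RFC 3161, it never sees the document).
func SignAndTimestamp(signer, tsa *Identity, doc []byte) *SignedDoc {
	docHash, at := digest(doc), time.Now().UTC().Truncate(time.Second)
	tsaSig := ed25519.Sign(tsa.Key, digest(docHash, []byte(at.Format(time.RFC3339))))
	return &SignedDoc{Doc: doc, Sig: ed25519.Sign(signer.Key, docHash), SignerCert: signer.Cert.Raw, SignedAt: at, TSASig: tsaSig, TSACert: tsa.Cert.Raw}
}

// checkSig verifies that a DER certificate chains to a trusted root and that sig over msg was made with its key.
func checkSig(der []byte, roots *x509.CertPool, msg, sig []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("%q is not trusted: %w", cert.Subject.CommonName, err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("signature by %q does not match: content changed or another key used", cert.Subject.CommonName)
	}
	return nil
}

// Verify makes the three checks: identity (signer chains to a trusted CA), integrity
// (signature matches the document as presented) and time (TSA token binds that same hash to SignedAt).
func Verify(sd *SignedDoc, roots *x509.CertPool) error {
	docHash := digest(sd.Doc)
	if err := checkSig(sd.SignerCert, roots, docHash, sd.Sig); err != nil {
		return fmt.Errorf("signer: %w", err)
	}
	if err := checkSig(sd.TSACert, roots, digest(docHash, []byte(sd.SignedAt.UTC().Format(time.RFC3339))), sd.TSASig); err != nil {
		return fmt.Errorf("timestamp: %w", err)
	}
	return nil
}
```

Calling `Verify` on the `SignedDoc` returned by `SignAndTimestamp` succeeds; changing a single byte of `Doc`, altering `SignedAt`, or signing with a key whose certificate does not chain to the trusted root all make `Verify` return an error, which is the behaviour the paragraphs above rely on. In production the CA and TSA are external services, the TSA token is a real RFC 3161 response, and the signer's private key lives in a secure signature creation device rather than in process memory.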
Use Case 1: Electronic Mandates
In a typical scenario, an electronic mandate is agreed when the debtor ticks a check box. You cannot tell whether it was the real debtor who agreed, or their cousin, or an attacker for that matter.
In order to avoid this uncertainty, a Digital Certificate is issued to the debtor by a third party that checks their identity. The certificate and its private key are kept on the debtor’s phone or other device, where only they can access it and use it to sign the agreement. On top of this, the debtor gets an easy ‘on-the-go’ signing experience, unlike anything they had before.
Use Case 2: Signing Credit Agreements Anywhere in the World
Suppose you could eliminate the need for a face-to-face meeting with your customer and conduct an entire financial interaction online or by telephone. Customers would save time and could complete transactions from anywhere in the world.
By integrating an electronic signing solution into your mobile application, your organization could take the transaction completely paperless. You could send a credit agreement and the customer could sign it, with trust in the transaction because identity verification has already taken place with a trusted third-party identity provider.
In this scenario, your customer’s phone becomes a ‘secure signature creation device’ that holds the key with which they prove their identity.
What’s Next for Financial Services?
The time is now to start thinking about your Digital Certificate infrastructure. If you are looking to become compliant, differentiate yourself in the market, prove identity in a legal setting and comply with current regulations such as eIDAS, talk to us today.