DiPP - ICT-powered banking: the case of eID as key enabler
ICT has become ubiquitous: citizens and consumers can’t get enough of the amazing convenience it brings with it; at the same time, they are increasingly concerned about security and privacy.
Electronic identification (eID) solutions provide a variety of authentication tools that may be used to access not only government services but also those offered by the private sector in a safe and secure way. Banking is no exception: eID enables opening an account from a laptop or phone by way of a process which some argue is more secure than face-to-face interaction with a bank clerk busy juggling several tasks at once. However, national barriers still in place leave eID banking solutions across the EU looking like a patchwork that ends up depriving users and businesses alike of the benefit of available technology.
While not specific to banking, this tension between readily available technology and a robust framework at EU level on the one hand, and a diversity of national regulations on the other, was worth investigating further.
- Andrea Servida
Head of Unit, eGovernment and Trust
- Cornelius Kopke
eIDAS expert, Bitkom
- Emmanuel Methivier
CEO, Crédit Agricole Store
- Stéphane Mouy
Head of Group Services, BNP Paribas
- Thomas Frandsen Rojkjaer
Development Director, First Vice President, eBusiness Security Personal Banking IT, Danske Bank
- Patrice Chazerand
Director at DIGITALEUROPE
Working on a seamless pan-European eID
Back in 2003, the STORK project, a forerunner of eIDAS, tried to reconcile diversity and scope by way of interoperability, bearing in mind that there is no legal basis for harmonization. It aimed to make it easier for citizens to access online public services across borders by implementing Europe-wide interoperable cross-border platforms for the mutual recognition of national electronic identities (eID) between participating countries. But interoperable technology is of little use without legal enforcement.
Appropriate infrastructure has been available since November 2016. Regulation-wise, the Council has spurred the Commission into taking extra care to secure full compatibility between the eIDAS Regulation, the Anti-Money Laundering (AML) Directive and other directives. The Commission did get its act together but lacks 'teeth' when it comes to implementation. Member States are the missing link: Germany, the early adopter that notified the Commission in record time, stands isolated ahead of a slow-moving pack, which results in a patchwork of incompatible applications.
By embracing eIDAS instantly, Germany came a long way, parting company with an 1896 law that made ink and paper mandatory to sign a contract. The challenge was to make ICT more convenient, easier to use, more secure and cheaper than ink and paper. They went through the whole gamut of use cases, from hardware tokens and the chip-based ID card to apps, in search of the one that strikes the right compromise between security and convenience. Take the ID card with a chip: it won't work as long as e-certification is missing. Far from being moot, the issue is urgent in light of the growing nuisance of hackers lurking in the so-called Dark Net. Another incentive for Member States not to sit on their hands is the amazing growth of machine-to-machine (M2M) communication, which provides the perfect testbed for robust authentication tools that will make Society 5.0 possible.
Safe experimenting is the name of the game
However counter-intuitive it might sound, security, all too often seen as putting the brakes on innovation, is actually a proven catalyst for innovation. There is indeed no dearth of creative solutions: pseudonymization, whereby only the bank knows the real identity behind the pseudonym, is but one example of an effective, leading-edge, technology-based way around a problem. But Europe needs more sandboxes to play in and develop innovative solutions with ad hoc regulatory relief.
Denmark, one of Europe's most advanced digital societies, has been experimenting for almost a decade with eID on a variety of media: paper, hardware tokens, USB and laptop, albeit not mobile yet. It typically features shared use for public and private services, from tax or social security to doctor's appointments or gambling. More critically, it reaches across borders: Denmark, Norway and Sweden may have different infrastructures (mobile is part of Sweden's scheme), but they share a common belief in the need to provide users with a mix of solutions. On the downside, the system is considered critical national infrastructure, hence an obvious target for hackers ever ready for their next phishing or identity theft campaign. Governance shows room for improvement too. As to data ownership, the field is wide open, ranging from car manufacturers eager to keep their data under a tight lid to farmers' more relaxed approach. While conducive to cost-sharing, public-private partnerships (PPPs) won't necessarily solve the nagging issue of too many regulations.
Will regulation match technology to make the eIDAS dream come true eventually?
Indeed, however fine and dandy the scene painted above might look, banks nonetheless worry that national regulations are not yet ready either to grant experiments the regulatory relief they warrant or to align with the regulation of front-runners so as to pave the way for smooth cross-border data transfer. The future of banking in Europe is shaped by two landmark pieces of legislation, eIDAS and the General Data Protection Regulation (GDPR). Banks do believe that eID is a major enabler of cross-border operations: eID guarantees the value carried by our own identity, as passports do. Yet the Anti-Money Laundering (AML) Directive, while referring explicitly to eIDAS, remains open to other national solutions, possibly inconsistent with eIDAS, which is a problem, for instance, when trying to meet national 'Know Your Customer' (KYC) requirements. The legal status of video interviews provides one telling example: they are as good as face-to-face in Germany or Italy while banned in France. Trust service providers may well provide a stopgap, but those discrepancies are a self-inflicted wound. It would not hurt to recognize eID as part of KYC and thus facilitate the deployment of reliable non-face-to-face onboarding of clients. At least this much is certain: for lack of a reasonable fix, the EU risks being stuck with the very patchwork eIDAS was meant to put an end to.
These hurdles notwithstanding, the EU keeps moving forward. The Communication on the Consumer Financial Services Action Plan bears witness to its enduring faith that the need for a federated model that works globally has to be met urgently: it is the only way forward.