- Electronic signatures represent a natural evolution of the way individuals and institutions enter into written agreements.
- Near-universal adoption of computers and mobile devices, combined with shifting customer preferences and the reality of cross-border business, make the adoption of eSignatures and associated services, such as remote onboarding, inevitable in the context of a competitive market.
- The EU-level legal framework under eIDAS, international standardisation of technical aspects and the availability of regulated service providers means that there are few, if any, real obstacles to a transition towards electronic signing and electronic archiving in the financial sector.
- A 2015 Luxembourg law on electronic archiving, in conjunction with eIDAS, presents an additional opportunity for Luxembourg businesses to gain a competitive edge.
- The fulsome implementation of eSignatures, associated trust services and electronic archiving opens the door for additional efficiency gains in areas such as IAM, KYC/AML and reporting. Portable/reusable eID would allow for the elimination of redundancies and for more seamless cross-border business in the EU internal market.
- We provide readers with a curated list of qualified trust service providers across the EU, classified with regard to their capabilities.
Introduction of the eSignature white paper
Signatures and personal identities have been intertwined for nearly as long as people have been entering into written contracts. At a high level, signatures can be thought of as an abstraction of the signing entity’s authority to enter into an agreement. Signatures need to be relied upon not only by the contracting parties, but also by third parties, typically public or private institutions, for verification, fraud prevention and dispute resolution purposes.
The indelible link between signature and identity is evident in the Luxembourg Civil Code, which states (translated from French):
The signature necessary for the conclusion of a private deed identifies the person who affixes it and manifests their adherence to the content of the deed.
It can be handwritten or electronic.
The electronic signature consists of a set of data, inextricably linked to the act, which guarantees its integrity and meets the conditions set out in the first paragraph of this article.
In the West, we know signatures first and foremost as more-or-less idiosyncratic permutations of an individual’s name, typically delivered with a few swift strokes of the pen – the handwritten signature. Thus, we rely in most situations solely on the idiosyncrasy of the strokes, without paying any particular heed to the writing utensil used, or other attributes that could be linked to the signature or the signing party. The relatively bare-bones nature of the written signature in the West helps explain the persisting influence of the notarial profession, providing an additional layer of assurance for the most critical of transactions.
In the Far East, seals remain commonplace – stamps made specifically for an individual or a legal entity, often registered with the government for the issuance of a certificate of authenticity.
As one author explains, “when handwritten signatures were invented, they augmented seals, which had been in use for over 3,000 years – they did not replace them. In fact, seals continue to be used today. Instead, handwritten signatures took their place beside seals as an authentication mechanism useful for particular purposes, and over time, handwritten signatures gradually increased in the frequency and scope of their usage. It is likely to be much the same with digital signatures, which are the latest authentication tool in the continuing advancement of communications technology.”
With electronic devices and services now being ubiquitous across our lives, the way our identities and signatures are defined and handled is shifting, and our reliance on ink and paper need no longer be absolute.
At LHoFT, we are of the view that actors in the financial sector are presented with a significant opportunity to leverage trust services in order to drive digitalisation and automation at large within their organisation. The full implementation of electronic signature (eSig) solutions and their potential integration with electronic identity (eID) has the potential to enshrine lasting gains in efficiency and transparency, all the while leading to an improved customer experience.
The present white paper aims to be thought-provoking as well as pragmatic. It presents readers with a discussion of:
- The critical attributes of modern trust services,
- Their regulatory backbone in the EU,
- An overview of relevant solution providers.
This document seeks to help decision makers in financial services consider their strategy to upgrade and modernise their processes in order to meet evolving client needs and drive their satisfaction while lowering costs and improving overall efficiency.
Comparing handwritten and digital signatures
While much has changed on the technological front since the publication of this 1997 paper on MIT’s CSAIL website, it provides to this day one of the best publicly available discussions of the history of signatures and the relevant points of comparison between analog and digital signatures. We have drawn up our own comparative table below.
[Table: comparison of handwritten and digital signatures]
Some of the above terms merit additional discussion.
The term level of assurance or LOA rests on the ability of parties to a transaction or process to effectively measure the extent to which data, a process or other relevant subject matter align with suitable criteria. These criteria are typically defined by the law or by standards. Providing assurance is a critical exercise in order to reduce risk and increase confidence in any given dataset or process. It goes without saying that signatures represent a critical element of any written agreement and hence, we should be able to ascertain their LOA. Ironically, the LOA of handwritten signatures is difficult to ascertain due to a number of factors: signatures are defined by their user and may not be sufficiently complex and unique to establish a strong link with the (presumed) signatory. Furthermore, there are many ways to replicate a given individual’s handwritten signature, which brings us to our next point.
Part of the fundamental value proposition of (advanced) digital signatures is their ability to significantly strengthen fraud prevention. Forgery of handwritten signatures has been practiced for centuries, whereas forgery of digital signatures, except where the private signature key has been compromised, or the signature mechanism hijacked, is virtually impossible. The mechanisms of forgery for handwritten and digital signatures are fundamentally different, and as opposed to handwritten signatures, there is a coordinated regulatory & technological effort (cf.: systematic verification in our table) to provide for real-time supervision of eSignatures and their associated trust services under the EU framework.
Finally, storing, archiving and handling business-critical documents of all sorts is an exercise which can be greatly facilitated with a fully digital or hybrid model. Electronic signatures open the door to more efficient data access and transfer in parallel to more cost-efficient and flexible electronic archiving.
Understanding electronic trust services
The term “trust services” is rooted in a recent milestone regulation at EU level. To fully understand & appreciate the value of trust services such as electronic signatures, however, one must also consider their technological attributes and their integration with existing infrastructure and business processes. Let’s dive into the legal framework at EU level before considering eSignature in more detail.
The contemporary notion of a “trust service provider” has roots that reach back to the Electronic Signatures Directive 1999/93/EC, where they were called certification-service providers. The Directive can be considered the legal and intellectual precursor to the eIDAS regulation, which entered into force in late 2018. eIDAS provides an EU-wide, mandatory framework for the following trust services:
- Electronic signature (eSignature): the expression in an electronic format of a person’s agreement to the content of a document or set of data. Qualified eSignatures have the same legal effect as hand written signatures.
- Electronic seal (eSeal): an electronic equivalent of a stamp that is applied on a document to guarantee its origin and integrity.
- Electronic Timestamp (eTimestamp): proves that a document existed at a point-in-time.
- Electronic Registered Delivery Service (eDelivery): a service that permits the electronic transfer of data between businesses, public administrations and citizens. It provides proof of sending and receiving the data and protects against the risk of loss, theft, damage or unauthorised alterations.
- Website Authentication Certificates (WACs): electronic certificates that are issued to prove to users (e.g. citizens and SMEs) that a natural or legal person owns a website, helping avoid data phishing.
The eIDAS Regulation defines three types of eSignature:
- At its most basic, the term Electronic signature covers the broad category of all electronic signatures including “any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” In other words, it is an electronic form of signature that a signer can apply to a document as evidence of their acceptance or approval. This could include a scanned signature image or the click of an “I accept” button on a website or a DocuSign electronic signature.
- An advanced electronic signature is a type of electronic signature that must meet specific requirements providing a higher level of signer ID verification, security, and tamper-sealing. The Regulation requires that it is:
- Uniquely linked to the signer
- Capable of identifying the signer
- Created using signature creation data that the signer can use under their sole control
- Linked to the signed data in such a way that any subsequent change in the data is detectable
- Finally, a qualified electronic signature is the only electronic signature type to have special legal status in EU member states, being the legal equivalent of a written signature. It is a specific type of electronic signature that must meet advanced electronic signature requirements and be backed by a qualified certificate, meaning a certificate issued by a trust service provider that is on the EU Trusted List (ETL) and certified by an EU member state. The trust service provider must verify the identity of the signer and vouch for the authenticity of the resulting signature.
The above categorisation of electronic signatures represents a key provision in eIDAS, as it creates legal and technical clarity, overriding any prior divergences across the EU’s Member States with regard to their treatment and recognition of eSignatures. Unsurprisingly, a digital signature’s validity & legal recognition in a given jurisdiction – or cross-border – are foremost concerns for businesses considering a meaningful transition away from ink on paper. Thus, eIDAS provides businesses operating in the EU with the certainty that electronic signatures which meet certain criteria will benefit from recognition as legally valid across the EU. While qualified electronic signatures provide the highest level of assurance & legal certainty, other forms of eSignature cannot simply be denied legal effect either, cf. Article 25 of eIDAS:
An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is an electronic form or that it does not meet the requirements for qualified electronic signature.
However, for practical purposes, our discussion will focus on qualified electronic signatures and associated trust services as their legal & technical attributes make them most suitable for cross-border applications, integration into digitized and automated business processes and adoption by the highly regulated financial sector.
eIDAS and the market
In a 2018 report, EU agency ENISA provides us with valuable insights into the perception of trust services, and their implementation, by market participants. The study found that key factors influencing the development of the trust services market “revolve around the market’s ability to adapt to customer needs and its ability to build suitable business models”. Some key insights are reproduced below:
It is clear that eSignature, especially in its qualified flavor per eIDAS, is the most sought-after trust service by market participants. Unsurprisingly, (qualified) electronic time stamps are also in high demand as they are a natural complement to eSignatures.
- Used in conjunction with eSignatures, eTimestamps provide assurance of the authenticity of a document and its versions, if any, across time.
In addition to the EU-level insights provided by ENISA, global research efforts help complete the picture when it comes to future demand for trust services.
For instance, in its Analytics Business Technographics® Priorities And Journey Survey, 2020, Forrester Research queried nearly 20,000 global purchase influencers and concluded that “40% of [respondents] say that improving the experience of their customers is a high or critical priority over the next year. Another 27% state that investing in digital experience technologies is likewise a high or critical priority technology initiative for the coming year”, with trust service providers playing a key role in achieving these business goals.
With regard to the financial sector in particular, “strong governance and auditable compliance logs result from processes and transactions that are brokered through digital signature and trust services platforms. Clients use these sophisticated onboarding platforms to grant digital identities to their customers or to verify existing ones, depending on the use case. Firms in regulated verticals can also rely on these solutions to perform identity checks according to know your customer (KYC) requirements or comply with strong authentication requirements such as those in the European Payment Services Directive 2.”
An additional piece of research conducted by Forrester, the Forrester State of Systems Agreement Research 2020, sheds further light on the need for enhanced digital processes, especially when it comes to agreement processes (concluding contracts, executing orders, ordering products and services…). Key takeaways are:
- 9 out of 10 firms are burdened by manual agreement processes
- Digital signatures are a common first step towards full process automation
- 79% of respondents view the improvement of customer experience as a high or critical priority, with digitalisation and process automation as a way to achieve this priority
Additional Forrester research commissioned by Docusign yields additional insights with regard to the financial sector in particular. Notable findings relating to manual processes include:
- 47% say work is duplicated when re-entering data from agreements into systems of record
- 63% of respondents say errors occur when manually transferring data such as customer or product data into agreements
- 45% of respondents say customer experience has suffered as a result of manual processes
- 35% say they see delays in starting projects because of manual processes
- 39% see delays in recognising revenue and 23% experience lost revenue
All in all, the market rationale for eSig and its complementary trust services rests on multiple applications, from improving customer experience in terms of onboarding and services rendered, over integration with overall process automation cross-industry, to heightened KYC/AML compliance in the context of existing and emerging financial sector regulation.
Use case: Banco Santander
In the presentation below, delivered at the EFPE 2020 conference, Banco Santander highlights an eSig use case. A fully digital & remote loan signing system was set up in collaboration with Asseco Data Systems – a qualified trust service provider included in our curated list at the end of this report – leading to faster contract processing and increased client satisfaction:
Finally, the impact of eIDAS on the market is also a result of its interaction with other regulations, notably PSD2 and the EU’s AML directives. With PSD2 for instance, Qualified Website Authentication Certificates (QWAC) and QSeals are specifically prescribed for authentication purposes, and EBA guidance recommends using both trust services in parallel. When it comes to the EU’s 5th AML directive, eIDAS qualified trust services are emerging as valuable tools for financial service providers as they seek to enhance their remote customer onboarding & online banking activities.
The future of eIDAS
There is little doubt that eIDAS is here to stay, but as with any ambitious piece of EU legislation, revisions are due over time. The European Commission is about to adopt a proposal for a revised version of the regulation in the near term.
Until then, we can glimpse a few areas of priority by going over the 2020 Position Paper of the Forum of European Supervisory Authorities for Trust Service Providers (FESA). FESA presents “seven suggestions of maximum importance unanimously supported by its members”, namely:
- Harmonising the accreditation of Conformity Assessment Bodies
- Harmonise remote identification practices
- Provide greater clarity on remote server signing/sealing certification processes
- Mandatory adoption of Implementing Acts related to Qualified Trust Services
- Periodic vulnerability assessment and limited validity for Qualified electronic Signature Creation Devices (QSCDs)
- Sharing information on vulnerabilities and almost incidents
- Provisions for transition of Qualified Trust Services in the event of company shutdown
With regard to the first point, FESA postulates that there exist substantial differences “both in audit effort and quality” with regard to CAB certification schemes, which leads to a risk of a race to the bottom. Ensuring harmonisation on the EU level is viewed as “essential for building actual trust in trust services and for mutual recognition of trust services”.
The level playing field issue is also evident with regard to point 2, seeing how remote identification practices in the financial sector for instance are still governed by national law.
Remote signing (point 3) is a technically fascinating topic which overlaps with the question of cloud-based solutions (cf. Cloud Signature Consortium). Public key infrastructure specialists such as Ascertia are key proponents of this approach to eSig, but as FESA explains, “stakeholders have different views on remote signing/sealing”, and it calls for “greater clarity on the requirements for remote signing systems”.
Point 4 concerns itself with global requirements for qualified trust services and calls for the mandatory adoption of secondary legislation to enshrine a suite of ETSI standards that are already on the books.
Point 5 postulates that the current, indefinite, assurance of conformity delivered for QSCDs should be abolished in favour of predefined validity periods & vulnerability assessments.
The final two points are self-explanatory.
In a nutshell: in all likelihood, eIDAS in its revised form will clarify a number of technical requirements for qualified trust service providers, strengthen evaluation of signing servers & devices and – potentially – harmonise remote onboarding rules across the EU, which would greatly contribute to the harmonisation of the EU internal market.
The technicals: a deep dive into eSignature
To truly understand what an eSignature is, we need to consider its underlying technical foundations in areas such as cryptography and standardisation.
It is useful to first consider the primary goals of any signature, whether analog or digital:
- Integrity: providing assurance that a document hasn’t been changed somewhere in the workflow (e.g. post-signature).
- Authenticity: providing assurance that the signer of a document is a specific person or legal entity.
- Non-repudiation: providing assurance that the signer can’t deny his/her signature.
The second and third goals are best ensured when qualified eSignature is employed, which helps explain why qualified eSignature enjoys such a special legal status under eIDAS.
Encryption and hashing
Cryptography – the use of codes and ciphers to protect secrets – permeates anything meaningful you might be doing with an electronic device such as your computer or smartphone. While the term “crypto” has been co-opted by the cryptocurrency boom, it is important to understand that cryptography has been an important element of computing since the beginning, and in fact has roots that reach back thousands of years prior to the advent of modern technology.
In the context of eSignatures, encryption plays multiple roles, as is best illustrated by its integration into .pdf files.
Portable Document Format (PDF) files are by far the most popular way to share important documents in electronic form. Commonly associated with its inventor Adobe Systems, the PDF format became an open standard governed by ISO 32000 in 2008, dramatically increasing the format’s appeal to developers and consumers alike. To end users, PDF files might be best known for their visual attributes which typically mirror printed documents in the A4 format. PDFs’ many advantages over other file formats include their ability to combine machine-readable text with rich graphic designs, and most importantly for the present discussion, the ability to integrate seamlessly with electronic trust services such as eSignatures.
Cryptography in PDFs is employed in two notable ways which help illustrate the underlying principles of eSignatures.
- First and perhaps most familiar to readers is password encryption of the document itself. This can be used both for content management and access management purposes. PDF password encryption typically rests upon the Advanced Encryption Standard (AES), which relies on a symmetric key encryption method (block cipher).
- Asymmetric key encryption methods, such as RSA, on the other hand are the foundation for secure electronic communications as we know them today and they also provide the basis for electronic signatures. In a nutshell: whereas for message encryption purposes the public key would be used to encrypt the message and the private key would be used to decrypt it, for eSignature purposes, the signature is created with input from the user’s private key and can subsequently be verified by anyone through use of the corresponding public key.
Elegant as this “inverted” application of cryptographic principles may be, it is not the only factor at play in the eSignature process.
In computer science, hashing allows one to “map data of arbitrary size to fixed-size values”. Hashing is used to perform integrity checks on documents containing eSignatures.
Taken together, cryptography and hashing lay the technical foundation for the signing & verification processes of eSignatures, as explained by David Fillingham:
- The signer generates (or is provided) a “private signature key,” and an associated “public signature key.” It is computationally infeasible to determine the private signature key from knowledge of the public signature key, so the public key can be widely and freely disseminated.
- The signer generates a “digest” of the message to be signed. A “message digest” is the product of a “hash function,” that maps a message of arbitrarily large size to a specific, small size. For example, a message of 25,000 bytes might be “hashed” to create a message digest of 128 bits (16 bytes). A good hashing algorithm will have the following properties:
- A modification of any bit in the message will result in a deterministic modification of the message digest;
- Given a specific message digest value, it should be computationally infeasible to generate a message that will hash to that message digest value.
- The signer provides the message digest and a “private signature key” as inputs to the signature algorithm. The output is a “signature value” which is normally appended to the signed data.
- The verifier, having obtained the signed message, uses the same hash function as the originator to generate a message digest over the received message. If the message has not been changed since the signer applied the signature, the signer’s and the verifier’s hash calculation will result in the same message digest.
- The verifier obtains and authenticates the signer’s public signature key, and provides the message digest, signature value, and signer’s public signature key to the signature algorithm, which will indicate whether the signature is valid or not. If the signature is valid, then the verifier has an indication that the originator signed the message, and that the message was unchanged during the time between when the message was signed, and when it was verified.
Certificate authorities (CAs), which constitute trust service providers under the eIDAS definition, play another crucial role in the eSignature ecosystem.
While anyone can self-create an electronic signature as laid out above, this carries little meaning without reference to a person’s real-world identity as verified by a reliable third party. This is where certificate authorities intervene, providing trusted third-party verification of an end user’s (digital) identity.
The concept of a “certification scheme” is defined in ISO/IEC 17065:2012 as a “certification system related to specified products, to which the same specified requirements, specific rules and procedures apply”. Certification systems in turn are defined as conformity assessment systems per ISO/IEC 17000:2004 definition 2.7.
In simple terms, the main elements of certification schemes relate to:
- A set of requirements
- Ways to check against those requirements.
To better understand the concept of certificate authorities in the specific context of eIDAS, let’s break the terms down one by one:
- Certificate: the user’s public key combined with additional information, e.g. to identify the user, which is then enciphered with the certificate authority’s private key to render it unforgeable.
- Certificate authority: an authority trusted by one or more users to create and assign certificates for use with their electronic signatures.
By linking a given user’s public key to additional, unique attributes and by encrypting the resulting combination with the CA’s private key, CAs provide a crucial step in establishing trust in digital signatures.
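As an added example (not code from the white paper or from any provider it names), the following script walks through the hash-then-sign and verify steps described above, then adds the certificate step: a toy CA signs a subject’s identity together with their public key, and a relying party checks the certificate before checking the document signature. Keys are textbook RSA built from publicly known Mersenne primes with no padding, and the certificate encoding is a constructed stand-in for X.509, so the code illustrates the workflow rather than a deployable implementation.

```python
"""Hash-then-sign with textbook RSA, plus a toy CA certificate.

Added example; not code from the white paper. Keys are built from
publicly known Mersenne primes and no padding is used, so nothing here
is suitable for production: it only illustrates the workflow."""
import hashlib
from dataclasses import dataclass


def mersenne(k: int) -> int:
    """2**k - 1; for the exponents used below these are known primes."""
    return (1 << k) - 1


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537):
    """Step 1: a private signature key and its public counterpart (textbook RSA)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e; needs Python 3.8+
    return PublicKey(n, e), PrivateKey(n, d)


def digest(message: bytes) -> int:
    """Step 2: a fixed-size digest (SHA-256, 256 bits) of arbitrary-length input."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(key: PrivateKey, message: bytes) -> int:
    """Step 3: signature value = digest^d mod n. Real systems first wrap the
    digest in a padding scheme (PKCS#1 v1.5 or PSS); that is omitted here."""
    return pow(digest(message), key.d, key.n)


def verify(key: PublicKey, message: bytes, signature: int) -> bool:
    """Steps 4-5: recompute the digest over the received message and compare it
    with signature^e mod n. Any change to the message changes the digest."""
    return pow(signature, key.e, key.n) == digest(message)


# --- Certificate authority: binds a real-world identity to a public key ------

def certificate_tbs(subject: str, key: PublicKey) -> bytes:
    """Constructed 'to-be-signed' encoding of subject + public key.
    Real certificates use X.509 / ASN.1 DER, not this ad-hoc string."""
    return f"subject={subject};n={key.n};e={key.e}".encode()


def issue_certificate(ca_key: PrivateKey, subject: str, subject_key: PublicKey) -> dict:
    """The CA signs (subject, public key) with its own private key."""
    return {"subject": subject, "key": subject_key,
            "ca_signature": sign(ca_key, certificate_tbs(subject, subject_key))}


def verify_certificate(trusted_ca: PublicKey, cert: dict) -> bool:
    """A certificate is only meaningful if it verifies under a CA the relying party trusts."""
    return verify(trusted_ca, certificate_tbs(cert["subject"], cert["key"]), cert["ca_signature"])


def verify_signed_document(trusted_ca: PublicKey, cert: dict,
                           document: bytes, signature: int) -> bool:
    """Full relying-party check: trust the certificate first, then the document signature."""
    return verify_certificate(trusted_ca, cert) and verify(cert["key"], document, signature)


def demo() -> dict:
    # Constructed key material: known Mersenne primes, so anyone can factor n. Toy only.
    ca_pub, ca_priv = make_keypair(mersenne(1279), mersenne(2203))
    alice_pub, alice_priv = make_keypair(mersenne(521), mersenne(607))
    cert = issue_certificate(ca_priv, "CN=Alice Example", alice_pub)

    # Constructed sample document.
    contract = b"Loan agreement no. 42: borrower repays 10,000 EUR by 2025-12-31."
    sig = sign(alice_priv, contract)
    tampered = contract.replace(b"10,000", b"100,000")

    return {
        "valid": verify_signed_document(ca_pub, cert, contract, sig),
        "tampered_detected": not verify(alice_pub, tampered, sig),
        "cert_trusted": verify_certificate(ca_pub, cert),
        # A certificate checked against a key that is not the trusted CA's must fail.
        "cert_from_wrong_ca": verify_certificate(alice_pub, cert),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```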
Qualified signature creation devices (QSCD)
QSCDs are Secure Signature Creation Devices (SSCDs) which comply with the requirements laid out by Annex II of eIDAS.
QSCDs are both hardware- and software-based, and eIDAS enables both local and remote (server-based) signing.
- Local signing uses cryptographic keys stored on the user’s device to create a signature.
- The hardware component can consist of e.g. a token, a card reader or a USB stick.
- Server signing relies on a trust service provider (TSP) to remotely generate and manage the signing keys on the signatory’s behalf.
- For remote signing to be compliant with QSCD requirements it must combine a Signature Activation Module (SAM) with a Hardware Security Module (HSM). Both modules undergo certification.
- In theory, remote signing requires no specific hardware or software to be available to the end user, even for the purposes of qualified trust services such as qualified eSig. However, as we described in the preceding chapter on the future of eIDAS, European Supervisory Authorities believe that clarifications are necessary to ensure eIDAS compliance of qualified remote signing systems.
Luxembourg’s homegrown trust service provider Luxtrust in 2020 migrated all of its remote signing services to the highest LOA, i.e. qualified eSig under eIDAS, in collaboration with Cryptomathic. As the latter explains, the integration of the Cryptomathic remote signing server (Signer™) with the Luxtrust infrastructure “removes the requirement for residents to use connected smart cards and readers – thereby providing full mobility for all users”.
The result is pragmatic solutions such as the Luxtrust App, which combines remote signing with multi-factor authentication to allow for qualified eSig.
App-based solutions have additional advantages over token- or smartcard-reliant services. Apps can leverage smartphone-inherent features such as a camera for QR code reading & biometrics features such as fingerprint readers or Apple’s FaceID.
Integration of eSignature into enterprise workflows
Equipped with the knowledge that eIDAS ensures legal equivalence between qualified eSignatures & ink on paper, encouraged by the technical underpinnings of the eSignature process and motivated by the undeniable gains in efficiency, transparency, fraud prevention & detection and regulatory compliance that eSignatures offer, the next step for your business is to consider practical implementation of eSignature into existing workflows & processes.
While integration with existing processes is a case-by-case exercise, there are a few obvious and overarching applications that flow from the implementation of eSig and contingent trust services. Here we discuss two such opportunities.
An obvious but crucial consideration is that of electronic archiving: no paper trail means a partial or full shift to electronic archiving.
The rationale for such a shift is obvious: by some measures, electronic records management clocks in at only one fifth of the cost of physical records management – cf. this discussion paper by our partner Deloitte.
Not only does digital archiving offer significant cost advantages, it also enables features such as redundancy and the seamless integration into automation processes & big data analytics.
A subtle but important distinction is that under eIDAS, the preservation of electronic signatures and seals is defined as a trust service (PresS), whereas digital document archiving is not.
In order to ensure the legal validity of electronic signatures and electronic seals over long periods of time one needs to apply appropriate preservation techniques as outlined in ETSI SR 019 510.
The preservation techniques realised by a Preservation Service (PresS) according to Article 34 may involve Evidence Records according to RFC 4998 or RFC 6283 or the continuous augmentation of signatures using archive time stamps according to CAdES or XAdES for example.
However, under Recital 25 of eIDAS, Member States may indeed define electronic archiving as a trust service at the national level, and this is precisely what the Grand Duchy has done.
The Luxembourg edge
Given the mandatory cross-border recognition of (qualified) eSignatures under eIDAS & the logical implication that the transition towards digital-first document signature workflows entails heightened electronic record keeping requirements, Luxembourg in 2015 passed a law relating to the latter.
As discussed here, the Law and accompanying regulation establish a presumption of probative value equivalent to original documents for digitised copies that are made by a duly certified and registered digitisation or storage service provider. The national competent authority in Luxembourg is ILNAS, which attributes the corresponding PSDC status and keeps an updated list of accredited providers.
Accredited entities may provide only archiving functions or both digitisation & archiving functions.
The combination of cross-border recognition of eSignatures via eIDAS & the availability of electronic archiving providers regulated as national trust service providers means, in practice, that MNCs or even SMEs with a cross-EU client base gain the ability to conduct all of their document signing operations in the EU digitally, fully integrated with regulated electronic archiving in Luxembourg benefiting from the same probative value as paper copies. Furthermore, insofar as the corporate entity is headquartered in Luxembourg, all of its cross-border contracts would benefit from Luxembourg contract law.
Integration with eID
Another obvious “next step” is the integration of eSig and other trust services with national eID schemes & other attributes of an end user’s electronic ID.
For the purpose of simplification, we will focus our discussion on a pragmatic concept, namely that of eID as “means for people to prove electronically that they are who they say they are”, as defined here.
This needs to be distinguished from eID schemes as defined via eIDAS. These schemes are primarily designed with cross-border acceptance for travel purposes, which brings into play ICAO rules on biometrics and machine readability.
Where eIDAS provides an overarching backbone for interoperability of trust services, Regulation (EU) 2019/1157 provides for technical convergence between Member State identity cards, at a minimum compliant with ICAO Doc 9303.
Thus, the concept of a person’s electronic identity is not necessarily contingent upon national eID schemes as regulated under eIDAS. As the EU Commission explains, “an electronic identity does not necessarily imply the use of a physical item such as a smart card or a USB token”.
Notwithstanding, national eID schemes today form part and parcel of modern eID infrastructure. For instance, via appropriate card readers and software interfaces, national digital ID cards also enable eSignature execution. As noted in the PwC/European Commission report on eID and digital onboarding, “there can be a technical overlap between electronic identification and electronic signatures and trust services [such as] where Member States combine an eID token with a Signature Creation Device, where the two functions might even share the same PIN”.
As of now, 17 EU Member States have notified or pre-notified eID schemes, up from 15 roughly a year ago. In practice this means that more than half of the EU’s citizens have access to eID schemes that enable them to use public sector, and increasingly private sector, services which benefit from a high level of assurance (LoA) and mutual recognition across the EU. A complete list of these schemes can be consulted on a Commission website. Notified schemes often come in the form of national eID cards which automatically carry a high level of assurance (LoA), but they can also represent a suite of compatible solutions with varying LoA, issued by various providers, compliant under a national scheme such as the Italian SPID. Indeed, several Member States have notified or pre-notified more than one eID scheme.
A highly attractive attribute of eIDs is their potential portability and reusability within a clearly defined legal framework such as eIDAS. This allows for a paradigm shift away from verification on a case-by-case basis each time a customer signs up with a new service provider. In the new trust-service-enabled framework, customer identities rest on high-LoA trust services and/or national eIDs compliant with eIDAS, resulting in a mutually recognised, legally binding and cost-efficient reusable digital identity.
An expert-level working group coordinated by the European Commission has published an extensive report on the topic of eID and digital onboarding in the banking sector. To be extremely concise, the report’s conclusions centre around the need for additional harmonisation and collaboration between the private & public sector, as well as between different types of stakeholders in the private sector. With regard to this crucial point, the expert group stipulates:
As eID solutions have been created by different public and private sector entities, it is of vital importance that they are interoperable, meaning that eIDs issued by one system can be recognized by another system, and reusable across different geographies.
A potential solution to these challenges is for providers of financial services to work with FinTech integrators to minimize their own development efforts, and leverage FinTech partners to integrate with various eID services on their behalf. This approach works well when Firms are cash rich but development poor. It has been voiced that a strong driver for integration with eID schemes is experimentation to help understand the customer perspectives of using such schemes.
All things considered, while additional technical, regulatory and commercial developments are needed to fully reap the benefits of eID integration with other trust services under eIDAS & existing enterprise processes in finance, the groundwork has been laid and experimentation – together with the Fintech ecosystem – is explicitly called for.
Identity and access management (IAM)
IAM in enterprise IT is about defining and managing the roles and access privileges of individual network entities (users and devices) to a variety of cloud and on-premises applications (source).
Thus, IAM is a crucial IT discipline for organisations of meaningful size, and one that is practically calling for integration with trust services. Classically, IAM has been based on username/password combinations attributed by the organisation, but with advanced electronic trust services becoming increasingly prevalent, one can envision integration between IAM and such solutions.
Example: the Luxembourgish eID & e-signature ecosystem enabled by LuxTrust. LuxTrust devices & certificates are used by individuals both for authentication & eSignature purposes in their capacity as customers, most pertinently in the local financial sector, and as private citizens seeking access to the comprehensive online administrative services offered by the Luxembourgish government through the portal guichet.lu.
Thus, LuxTrust acts as a central authority providing both the private and public sector with advanced IAM solutions. Recently, the utility of such services has been further highlighted by the socio-economic imperatives of the COVID-19 pandemic: an online teleconsultation platform was launched by the government to de-risk and speed up medical visits, while a shared electronic health record finally saw the light of day. Both of these services tie into the concepts of eID and eSignature for the purpose of highly secured and reliable IAM.
Discussion box: IAM in the cloud
Federated Identity Management provides the policies, processes and mechanisms to manage identity and trusted access to systems across organizations. This allows for reuse of users’ identities across organizational boundaries, and ensures efficient user lifecycle management, compliance, and congruence of relevant user information between two partner organizations without excessive administrative overhead. The primary objective of federated identity management is to provide the users of one security domain the ability to access the systems of another domain in a seamless manner, thus enabling Federated Single Sign-On. (Source: SecaaS_Cat_1_IAM_Implementation_Guidance)
Curated list of trust service providers
The below table represents a curated list of qualified trust service providers with a focus on 4 essential services for the financial sector:
- Qualified eSig
- Qualified eSeal
- Qualified eTimestamp
- Qualified Website Authenticity Certificates
We sourced eligible providers from the EU Trusted List Browser and applied a deliberate curation effort aimed at pre-selecting providers that are commercial entities (as opposed to government institutions) and which appear able to provide the required services cross-EU (e.g. English-language website and documentation available).
Furthermore, we provide additional attributes & annotation for each provider. Notably, we provide the ability to highlight providers which can be considered trust platform and/or transformation platform providers.
We define digital trust platform providers as companies which integrate eIDAS qualified trust services with the issuing of digital identities to end users, assuming full liability. They typically share attributes with digital transformation platforms (cf. below) but with an emphasis on governance and compliance. Integration with enterprise solutions via APIs and workflow automation is typically provided.
We define digital transformation platform providers as those which seek to balance customer experience with enterprise requirements. These offerings are typically very flexible and able to integrate with more specialised trust service providers and 3rd party eIDs.
Readers should feel free to use the header of the below table to sort vendors according to the above attributes and to dig further by visiting their corresponding websites (also included in the table).
[Table: curated list of qualified trust service providers (not reproduced in this extract)]
Annex: Consortia and projects advancing eSignature state-of-the-art
Cloud Signature Consortium
The Cloud Signature Consortium (CSC) is an international non-profit association with a broad industry and academic membership base. The Consortium aims to promote cloud-based digital trust services through the design of common architecture and building blocks to facilitate trust service interoperability. Notably, CSC providers integrate with the Adobe ecosystem, thus addressing a large unmet need: the ability to sign off on contracts and other documents in .pdf form, via different service providers and through cloud-based infrastructure.
What makes the CSC’s approach so appealing is its collaborative and open approach with a goal of facilitating integration of the greatest possible number of trust service providers, the crucial Adobe ecosystem and end users. The core of CSC’s offering to date is a Web Service API based on the REST protocol and JSON data exchange – commonly used technologies that are very accessible to developers thus lowering the barrier to entry.
At EFPE, Adobe highlighted some of their work at the CSC and made the case for Adobe Sign’s integration with various trust service providers:
Ongoing work inside the Consortium is focused on expanding authentication and authorisation options, aligning with the ETSI standard on remote digital signature creation and improving error handling.
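To illustrate what a REST/JSON remote signing exchange of the kind the CSC standardises looks like from both sides, here is an added example (not code from the Consortium, from Adobe or from the white paper). Endpoint paths and JSON field names follow the CSC API v1 as this example's author understands it and should be checked against the published specification; the service and client run in-process, the credential, PIN and document bytes are constructed, and an HMAC secret stands in for the private key a real provider holds in its HSM/QSCD, so the returned "signatures" are not real RSA or ECDSA signatures. The security point it shows is that only the document hash crosses the network, and that the signature activation data (SAD) is bound to those exact hashes and consumed on first use.

```python
"""Constructed CSC-style remote signing exchange (client and service in one
process).  Field names follow CSC API v1 as understood by this example's
author; the signing key is an HMAC stand-in for a provider-held private key."""
import base64
import hashlib
import hmac
import json
import secrets

SHA256_OID = "2.16.840.1.101.3.4.2.1"   # hashAlgo value for SHA-256
RSA_OID = "1.2.840.113549.1.1.1"        # signAlgo value for RSA (label only here)


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


class RemoteSigningService:
    """Service side.  Behaves like SCAL 2: the SAD issued by credentials/authorize
    is bound to the exact hashes that may later be sent to signatures/signHash."""

    def __init__(self):
        self._keys = {"cred-1": secrets.token_bytes(32)}   # constructed credential
        self._pins = {"cred-1": "1234"}                    # constructed PIN
        self._sads = {}   # SAD -> (credentialID, tuple of authorised hashes)

    def handle(self, path: str, body: dict) -> dict:
        if path == "/csc/v1/credentials/list":
            return {"credentialIDs": list(self._keys)}
        if path == "/csc/v1/credentials/authorize":
            cid = body["credentialID"]
            if cid not in self._keys or not hmac.compare_digest(self._pins[cid], body.get("PIN", "")):
                return {"error": "invalid_request", "error_description": "Invalid PIN"}
            sad = secrets.token_urlsafe(32)
            self._sads[sad] = (cid, tuple(body["hash"]))
            return {"SAD": sad, "expiresIn": 300}
        if path == "/csc/v1/signatures/signHash":
            auth = self._sads.pop(body.get("SAD"), None)   # SAD is single-use
            if auth is None or auth[0] != body["credentialID"] or tuple(body["hash"]) != auth[1]:
                return {"error": "invalid_request", "error_description": "Invalid SAD"}
            if body.get("hashAlgo") != SHA256_OID:
                return {"error": "invalid_request", "error_description": "Unsupported hashAlgo"}
            key = self._keys[auth[0]]
            sigs = [b64(hmac.new(key, base64.b64decode(h), "sha256").digest()) for h in body["hash"]]
            return {"signatures": sigs}
        return {"error": "not_found"}

    def verify(self, credential_id: str, digest: bytes, signature: str) -> bool:
        """Stand-in for verifying against the signer's certificate."""
        expected = hmac.new(self._keys[credential_id], digest, "sha256").digest()
        return hmac.compare_digest(expected, base64.b64decode(signature))


class CscClient:
    """Application side, e.g. a PDF signing tool.  `transport` is a callable
    (path, dict) -> dict; in production it would be an HTTPS POST with a JSON body."""

    def __init__(self, transport):
        self._post = transport

    def sign_document(self, credential_id: str, pin: str, document: bytes) -> str:
        digest = hashlib.sha256(document).digest()   # only the hash leaves the client
        hashes = [b64(digest)]
        auth = self._post("/csc/v1/credentials/authorize",
                          {"credentialID": credential_id, "numSignatures": 1,
                           "hash": hashes, "PIN": pin})
        if "SAD" not in auth:
            raise PermissionError(auth.get("error_description", "authorisation failed"))
        res = self._post("/csc/v1/signatures/signHash",
                         {"credentialID": credential_id, "SAD": auth["SAD"], "hash": hashes,
                          "hashAlgo": SHA256_OID, "signAlgo": RSA_OID})
        if "signatures" not in res:
            raise RuntimeError(res.get("error_description", "signing failed"))
        return res["signatures"][0]


def demo() -> bool:
    svc = RemoteSigningService()
    # JSON round trip mimics the wire format without a network.
    client = CscClient(lambda path, body: svc.handle(path, json.loads(json.dumps(body))))
    doc = b"%PDF-1.7 constructed contract bytes"   # constructed sample
    sig = client.sign_document("cred-1", "1234", doc)
    return svc.verify("cred-1", hashlib.sha256(doc).digest(), sig)


if __name__ == "__main__":
    print(demo())
```

Authentication options beyond a PIN (OTP, OAuth 2.0, push approval) plug into the authorize step without changing the signHash step, which is why that part of the protocol is where the Consortium's current work sits.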
The Horizon2020-funded FutureTrust project was created to design and develop “innovative open source components and services complementing the current eIDAS ecosystem”. The motivations behind the FutureTrust project are detailed further on blog.eid.as:
“The eIDAS-Ecosystem is […] fairly well developed. Similarly, there also exist a significant number of European providers of qualified certificates for issuing electronic seals (93) or website authentication (41). The development of the market seems to be on the right track here. On the other hand, there are very few providers of qualified validation (13), preservation (10 or 11) or electronic registered delivery service (15) so far. Furthermore the very promising option for issuing qualified certificates based on electronic identification (see Art. 24 (1) (b) of the eIDAS-Regulation) – especially in combination with remote signatures – does not yet seem to be practically implemented and available in the market.
Expecting this foreseeable development, the FutureTrust project has built upon experiences and previous work from pertinent projects (e.g. STORK, STORK 2.0, FutureID, e-SENS, SD-DSS, Open eCard, OpenPEPPOL and SkIDentity) in order to close the existing gaps as far as possible.”
The project’s main results are collated on a dedicated website, notably the following services:
- Pan-European eID-Broker (eID-Broker, eID)
- Signature Generation Services (SigS)
- Validation Service (ValS)
- Preservation Service (PresS)
The pan-European eID-Broker, for instance, “ensures the trustworthy identification of a person and makes it possible to get this identification delivered to the entitled Relying Party”. This solution supports the Luxembourgish eID scheme, among others.
Another FutureTrust service, SigS, allows for use of the same range of national eIDs in order to electronically sign (advanced & qualified signatures) any document via a web portal.
As described on the project’s blog, the development of a universal “eIDAS API” remains an important goal together with cloud integration.