Accelerating the take-up of eIDAS services: where do we stand in the banking/financial sector

Andrea SERVIDA
19 September 2016

One year ago, I posted a blog post on the first big step accomplished in the implementation of the eIDAS Regulation. One year later, I am glad that our efforts to accelerate the uptake of eIDAS by promoting, on the one hand, the understanding of its value and the opportunities it offers to citizens, businesses and Member States and, on the other, by ensuring the regulatory alignment between eIDAS and the existing or upcoming sector-specific rules, are producing their first concrete results.

In the quest to build a Digital Single Market, the need for convenient and secure online cross-border transactions is becoming increasingly strong. This is notably the case in the banking/financial sector where eID and trust services may play a key role in meeting regulatory obligations - under Payment Services Directive 2 (PSD2) and the Anti-Money Laundering Directive 4 (AMLD4) - on security and identification related to know-your-customer (KYC) in digital on-boarding activities, as well as strong authentication of parties to electronic payment transactions.

This key role of eIDAS services was highlighted in all our conversations with internal and external stakeholders on the benefit of relying upon the widespread use of eID and trust services to enhance the security of and the trust in digital transactions. Whilst a lot still needs to be done, I would like to draw the attention of our stakeholders to a couple of recent developments relevant to the banking/financial sector.  

eIDAS & PSD2

The revised Payment Services Directive, which entered into force on 12 January 2016, aims to provide better protection of consumers, by promoting the development and use of innovative online and mobile payments and making European payment services safer. Under article 98 of PSD2, the European Banking Authority (EBA) is tasked to issue Regulatory Technical Standards (RTS) on strong customer authentication and secure and common communications in January 2017.

In the first stage of the RTS development process, EBA published a discussion paper on strong customer authentication and secure communication under PSD2 where possible synergies with eIDAS were highlighted. The stakeholders' feedback on the discussion paper served then as the basis for EBA to produce a Consultation Paper, published on 12 August, on draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication. The public consultation is open until 12 October 2016.

In relation to eIDAS, the paper seeks the stakeholders' advice on the use of Qualified Website Authentication Certificates (QWACs) to fulfil the requirement concerning the identification of payment service providers (PSPs), as an element of the common and secure open standards of communication. This is an important development in operationalising the use of QWACs under eIDAS in the banking/payment sector.

Besides QWACs, eIDAS offers a broader set of tools that help the banking sector meet the requirements set in the PSD2 in relation to strong authentication for online payments, such as eID means. In addition, with regard to consenting to transactions, the Regulation gives qualified electronic signatures (for natural persons) the same legal effect as handwritten signatures everywhere in the EU. For legal persons, eSeals ensure the origin and integrity of data.

This is all very important to ensure secure online financial transactions. And this is why you should not miss the opportunity to make your voice heard and respond to the Consultation by 12 October.

eIDAS & AML4

In our conversations with stakeholders, eID has been singled out as one of the major enablers to drive innovation in the FinTech and RegTech industry, allowing for quicker, cost-effective, and seamless identification processes, while retaining the risk reduction and compliance requirements the financial industry imposes. However, eID will be widely used only once it is recognised as a suitable tool to meet regulatory requirements concerning the identification and authentication of persons (natural or legal) as required under the 4th Anti-Money Laundering Directive (AML4). This need was addressed in the recently drafted amendments to the Anti-Money Laundering Directive, which proposed to enable the use of eID means for fully digital on-boarding activity, and which will now be discussed by the co-legislators.

What does it mean in practice? When finally adopted, it will be possible to use "notified" eID means of appropriate assurance level (for instance level HIGH) for secure remote cross-border identification of customers, thus facilitating banks' compliance with the new know-your-customer requirement. As eID means of assurance level HIGH carry the legal value associated with strong identity proofing and authentication, which in 'offline' reality includes an in-person verification step, by relying on such eID means a natural (or legal) person will be able to open and operate a bank account in another EU country online, without undergoing a face-to-face identity verification in a branch.

The importance of enabling the cross-border use of such eID means has also emerged from the responses to the Consultation on the Green Paper on Retail Financial Services, which will serve as the basis for the specific measures to be identified in the upcoming Action Plan. With eIDAS complementing AML4, customer identification at a distance is considered to be easier. Many stakeholders also recommended extending the cross-border use of national eID systems to the private sector. Also, establishing an EU-wide digital identity and standardising online KYC requirements were pointed out as ways to support firms, at the EU level, in creating and providing innovative digital financial services across Europe.

eIDAS and CEF

In addition to ensuring regulatory alignment, we are also working on supporting the practical deployment of eIDAS tools. In this context, funding has been made available under the CEF 2016 Call which closed on 15 September 2016. It gave financial institutions the opportunity to test their cross-border service connections via the eIDAS node and show that the integration of eID into cross-border business processes works smoothly.

eIDAS and upcoming DSM actions

We will continue our work in this context as well as explore the best possible use of eID and trust services in other fields, e.g. in the context of the eGovernment Action Plan 2016-2020, which foresees further "[...] actions to accelerate cross-border and cross-sector use of eID (including mobile ID) in digitally enabled sectors (such as banking, finance, eCommerce and sharing economy) […]. The Commission will also explore the need to facilitate the usage of remote identification and secure authentication in the retail financial services", but also in the framework of the initiative on Online Platforms, which foresees the development of standards that support global interoperability and seamless trustworthy authentication across objects, devices and natural and legal persons based on comparable trust models. This work should be based on technical standards aligned with the eIDAS regulatory framework.

We encourage your active involvement via the eIDAS Observatory or other channels in order to jointly build trust, security and convenience for everyone in the Digital Single Market.