Electronic Signing in Banking

Contact: +386 590 742 70 Follow us:

Details: 18.01.2020

How to Deliver High-Trust Electronic Signing Solutions in Banking

International banks are rapidly evolving to cater to the digital world. With pen and paper signatures nearly obsolete, banks are investing in electronic signatures as a more secure, trustworthy replacement.

But questions remain:

How secure are the systems that consumers and businesses use and what happens if a transaction is disputed?
Do you truly trust your solutions to provide sufficient and valid evidence, particularly if a claim is escalated to a court of law?

This risk means high-trust solutions across the digital stack have become critical to protecting an institution’s reputation as well as a customer’s funds.

Ensuring secure, valid authorisation to sign

Despite this growing adoption, it’s important to remember not all electronic signature types can be considered high-trust or legally valid.

The common terms for electronic signatures, e.g. eIDAS Qualified (Europe) or AeSign (South Africa) vary across different international regions and countries and have different levels of assurance associated. Furthermore, some countries still mandate the use of a hardware device e.g. Smartcard or USB dongle for creating individual digital signatures.

Like a paper signature, an electronic signature’s purpose is to prove the identity of the signer and the date. A simple box-tick or digital scribble is not enough. Basic click-to-sign signatures can be easily tampered with and generic e-signatures (using a single witness certificate) need to be used alongside strong 2-factor authentication as the signature is attributed to the signing organisation rather than the individual themselves. An easily disputed document is no good for the bank nor the customer.

To check you have secure, valid authorisation you need to confirm what constitutes a legal signature in the country the document is being signed in. By doing so, you ensure that, should fraud or an error occur, the e-signature in question contains sufficient evidence of when the individual signed and that the document has not been tampered with.

The European Union’s e-signature regulation, eIDAS, clearly sets out the legal definition of e-signatures across all 27 member states and provides clear guidelines to enable easier cross-border trade across Europe.

eIDAS also provides guidance for legal certainty and technical operability for eIDs, e-signatures and Trust Service Providers. One of its main requirements is for there to be proof of sole control– i.e. the user can prove with certainty that the signature was created by them.

Under eIDAS this breaks down into different signature types.

The first, an advanced e-signature, must be uniquely linked to the signatory, capable of identifying the individual, under their sole control and can demonstrate that any subsequent changes can be detected.

A qualified e-signature goes one step further in that the user’s digital certificate used to sign the document must be issued by a trusted Qualified Certificate Authority. The signing key must be managed within a trusted Qualified Signature Creation Device (QSCD).

eIDAS also recognises e-seals as valid signatures. E-seals enable legal entities to sign on behalf of a person or institution and provide banking staff with an efficient, secure method of document approval.

High-trust remote signing

The most recent advancement in e-signatures beneficial to the banking industry is remote signing.

Prior to this, the only option for secure PKI based signatures was local signing. This involved specialised card readers and software which were difficult to use with mobile devices and made the process cumbersome.

Signing keys can be held securely in server-based systems or secure cloud services, making signing from a mobile device from any location much easier. To ensure high-trust, non-reputable signatures the signing keys are held in a Hardware Security Module (HSM) which only authorises use of the signing keys once it can verify authorisation from a registered signing device.

With billions of documents a day processed by banks across the world, remote signing can transform the authorisation process.

Supporting this advancement are new regulations and certifications. These determine whether the HSM or signing solution is compliant and offers the highest level of trust.

For HSMs, look for the Common Criteria EAL4+ EN 419 221-5 standard and for remote signing solutions look for EN 419 241-2. Solutions certified with these standards have undergone independent evaluation to determine their compliance against the eIDAS standard. All products with these certifications are listed on the Common Criteria website.

Europe continues to be a leading force in high-trust regulations and certifications and in September 2019 it will introduce PSD2 – a regulation and set of standards for online payments within the EEA. Qualified certificates and e-seals will form part of the requirements of the regulation which is focused on secure authentication of online transactions.

PSD2 is especially beneficial to the security of large value transactions, requiring an e-seal from the bank upon the opening of an account by a customer and further identification authentication from the customer for transactions. This provides banks and their customers with an additional means of fighting fraudulent transactions and ensures the highest-trust for online and remote payments.

The Future of Banking

Security has always been a top priority for the banking industry. The move to online banking and cloud-based solutions has its own risks, just as traditional paper methods before. The industry has been quick to adopt solutions that provide security and peace of mind for customers, but threats are constantly evolving and it’s important that institutions do as much as possible to mitigate risk.

High-trust solutions are becoming more advanced and provide additional layers of authentication to ensure that all involved parties can prove their identities and that documents remain valid and legal long into the future.

E-signatures are a large component of this technological advancement and alongside high-trust hardware solutions that keep data secure, they are powering cross-border business. If businesses are using these solutions to sign their own business contracts, they will be looking to their financial institutions to follow suit and provide the same level of assurance.

Banks have a duty to keep up to date with eIDAS advancements and to implement solutions that comply with the latest standards.

As customers look for more innovative solutions that provide them with the freedom to bank wherever they are, banks should ensure that their services are as secure as coming into a branch. This will secure the finance industry’s future success.

---
Source: Taken from this article.

News

Utimaco and CREAPLUS strengthen cooperation to meet NIS 2, DORA and GDPR requirements

Utimaco in CREAPLUS krepita sodelovanje pri izpolnjevanju zahtev NIS 2, DORA in GDPR

Utimaco and CREAPLUS have outlined their cooperation in 2025, which will be marked by new solutions that make it easier for companies to comply with legal requirements in managing cybersecurity and resilience and protecting data.

Mitja Trampuž presents the state of the art in the use of artificial intelligence in cybersecurity

In Budva, the Association of Security Managers of Montenegro organized the conference "Security without compromise", which addressed the current challenges of regional companies in the field of corporate security.

Slovenian organizations get an updated edition of the AI implementation guide

Slovenske organizacije dobile posodobljeno izdajo vodiča za uvajanje umetne inteligence

The Artificial Intelligence for Slovenia AI4SI initiative, which operates within the Association for Informatics and Telecommunications of the Slovenian Chamber of Commerce and Industry, has published an updated "Guide to Deploying Artificial Intelligence in Enterprises".

Mitja Trampuž discovers measures to mitigate the risks of RSA key vulnerabilities

In an article by journalist Daret Hribersek on the portal of the magazine Finance: ICT informant, Mitja Trampuž, CEO of CREAPLUS, sheds light on the problems with RSA cryptographic key cracking and provides best practices for reducing risks and vulnerabilities in this type of data encryption.

CREAPLUS team enhances its expertise to support regional partners in implementing Ascertia's top PKI solutions

CREAPLUS has strengthened its partnership with Ascertia, a global leader in high trust public key infrastructure and remote qualified digital signature solutions.