TUPAS Identification Service. Identification Principles

Transcription

1 TUPAS Identification Service Version 2.0b

2 Table of contents 1 Introduction General description Document name and specification data Parties Banks Service provider System supplier The identifying customer The purpose of bank identifiers and the Tupas certificate Organisation administering the identification principles Administrative data of the standard Administrative organisation Intellectual property rights Naming convention and definitions Publication and availability of the data Implementation of the service Contract between the bank and the service provider Applicability for operations and the industry Agreement on legal consequences Handling of personal identity codes Marketing use of the name Tupas and the logos of the banks providing the service Bank identifiers Identification of the applicant for bank identifiers Contracts concerning bank identifiers Blocking service Use of the service Storage of the data in the identification document Release of data and bank secrecy The service provider's data Collecting log data of the use of service, storage of the data Storage period Release of data and bank secrecy The service provider's key Continuity of operations, error management and handling of exceptions Use of the data received via the Tupas service Single Sign-On and Session Transfer Halting of the Tupas service and termination of the contract Right to give notice Technical security arrangements Creation and implementation of bank identifiers and the service provider's keys Protection of identifiers and keys IT security arrangements Timestamp Certificate and blocking list profiles Auditing and inspections The statutory right of supervisory authorities for inspections APPENDIX 1 BANK-SPECIFIC CONTACT INFORMATION HANDELSBANKEN NORDEA OP BANK GROUP S-BANK SAMPO BANK SAVINGS BANKS AND LOCAL CO-OPERATIVE BANKS TAPIOLA BANK... 15

3 2 (16) BANK OF ÅLAND APPENDIX 2 DOCUMENTS USED FOR INITIAL IDENTIFICATION... 16

4 3 (16) CHANGE LOG Version Page Comment v second paragraph incorrect, changed to correspond to decision made on 19th December 2007 by the Federation's Banking Executive Committee. v2.0 all Name changed to identification service, use of the term certification abandoned, additional specification to identification principles, contact information moved from the service description. v2.0b 11 Minimum length, generation and renewal of authentication key. 16 Acceptability of documents used for initial identification updated. APPROVAL Version code Date Approved by v June 2008 Payment Systems Committee v March 2010 Payment Systems Committee v2.0b Payment Systems Committee

5 4 (16) 1 Introduction 1.1 General description The banks Tupas identification service (hereinafter "Tupas service") allows businesses and corporations (hereinafter "service provider") who provide electronic business services to identify their customers using Tupas certificates. In the Tupas service, banks identify their customers with strong identification 1 by using their own registers. The Tupas service is used primarily for electronic identification and electronic signatures in the service provider's business services. The Tupas service has been jointly specified by all the involved banks. Each bank identifies its customers using the same bank-specific identifiers (hereinafter "bank identifiers") that the customer uses in the bank s own services. The Tupas service can be used in Internet services which require the reliable identification of customers. In addition to strong identification, the transaction must be carried out through sufficiently secure procedures. The changing identification numbers which banks use satisfy the criteria for a secure identification transaction. 2 The service provider initiates the identification by sending an identification request to the customer. The customer then transfers the request to their own bank s identification service by clicking on the bank s service button. The bank's Tupas service sends a response message to the customer (hereinafter "Tupas certificate" or "certificate") once the identification has taken place. 3 The customer checks the information on the certificate, and after approving it, returns to the service provider's service, at which point the certificate's data is transmitted to the service provider. If the customer so wishes, he or she is allowed to cancel the identification transaction before identifying himself or herself, or while checking the certificate. In the Tupas service, the bank is only responsible for identifying the customer as specified in this service description, and is not responsible for the validity or content of the legal transaction between the customer and the service provider. The service provider and the customer can agree on the use of the Tupas certificate as part of the electronic signature 4 in the legal transaction between the customer and the service provider, which enables the reception of various applications and the signing of contracts through the Internet. The service provider is responsible for the other requirements of the electronic signature, such as managing all of the data and ensuring 1 Strong identification comprises something that the user: knows (such as a user ID), possesses (such as a list of passwords or a security calculator that generates one-time identifiers, or some other device), is physically (such as a fingerprint). Two of these conditions must be satisfied simultaneously for the authentication transaction to satisfy the definition of strong authentication. (Act on Strong Electronic Identification and Electronic signatures [617/2009], Chapter 1 Section 2 Subsection 1) 2 The combination of a fixed password and user name does not satisfy the criteria for strong identification required by the Tupas specification. 3 The Tupas Certificate can only be used once and it is tied to both the service provider's service transaction in question and to the customer with a time stamp. 4 Electronic signature means data in an electronic form that is linked or logically connected to some other electronic data and used as a device for verifying the identity of the signatory. Identification devices may be used in the execution of legal transactions, unless otherwise provided by law or section 18. (Act on Strong Electronic Identification and Electronic signatures [617/2009], Chapter 1 Section 2 Subsection 9, and Chapter 2 Section 5 Subsection 1).

6 5 (16) its integrity and indisputability, and for storing the response message. Use of the Tupas certificate as an electronic signature is supported by the timestamped response messages and the banks' log files. 1.2 Document name and specification data 1.3 Parties Banks Service provider System supplier These identification principles are a description of the banks' Tupas identification service, as defined in the Tupas specifications. The document describes those procedural methods and operating principles that apply to the strong identification of the customer and service provider, the administration and lifespan of bank identifiers, and legal questions related to the business operations. The principles were produced by the Federation of Finnish Financial Services. In the Tupas identification service, banks function as the producers of certificates and identify the person and/or company that uses the services of a service provider who has a contract with the bank. The bank also identifies the service provider for the customer. The word "bank" refers here to a credit institution operating in Finland or to a branch of a credit institution that has licence to operate in Finland. The service provider forms a contract with each Tupas bank for the use of the service. The service provider uses the Tupas certificates for the reliable identification of customers who are using their service. The bank and the service provider are not in direct contact with each other in the identification service. There is no contractual or subcontracting relationship between the banks and the service provider's system supplier. The system supplier builds the system to include the technical features required for the introduction of the Tupas service The identifying customer The word customer here refers to a person who transacts business in the service provider s Internet service, using bank identifiers for identification. The customer is pivotal in the use of the service, and controls the transmission of his or her data between the service provider and the bank. 1.4 The purpose of bank identifiers and the Tupas certificate The Tupas service is suitable for Internet services whether they are targeted for consumers or businesses. The Tupas service enables the strong identification of a person using the service provider's service, and makes it possible to sign contracts and

7 6 (16) verify authorisations. It also enables the identification of businesses using the Tupas service. The strong identification carried out using the Tupas service is needed in Internet services in which confidential or financially valuable information is handled, binding legal transactions are made, or a person s age requires verification. 1.5 Organisation administering the identification principles The Federation of Finnish Financial Services maintains the documents connected to the Tupas identification principles, and is responsible for administrating and updating them. The Federation of Finnish Financial Services owns the copyrights to the Tupas identification principles. 2 Administrative data of the standard 2.1 Administrative organisation The Federation of Finnish Financial Services administrates, develops and maintains the Tupas specification and the documentation connected to it. The current technical description of the Tupas service, the identification principles and implementation procedures, and the roles and legal relationships of the parties that partake in the provision of the Tupas service are described in more detail in documents maintained by the Federation. Banks offer and sell the Tupas service to their own business and corporate customers with their own standard terms and conditions and under their own name. 2.2 Intellectual property rights The Federation of Finnish Financial Services owns the copyrights and all other intellectual property rights connected to the standard, such as the copyrights of the Tupas documentation, the Tupas product name (trademark) and the copyrights of the Tupas service information website. The documentation published by the Federation can be browsed, stored or printed for one's own use within the limits set by Finnish copyright legislation. Any other use without the express permission of the Federation of Finnish Financial Services is prohibited. The material or any part of the material may not be lent or distributed publicly without the advance written permission of the Federation. If the Federation gives its express written permission, the material can be used only in an appropriate manner pursuant to the law, authority guidelines and good practice, and the Federation of Finnish Financial Services must be indicated as the source. 2.3 Naming convention and definitions There is no designated name for the identifiers banks use in their service. In the Tupas documentation, the general term "bank identifiers" is used to denote these identifiers. In addition to the identifiers, banks may also decide to accept the use of other remote

8 7 (16) identification devices. The service must fill the specifications of the Tupas service, but each bank may use their own bank-specific names. 2.4 Publication and availability of the data The public documentation connected to the Tupas specification is available on the website of the Federation of Finnish Financial Services at The Tupas specification comprises the following public documents: Tupas identification service for service providers service description and service provider's guidelines Tupas identification service identification principles 3 Implementation of the service 3.1 Contract between the bank and the service provider The service provider must sign a separate contract with all the banks whose Tupas service they want to use. The contract should include the details of the construction and technical solutions of the service, the division principles of expenses that result from the technical solutions, the division and limitations of responsibility, and the commercial terms and conditions of the cooperation. The contracts must follow the bank-specific terms and conditions of the Tupas service. Refer to Appendix 1 for bank-specific contact information. A bank may refuse the contract with the service provider, if it is evident that the Tupas certificate would be used for unethical or illegal activities, or if the use of the certificate could potentially cause financial or immaterial losses to the bank. It is fundamental for the Tupas service that the participating service providers provide their service under their own names. The interface between the services provided by the bank and the service provider should be made clearly separable in the implementation. Customers should be able to clearly distinguish who owns and is responsible for the service they are using at any given time (service provider identification). The first day of service is agreed on in the contract. The service provider s information is registered at each bank, and the service provider must notify each bank separately if the contract information changes. After the contract has been made, the bank delivers the service s bank-specific user ID and authentication key to the customer. The information is delivered either in digital or paper form depending on the bank. Before signing any contract, service providers can test the service in their product environment by using bank-specific trial identifiers. The bank-specific data used during the testing phase are available in the bank s service descriptions.

9 8 (16) Without the bank s permission, a service provider is not allowed to reproduce the Tupas service, attach Tupas buttons to e.g. s, or construct the Tupas service on websites other than the website registered under the service provider s name. 3.2 Applicability for operations and the industry The Tupas service is suitable for all private service providers and service providers subject to public law, and for all services and industries provided that the activity in question can be carried out through electronic services according to substantive legislation (such as the provisions concerning real estate business, estate law and family law). The service provider is responsible for the applicability of the Tupas service to the service provider's operations. The service provider should in advance always verify the introduction of the Tupas service with the regulatory authority of its own industry, for example if obligations for the identification of customers have been decreed in regulations, sector-specific laws, or the law for the prevention and investigation of money laundering. The service providers referred to above include deposit banks, financial institutions, fund management companies, investment service companies, brokerage firms, life and pension insurance companies and real estate agencies. In certain industries, projects that are to be outsourced, and situations in which agents or subcontractors are used, may in and of themselves require a contract that differs from the standard terms and conditions. 3.3 Agreement on legal consequences The terms and conditions of the contract between the customer and the bank do not apply to the legal relationship between the customer that is identified and the service provider utilising the Tupas service. For this reason, the terms and conditions of the service and the consequences of the signature must always be separately agreed on between the customer and the service provider whenever it becomes necessary. The use of bank identifiers for electronic signatures requires that the service provider acquires the customer s express agreement on these legal consequences, for example by asking them to sign a form on the service s website. The service provider must be able to indisputably reconcile the log data created in the use of Tupas identifiers. The service provider is responsible for the specification of the log data that is created in the service provider's own services. 3.4 Handling of personal identity codes The service provider is responsible for ensuring that it has the right to handle plaintext personal ID codes in the service in question, if it prefers to use the plaintext delivery of Tupas identifications.

10 9 (16) 3.5 Marketing use of the name Tupas and the logos of the banks providing the service 4 Bank identifiers The image files for the bank-specific buttons used in the service can be downloaded from the banks websites. The size or colours of the buttons may not be changed. More detailed instructions on the use of the images can be found in the bank-specific terms and conditions of the contract between the service provider and the bank. The image on the button cannot be used for any other purpose than what is defined in the contract. 4.1 Identification of the applicant for bank identifiers When the identifiers are handed over, the bank authenticates the identity of the person who is applying for them. The identification is made face-to-face using a governmentissued document which reliably shows the identity of its holder. The documents that can be used in this initial identification are listed in Appendix 2. An exception to the rule of performing initial identification in person can be made if the identification service providers have entered into a mutual agreement on ways to rely on each other in performing the initial identification. In such cases, the identification device may be applied for electronically. In their agreement, the identification service providers shall define how the liability from potential faulty initial identification will be shared among them. Regarding the party sustaining the damage, the identification service provider relying on another provider performing the initial identification shall be held responsible. 5 The bank can use an agent in the identification if the bank and agent have agreed to do so in the manner required by the authorities. 4.2 Contracts concerning bank identifiers 4.3 Blocking service The identifier applicant and the bank sign a contract on the surrender and use of the bank identifiers. The first time a customer retrieves the identifiers must be in person, so his/her identity can be verified. In the future the identifiers can be ordered online and delivered by mail, if the customer has already existing, valid identifiers. A customer cannot authorise a third party to retrieve the identifiers on his or her behalf. Deactivated identifiers can only be activated when their owner has been identified. The bank can employ an agent to sign the contract and surrender the identifiers if the bank and agent have agreed on it in the manner required by the authorities. Banks offer the users of bank identifiers a round-the-clock (24/7) bank-specific blocking service, which the customer can use if his/her bank identifiers have been lost or wrongfully acquired by a third party. More information about the blocking service 5 The Act on Strong Electronic Identification and Electronic Signatures (617/2009), 17

11 10 (16) 5 Use of the service is available on the banks own websites. The blocking service alternatives are bankspecific. 5.1 Storage of the data in the identification document In the bank, the customer's identification must be documented and archived so that it can be shown what data the identification was based on and who the customer was identified by. The identification documents must be archived for at least five years after the end of the customer relationship. 6 The identification is recorded in documents and files concerning the customer. At least the following information must be stored: information concerning the person's identity the name of the document used in authenticating the person's identity, the number of the document, or some other identifier data (such as customer data recorded in the contract) or a copy of the person's identity papers name of the person who carried out the identification 5.2 Release of data and bank secrecy In connection with the Tupas service, the customer gives the bank permission to release customer data to the service provider. This concerns only data which is necessary for the use of the service. The service provider must process this data confidentially, pursuant to the Personal Data Act, decrees of the authorities, and legislation specific to the service provider's industry. If the service provider requires additional information from the customer s bank, for example for the purposes of risk management or to investigate a transaction which the customer has disputed, the bank cannot release the data due to bank secrecy, unless the customer has given the bank such permission. In connection with the use of the Tupas service, the service provider must ensure that it also asks for the customer's permission in advance for such situations. 5.3 The service provider's data On its website, the service provider must provide precise, clear and easily available information about itself. Such information includes, for example: the service provider's contact details o business name recorded in the trade register o auxiliary business name or other such name o address of the main place of business, address or other electronic contact details alternative way of contacting the service provider, such as a telephone number business ID and corporation ID the target of the service the authority supervising the service provider 6 Section 8 of the Act on Preventing and Clearing Money Laundering.

12 11 (16) how and where disputes concerning the service are to be settled to which deposit insurance or investment insurance system the service belongs the service fees and what they consist of The customer must be able to easily and clearly see when he or she moves from the pages of the Tupas service provider to the pages of another service provider. 5.4 Collecting log data of the use of service, storage of the data Storage period Each bank's Tupas application maintains a log of the use of the Tupas service. When the Tupas service is used, the bank sends the data on the identified customer to the service provider's data system. The service provider is responsible for reconciling this identification and/or signature transaction data with the transaction (contract, application, etc.) in which the Tupas service was used. The service provider must ensure that its own service maintains log files of the service. It must be possible to reconcile this log data with the audit trail data in the data content of the transaction (database(s) that form(s) the transaction's entire data content) to which the use of the Tupas service was connected. The banks store the log data generated through the use of the Tupas service for the minimum time period required by legislation and official regulations. The service provider stores the customer data it receives via the Tupas service for the time period required by its industry s legislation and the Personal Data Act, after which the personal data must be deleted Release of data and bank secrecy The bank's log data is subject to bank secrecy and is not released to the service provider. With the customer s permission, the bank is entitled to release log data created through the use of the Tupas service. 5.5 The service provider's key The authentication key (the MAC key) used in the calculation of checksums is random and at least 32 characters long. 7 For security the bank generates the service provider's key by using changing attributes. The authentication key is regularly changed by the bank and can also be changed if the service provider so wishes. The change is carried out through bank-specific procedures which are described in the banks' system descriptions. 7 All authentication keys issued after 1 April 2011 must have a minimum length of 32 characters (64 hexadecimal characters).

13 12 (16) 5.6 Continuity of operations, error management and handling of exceptions The banks provide the identification service in accordance with bank-specific terms and conditions. The banks are required to have a continuity plan for the services, which includes the description of error handling and notification. 5.7 Use of the data received via the Tupas service The identification transaction data the bank sends to the service provider in the Tupas service is only intended to be used in connection with the single transaction in which the Tupas service was used. The bank-specific standard terms and conditions may have various use restrictions concerning the data that was received via the Tupas service. The service provider is not allowed to use the received data for any other purposes, unless they have made a bank-specific, written contract that specifies otherwise. Using the Tupas identifiers to create new identifiers is only allowed if the Tupas provider bank and the service provider using the identification service have mutually, contractually agreed to trust initial identification which has been performed by the other. 5.8 Single Sign-On and Session Transfer Single Sign-On refers to a method by which the customer uses a single Tupas identification to sign on to several service providers. Single Sign-On is not allowed using Tupas identifiers. Session transfer refers to transferring from one service to another without a new Tupas identification so that the customer logs out from the first service and is only logged in to one service at a time. The conditions for session transfer are: each service provider whose service the customer can be transferred to must make a session transfer contract with the banks the service provider must record log files from all session transfers banks must have access to the session transfer logs, to investigate errors and cases of suspected misuse the customer should at all times be able to see which service he/she is logged in at the moment whenever binding legal transactions are made over transferred sessions, Tupas identification must be performed to validate the transaction.

14 13 (16) 6 Halting of the Tupas service and termination of the contract 6.1 Right to give notice The service provider and the bank agree on the details of the contract s termination and the bank's right to halt the use of the Tupas service. This agreement is entered in the bank-specific terms and conditions. 7 Technical security arrangements 7.1 Creation and implementation of bank identifiers and the service provider's keys The equipment and software used by the bank for the creation of the bank identifiers and the service provider's authentication keys are protected with physical and software security measures. The keys are stored within and their validity is confirmed from a special environment that is secured against unauthorised use. 7.2 Protection of identifiers and keys No confidential data processed in the system used to create and individualize keys is to be released outside the system in an unsecured manner. 7.3 IT security arrangements 7.4 Timestamp The system's security features ensure individual access control and traceability of each measure and task connected to the management of bank identifiers and keys. The Tupas service does not have its own timestamp service. Each party must independently maintain the clocks of the data systems connected to the service. 8 Certificate and blocking list profiles The data content of the Tupas certificate is described in the Tupas specification. 8 There is no separate blocking list for the certificates, because the unique certificate that is created each time can only be used once. The bank maintains a blocking service for its own bank identifiers. Tupas certificates are not granted for blocked bank identifiers. 9 Auditing and inspections 9.1 The statutory right of supervisory authorities for inspections The bank must ensure that its data system and the distribution system of bank identifiers and Tupas certificates can be inspected by the supervisory authorities. 8 Tupas identification service for service providers, service description and instructions for service providers.

15 14 (16) APPENDIX 1 BANK-SPECIFIC CONTACT INFORMATION HANDELSBANKEN NORDEA OP BANK GROUP Contract issues Local branch User ID and keys Collected from the bank Customer support and technical problems HelpDesk During weekdays finhelp@handelsbanken.fi Contract issues User ID and keys Local branch Delivered by mail to the contact person named in the contract. Customer support and technical problems Solo information for corporate customers In Finnish: (0.11 /min + local network/mobile call fee) During weekdays between 8 18 In Swedish: (0.11 /min + local network/mobile call fee) During weekdays In English: (0.11 /min + local network/mobile call fee) During weekdays Solo.tori@nordea.fi Contract issues User ID and keys Customer support Local OP bank Collected from a branch of the bank OP Bank phone service: In Finnish: In Swedish: verkkopainikkeet@op.fi S-BANK Contract issues S-Bank electronic services (contact by or telephone) User ID and keys Delivered to the contact person named in the contract Customer support and technical issues ( /call /min) e-palvelut@sok.fi

16 15 (16) SAMPO BANK Contract issues Local branch or phone (local network/mobile call fee) Mon Fri 8 17 User ID and keys Delivered on diskette in a sealed mail package Customer support and technical problems Private customers (local network/mobile call fee), Mon Fri 9 18 Corporate customers (local network/mobile fee), Mon Fri Corporate customers can contact customer support through the internet banking site, over a secure connection SAVINGS BANKS AND LOCAL CO-OPERATIVE BANKS Contract issues Local branch User ID and keys Collected from the bank Customer support and technical problems phone (1.17 /min + local network fee) info@samlink.fi TAPIOLA BANK Contract issues Tapiola electronic services User ID and keys Delivered to the contact person named in the contract Customer support and technical problems Private customers (Mon Fri) tunnistuspalvelu@tapiola.fi BANK OF ÅLAND Contract issues User ID Local branch Handed at the branch upon signing the contract. The identification key is mailed to the contact person named in the contract. Customer support and technical problems Contact Center customer service In Finnish: In Swedish: during weekdays Mon Thu , Fri contactcenter@alandsbanken.fi

17 16 (16) APPENDIX 2 DOCUMENTS USED FOR INITIAL IDENTIFICATION Valid document usable in initial identification In the identification of customers, banks follow the Act on Preventing and Clearing Money Laundering and Terrorist Financing (503/2008) and the Standard 2.4 on customer identification and customer due diligence, issued by the Financial Supervisory Authority of Finland. The Federation of Finnish Financial Services issued guidelines for its members on 12 January 2008 regarding the prevention and investigation of money laundering and terrorist financing, delineates the documents that may be used in identity verification. Since 1 March 2010, initial identification in the Tupas identification service follows the Act on Strong Electronic Identification and Electronic Signatures (617/2009). Legal interpretations that are shared by the Ministry of the Interior and the Finnish Communications Regulatory Authority have been placed within parentheses in the following table. The documents that are acceptable in banking related identification have been listed by country. Country the document has been issued by Banking identifiers used in Tupas service Kela photocard Finland not acceptable acceptable Other bank services Driver s licence Finland if issued after 1 Oct 1990 may be defined acceptable in bankspecific guidelines (interpretation: if no mention of transfer to another country) acceptable ID card Passport EEA countries if issued after 1 Oct 1990 may be defined acceptable in bankspecific guidelines not acceptable Finland acceptable acceptable EEA country, Switzerland or San Marino Other EEA country, Switzerland or San Marino Other acceptable if a travel document and authenticity is verifiable from public sources not acceptable acceptable may be defined acceptable in bank-specific guidelines acceptable if a travel document and authenticity is verifiable from public sources acceptable if a travel document and authenticity is verifiable from public sources acceptable if authenticity verifiable from public sources acceptable if authenticity verifiable from public sources Alien s passport Finland acceptable if no mention of previous failure of identification acceptable if no mention of previous failure of identification Refugee s travel document Finland acceptable if no mention of previous failure of identification acceptable if no mention of previous failure of identification