BankID – revolution in electronic identification in the Czech Republic

Daniel Bagge | 11. 01. 2021

There are several new norms entering into force on 1st January 2021, namely Act No. 49/2020 Coll., amending Act No. 21/1992 Coll., on banks, as amended, Act No. 253/2008 Coll., on selected measures against legitimisation of proceeds of crime and terrorist financing, as amended, and several other laws (hereinafter referred to as the “Bank Identity Act”), which introduce fundamental changes in the field of digital identity and electronic identification – so-called bank identity, bank ID or BankID. The new legislation facilitates simple and free access to e-Government and online services for private users of internet banking.[1] Banks or branches of foreign banks will newly offer, provide, or facilitate identification services and enter into contracts on such identification services in the name and on behalf of identification services' providers.

Bank identity

Almost all Internet users, or, to put it simply, anyone who uses Internet banking services in the Czech Republic, have their bank identity. The bank identity is thus the most widely used means of digital identity now. A client logs in to the bank’s internet banking or mobile application as the bank's client using their client number and phone number. Such data, in combination with one of the security processes (usually a password and a verification code, which is sent to the given phone number), should guarantee that the person logging into the internet banking is indeed the given client.

In Scandinavia [2], the bank identity is a standard identification method used by business entities, banks, organizations, and authorities to verify and enter into contracts with individuals online. To achieve the same objective, the Czech banks, inspired by the Scandinavian experience, launched the so-called SONIA project (an acronym for soukromoprávní bod pro identifikaci a autentizaci/private law identification and authentication point [3]). The project itself was initiated by the Czech Banking Association to facilitate the use of verified banking identities of citizens to create universal digital identification for the e-government services, access to the Land Register, payment of various municipal fees, or communication with the tax authorities.

On September 16, 2020, to create the necessary infrastructure for bank identity services and to develop cooperation with other banks, Česká spořitelna – in cooperation with Československá obchodní banka and Komerční banka – established an entity called Bankovní identita, a.s., which is designed to provide identification services related to private sector services (e.g. financial institutions, telecommunication providers, energy suppliers, e-shops, etc.). Clients using internet banking of a bank which either enters into a contract with Bankovní identita, a.s. or becomes its shareholder will thus be able to interact online with private companies. To communicate with the public authorities, clients will be able to use bank IDs of all banks which will have this option on offer. As of the date of publication of this article, the Ministry of the Interior granted the first accreditation for administration of the qualified electronic identification system in relation to this project to Československá obchodní banka.

AML related changes

The new amendment to Act No. 253/2008 Coll., on selected measures against legitimisation of proceeds of crime and terrorist financing, as amended (hereinafter referred to as the “AML Act”) introduced a new provision of Section 8a governing electronic identification as a means of client identification [4]. The new provision was intended to provide for means of remote client identification (without the physical presence of the individual being necessary) in line with the AML Act [5]. In practice, this new provision should further streamline the process of electronic client onboarding.

The new provision stipulates that “An obliged entity may substitute the process pursuant to Section 8 (1) and Section 8 (2)a) by identification of a physical person, who is a client, or a physical person acting on behalf of a client, via means of electronic identification …”. The obliged entity, however, shall continue fulfilling other obligations pursuant to Section 8 which guides the identification process, such as the obligation to determine the client's status of politically exposed person or a person on a sanction list. The obliged entity may, for the purpose of identification, choose either means of electronic identification issued and utilised in line with the Act on electronic identification [6] or means outside the framework of a certified system in line with the Bank Act. We wish to highlight that should the respective entity decide to use such means of identification, it is necessary to stipulate such facts in the entity's internal rules of procedure.

In line with Provision 8a(1)a), a client may be identified with the help of means of electronic identification which comply with standards for high assurance level [7] and which are part of a qualified system in line with the Act on electronic identification. In respect of the use of bank identity, however, we should concentrate on the second type of the means of electronic identification, which is stipulated by Provision 8a(1)b), i.e. identification performed with the help of means which comply with provisions of the Bank Act [8]. This means that the obliged entity may use for identification purposes means of electronic identification issued by a bank or a branch of a foreign bank.[9] In line with the new provision of Section 38a of Act No. 21/1992 Coll., on Banks, a provider of identification services shall be understood to be “an entity which is not a bank and is, pursuant to another legal norm, authorised to provide identification services and stakeholders of which are solely banks or branches of foreign banks; these banks or branches of foreign banks shall guarantee that the identification services' provider keeps all data received confidential and protects them from misuse.” This authorised entity should be the above-mentioned Bankovní identita, a.s.

Should the obliged entities decide to use this new type of identification, Provision 8a(2) requires them to “Keep, for a period of 10 years after the transaction outside a business relationship or after termination of a business relationship with a client, data on the entity which performed identification pursuant to Section 38ac(1)b) part 1 or 2 or Section 38ac (2) of the Bank Act.” It concerns information on the entity which, upon issuing the means of electronic identification, identified the client in their physical presence or via the means of electronic identification with high assurance in line with eIDAS, which is issued and utilised in a framework of a qualified system or any other reported system of electronic identification. The lawmakers intended primarily to increase security of the means of electronic identification as well as safety and reliability of identification performed via these means. At the same time, this provision in this respect excludes application of Section 16 (1)c) of the AML Act [10], which guides general principles of obliged persons' obligation to keep information on the entity which performed the first identification. This type of information is of particular importance for the Financial analytical office in case there was a suspicious transaction reported by the responsible obliged entity.

Next time, we will elaborate on practical examples of how bank identity may be used and explain details of identification via such bank identity.


[1] The explanatory statement to the Bank Identity Act stipulates that “Bank identity is a simple and free of charge access to e-Government services as well as private sector online services for about five million citizens using Internet banking.”

[2] Scandinavian countries have taken the lead in digital services, assuming the top four positions in the Digital Economy and Society Index (DESI) compiled by the European Commission. Available on the European Commission’s website: https://ec.europa.eu/digital-single-market/en/digital-economy-and-society-index-desi

[3] SONIA is a private law alternative to the National Identification Point (NIA). NIA is a tool for safe and secure verification of public online services' users. There are several means of identification used to verify users' identity which are offered by public or private accredited providers connected to the National Identification Point – the new ID with a chip issued as of July 1st 2018 or the NIA ID maintained by the Administration of Basic Registers which can be used to log in to the user account in the National Identification Point portal. For more information visit: https://info.eidentita.cz/portal/.

[4] The eIDAS regulation defines electronic identification means as follows: ‘electronic identification means’ means a material and/or immaterial unit containing person identification data and which is used for authentication for an online service. The current electronic identification means in the CR are, among others, eObčanka – an electronic ID with a chip issued from 1st July 2018 onwards, eIdentita.cz portal user account (verification based on a name, password, and authentication text message), or a chip card called Starcos issued by První certifikační autorita, a.s.

[5] The current AML Act allows for client identification without their physical presence via identification of the so-called “first transaction”; to comply, the client must meet conditions stipulated by Section 11 (7) of the AML Act. Identification is also possible in line with Section 11 (8) of the AML Act by verifying identity of the given physical person by a qualified provider of trust services based on the Regulation on electronic identification and trust services (eIDAS). These exceptions can be used solely should the authorised person performing identification have no doubt of the true identity of the client.

[6] See Section 3 of Act No. 250/2017 Coll., on electronic identification.

[7] The assurance levels for electronic identification means are guided by Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8 (3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.

[8] Act No. 21/1992 Coll., on Banks, as amended (hereinafter referred to as the “Bank Act”). Electronic identification means issued by a bank, a branch of a foreign bank or a provider of identification services for the purposes of identification pursuant to the AML Act shall have the required quality (see Section 38ac (1) of the Bank Act).

[9] Solely provided that these activities are not in breach of the banking licence of the respective branch of a foreign bank issued by the country of incorporation.

[10] In line with Section 16 (1), an obliged entity shall, for a period of 10 years after the transaction or after termination of a business relationship with a client, keep data on the entity which performed the first identification of the client.


Daniel Bagge

Czech cyber attaché in the USA, currently living in Washington D.C. Author of national security cyber strategies, since 2013 he co-created the National Center for Cyber Security at the NBU and subsequently participated in the establishment of the National Office for Cyber and Information Security, where he built the Department of Cyber Security Policies, which became a model for security institutions across continents. He has lectured at Georgetown University, the Elliott School of International Affairs and the US National Defense University in academic programs and professional conferences, including in Australia, Japan and Germany.
Under his leadership, the concept of cybersecurity exercises at the strategic level became an aid to the armed forces from the Pentagon to the African Union. He is the author of a book on Russian influence operations in cyberspace, which is, for example, part of the training for future generals at the Joint Advanced Warfighting School in Norfolk, USA. He studied at Charles University, Israel and the Bundeswehr University of Munich / George C. Marshall Center for Security Studies in Germany. His expertise is in demand across the globe because, like money laundering, cyberspace and cybercrime know no boundaries. Did you know that there are government actors in cyberspace, acting like criminal groups, attacking companies like yours and Internet users like you to enrich themselves?