# 1. Introduction
The Norwegian government has proposed a revised law governing financial agreements. Parliament is likely to approve the law in early 2021, with limited changes to the clauses affecting consumer protection.
One of the key changes is the introduction of a cap on the user's liability in cases of misuse of electronic IDs, such as BankID. Even in cases of negligence, the BankID holder will face limited liability for agreements that are electronically signed by someone else misusing the BankID. Consumer protection becomes stronger in cases of misuse, at the expense of more risk for the providers of financial services.
This gives banks a strong incentive to ensure that the right person is using the BankID when, for example, an agreement for a bank loan is signed. Use of BankID alone will not be considered sufficient evidence that the owner of the BankID was the one using it.
Evidence is perhaps the most important practical consideration for banks and other financial institutions currently leveraging BankID for contract signing.
The new law will only apply to electronic signing of financial agreements between financial services providers and the consumer, i.e., not all electronic signings.
# 2. Why the original Financial Contracts Act was changed
Today, liability for misuse of electronic identification when entering into agreements digitally is not explicitly regulated. Legal practice has largely been that the consumer is responsible for protecting their electronic ID, and that if the eID has been misused, the consumer is presumed to have acted negligently and is held liable.
As a result, consumers who have had their BankID code device (the physical one-time code generator) stolen and used together with their personal password have so far been held responsible for agreements they neither signed nor knew about. Legal practice in this area has been somewhat inconsistent, but there have been numerous high-profile cases where it is not clear that the misuse of code device and password was due to negligence, yet the consumer was still held responsible. This is one reason for the government's decision to propose a change to the law.
# 3. How the new Financial Contracts Act differs from the former
Under the new law, the holder of an electronic ID will be liable for at most 12,000 NOK if the electronic ID is used by an imposter to sign an agreement, even in cases of gross negligence. Only in the case of a wilful act or collaboration with the imposter does the eID holder risk being held fully responsible for the imposter's actions.
The financial service provider will be responsible for proving the case; it is no longer the consumer that must prove that they did not act negligently.
As stated in the law proposal, the use of an electronic signature alone is not sufficient to prove that it was the owner of the signing mechanism that did the signing, consented to the signing, or acted with intent or gross negligence to enable an imposter to sign.
In effect, this means that under the new law, if BankID is used to enter into a loan agreement and it turns out that the signer was in fact an imposter, the financial services provider carries the entire risk, except for whatever can be recovered from the imposter. The BankID holder carries only a very limited risk.
# 4. How the new Financial Contracts Act will affect financial providers
A financial service provider has three options for acting on the new law:
- Accept the risk and continue current practice for use of BankID.
- Use additional measures to ensure that it is the real BankID holder who signs, and to be able to prove this afterwards.
- Use something other than BankID to verify the identity of the customer.
In any case, some basic measures should be in place: risk profiling of the purported user and of the transaction, tracking and analysis of user behaviour, and controls such as ensuring that money is only transferred to an account owned by the identified person.
Alternative 2 implies additional measures to verify the identity of the person using the BankID for the specific operation. These can be applied to all transactions, or only to those singled out by risk management procedures. In short:
- Map customer journeys and internal processes to identify the touchpoints that represent a risk; this is always recommended.
- Evaluate whether enhanced identity verification will be applied to all customers in a given situation, or for example only to new customers.
- Evaluate what evidence of the event the bank can collect without using additional identity verification.
- Evaluate how enhanced identity verification methods can be integrated into your workflows, and what additional evidence they provide.
Alternative 3, using something other than BankID, has limited applicability for practical reasons. Alternatives to BankID either lack the market penetration to be attractive for service providers, or lack proven compliance with the eID assurance level and/or electronic signature level required by the law proposal. As a result, BankID will remain part of the solution in the short and medium term.
# Signicat delivers solutions for enhanced identity verification
Signicat delivers proven, user-friendly solutions that can enhance or, eventually, replace identity verification based on BankID, and in conjunction with BankID provide a fully digital onboarding flow that also includes electronic signing of documents, such as a loan agreement.
Several options are available that financial services providers can consider as supplementary means to BankID when preparing for the revised act on financial contracts.
For a new customer, remote reading of the NFC (Near Field Communication) chip of a passport or ID card, combined with biometrics, can replace enrolment by BankID. This consists of the following steps:
- The customer installs an app that can read the chip of the passport or ID card (the Norwegian ID card is to be launched in late 2020). This can be built into the financial service provider's usual app, giving a consistent flow in which new customers start by installing that app.
- Using the app, the contents of the document's NFC chip are read, including the identity information and a high-resolution face photograph. The user then takes a selfie in the same app, with liveness detection to ensure that a live person is present rather than a photo or a replay.
- Face biometrics are used to verify with high reliability that the person present is the holder of the identity document. The identity information from the document is thereby confirmed, and the user can be enrolled.
If such enrolment is used and the customer later wants to sign something, a confirmation of the intent to sign in the app, in addition to the BankID signature, provides extra evidence. If, however, enrolment was done by BankID, one cannot be entirely sure that it was not the imposter who also used the BankID to obtain the app enrolment.
Opening the app to give the confirmation should require face or fingerprint. If the attacker is a close relation, as in many of the reported cases of BankID misuse, then possession of the phone plus the PIN may be too weak.
For existing customers, but not for enrolment, a procedure where the identity document is optically scanned can be an alternative. An advantage is that this does not require an app but can be done in a browser. As with NFC reading, the customer must provide a selfie. The comparison between the (low-quality) picture obtained by scanning the ID document and the selfie is carried out either manually or semi-automatically, meaning biometrics are used whenever a reliable result can be obtained, with a manual fall-back procedure. The verified identity can then be checked against the BankID identity used for the signature.
There are simpler methods that can be combined with BankID to obtain a second confirmation of the intent to sign, e.g. SMS or email. This requires that a verified phone number or email address is available, and not one that may have been supplied by the attacker. Also, a close relation may have access to both the victim's mobile phone and their email. Although not without value, such mechanisms may be considered too weak.
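As an added example of how the evidence from the methods above can be tied together (this is illustrative code written for this page, not Signicat's or BankID's software), the Python sketch below checks that the identity read from the document chip matches the identity asserted by the BankID signature, that the in-app confirmation of intent refers to the same agreement and was given close in time to the signature, and that the app was unlocked with face or fingerprint rather than a PIN. All field names, thresholds, national ID numbers and timestamps are assumptions constructed for the example; it applies equally to the NFC enrolment flow and to the document-scan flow for existing customers.

```python
# Added example, not Signicat's or BankID's code. All field names, the
# threshold, the time window and the sample records are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

FACE_MATCH_THRESHOLD = 0.90                # assumed vendor score scale, 0.0-1.0
CONFIRMATION_WINDOW = timedelta(minutes=10)  # assumed acceptable gap
STRONG_UNLOCK = {"face", "fingerprint"}    # phone PIN alone is treated as too weak


@dataclass
class BankIdSignature:
    national_id: str        # identity asserted by the BankID certificate
    document_sha256: str    # hash of the agreement text that was signed
    signed_at: datetime


@dataclass
class DocumentVerification:
    national_id: str          # identity read from the passport/ID-card chip or scan
    chip_authenticated: bool  # signature over the chip data verified (passive authentication)
    liveness_passed: bool     # selfie liveness detection result
    face_match_score: float   # selfie vs. document photo, 0.0-1.0


@dataclass
class IntentConfirmation:
    document_sha256: str    # hash of the agreement shown in the app
    confirmed_at: datetime
    unlock_method: str      # "face", "fingerprint" or "pin"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_evidence(sig: BankIdSignature, doc: DocumentVerification,
                      intent: IntentConfirmation) -> list[str]:
    """Return the reasons the evidence is insufficient; an empty list means OK."""
    problems = []
    if not doc.chip_authenticated:
        problems.append("document data not authenticated")
    if not doc.liveness_passed:
        problems.append("liveness check failed")
    if doc.face_match_score < FACE_MATCH_THRESHOLD:
        problems.append("selfie does not match document photo")
    if doc.national_id != sig.national_id:
        problems.append("document identity does not match BankID identity")
    if intent.document_sha256 != sig.document_sha256:
        problems.append("intent confirmation refers to a different document")
    if abs(intent.confirmed_at - sig.signed_at) > CONFIRMATION_WINDOW:
        problems.append("intent confirmation not close in time to the signature")
    if intent.unlock_method not in STRONG_UNLOCK:
        problems.append("intent confirmation unlocked without biometrics")
    return problems


# Constructed sample agreement, identities and timestamps (not real data).
AGREEMENT = b"Loan agreement: 250000 NOK over 5 years at 4.1% p.a."
DOC_HASH = sha256_hex(AGREEMENT)
T0 = datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc)


def genuine_case() -> list[str]:
    """The BankID holder verified with their own document and confirmed in the app."""
    sig = BankIdSignature("01019012345", DOC_HASH, T0)
    doc = DocumentVerification("01019012345", True, True, 0.97)
    intent = IntentConfirmation(DOC_HASH, T0 + timedelta(minutes=2), "face")
    return evaluate_evidence(sig, doc, intent)


def imposter_case() -> list[str]:
    """A relative uses the victim's BankID. The face check passes against the
    relative's own document, so the document identity differs from the BankID
    identity, and the victim's phone was unlocked with a PIN."""
    sig = BankIdSignature("01019012345", DOC_HASH, T0)
    doc = DocumentVerification("15058054321", True, True, 0.95)
    intent = IntentConfirmation(DOC_HASH, T0 + timedelta(minutes=1), "pin")
    return evaluate_evidence(sig, doc, intent)


if __name__ == "__main__":
    print("genuine:", genuine_case() or "evidence sufficient")
    print("imposter:", imposter_case())
```

The point of the check is that each piece of evidence is bound to the others: the document identity to the BankID identity, the confirmation to the hash of the same agreement, and the confirmation to a biometric unlock within a short window of the signature. A BankID signature that passes on its own but fails any of these bindings is exactly the case where the provider, under the new law, would otherwise have no proof of who signed.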
# 5. Get in touch with Signicat
Signicat offers various solutions that can either supplement or replace BankID by adding biometric elements to the identity verification, in the form of photo or video evidence. This secures the additional evidence needed to determine who used the BankID, not simply who owns it.