This guide is here to help you understand the basics of the proposed new Norwegian Financial Contracts Act ("ny finansavtalelov") and to help financial service providers prepare for the practical aspects of the act.
The Norwegian government has proposed a revised law that governs financial agreements. It is likely that the parliament will approve the law early in 2021 with limited changes to the clauses affecting consumer protection.
One of the key changes is introduction of a cap on the user’s responsibility in cases of misuse of electronic IDs, such as BankID. Even in cases of negligence, the BankID holder will face limited liability for agreements that are electronically signed by someone else misusing the BankID. Consumer protection will become stronger in case of misuse at the expense of more risk for the providers of financial services.
This creates a situation where banks will have a strong incentive to ensure the right person is using the BankID when e.g. signing an agreement for a bank loan. The use of BankID alone will not be considered sufficient evidence that the owner of the BankID was using it.
Evidence is perhaps the most important practical consideration for banks and other financial institutions currently leveraging BankID for contract signing.
The new law will only apply to electronic signing of financial agreements between financial services providers and the consumer, i.e., not all electronic signings.
The responsibility for misuse of electronic identification when entering into agreements digitally is today not explicitly regulated. Legal practice has largely been that it is the consumer's responsibility to protect their electronic ID, and that if the electronic ID has been misused, the consumer is presumed to have acted negligently and is held responsible.
As a result, consumers who have had their BankID code brick (code generator) stolen and used in conjunction with their personal password have so far been held responsible for agreements they have not signed or been aware of. The legal practice in this area has been somewhat inconsistent, but there have been numerous high-profile cases where it is not clear that the misuse of code brick and password was due to negligence, yet the consumer has still been held responsible. This is one reason for the government's decision to propose a change to the law.
With the new law, the holder of an electronic ID will be responsible, even in case of gross negligence, only for an amount of 12,000 NOK if the electronic ID is used by an imposter to sign an agreement. Only in case of a wilful act or collaboration with the imposter will the eID holder risk being held responsible for the imposter’s actions.
The financial service provider will be responsible for proving the case; it is no longer the consumer that must prove that they did not act negligently.
As stated in the law proposal, the use of an electronic signature alone is not sufficient to prove that it was the owner of the signing mechanism that did the signing, consented to the signing, or acted with intent or gross negligence to enable an imposter to sign.
Effectively, this means under the new law that if BankID is used to enter an agreement for a loan, and it turns out that the signee was in fact an imposter, then the financial services provider carries the entire risk except for the amount that can be obtained from the imposter. The BankID holder carries a very limited risk.
Some simple measures should be carried out, such as risk profiling of the purported user and of the transaction, tracking and analysis of user behaviour, ensuring that for example money is only transferred to an account owned by the identified person.
Alternative 2 implies additional measures to assess the identity of the person using the BankID for the specific operation. This can be applied to all transactions or only to those that are singled out by risk management procedures. In short:
Alternative 3 - using something other than BankID - has limited applicability for practical reasons. Alternatives to BankID either do not have sufficient market penetration to be attractive for service providers, or do not have proven compliance with the eID assurance level and/or electronic signature level required by the law proposal. As a result, BankID will be part of the solution in the short and medium term.
Signicat delivers proven, user-friendly solutions that can enhance or, eventually, replace identity verification based on BankID, and in conjunction with BankID provide a fully digital onboarding flow that also includes electronic signing of documents, such as a loan agreement.
Several options are available that financial services providers can consider as supplementary means to BankID when preparing for the revised act on financial contracts.
For a new customer, remote reading of the NFC (Near Field Communication) chip of a passport or ID card plus biometrics can replace enrolment by BankID. This consists of the following steps:
If such enrolment is used, and the customer later wants to sign something, confirmation of the intent to sign an agreement in the app, in addition to the BankID signature, will provide extra evidence. If, however, enrolment is by BankID, one cannot be entirely sure that it was not the imposter who also used the BankID to obtain the app enrolment.
Opening the app to give the confirmation should require face or fingerprint. If the attacker is a close relation, as in quite a few of the reported cases of BankID misuse, then possession of the phone plus PIN might be too weak.
For existing customers, but not for enrolment, a procedure where the identity document is optically scanned can be an alternative. An advantage is that this does not require an app but can be done in a browser interface. As with NFC reading, the customer must provide a selfie picture. The comparison between the (low-quality) picture obtained from the scan of the ID document and the selfie is carried out either manually or semi-automatically, meaning biometrics is used whenever a reliable result can be obtained, with a manual fall-back procedure. The verified identity can then be checked against the BankID identity used for the signature.
There are simpler methods that can be used in combination with BankID to obtain a second confirmation of the intent to sign, e.g. SMS or email. This, however, requires that a verified phone number or email address is available, and not information that may have been supplied by the attacker. Also, a close relation may have access to both the mobile phone and the email of the victim. Although not without value, such mechanisms may be considered too weak.
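The measures described above (risk profiling and payout-account checks, app confirmation of intent, SMS/email confirmation) all serve the same purpose: recording evidence of who used the BankID, not just which BankID was used. The following is an added illustration, written for this guide and not code from Signicat or BankID, of how a provider might classify that evidence per signing event and decide whether to proceed, step up verification, or route the case to manual review. The field names, the enrolment-method labels, and the 50,000 NOK step-up threshold are assumptions for the example; the rules encode the caveats given in the text: app confirmation obtained after BankID-based enrolment is not independent of the BankID, PIN-only app unlock is weak, and an SMS/email confirmation only counts if the contact details were verified out of band.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy value for the example; the act itself sets no such threshold.
STEP_UP_THRESHOLD_NOK = 50_000


@dataclass
class SigningEvent:
    """One electronic signing of a consumer agreement (fields are assumptions)."""
    bankid_subject: str                  # identity asserted by the BankID signature
    enrolment_method: str                # "nfc_passport_biometrics", "bankid" or "none"
    app_confirmation: bool               # intent to sign confirmed in the provider's app
    app_unlock: str                      # "biometric", "pin" or "none"
    sms_confirmation: bool               # one-time code confirmed via SMS/email
    contact_verified_out_of_band: bool   # phone/email verified from a source the signer could not supply
    payout_account_owner: str            # registered owner of the account the loan is paid to
    amount_nok: int
    device_seen_before: bool             # behavioural signal: device previously used by this customer


@dataclass
class Evidence:
    label: str
    strength: str      # "strong", "weak" or "none"
    independent: bool  # True if someone holding only the BankID could not have produced it


def collect_evidence(ev: SigningEvent) -> List[Evidence]:
    """Build the evidence record the provider would retain for this signing."""
    # The BankID signature proves which BankID was used, never who used it.
    out = [Evidence("bankid_signature", "strong", False)]

    if ev.app_confirmation:
        # App enrolment is only independent of the BankID if it did not rely on BankID.
        independent = ev.enrolment_method == "nfc_passport_biometrics"
        strong = independent and ev.app_unlock == "biometric"
        out.append(Evidence("app_intent_confirmation", "strong" if strong else "weak", independent))

    if ev.sms_confirmation:
        # Counts as independent only if the contact details were not attacker-supplied.
        out.append(Evidence("sms_confirmation", "weak", ev.contact_verified_out_of_band))

    if ev.payout_account_owner == ev.bankid_subject:
        out.append(Evidence("payout_to_own_account", "strong", True))
    else:
        out.append(Evidence("payout_to_third_party", "none", False))

    if ev.device_seen_before:
        out.append(Evidence("known_device", "weak", True))
    return out


def decide(ev: SigningEvent) -> Tuple[str, List[Evidence]]:
    """Return ("proceed" | "step_up" | "manual_review", evidence)."""
    evidence = collect_evidence(ev)

    # Money leaving to an account not owned by the identified person is always reviewed.
    if any(e.label == "payout_to_third_party" for e in evidence):
        return "manual_review", evidence

    independent = [e for e in evidence if e.independent]
    strong_independent = [e for e in independent if e.strength == "strong"]

    # Proceed only with at least one strong and two independent pieces of evidence.
    if strong_independent and len(independent) >= 2:
        return "proceed", evidence
    # Otherwise accept weak evidence for small amounts, step up for large ones.
    if ev.amount_nok > STEP_UP_THRESHOLD_NOK:
        return "step_up", evidence
    return "proceed", evidence


if __name__ == "__main__":
    # Constructed sample: signing confirmed via PIN-unlocked app enrolled with BankID,
    # loan paid out to a third-party account.
    suspicious = SigningEvent("01019912345", "bankid", True, "pin", True, False,
                              "another-person", 200_000, False)
    decision, record = decide(suspicious)
    print(decision)
    for e in record:
        print(f"  {e.label:28} strength={e.strength:6} independent={e.independent}")
```

The evidence list returned alongside the decision is the part worth persisting: under the proposed act the provider carries the burden of proof, so each signing should leave a record of which checks were independent of the BankID and why.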
Signicat offers various solutions that can either supplement or replace BankID by introducing biometric elements to the identity verification in the form of photo or video evidence. This will secure the additional evidence needed to determine who used the BankID and not simply who owns it.
If you have any questions and want to know more about how the new Financial Contracts Act will affect your business, get in touch with us.
Solutions Marketing Manager at Signicat
September 29 2020