New non-binding ENISA guidelines within the eIDAS framework


During 2016 the European Union Agency for Network and Information Security (ENISA) worked on a concise set of technical guidelines to ease adoption of the eIDAS Regulation in its non-mandatory aspects. The guidelines are intended for voluntary use by the different actors involved: Trust Service Providers, Supervisory Bodies and Conformity Assessment Bodies.

Within this scope, ENISA has prepared the following documents, which are currently in draft status:

Interested parties are invited to send comments to ENISA in reference to the above mentioned documents.

Comments and opinions should be addressed to: slawomir.gorniak@enisa.europa.eu

eIDAS: Conformity Assessment of Electronic Trust Service Providers


Compliance with the requirements of Regulation (EU) 910/2014 (eIDAS) by qualified trust service providers is assessed against several technical standards, which the auditor uses to evaluate the entity:

The evaluator, for example TCAB (Trust Conformity Assessment Body), must be accredited against ETSI EN 319 403, which itself builds on ISO/IEC 17065.

Once the TSP receives the CAR (Conformity Assessment Report; IEC in the Spanish acronym), it must submit it to the Supervisory Body, which in Spain is the State Secretariat for Telecommunications and the Information Society (SETSI) of the Ministry of Industry, Energy and Tourism.

Once the CAR has been notified, SETSI incorporates the TSP's information into the Trusted List (TSL). Inclusion in the TSL is what gives the audited services their recognition and admissibility as qualified services throughout the EU: a relying party determines whether a service is qualified by checking the TSL, not by looking at the provider's certificate alone.

“Video Onboarding” solutions assessment within the SEPBLAC Regulation framework


TCAB (Trust Conformity Assessment Body) has registered an expert in electronic identity management techniques as an assessor within the framework of the anti-money laundering regulation supervised by SEPBLAC.

The expert is therefore in a position to audit the control measures used in the "video onboarding" environments of financial institutions, in the context of the recent authorisation published for that purpose by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC).

The Commission for the Prevention of Money Laundering and Monetary Offences, created by Law 19/1993 of 28 December and attached to the Secretary of State for the Economy and Business Support of the Ministry of Economy and Competitiveness, is a collegiate body formed by representatives of different ministerial departments and agencies, the Public Prosecutor's Office and the Autonomous Communities. It is the body chiefly responsible for developing anti-money laundering policy in Spain. It is currently governed by Law 10/2010, of 28 April, on the prevention of money laundering and the financing of terrorism.

The Commission is supported by its Secretariat, currently held by the Subdirectorate General for Inspection and Control of Capital Movements of the General Secretariat of the Treasury and Financial Policy, and by the Executive Service of the Commission (SEPBLAC).

SEPBLAC is the Spanish financial intelligence unit. It carries out actions aimed at preventing and stopping the use of the financial system, or of companies and professionals of any other kind, for money laundering, and it investigates and prevents administrative infringements of the legal regime on capital movements and economic transactions with foreign countries.

Article 28 of Law 10/2010 stipulates that the internal control measures referred to in Article 26 of that Law are subject to annual review by an external expert. Anyone wishing to act as such an expert must notify the Executive Service of the Commission before starting the activity and must report to it every six months the list of obliged subjects whose internal control measures they have examined. TCAB has already completed this notification.

It is the responsibility of the obliged subjects to select suitable professionals and to verify that the external examination is carried out in the terms established in Order EHA/2444/2007, of 31 July.

TCAB is an evaluation body for products and services related to information security and, in particular, for trust service providers within the framework of the eIDAS Regulation (Regulation (EU) 910/2014). It operates under ISO/IEC 17065 and under ETSI EN 319 403 for the evaluation of providers.

Given its specialisation and the notification already made, TCAB can prepare the External Expert Report on the evaluation of internal control measures aimed at preventing money laundering and terrorist financing, in particular in application of the Authorisation of Non-Face-to-Face Identification Procedures by Videoconference published by SEPBLAC.

That authorisation allows obliged subjects to use non-face-to-face identification procedures by videoconference under the following conditions:

  • Non-face-to-face identification by videoconference applies only to customers who present one of the reliable identification documents referred to in Article 6 of the Regulation implementing Law 10/2010.

  • Before putting such a procedure into operation, the obliged subject must carry out the specific risk analysis referred to in Article 32.2 of the Regulation implementing Law 10/2010.

  • Before putting the procedure into operation, the obliged subject must document it and test its effectiveness, recording the results in writing. The procedure may not go live if the tests do not demonstrate its effectiveness.

  • The obliged subject is responsible for implementing the technical requirements that ensure the authenticity, validity and integrity of the identification documents used, and the correspondence between the document holder and the customer being identified.

  • Videoconference procedures must be operated by staff with specific training. That training must be consistent with the functions performed and accredited as provided in Article 39 of the Regulation implementing Law 10/2010.

  • The videoconference identification session must be recorded with date and time, and the recording kept as provided in Article 25 of Law 10/2010. The customer must expressly consent, before or during the session, to identification by videoconference and to the recording and retention of the process.

  • During the videoconference, the obliged subject must take measures to ensure the privacy of the conversation with the customer.

  • In every case, during the videoconference the customer being identified must visibly show the front and back of the document used for identification.

  • The identification process may not be completed when (i) there is evidence of forgery or manipulation of the identification document, (ii) there is evidence that the document holder does not correspond to the customer being identified, or (iii) the communication conditions prevent or hinder verification of the authenticity and integrity of the document and of the correspondence between its holder and the customer.

  • The obliged subject must obtain and keep a photograph or screenshot of the front and back of the identification document used. The image must be of sufficient quality and clarity to be usable in investigation or analysis, and must be retained as provided in Article 25 of Law 10/2010.

  • Before executing any transaction, the obliged subject must verify that the customer is not subject to international financial sanctions or countermeasures, in the terms of Article 42 of Law 10/2010.

  • The implementation of non-face-to-face identification procedures by videoconference may be outsourced, but the obliged subject retains full responsibility.

  • The external expert report referred to in Article 28 of Law 10/2010 must give an express opinion on the adequacy and operational effectiveness of the non-face-to-face identification procedure by videoconference.

  • The authorisation is without prejudice to compliance by obliged subjects with any other legal obligations, in particular those on tax, planning and discipline, information and consumer protection, and personal data protection.

  • The specific non-face-to-face identification procedures by videoconference that obliged subjects establish under this authorisation do not require a further authorisation, without prejudice to their control by the Executive Service in the exercise of the supervisory and inspection powers set out in Article 47 of Law 10/2010.

New classification of Digital Electronic Trust Services after eIDAS


Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS) applies in full from 1 July 2016.

The information displayed on the website of the Ministry of Industry, Energy and Tourism (MINETUR) on electronic certification service providers has been adapted to the new classification and categories of services provided in the aforementioned eIDAS Regulation.

Therefore, as of July 1, 2016, MINETUR publishes a new version of the service providers database with the following structure:

 

Qualified electronic trust services:

  • Issuance of qualified certificates for electronic signatures;
  • Issuance of qualified certificates for electronic seals;
  • Issuance of qualified certificates for website authentication;
  • Issuance of qualified electronic timestamps;
  • Qualified electronic registered delivery service;
  • Qualified validation service for qualified electronic signatures;
  • Qualified validation service for qualified electronic seals;
  • Qualified preservation service for qualified electronic signatures;
  • Qualified preservation service for qualified electronic seals.

Non-qualified electronic trust services:

  • Issuance of non-qualified certificates for electronic signatures;
  • Issuance of non-qualified certificates for electronic seals;
  • Issuance of non-qualified certificates for website authentication;
  • Issuance of non-qualified electronic timestamps;
  • Non-qualified electronic registered delivery service;
  • Non-qualified validation service for qualified electronic signatures;
  • Non-qualified validation service for qualified electronic seals;
  • Non-qualified preservation service for qualified electronic signatures;
  • Non-qualified preservation service for qualified electronic seals.

 

Other services:

Section in which services related to electronic signatures that are not trust services under the eIDAS Regulation, but fall within the framework of Law 59/2003, of 19 December, on electronic signatures, are published: issuance of electronic certificates for legal persons or entities without legal personality, issuance of component certificates, publication certification services and electronic contracting services.

In addition, the database makes it possible to obtain categorised information on the certificate issuance services used as identification and signature systems by the Public Administrations (Law 11/2007, of 22 June, on citizens' electronic access to public services; Law 39/2015, of 1 October, on the Common Administrative Procedure of the Public Administrations; and Law 40/2015, of 1 October, on the Legal Regime of the Public Sector):

  1. Issuance of electronic certificates for Public Administration electronic sites;
  2. Issuance of electronic seal certificates for Public Administrations;
  3. Issuance of public employee electronic certificates.