BankID and Swedish e-ID

BankID is issued by the banks under a common BankID regulatory framework that meets the requirements of the Swedish e-ID at assurance level 3 (tillitsnivå 3), for which the Swedish Agency for Digital Government (DIGG) is responsible.

A signature with BankID falls under the eIDAS Regulation (EU 910/2014) as an advanced electronic signature. Under Article 25 of the Regulation such a signature has legal effect throughout the EU: "An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures." Swedish legislation has been updated to comply with the eIDAS Regulation.

Strong customer authentication under the EU Revised Directive on Payment Services

For financial services falling under the revised EU Payment Services Directive (PSD2, Directive (EU) 2015/2366), Commission Delegated Regulation (EU) 2018/389 contains the regulatory technical standards (RTS) for, among other things, Strong Customer Authentication (SCA). A BankID identification meets the requirements for strong customer authentication, and a BankID signature meets the requirements for dynamic linking. In practice, dynamic linking only holds if the relying party includes the amount and the payee in the data the user is shown and signs, so that the signature is bound to that specific transaction.

BankID counts as a payment instrument

According to the interpretation of the Swedish Payment Services Act, BankID counts as a payment instrument when it is used for such transactions. This also brings in the rules on unauthorised transactions in the Payment Services Act, under which the payment service provider has certain obligations to restore the account. As the legislation on unauthorised transactions is written, it applies only to the party that issued the payment instrument, which is a pronounced deficiency in the legislation. A party that is not the issuer of the payment instrument must therefore either invoke the third-party agreements in the BankID Terms of Use, or argue that BankID does not constitute a payment instrument when it is used, for example, to apply for a loan with a third party. (The Payment Services Act should apply only to the transaction that subsequently moves the money out of the account, not to the loan agreement itself, etc.)

Electronic vs. physical documents

In this regard, many current regulations and procedures take paper-based document handling as their firm basis, while an organisation should instead think "digital first" and treat the manual, paper-based process as the exception; if that is not already the case today, it is likely only a matter of time. An electronic signature constitutes an electronic document in itself. The Swedish Freedom of the Press Act defines what a finished electronic document is, so electronic documents are regulated at the level of the Swedish Constitution.

GDPR

The processing of personal data is of course relevant when BankID is used in a service. In practical terms, the issuing bank is the data controller for its processing of personal data and the relying party is the data controller for its own processing. Thus there is a disclosure of personal data from one controller (the bank) to another controller (the relying party) each time a data subject chooses to use their BankID in an e-service.

There is therefore no need for a data processing agreement between the bank and the relying party, but if the relying party buys a service from an infrastructure service provider, a data processing agreement (personuppgiftsbiträdesavtal) may be needed with that provider. The personal data processed are the name and the Swedish personal identity number, and a BankID also contains the name of the issuing bank. This information is delivered to the relying party in the identification certificate or in the electronic signature, and the relying party is then responsible for processing it in accordance with applicable laws and regulations. One question on which every relying party must take a position is, of course, how long identification certificates and signatures should be archived and when they should be deleted; the retention period for a signature should at least cover the time during which the signed agreement may need to be proven.

Other, abuse and criminal liability

Swedish legislation has been updated on numerous occasions to accommodate electronic signatures. The last major update was the adaptation to the eIDAS Regulation, when the term electronic signature was introduced into Swedish legislation to follow the Regulation's nomenclature. More important, however, is that the Swedish Criminal Code has been updated so that the offences involving documents also cover electronic documents (Chapter 14, Section 1 of the Criminal Code). The provisions on forgery, offences against the truth, denial of a signature, false attestation, use of a false document and misuse of a document therefore apply in the same way to an electronic document. In addition, the more recent provision on unlawful identity use (olovlig identitetsanvändning) may also be applicable.