BankID is issued by the banks under a common BankID regulatory framework that meets the requirements of the Swedish e-ID, trust level 3, for which the Swedish Digital Administration Authority (DIGG) is responsible.
BankID and Swedish e-ID
A signature with BankID falls under trusted services in the eIDAS Regulation (EU 910/2014) as an advanced electronic signature. The Regulation gives a BankID signature a legal effect throughout the EU under Article 25. "An advanced electronic signature shall not be denied legal effect and admissibility in legal proceedings solely on the grounds that it is in an electronic form or does not meet the requirements for qualified electronic signatures" and Swedish legislation is updated to comply with the eIDAS Regulation.
Strong customer authentication under the EU Revised Directive on Payment Services
For financial services falling under the EU Revised Directive on Payment Services (PSD2) (EU 2015/2366), there is a Commission Delegated Regulation (EU) 2018/389 containing guidelines for technical requirements including Strong Customer Authentication (SCA). A BankID identification meets the requirements for strong customer authentication and a BankID signature meets dynamic linking requirements.
BankID counts as a payment instrument
In accordance with an interpretation of the Payment Services Act (2010:751), BankID is counted as a payment instrument when it is used to initiate a payment order. The rules in the Payment Services Act regarding unauthorised transactions, under which the payment service provider has certain obligations to recover accounts, as well as the payment service user’s responsibility to protect their personal authorisation functions (BankID) then also apply.
When BankID is used as e-identification
The rules of the Payment Services Act are not applicable when BankID is used as e-identification, for example when signing a credit agreement. The user’s obligations to protect their personal BankID and not transfer their BankID to any other person are then regulated via the agreement on the BankID service that the user has with the bank. These rules relating to care on the part of the user are also agreed for the benefit of third parties via so-called third-party agreements.
Electronic vs. physical documents
In this regards, many of the current regulations and procedures use paper-based document management as a firm basis, while at the same time an organisation should think "digital first" and should view the manual and paper-based process as the exception, because if that is not already the case today, then it is likely just a matter of time. An electronic signature constitutes an electronic document in itself. The Swedish Freedom of the Press Act defines what a finished electronic document is, so electronic documents are regulated under the Swedish Constitution.
GDPR
The processing of personal data is of course relevant when using BankID in its services. In practical terms, the issuing bank is the data controller for its processing of personal data and the relying party is the data controller for its processing. Thus, there is a transfer of personal data from one data controller (the bank) to another controller (relying party) each time a data subject chooses to use their BankID in an e-service.
There is therefore no need for a personal data processing agreement between the bank and the relying party, but if the relying party buys a service from an infraservice provider, a personal data assistance agreement may be needed. Personal data that is processed is name, Swedish Personal Identity Number but also the name of the issuing bank is included in a BankID. This information is provided in the identification certificate or in the electronic signature of the relying party, which is then responsible for processing it in accordance with applicable laws and regulations. One issue on which all relying parties must take a position is, of course, how long identification certificates and signatures should be archived and when they should be culled.
Other, abuse and criminal liability
Swedish legislation has been updated on numerous occasions so it can be adapted for electronic signatures. The last major update was the adaptations to the eIDAS regulation when the term electronic signature was introduced into Swedish legislation to comply with the nomenclature of the eIDAS Regulation. But the important thing is that the Swedish Criminal Code is updated where the crimes involving documents also include electronic documents (Chapter 14, Section 1 of the Swedish Criminal Code). So legislation on forgery, transgressions of truth, denying a signature, false attestation, use of a false document and abuse of a document that is falsely invoked apply in the same way to an electronic document. There are also newer laws such as laws on unlawful identity management and unlawful acts involving payment tools that can also be applied.
Please note that it is a crime under the Criminal Code – misuse of documents (Chapter 15, Section 12) – to use another person’s BankID as though it were valid for you, or to give your BankID and security code to another person to be misused in that way. It also constitutes a serious breach of contract against the BankID service. Never, under any circumstances, give your BankID and security code to any other person.