Issuer Declaration BankID

The holder of BankID should be able to feel safe when BankID is used and be able to rely on the various e-services where BankID is used. Similarly, the e-service shall be able to rely on the fact that an electronic identification or signature based on a BankID is carried out by a properly identified person. For this to be possible, the issuing bank must identify the prospective BankID holder and deliver BankID in accordance with high BankID common rules.

The BankID holder must also enter into a user agreement with the issuing bank that regulates liability, management and use. An organisation that has one or more e-services where BankID can be used has also signed agreements regulating how BankID can be used in their e-services. This information is primarily addressed to holders of BankID and organisations with e-services where BankID can be used.

About BankID

A number of banks cooperate on BankID and issue BankID to their banking customers. A bank-wide regulatory framework ensures that BankID is a secure product for identification and signature with a guaranteed quality regardless of the bank issuing BankID. The technology and security solution is the same regardless of the issuing bank. The bank-owned company Finansiell ID-Teknik BID AB is responsible for the management of the bank-wide regulatory framework as well as the development, operation and management of the technology and infrastructure that banks use to deliver the BankID service. There are currently three different types of BankID, which work slightly different from a technical perspective:

• BankID on files used on computers where BankID is stored in the computer.

• BankID on cards used on computers together with a connected card reader in which a smart card with a BankID is inserted.

• Mobile BankID used on mobile phones and tablets and where BankID is stored on the mobile phone or tablet.

All types of BankID constitute personal electronic ID documents that can be used for electronic identification and signature. The banks and Finansiell ID-Teknik BID AB are continuously working to further develop the security around BankID and implement the necessary changes necessary for BankID to always be a safe product that meets the requirements that banks themselves and the rest of society set for secure e-services.

Changes to the issuer declaration

Changes to this Issuer Declaration are decided by the product management department at Finansiell ID-Teknik AB. A new version of the Issuer Declaration takes effect 30 days after publication and is valid until 30 days after the next Issuer Declaration is published.

Laws and regulations

BankID acts under several different laws and regulations, including:

• BankID regulatory framework – the bank-wide internal regulatory framework for BankID.

• Trust framework Swedish e-ID – BankID meets the Trust Framework for Swedish e-ID managed by the Swedish Digital Administration Authority (DIGG), according to trust level 3.

• BankID meets the requirements for Strong Customer Authentication and Dynamic Coupling in accordance with the technical requirements of the Second Payment Services Directive (PSD2) at EU level.

• BankID constitutes a so-called trusted service under the EU eIDAS Regulation. An electronic signature carried out using BankID constitutes an advanced signature under the Regulation.

• BankID constitutes a socially critical infrastructure in Sweden and thus falls under national legislation for security protection.

Commitment and responsibility

Issuing bank
The issuing bank is responsible for the BankID it has issued to its bank customers. This responsibility includes:

• Performing an adequate identity check of the holder in accordance with the rules of financial institutions and the bank-wide BankID regulatory framework.

• Informing the holder about the terms of use for BankID.

• Signing an agreement with the holder for the BankID service.

• Archiving agreements and proof that identity verification has been carried out.

• Verifying current name information against official records.

• Delivering BankID to the holder safely.

• Providing support to the user.

• Providing the possibility for BankID holders to block their BankID.

BankID holder
The holder of a BankID must manage their digital ID document securely and in accordance with the terms of use for their bank. The Terms of Use include:

• That a BankID may only be stored on a computer or other device the holder has control over and that cannot be used by other persons outside the holder's control.

• Keeping the password of their BankID secret and not recording the password in such a way or location that makes it obvious that the password is related to the user's BankID.

• Not to share their BankID or password with any other person.

• To contact their bank as soon as possible if their computer, mobile device or card containing a BankID is lost or stolen and to block the BankID concerned.

• To block the BankID concerned if it is suspected that unauthorised persons have found out their password.

• That the person agrees that personal data in the form of name and Swedish Personal Identity Number is handed over to an e-service, every time they use their BankID with the e-service.

• To get a new BankID if their first or last name changes.

• To not use their BankID to engage in criminal activity.

The holder shall also be observant of the counterpart's name in the BankID app(s) on identification or signature. The name displayed shall correspond to the e-service or organisation for which the BankID is used. If the name does not match the organisation you intend to identify with, it is important that you do not enter your password. Cancel the transaction and report the event to abuse@bankid.com.

When signing, the text you sign appears in the BankID program. It is important that users read through the entire text before entering their password. If you do not agree with the text and do not want to sign it, then you should cancel the signature.

You should never use your BankID, bank security device or other identification method at the request of someone else. If you are contacted by someone claiming to be from the bank, the police or any authority and asked to identify yourself and use your BankID, then this is an attempted fraud.

If you think you are the victim of an attempted fraud in any way, you should contact your bank or abuse@bankid.com.

E-service/organisation (relying party)
Organisations that wish to use BankID for identification or signature in an e-service must be approved to use BankID in the current e-service and obtain an agreement with a selling bank, https://www.bankid.com/kontakt/foeretag, or for the public sector to use freedom of choice systems https://www.bankid.com/offentlig-sektor/kom-igang.

The selling bank/Finansiell ID-Teknik BID AB assesses the organisation and the intended e-service before BankID can be used. The selling bank/Finansiell ID-Teknik BID AB has the right to deny the use of BankID and can also block e-services for organisations that fail to comply with laws, agreements or rules.

The organisation will be blocked from using BankID if the e-service is regarded as:

• contravening Swedish law, other government regulations or any instructions.

• constituting fraudulent conduct towards BankID holders.

• issuing any form of new identification method or technology (so-called ID switching).

• abusing the BankID trademark.

Lifecycle of a BankID

Application and verification of identity
When a bank customer applies for a BankID from their bank, the bank must perform, or have previously carried out, an adequate identity check, in accordance with the rules for financial institutions and the BankID regulations. If the bank has already carried out an adequate identity check before applying for BankID and then given the customer another identification tool such as a code box, then this identification tool can be used to identify the bank customer via a distance procedure in the internet bank provided that the issuing bank otherwise has good customer knowledge of the user.

A prerequisite for obtaining a BankID is that the applicant has a Swedish Swedish Personal Identity Number and is a customer of a Swedish bank that can issue BankID. The Bank provides the applicant information about BankID and the Terms of Use for BankID.

The Terms of Use for BankID must be approved by the applicant and the bank is obliged to archive that information.

Issuance of BankID
The bank gives the user instructions on how to install the BankID program in the computer, mobile phone or tablet. The Bank is then responsible for ensuring that the information contained in BankID is consistent with the personal data of the applicant, and that BankID is supplied to the correct person. When the user receives their Bank ID, in most cases, they are able to select their own password. For BankID on file and Mobile BankID, the password must be at least six characters/digits, while for BankID on cards it must be at least four digits. A password/security code must not be too simple or easy to guess. A check is carried out to ensure the selected code is not too simple and you may not be allowed to use the specific code.

Control of BankID
A BankID holder can obtain information about all their BankIDs through their bank. This is easiest to do via the internet bank. In most internet banks, the holder can see all BankIDs, i.e. also BankIDs issued from other banks. It is an important requirement for issuing banks to enable holders to easily check which BankID is issued to them. Thus, a holder may have several different BankIDs and also BankID from different banks.

Checking transactions performed
A holder can see for themselves which BankID transactions have been carried out on their Swedish Personal Identity Number. This is done in the BankID program under Settings > My BankID > My BankID history. After an identification, you can then see all the identifications or signatures that you have carried out from all your BankIDs and not just from the unit in question. For each transaction, you can also see more detailed technical information such as IP addresses, location info and which BankID is used. It is possible to search for transactions that are up to four years old.

Block BankID
The bank offers BankID holders the opportunity to block their BankID. The easiest way to do this is via the internet bank, but if this is not possible, the holder can contact their bank in other ways. If a BankID holder suspects that someone else has come across your BankID or become aware of its password, it is important to block the current BankID. BankID that is no longer used or that you do not recognize that you have should also be blocked. If you enter an incorrect password more than five times in a row, the current BankID will automatically be blocked. Some BankID cards may have fewer attempts. Some BankID cards may also have an unlock code. The respective issuing bank may disclose this. Once a BankID has been blocked, the block cannot be removed. If a BankID has been blocked, you need to get a new BankID in order to continue using e-services that use BankID.

Expired BankID
Similar to physical IDs, a BankID has a certain lifespan. Once a BankID has expired, it is no longer usable and the holder must obtain a new BankID. The issuing bank determines the lifespan of a BankID within certain BankID common limits. A BankID may be valid for a maximum of 5 years, but it is the issuing bank that determines the validity of each issue. In the BankID app/program you can see how long a BankID is valid.

Technical solution

BankID app/program
In order to use BankID, you first need to install a BankID app or program on your mobile phone, tablet or computer. The BankID program for computers is installed from https://install.bankid.com which also provides instructions. The BankID app is downloaded from the App Store, Google Play or Huawei Mobile Services.

Get a BankID
After the BankID program is installed on your computer, mobile phone or tablet, you can obtain a BankID on file for your computer or Mobile BankID for your mobile phone or tablet via your internet bank or bank branch.

If you have BankID on a card, you need to connect a card reader to your computer and insert the card into the card reader, after installing the BankID program.

Processing of personal data
The issuing bank is the data controller and Finansiell ID-Teknik BID AB is the data processor to the respective bank.

The holder of a BankID chooses which e-services or organisations he/she wants to use his/her BankID with and presents his/her name and Swedish Personal Identity Number for the e-service when identifying and signing. The e-service is responsible for the personal data it processes.

For more information about how personal data is processed, see BankID’s Privacy Policy.

Archiving information
The issuing bank archives the application and agreement for BankID in accordance with applicable laws, for at least 10 years after the date the BankID expires. Finansiell ID-Teknik BID AB archives events relating to the use of BankID for a maximum of five years, the stored information related to the use is available to the user, as per 3.3 and 3.4.

Note that the text signed with BankID is not saved anywhere in the BankID infrastructure. The electronic signature has been handed over to the e-service and it is the e-service's responsibility to store the signature in accordance with their applicable laws and regulations.