This month’s question
“What are the pros and cons of SWIFT’s 3SKey?”
Christoph Albers, Solution Manager Corporate Market, SWIFT, responded:
3SKey is SWIFT’s new digital identity solution designed to enable banks and corporates to exchange information in a secure way. The solution allows corporate treasurers to manage their various banking relationships using a single, multi-network personal signature device. This reduces the complexity of managing the ever-increasing number of tokens and passwords typically needed to administer multiple accounts with multiple financial institutions.
3SKey was launched at Sibos in Amsterdam in October 2010, and is already being deployed in Europe where banks such as Société Générale, BNP Paribas, HSBC, Crédit Agricole, BBVA and La Banque Postale started offering 3SKey as the most appropriate solution to meet their corporate customers’ authentication needs, and this regardless of the channel being used.
Using 3SKey brings a range of key benefits to corporates and banks:
The main advantage for corporate treasurers adopting 3SKey is that they can simplify the signing process across applications and banks. They no longer need to maintain multiple authentication methods.
3SKey enables the creation of a single credential for personal signature – providing for seamless transaction processing, and allowing both banks and their clients to increase efficiency and reduce operational risks and costs.
The solution enables corporates and banks to reduce costs in managing multiple devices and processes to securely exchange financial transactions by using a standardised multi-bank solution for personal identity management.
3SKey is a highly secure solution built using the latest cryptographic technology. This strengthens the security and minimises risk associated with personal authentication of corporate representatives.
3SKey is built using commonly used industry standards, so it can be easily and rapidly integrated in corporate and bank applications, including online web channels offered by the banks to their corporate clients. SWIFT will ensure the technology at the heart of 3SKey is updated as cryptographic techniques develop, making banks and corporates benefit from the latest developments in this space.
3SKey can be used on SWIFTNet, on any proprietary bank channel (bank web interfaces), on domestic networks, with the local EBICS TS exchange protocol and on other private channels.
Thanks to 3SKey, corporates will be able to clearly record who has accessed a payment system and what operations he or she has performed during a given period of time. This is, most of the time, possible with any bank proprietary system, but 3SKey allows for the single authentication system to apply to all banks – no matter where they are based. Any corporate using a worldwide and multi-bank e-banking platform should be interested in using a personal digital identity solution with the same qualities. Thanks to 3SKey, only individuals with the required privileges within corporations are able to sign payments. Each of these payments will be controlled by the bank on the basis of a strong authentication of the signatories.
The pros of this solution are clear. The setup of the bank mandates is most of the time the first step when establishing a business partnership between a bank and a corporate. 3SKey is the generic tool made available to create a link between the administrative work done around the bank mandates and the day-to-day automated operations. Furthermore, thanks to a generic approach of electronic signature, corporates could more easily establish new banking relationships. Having a global approach will help corporations to have a global view on the certificates and the tokens in use.
Despite all this, some potential weaknesses are to be overcome. Local regulation could eventually be incompatible with a generic approach. Registration processes could differ from one bank to another, impeding the benefits of a global approach. Finally, the technical and administrative (if not legal) setup could differ heavily from one bank to another.
Luc Belpaire, Product Director, Payments, SunGard, also gave his opinions:
Participating banks, called ‘subscribers’ in the 3SKey scheme, give USB tokens to their corporate customers, called ‘users’ in the 3SKey scheme. After activation of each token on the 3SKey Portal, the corporate user will associate the token with an individual at that corporate entity, eg token with unique ID 12345 is associated with Eric, the treasurer. As part of the association step, the bank will determine whether token 12345 is valid or has been revoked. This association is done for each of the banks with which the corporate does business. Once the token is associated with an individual, the bank will be able to authenticate files that are signed by token 12345 as being signed by Eric.
Much of the value proposition of 3SKey is directly linked with the degree of uptake by banks. The more banks offering the service to their customers, the more valuable the service becomes. If only a few of a corporate’s banks are offering the service and others not, the value for the corporate is less. The demand side of the market will decide on the level of uptake and ultimately on the value and success of the 3SKey service. There is strong demand in markets like France and early adopter customers are putting pressure on all their banks to adopt 3SKey, boding well for quick market adoption.
J.P. Morgan’s Sean Croston, Senior Product Manager, Treasury Services, also responded:
Since the SWIFT solution is new, the industry has many questions which the initial pilot largely addressed. For example, a user obtains a USB stick which securely stores cryptographic keys. The user enters the USB stick into his or her computer in order to authorise access to a bank’s products. The SWIFT Digital Credential Interoperability model allows the user to insert the same USB stick into the computer when accessing competitors’ products. The SWIFT approach asks users to register their credential with each bank, as opposed to the traditional approach of working with a centralised benevolent party.
The SWIFT 3SKey solution is a new offering in the market but the fundamental approach to achieving Digital Credential Interoperability in wholesale banking has proven to work for years. The core of the SWIFT model is already implemented in J.P. Morgan and other banks for computer-to-computer interactions. The SWIFT 3SKey model expands this approach to online banking: the client purchases or produces a security credential such as a USB token with a cryptographic key. The client securely registers the token with each bank with the appropriate legal liability agreements. The client also manages the credential (eg replace old credentials before they expire).
Snapshot of pros:
Achieves Digital Interoperability while preserving the core liability and service relationship between the client and bank.
Does not require multiple banks to have liability contracts amongst each other to allow client interoperability.
SWIFT is a global bank consortium that has a rich history of providing secure infrastructure and service for decades.
Does not require a client to be on the SWIFT network.
Enables users to access all of their banks using the same credential.
Banks cannot view usage of client credentials with other banks; SWIFT doesn’t allow, nor track, identities but rather security credentials (the banks know who their clients are).
There are also some potential drawbacks and challenges: the solution is new, and the security solution will need to continue to evolve, given the constant upgrades of the cyber-crime community.
Next month’s question
“Now that migration to SEPA is going to be mandatory, what can corporations do to benefit from SEPA and ensure a smooth transition?”