
TUPAS is a banking industry specification for identifying citizen and company users in Finland. It is widely deployed in government and private sector e-services.

10 banks (as of 2012) offer the IDP service.

http://en.wikipedia.org/wiki/TUPAS

...

In the identification of customers, banks follow the Act on Preventing and Clearing Money Laundering and Terrorist Financing (503/2008) and the Standard 2.4 on customer identification and customer due diligence, issued by the Financial Supervisory Authority of Finland.

Individual bank service contracts limit liability toward both the SP and the customer. The banking customer provides informed consent and, using an approval button, asserts that the information shown on screen is correct. Contracts and implementations vary by bank.

Technical standards:

A proprietary standard based on shared secrets and front-channel browser redirects/POSTs.

The Nordea bank service description includes an English-language overview and a technical description. (Nordea is one of the 10 banks offering the service.)

Assurance levels and policy profiles:

...

http://www.fkl.fi/en/themes/e-services/Dokumentit/Tupas_Identification_Principles_v20b.pdf

Lessons learned:

  • Bleeding edge, implemented before any applicable standards existed.

...

  • Adoption limited to Finland.
  • No discovery mechanism is defined; each service implements its own.
  • Technically, no completely automated discovery is possible, as each user may have accounts at many banks.
  • Commercial IDP service, serving the banks' own needs as well as third parties (government, private sector).
  • Although there is a common technical specification, use requires a service contract with each individual bank.