For key data see overview.

TUPAS

Key purpose, services, user community, numbers:

Banking industry specification for citizen and company user identification in Finland. Widely deployed in government and private sector e-services.

10 banks (2012) offer the IDP service.

http://en.wikipedia.org/wiki/TUPAS

...

http://www.fkl.fi/en/material/statistics/Statistics/Statistics_banks_payment_systems_2001-2010.pdf

Inception: Established 2004. Initial focus was an internet payment protocol.

Maturity: Well established, with only small changes. A recent addition is authentication for companies, returning the VAT codes of authorized company account holders. Discussion has reportedly begun on a next-generation model.

Business case: (must find reference) Banks need authentication and can sell it to others who need it too. Government services particularly need it and are willing to pay for the data. Leverages existing infrastructure.

Legal framework:

Since 1 March 2010, initial identification in the Tupas identification service follows the Act on Strong Electronic Identification and Electronic Signatures (617/2009). http://www.finlex.fi/en/laki/kaannokset/2009/en20090617.pdf

...

In the identification of customers, banks follow the Act on Preventing and Clearing Money Laundering and Terrorist Financing (503/2008) and the Standard 2.4 on customer identification and customer due diligence, issued by the Financial Supervisory Authority of Finland.

Individual bank service contracts limit liability towards both the SP and the customer. The banking customer gives informed consent and asserts that the information shown on screen is correct by pressing an approval button. Contracts and implementations vary by bank.

Technical standards:

Proprietary standard based on shared secrets and front-channel browser redirects/POSTs.

The Nordea bank service description includes an English-language overview and technical description (Nordea is one of the 10 banks offering the service).
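To make the shared-secret, front-channel design concrete, here is an added example (not code from the page, from any bank, or from the Tupas specification) of how a service provider would verify the bank's signed return message. The B02K_* field names follow the publicly documented Tupas v2 return message, but the exact MAC layout (fields joined by '&', then the shared secret, then a trailing '&', SHA-256 upper-case hex) and all sample values are assumptions constructed for illustration and must be checked against each bank's own service description.

```python
"""Verify a Tupas-style front-channel response at the service provider.

Constructed example, not code from the page or any bank. Field names follow
the publicly documented Tupas v2 return message (B02K_*); the MAC layout
(fields joined by '&', then the shared secret, then a trailing '&', SHA-256
hex, upper-case) is an assumption for illustration.
"""
import hashlib
import hmac

# Order of the signed return fields (assumed; see module docstring).
MAC_FIELDS = (
    "B02K_VERS", "B02K_TIMESTMP", "B02K_IDNBR", "B02K_STAMP", "B02K_CUSTNAME",
    "B02K_KEYVERS", "B02K_ALG", "B02K_CUSTID", "B02K_CUSTTYPE",
)


def compute_mac(fields: dict, secret: str) -> str:
    """MAC = SHA-256 over 'f1&f2&...&fn&secret&', as upper-case hex."""
    data = "&".join(fields[name] for name in MAC_FIELDS) + "&" + secret + "&"
    return hashlib.sha256(data.encode("iso-8859-1")).hexdigest().upper()


def verify_response(fields: dict, secret: str, expected_stamp: str) -> bool:
    """True only if the MAC matches and the reply answers our own request.

    expected_stamp is the stamp the service provider stored when it sent the
    user to the bank; binding the reply to it stops replay of an old, validly
    signed response for a different session.
    """
    try:
        supplied = fields["B02K_MAC"]
        calculated = compute_mac(fields, secret)
    except KeyError:
        return False  # a required field is missing: treat as invalid
    if not hmac.compare_digest(supplied, calculated):  # constant-time compare
        return False
    return fields["B02K_STAMP"] == expected_stamp


# Constructed sample response, as the bank would POST it to the return link.
SECRET = "constructed-shared-secret"
SAMPLE = {
    "B02K_VERS": "0003", "B02K_TIMESTMP": "20120912103000",
    "B02K_IDNBR": "12345", "B02K_STAMP": "20120912102955000001",
    "B02K_CUSTNAME": "TESTI ASIAKAS", "B02K_KEYVERS": "0001",
    "B02K_ALG": "03", "B02K_CUSTID": "CUST-0001", "B02K_CUSTTYPE": "01",
}
SAMPLE["B02K_MAC"] = compute_mac(SAMPLE, SECRET)  # what a bank would add
```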

Assurance levels and policy profiles:

Specifies minimum initial identity-proofing requirements and ongoing two-factor credential use.

http://www.fkl.fi/en/themes/e-services/Dokumentit/Tupas_Identification_Principles_v20b.pdf

Lessons learned:

  • Bleeding edge, implemented before any applicable standards existed.

...

  • Adoption limited to Finland.
  • No discovery mechanism defined; each service implements its own.
  • Technically, no completely automated discovery is possible, as each user may have accounts at many banks.
  • Commercial IDP service, serving the banks' own needs as well as third parties (government, private sector).
  • Although there is a common technical specification, use requires a service contract with each individual bank.