Project Abstract TUPAS
For key data see overview.
TUPAS
Key purpose, services, user community, numbers:
Banking industry specification for citizen and company user identification in Finland. Widely deployed in government and private sector e-services.
10 Banks (2012) offering IDP service.
http://en.wikipedia.org/wiki/TUPAS
http://www.fkl.fi/en/themes/e-services/tupas/Pages/default.aspx
Numbers: see Slide 16 Continued growth since 2004, 21.7 million authentication transactions during 2010.(Finnish population 5.4 million 2011)
http://www.fkl.fi/en/material/statistics/Statistics/Statistics_banks_payment_systems_2001-2010.pdf
Inception: Established 2004. Initial focus internet payment protocol.
Maturity: Well established, small changes. Recent addition is authentication for companies, returning VAT codes of authorized company account holders. Discussion has reportedly begun for next generation model.
Business case: (must find reference) Banks need authentication and can sell it others who need it to. Government services particularly need it and are willing to pay for the data. Leverage existing infrastructure.
Legal framework:
Since 1 March 2010, initial identification in the Tupas identification service follows the Act on Strong Electronic Identification and Electronic Signatures (617/2009). http://www.finlex.fi/en/laki/kaannokset/2009/en20090617.pdf
Providers of strong authentication under the aforementioned law must register for the privilege to the Finnish Communications Regulatory Authority (FICORA) and be subject to strict audit.
FICORA identification service provider register
In the identification of customers, banks follow the Act on Preventing and Clearing Money Laundering and Terrorist Financing (503/2008) and the Standard 2.4 on customer identification and customer due diligence, issued by the Financial Supervisory Authority of Finland.
Individual bank service contracts limit liability in both SP and customer direction. Banking customer provides informed consent and asserts information shown on screen is correct using an approval button. Contracts and implementations vary by bank.
Technical standards:
Proprietary standard based on shared secrets, front channel browser redirect/posts.
Nordea bank service description includes English language overview and technical description. (One of 10 banks offering the service)
Assurance levels and policy profiles:
Specifies minimum initial identity proofing requirements and on-going two-factor credential use.
http://www.fkl.fi/en/themes/e-services/Dokumentit/Tupas_Identification_Principles_v20b.pdf
Lessons learned:
- Bleeding edge, implemented before any applicable standards existed. Adoption limited to Finland.
- No discovery mechanism defined, each service implements their own.
- Technically no completely automated discovery possible, as each user may have accounts at many banks.
- Commercial IDP service, serving banks own needs as well as third-parties (government, private sector).
- Although a common technical specification, use requires service contract with each individual bank.