ESA investigation is about the security in BankID

Finance Norway and BankID Norway AS has had a dialogue with the EFTA Surveillance Authority (ESA) on requirements for safe access to customers' Norwegian bank accounts to initiate payments. ESA has opened a formal investigation into conduct by Finance Norway, BankID Norway AS and some banks in Norway following a complaint by Trustly Group AB, active in international payment services.

This does not signify that ESA has concluded that competition rules are violated, but rather that the case is entered into a more formal process. The matter will be discussed in public. Finance Norway looks forward to this discussion.

It is Trustly’s claim that Norwegian consumers are kept from accessing a new payment service that is available in most other EEA countries.

The complaint concerns so-called payment initiation services, where customers turn to the complainant who initiates the transaction from the customer's bank account. When making use of BankID, the ID-system that enables the customer to identify themselves in a unique manner, Trustly requires the customer’s password and security code. This also enables Trustly to access the customers on-line bank independently.

BankID is an effective and efficient electronic ID solution and has contributed greatly to the digitalisation of Norway. BankID can be used for identification in virtually all logins, also for public services. BankID has 3.5 million users. A secure login mechanism is needed to access online banking accounts. Banks offer different varieties of electronic IDs, but BankID is the most widely used.

In order to safeguard and maintain BankID as a secure identification and to prevent ID theft, fraud or other misconduct, the customer must not share their personalised security credentials with anyone. When consumers use Trustly’s services, they are required to share their login secrets.

BankID service safeguards trust in the payments system, and is guided by a comprehensive, open and general set of rules that all issuers of BankID need to follow. These meets with rules regarding customer "sole control" as set out in EU directives and regulations concerning electronic ID, meaning that control of BankID secrets is the responsibility solely of the individual customer. Customers who have disclosed their BankID secrets have therefore had their BankID withdrawn and have been issued a new BankID.

In communications with banks in the Norwegian market, Finance Norway has stressed that each bank independently must decide whether and how the bank wants to enter into agreements with regards to payment initiation on customers’ accounts.

If the customers share their BankID secrets with third parties, security is undermined. Against this background, BankID Norway has proposed several solutions to facilitate Trustly’s provision of payment initiation services in the market, that still would ascertain the high level of security provided by BankID.

Society faces increasing challenges with regards to cybercrime, and substantial resources are used by criminal actors in development of their business. It is thus imperative for us to defend the trust in BankID, as it is the most widely used e-id in Norway, and with it, the security of customers' money.

Trustly AB offers payment services for e-commerce, and outside Norway transfer to game companies, see the company's own marketing on their websites.