10 years of EBICS – a success story

Source: PPI AG

At the start of 2008 it was finally time: From this point onwards, every corporate client in Germany could be sure of being able to reach all banks and savings banks via the Internet by means of a standardised, secure electronic banking procedure in order to send bank transfers, direct debits and other orders and obtain account information. Multibank capability, very important for corporate clients, was guaranteed by the DFÜ agreement of the German banking industry (DK), which, starting from 1 January 2008, obligated all financial institutions in Germany to support a new, standardised procedure known as EBICS (Electronic Banking Internet Communication Standard) for their data exchange with corporate clients.

Even though it was already clear at that time that EBICS was going to be successful, there was no predicting the scale of the EBICS success story. EBICS is now a European standard for secure data exchange, not only in electronic banking with corporate clients but also in interbank payments, and it is additionally in line to become the standard for current developments such as instant payments. But more on this later.

The pre-history: the road to EBICS

EBICS, to be precise, is more than 10 years old, as it came into being on 18 July 2003. This was the day on which SIZ GmbH presented an Internet-based electronic banking procedure at a special meeting of the ZKA (Central Credit Committee, the former name of the DK) with the aim of promoting this procedure, or at least its design basis, as the foundation of a new, multibank-capable Internet standard for the entire German banking industry. Since 1995, the DFÜ agreement of the ZKA had guaranteed a multibank-capable procedure, BCS-FTAM, for the corporate client business. However, this file transfer procedure was based on the OSI standard FTAM for X.25 and ISDN connections, and in the Internet age it was no longer state-of-the-art. Despite a number of attempts since then, it had not been possible to establish a common IP-based standard. There were manufacturer-specific (e.g. MultiWeb, MCFT) and association-based solution approaches (BCS-FTP), but they lacked the decisive element: multibank capability. On 18 July 2003, the time seemed ripe for a new standard. A DK working group formed spontaneously at the special meeting, and its mission was to develop a common, IP-based, multibank-capable communication and security standard. EBICS was created based on the design of WOP. The draft concept created by the working group was the basis for the EBICS specification, version 1.0 of which was presented as early as mid-2005.

EBICS was not a revolution, being based from the start on an evolutionary concept. The elements of BCS-FTAM that had proven themselves for more than 10 years were kept, and only those elements that were no longer state-of-the-art were redesigned. Therefore, the concept of order types, and thus application-neutrality, was kept on board along with the authorisation of payment data via electronic signatures (ES). What was new about EBICS in particular was the replacement of the X.25- and ISDN-based communication of BCS-FTAM with a state-of-the-art XML communication protocol based on Internet standards. Additionally, the ES was extended to the distributed electronic signature (EDS), which enables corporate clients to authorise orders, for example orders transferred automatically from the accounting department to the bank, at any time, from any location and also from mobile devices.

SIZ GmbH initiated the development of EBICS in 2003, and has been accompanying it continuously ever since. In 2005 SIZ became the control centre of the German banking industry for EBICS (Appendix 1 of the DFÜ agreement) and for the data formats in electronic banking and payments (Appendix 3 of the DFÜ agreement).

In 2006, the savings bank financial group became the first institution group in Germany to support EBICS comprehensively. Then, in 2007, the associated and public institutions followed, along with the big banks and other private banks.

EBICS: the secure tunnel in insecure networks

The basis for the development of EBICS was above all a detailed security concept. Because data in electronic banking and payments requires special protection, the potential threats were used to derive security requirements and security measures for EBICS that use various cryptographic measures to guarantee the confidentiality, integrity and authenticity of the data in potentially insecure networks (e.g. the Internet). The confidentiality and integrity of the data is ensured by means of an EBICS-specific encryption procedure which, in addition to the TLS encryption on the transport level, also offers end-to-end encryption of the sensitive data in electronic banking. The authenticity of the communication is provided by the authentication signature of every data package. The authorisation of payments is ultimately given via electronic signatures, whereby, depending on the contractual agreement between customer and bank, different authorisation models can be used (single and multiple signatures, ES classes, limits etc.). The security concept has been checked regularly ever since, with EBICS being further developed where required in order to adapt the procedure to new or altered threat situations and/or technical standards. Over the years, EBICS has proven to be an extremely secure standard: to date, no successful attacks on EBICS have been confirmed.

The ground-breaking features of EBICS for the secure transfer of sensitive data: [Figure: the EBICS security tunnel]

2008: introduction in Germany

On 1 January 2008 the time had come: with the DFÜ agreement of the German banking industry, all banks and savings banks in Germany committed to supporting EBICS on the bank side from this date onwards. EBICS was accepted by the corporate clients faster than expected: already in the first year, a majority of corporate clients switched from BCS-FTAM to EBICS. The advantages of the new procedure were clearly too big to ignore. The runaway success of EBICS was mainly due to the fact that the transmission speed of the IP-based EBICS was many times faster than that of FTAM, that the use of Internet standards greatly simplified the incorporation into company and banking networks, and that EBICS offered new features such as the distributed electronic signature. It was decisive, however, that the DFÜ agreement of the DK guaranteed from the very beginning the multibank capability that was crucial for corporate clients. The switch was made easier by the fact that migration scenarios were already implemented in the procedure, which made it possible to convert the keys for the electronic signature from BCS-FTAM to EBICS practically at the touch of a button.

EBICS develops into an interbank procedure

Word travelled quickly that EBICS is a very secure procedure specially designed for the safe, fast transmission of large data volumes. So it was no surprise that EBICS also became the communication standard in interbank payments. The trailblazer here was the German Central Bank, which introduced EBICS in 2008 as the communication procedure for the SEPA Clearer within the scope of the RPS (Retail Payment System). Today it is impossible to imagine a secure exchange between banks and clearing houses without EBICS. Along with the Central Bank, EBA Clearing also uses EBICS in the STEP2 payment system, and EBICS has also been established for many years now in bilateral clearing between banks, so-called “garage clearing”.

EBICS was also very quickly introduced for the delivery of data by service data centres. In 2009 the corresponding DK guideline relating to the support of EBICS was issued.

EBICS becomes the international standard

By the end of 2006 the French banking industry (CFONB) became aware of EBICS when looking for a new, secure, IP-based communication procedure. Like Germany, France was faced with the situation of replacing an old standard (ETEBAC) with a future-oriented procedure. After intensive evaluation of various alternatives, EBICS emerged as the suitable procedure, and in 2008 a co-operation between the French and German banking industries was initiated. In summer 2010, EBICS SCRL, the European EBICS association based on Belgian law, was founded in Brussels. EBICS has now been introduced just as widely and successfully in France as in Germany. With the foundation of the EBICS association, the SIZ became the official technical office of the association (European EBICS control centre) and has since coordinated the EBICS working group, i.e. the committee responsible for the further development of EBICS.

However, with the introduction of EBICS in France, different “dialects” became established in the two countries. For practical reasons, it was accepted that due to the different requirements in the two countries, there would also be different versions of the EBICS standard. This related in particular to the representation of business transactions, for which the three-character order type ID is used in Germany, whereas in France they are identified by means of format parameters. There were also other differences, e.g. in France the cryptographic keys used are based on the X.509 standard, while Germany continues to employ a proprietary format that comes from BCS-FTAM. And while both countries were basically “speaking” EBICS, the inter-country compatibility faced some problems because of the different “accents” being used.

This shortcoming became really apparent in 2015 when Switzerland became the third country to join the EBICS association. Switzerland was presented with the dilemma of choosing between the “dialects” or even adding a third, Swiss “accent”.

It was obvious that different EBICS dialects were not conducive to the desired proliferation of the standard in Europe. The only solution was to harmonise EBICS, and this need was finally addressed in the new EBICS 3.0. In particular, the introduction of BTFs (Business Transaction and Formats) enabled a future-oriented, flexible and above all standardised identification of business transactions for EBICS. It was also possible to achieve further important harmonisations in the EBICS standard, thus making EBICS a uniform international standard. With electronic payments it is especially important for partners to be able to reach, understand and trust each other. Understanding is achieved mainly by the common SEPA data formats and the standardised EBICS identification via BTFs; accessibility and trust are provided by EBICS as a common communication and security standard. EBICS 3.0 has been released and can be introduced from autumn 2018. In Germany, EBICS 3.0 will be mandatory for all institutions of the German banking industry from 2021, as per the DFÜ agreement of the DK.

10 years of EBICS: review and outlook

It’s time to look back on 10 years of EBICS in Germany. What began as an attempt to contain different, incompatible developments in electronic banking in Germany, and ensure the multibank capability for corporate clients in the Internet age, has developed into a success story that has long traversed the nation’s borders. EBICS is known worldwide as an open standard for the secure exchange of files, and is also used in countries that are not (yet) members of the EBICS association. EBICS is now not only a customer-bank procedure but an established standard in interbank payments, and it is also expected to play an important role in both the submission and clearing of instant payments.

But what are the reasons for this long-running success? It seems to me that the following points in particular have been decisive:

  • The application-neutrality of EBICS
    EBICS is application-neutral and can transfer the widest range of data types, because neither formats nor bank-technical specifications were incorporated into the design of the transfer protocol. This is why EBICS can be used so easily in different countries and different application scenarios.
  • The security features of EBICS
    Because EBICS combines mutually independent cryptographic procedures for data confidentiality, the authenticity of the partners and the communication, and for the authorisation of orders, it offers a secure tunnel in insecure networks.
  • The multibank capability
    Both in Germany and in France, EBICS is a multibank-capable procedure. In Germany, multibank capability is guaranteed by the DFÜ agreement of the DK.
  • The adaptability of EBICS
    As an open standard, EBICS has an architecture that can be adapted to different requirements, and it is continuously being developed further by the EBICS association.
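
The "secure tunnel" section above and the security-features bullet both describe the same layering: an authentication signature on every data package, keyed independently of the TLS transport, plus electronic signatures (ES) that authorise the order under a contract-defined model (single and multiple signatures, ES classes, limits). The following is an added illustration written for this page, not EBICS reference code and not code from the author or SIZ. It assumes several things that the text does not state: HMAC-SHA256 with separate per-purpose keys stands in for the RSA signatures of real EBICS so that the example runs with the Python standard library alone; the class letters E (single), A (first), B (second) and T (transport, cannot authorise) follow the EBICS scheme as I understand it; the policy object is one example contract, since the text says the model depends on the customer-bank agreement; and the TLS layer is omitted.

```python
"""Toy model of the two EBICS-specific security layers described on this page.
Added example, not EBICS reference code. HMAC-SHA256 with per-purpose keys stands in
for RSA signatures (assumption); ES class letters and the policy are assumptions."""
import hmac
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


def _sign(key: bytes, purpose: bytes, data: bytes) -> str:
    # Domain separation: an authentication signature can never be reused as an ES.
    return hmac.new(key, purpose + b"\0" + data, hashlib.sha256).hexdigest()


@dataclass
class Subscriber:
    user_id: str
    auth_key: bytes          # key for the per-package authentication signature
    es_key: bytes            # separate key for the electronic signature (ES)
    es_class: str            # 'E' single, 'A' first, 'B' second, 'T' transport only
    limit: Optional[float] = None   # per-order amount limit from the contract


def sign_order(sub: Subscriber, order: dict) -> dict:
    """An ES record over the canonical order: who signed, with which class."""
    canon = json.dumps(order, sort_keys=True).encode()
    return {"user": sub.user_id, "class": sub.es_class, "sig": _sign(sub.es_key, b"ES", canon)}


def build_packet(sender: Subscriber, order: dict, signatures: list) -> dict:
    """A data package: body plus the sender's authentication signature over it."""
    body = json.dumps({"order": order, "signatures": signatures}, sort_keys=True)
    return {"sender": sender.user_id, "body": body,
            "auth_sig": _sign(sender.auth_key, b"AUTH", body.encode())}


class Bank:
    def __init__(self, subscribers: list, policy: dict):
        self.subs = {s.user_id: s for s in subscribers}
        self.policy = policy   # {"single": classes, "pairs": set of sorted class pairs}

    def verify_packet(self, pkt: dict) -> tuple:
        sender = self.subs.get(pkt["sender"])
        if sender is None:
            return False, "unknown sender"
        expected = _sign(sender.auth_key, b"AUTH", pkt["body"].encode())
        if not hmac.compare_digest(expected, pkt["auth_sig"]):
            return False, "authentication signature invalid"
        return True, "ok"

    def authorise(self, pkt: dict) -> tuple:
        """Authentication first, then evaluate the ES set against the contract."""
        ok, why = self.verify_packet(pkt)
        if not ok:
            return False, why
        content = json.loads(pkt["body"])
        order = content["order"]
        canon = json.dumps(order, sort_keys=True).encode()
        valid = []   # (user, class) pairs that actually count
        for es in content["signatures"]:
            sub = self.subs.get(es["user"])
            if sub is None or sub.es_class == "T":
                continue   # unknown signer, or transport class: never authorises
            if not hmac.compare_digest(_sign(sub.es_key, b"ES", canon), es["sig"]):
                continue   # signature does not match this order
            if sub.limit is not None and order["amount"] > sub.limit:
                continue   # signer's limit exceeded: signature does not count
            if es["user"] in {u for u, _ in valid}:
                continue   # one signature per user
            valid.append((es["user"], sub.es_class))
        classes = [c for _, c in valid]
        if any(c in self.policy["single"] for c in classes):
            return True, "single signature"
        for i in range(len(classes)):
            for j in range(i + 1, len(classes)):
                if tuple(sorted((classes[i], classes[j]))) in self.policy["pairs"]:
                    return True, "multiple signatures"
        return False, "insufficient authorisation"


# Constructed sample subscribers and contract (not real EBICS data).
ALICE = Subscriber("ALICE", b"alice-auth-key", b"alice-es-key", "A", limit=50_000.0)
BOB = Subscriber("BOB", b"bob-auth-key", b"bob-es-key", "B")
CAROL = Subscriber("CAROL", b"carol-auth-key", b"carol-es-key", "T")   # uploads files only
DAVE = Subscriber("DAVE", b"dave-auth-key", b"dave-es-key", "E")
POLICY = {"single": {"E"}, "pairs": {("A", "A"), ("A", "B")}}
BANK = Bank([ALICE, BOB, CAROL, DAVE], POLICY)


def demo() -> dict:
    order = {"type": "credit transfer", "amount": 12_500.0, "ref": "constructed sample"}
    # Carol's client transmits the file (authentication signature), Alice + Bob authorise.
    pkt = build_packet(CAROL, order, [sign_order(ALICE, order), sign_order(BOB, order)])
    results = {"two_signatures": BANK.authorise(pkt)}
    results["b_only"] = BANK.authorise(build_packet(CAROL, order, [sign_order(BOB, order)]))
    results["t_only"] = BANK.authorise(build_packet(CAROL, order, [sign_order(CAROL, order)]))
    results["single_e"] = BANK.authorise(build_packet(DAVE, order, [sign_order(DAVE, order)]))
    big = dict(order, amount=75_000.0)   # above Alice's limit, so her ES does not count
    results["over_limit"] = BANK.authorise(
        build_packet(CAROL, big, [sign_order(ALICE, big), sign_order(BOB, big)]))
    # Changing the body after signing breaks the authentication signature.
    tampered = dict(pkt, body=pkt["body"].replace("12500.0", "99500.0"))
    results["tampered"] = BANK.authorise(tampered)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} -> {outcome}")
```

The point the toy makes is the separation the article describes: the subscriber who transmits a package (Carol, class T) proves only that the package came from her client, and cannot authorise anything, while authorisation is decided purely from the ES set against the contract, including limits. Because the two layers use independent keys and domain-separated inputs, a valid authentication signature is worthless as an ES and vice versa.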

EBICS has a lot of history behind it, even more than the 10 years since its mandatory introduction in Germany. But the story is far from over: As an open, secure communication standard, EBICS has a bright future ahead. With the experience of seeing that the fundamental design decisions are still holding up today and that the flexibility of the procedure enables EBICS to be adapted to new requirements, we can be confident that EBICS will continue to be an important element of electronic payments in Europe.

Dieter Schweisfurth
Head of Electronic Banking

