Real-time notifications and EBICS – no more "hopeful queries" for downloads

As I already wrote in my blog post in December 2018, real-time credit transfers (instant payments) in the corporate customer business are making their way into the world of EBICS via the new bulk format. When uploading real-time credit transfers, the EBICS transfer phase is not subject to the strict synchronous time rules of instant payments. The clock starts ticking only after the EBICS bank server processing.

But what about the opposite direction for instant payments business transactions in EBICS? After all, a credit notification, if not possible in real time, should still reach the payment recipient as soon as possible. In the standard role relationship between customer and bank, the EBICS client always downloads the information from the bank server; an active provision by the bank via EBICS is not intended. The business community in particular has urged the banks and the German Banking Industry Committee (Deutsche Kreditwirtschaft) to find a pragmatic solution for a push option. The ultimate goal was to develop a solution that could be implemented without changing the EBICS protocol or the role concept.

The result was the idea of a new WebSocket-based standard interface that informs EBICS clients when new information is available for download, including a newly available credit notification. This new push channel therefore carries no sensitive data itself; the download of the relevant sensitive data is still carried out via the secure EBICS channel.

In the meantime, the Deutsche Kreditwirtschaft has described this new interface in the "Spezifikation Echtzeitbenachrichtigungen" (specification for real-time notifications) and published version 1.0 on July 18, 2019 on the German EBICS website (www.ebics.de).

Now the interface must be implemented in EBICS clients and EBICS servers in a standard-compliant and timely manner. This development opens up new possibilities for optimising corporate customer business, even independently of instant payments. For example, the frequent, ongoing "hopeful queries" by automated EBICS clients (as performed for account statement downloads) can be eliminated for all download processes, which means a load reduction for both EBICS client users and bank server operators. That's good news, isn't it?


Author: Michael Lembcke

Is the EBICS protocol exempt from strong authentication (SCA) in line with PSD2?

We have been asked this question repeatedly by French and European financial institutions and it has not always been easy to give a sufficiently formal answer.

Recently, the Banque de France issued an official reply in which it added the EBICS protocol to the list of procedures and protocols exempt from strong authentication under Article 17 of Delegated Regulation (EU) 2018/389. The regulation states that: "For legal entities initiating electronic payment transactions through dedicated payment processes or protocols that are available only to payers who are not consumers, payment service providers may waive the requirement of strong customer authentication where the competent authorities consider that such processes or protocols provide at least a level of security comparable to that provided for in the directive (EU) 2015/2366."

The full text can be found on the following page: https://www.banque-france.fr/stabilite-financiere/securite-des-moyens-de-paiement-scripturaux/2eme-directive-sur-les-services-de-paiement

However, this does not mean that EBICS does not support strong authentication – far from it! That the EBICS protocol guarantees a level of security at least comparable to that provided for in the directive has long been established. With this in mind, I would like to invite you to read or re-read the article "EBICS and PSD2 – How do they work together?", published on this blog a few months ago.

Author: Marc Dutech

Verifying the hash value of the bank keys in the EBICS initialisation request

EBICS transactions are divided into different phases: initialisation, data transfer and acknowledgement (the latter only for download transactions).

The scope of the initialisation includes, among other things, checks of the following aspects:

- Order type

- Authentication signature

- Hash values of the bank keys

- User-related authorisations

Only once the initialisation is successfully completed does the transaction continue with the transfer phase, during which the actual order data is sent. The hash values of the bank keys are checked during initialisation to ensure that the client uses the current bank keys. If the check is not successful, the server sends the return code EBICS_BANK_PUBKEY_UPDATE_REQUIRED. For the client, this indicates that the most recent bank keys should be downloaded by means of the order type HPB.

Before the EBICS 3.0 harmonisation, the bank keys could be used directly or within certificates. As per EBICS specification, up to EBICS 3.0 the hash values of the public bank keys must be specified in the transaction initialisation – irrespective of whether it is certificates or keys that are exchanged with the bank.

As of EBICS 3.0, certificates are mandatory for key management. In this context it was decided that both for uploads and for downloads, the hash values of the certificates will have to be specified in EBICS initialisation requests in the future.

Usually the manufacturers of EBICS bank servers enable their customers to have a gradual transition by allowing them to specify either the bank keys or the certificates in DER format. This means that customers do not have to perform a download via the order type HPB after the migration to EBICS 3.0. Both keys and certificates can be specified either in the specification-compliant hex layout or in an alternative Base64 layout. A mixture of both layouts in one request is usually not intended.
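As an added example (not from this page and not the code of any EBICS bank server), a server-side check of the bank key hashes sent in the initialisation request. It takes the return codes and the hex/Base64 layouts from the text above; the hashed value being SHA-256 over the DER bytes, the use of EBICS_INVALID_REQUEST for a malformed or mixed layout, and the key material itself are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# The first two return codes are named on the page. Answering a malformed or mixed
# hash layout with EBICS_INVALID_REQUEST is an assumption of this example.
EBICS_OK = "EBICS_OK"
EBICS_BANK_PUBKEY_UPDATE_REQUIRED = "EBICS_BANK_PUBKEY_UPDATE_REQUIRED"
EBICS_INVALID_REQUEST = "EBICS_INVALID_REQUEST"

HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")  # SHA-256 digest in hex layout

@dataclass(frozen=True)
class BankKeyMaterial:
    """Current bank authentication and encryption material as DER bytes (constructed)."""
    auth_der: bytes
    enc_der: bytes

def current_hashes(km: BankKeyMaterial) -> Dict[str, bytes]:
    # Assumption: the value compared is SHA-256 over the DER-encoded key or certificate.
    return {"auth": hashlib.sha256(km.auth_der).digest(),
            "enc": hashlib.sha256(km.enc_der).digest()}

def encode_hash(raw: bytes, layout: str) -> str:
    """Render a digest the way a client sends it: 'hex' layout or 'base64' layout."""
    return raw.hex() if layout == "hex" else base64.b64encode(raw).decode("ascii")

def decode_hash(value: str) -> Tuple[str, bytes]:
    """Detect the layout of a sent digest and return (layout, raw 32 bytes)."""
    value = value.strip()
    if HEX_RE.match(value):
        return "hex", bytes.fromhex(value)
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("hash is neither hex nor Base64") from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("Base64 value is not a SHA-256 digest")
    return "base64", raw

def check_bank_key_hashes(sent: Dict[str, str], km: BankKeyMaterial) -> str:
    """Server-side initialisation check. `sent` maps 'auth'/'enc' to the digest
    string the client put into the request; the EBICS return code is returned."""
    expected = current_hashes(km)
    layouts, decoded = set(), {}
    for name in ("auth", "enc"):
        if name not in sent:
            return EBICS_INVALID_REQUEST
        try:
            layout, raw = decode_hash(sent[name])
        except ValueError:
            return EBICS_INVALID_REQUEST
        layouts.add(layout)
        decoded[name] = raw
    if len(layouts) != 1:
        return EBICS_INVALID_REQUEST  # hex and Base64 mixed in one request
    for name in ("auth", "enc"):
        # constant-time compare; a mismatch tells the client to fetch the keys via HPB
        if not hmac.compare_digest(decoded[name], expected[name]):
            return EBICS_BANK_PUBKEY_UPDATE_REQUIRED
    return EBICS_OK
```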

By the way: with EBICS 3.0, the key management has been unified not only for bank keys, but also for user keys. It is thus now mandatory to initialise users with certificates not only in France (CFONB), but in all countries. Usually EBICS bank servers allow for a gradual transition in this aspect as well. User keys with a minimum length of 2048 bits can also be used for EBICS 3.0. For key updates (order types HCA, HCS and PUB), new certificates can usually be signed with the keys of older EBICS versions.

CA-based certificates are still only used in France. From the bank server perspective, however, nothing should stand in the way of introducing them in other countries.


Author: Hendrik Chlosta

gpi and EBICS – how do they work together?

Isn't gpi purely a SWIFT topic? At first glance it might seem so. The abbreviation originates from SWIFT and stands for "Global Payments Innovation". The gpi initiative was launched at the end of 2015 and is already broadly supported by many global financial institutions.

gpi is based on the unique end-to-end transaction reference (UETR), which accompanies a payment throughout the sometimes long correspondent bank chain. The reference may be a monstrosity of 36 characters in a format defined by a universal algorithm (xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx), but that monstrosity ensures end-to-end uniqueness without an "issuing authority". Although initially the UETR was only used in a CUG (closed user group) for (corporate) customer payments in MT103 messages, by now all payments in the FIN network carry such a reference, and it remains unchanged throughout the entire payment process chain.

The second substantial part of gpi is the so-called Tracker. The Tracker is a central database for all gpi payments and is hosted at SWIFT. It provides the participating banks with comprehensive information on the status of payments in the correspondent bank chain, on fees and on currency conversion rates. For FIN transport this information is read directly from the transported messages, but non-FIN banks can also actively inform the Tracker. Currently under discussion is the so-called confirmation – a notification that the credit has arrived in the beneficiary's account at the end of the payment process chain. As of 2020, all FIN banks shall be obligated to use the confirmation.

But why all this effort? gpi tackles the two core challenges in correspondent banking – transparency and speed. The extensive use of the UETR has yielded statistical data: on average, 40 percent of the gpi credit transfers are booked on the account of the end beneficiary within five minutes, 50 percent within 30 minutes, 75 percent within six hours, and almost all of them within 24 hours. Such a statement was simply impossible to make before gpi. On the contrary, all treasurers have experienced cases of payments arriving too late or not at all, with high, inexplicable fees, and with unclear or missing purpose information.

In addition to technical details such as the UETR and the Tracker, gpi provides a rulebook that stipulates the preferably same-day forwarding of a payment with complete remittance information and specification of deducted fees and currency conversion details. As there is no global transparency guideline, these stipulations have to be enforced on the basis of multilateral contracts. And that is a good thing – it's about time.

The (corporate) customer shall receive better service in cross-border payments. Aside from speed and transparency, another aspect is the acknowledgement. Acknowledgements, or receipts, have so far been used in cash transactions only. In electronic payments, the motto was mostly "shoot and forget": if no complaints come in, the money must have reached its destination. Recent years have seen a remarkable development in SEPA, and with instant payments according to the SCTinst scheme, electronic payments now have acknowledgements, too. With SWIFT gpi, such an acknowledgement can also be generated, even if it (still) requires a complete FIN chain in the settlement process. However, there is a long way left to go: so far the focus has been on broad, bank-internal implementations. The connection of customer systems for access to the information, or even for forwarding statuses and fee information to the customer system, is still in its early stages. But the mere possibility of checking a payment's status via a central database in case of doubt shows considerable progress in the vast correspondent bank network.

Is this potential only applicable to FIN? Not at all. Current developments, e.g. the migration of real-time gross settlement systems (RTGS) such as TARGET2, EURO1 or CHAPS from MT to XML messages according to the ISO 20022 standard, are going in this direction. The (newer) ISO message formats contain dedicated fields for the UETR, meaning that the reference is transferred outside the FIN network, as well. Just recently, SWIFT made an announcement: "SWIFT trials instant cross-border gpi payments through TIPS"[1].

For the connection of gpi return messages to customer systems such as TMS or ERP, PSR messages (payment status reports, i.e. pain.002) are more efficient than manual processes. These self-services alone are already a significant step towards more transparency. By the way, the standards for these return messages, i.e. fields (tags) and codes, were made multi-bank compatible in the harmonisation initiative CGI-MP. PPI is now also actively partaking in this initiative.

Furthermore, the customers shall be enabled to initiate their reference in the payment as UETR – in the pain.001.001.03 within special fields according to the CGI-MP, or even in more current ISO versions within dedicated fields.

This customer-bank or bank-customer interface is where both customer payments and PSR return messages are often also transferred via EBICS. This means that gpi and EBICS do not contradict each other, but are rather complementary concepts – as is often the case in payments.

Author: Dr. Mario Reichel

[1] Source: https://www.swift.com/news-events/press-releases/swift-trials-instant-cross-border-gpi-payments-through-tips

EBICS tests with customers in a productive bank server?

As of EBICS 2.4, it is possible in France not to use the business transactions with 3-character order types that are customary in Germany and other countries, but instead to exchange FileFormat parameters of up to 40 characters. These must each be introduced with the FUL or FDL order types. Here, a so-called test flag can be specified. Using this flag, an EBICS customer can make a test submission during productive operation and signal this to the financial institution, for example when sending a file. Provided that there is a bilateral agreement on the use of the test flag, the financial institution may accept the order, classify it as a test case and separate it prior to the actual processing. The use of a test flag in live operation is not uncontroversial among financial institutions; at present, the German financial institutions mainly reject such an option.

With the current EBICS version 3.0 and the unified use of BTFs instead of order types and FileFormat parameters, the existing test flag has been dropped from the EBICS specification. In addition, the EBICS CR EB-17-01 "Element Group Parameter" introduced a stricter check on the use of specifications in the generic parameters of the BTF that have not been bilaterally agreed upon. Specifications that are not permitted are now rejected with the EBICS return code 09-0-0-06: EBICS_UNSUPPORTED_REQUEST_FOR_ORDER_INSTANCE.

To assist with the introduction of EBICS 3.0 in France, the French CFONB has created its own migration guidelines (EBICS 3.0 Aide à la migration BTF & Table de correspondance File Format/BTF). Since the test flag has been used by financial institutions in France in the past and there will continue to be a need for such an option, the CFONB has defined the use of the test mode for BTF and added it as an optional feature in the guidelines for the BTF migration. Therefore, where there is a bilateral agreement between the financial institution and the customer, the parameter TEST can be used in test cases even for BTF. If the specification of the parameters differs from what was agreed, the order is rejected with the return code mentioned above. EBICS bank servers and EBICS clients can optionally offer this functionality.

Independent from this, for EBICS there is also the alternative to use business transactions (BTFs) that have been especially agreed upon bilaterally for the test submissions.
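An added illustration, not code from the CFONB guidelines or from any bank server: how a bank server could apply the bilateral agreement to an uploaded BTF, separating agreed test submissions (the TEST parameter or a dedicated test BTF, as in the two paragraphs above) and rejecting non-agreed parameters with the return code quoted earlier. The BTF fields, the shape of the agreement and the dedicated test BTF "pain.001.test" are simplifications and assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

EBICS_OK = "EBICS_OK"
# Return code as given on the page for BTF specifications that were not bilaterally agreed.
EBICS_UNSUPPORTED_REQUEST_FOR_ORDER_INSTANCE = "09-0-0-06 EBICS_UNSUPPORTED_REQUEST_FOR_ORDER_INSTANCE"

# A business transaction is identified here by service name, scope and message name;
# the remaining BTF fields are left out of this example.
BtfId = Tuple[str, str, str]

@dataclass(frozen=True)
class Btf:
    service: str
    scope: str
    msg_name: str
    params: FrozenSet[str] = frozenset()   # generic parameters sent by the client, e.g. "TEST"

    @property
    def ident(self) -> BtfId:
        return (self.service, self.scope, self.msg_name)

@dataclass(frozen=True)
class BilateralAgreement:
    """What the bank agreed with one customer (constructed): per BTF, the generic
    parameters that may be used, plus the BTFs reserved for test submissions."""
    params_by_btf: Dict[BtfId, FrozenSet[str]]
    test_btfs: FrozenSet[BtfId] = frozenset()

def route_upload(btf: Btf, agreement: BilateralAgreement) -> Tuple[str, str]:
    """Decide what the bank server does with an uploaded BTF.
    Returns (return code, queue) with queue in 'production', 'test' or 'rejected'."""
    agreed = agreement.params_by_btf.get(btf.ident)
    if agreed is None:
        return EBICS_UNSUPPORTED_REQUEST_FOR_ORDER_INSTANCE, "rejected"
    # any generic parameter outside the agreement is rejected outright (stricter 3.0 check)
    if not btf.params <= agreed:
        return EBICS_UNSUPPORTED_REQUEST_FOR_ORDER_INSTANCE, "rejected"
    # an agreed TEST parameter or a BTF reserved for tests is separated before processing,
    # so test data never reaches the production queue
    if "TEST" in btf.params or btf.ident in agreement.test_btfs:
        return EBICS_OK, "test"
    return EBICS_OK, "production"

def sample_agreement() -> BilateralAgreement:
    # Constructed sample: SCT uploads may carry TEST; a second, hypothetical BTF is
    # reserved for test files and takes no generic parameters at all.
    sct = ("SCT", "DE", "pain.001")
    test_only = ("SCT", "DE", "pain.001.test")
    return BilateralAgreement(
        params_by_btf={sct: frozenset({"TEST"}), test_only: frozenset()},
        test_btfs=frozenset({test_only}),
    )
```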

In the end, however, it must be noted that when using the test option in the production environment there is always a risk that the test data may negatively affect the production or even unexpectedly be introduced into the production data.

The more secure option, then, remains a dedicated EBICS bank server installation for EBICS tests with customers. And why not?


Author: Michael Lembcke

Standardisation and automation in external asset manager relations thanks to EBICS

External asset managers (EAMs) offer their wealthy private customers or institutional customers such as pension funds and insurance companies a multitude of services (for example, tax and real estate consulting as well as trading and investment transactions). The customer accounts are usually held at one or more custodian banks. Interactions with the financial institutions are often neither standardised nor automated. Communication by mail, telephone, e-mail and sometimes even fax dominates everyday business.

Few big asset managers have a SWIFT connection and are using it for treasury and foreign currency transactions (message category 3), securities transactions (message category 5), precious metal transactions (message category 6) or cash management transactions (message category 9). Some have implemented proprietary system-to-system connections, for example via FTP, to exchange financial messages. In Switzerland we are currently observing a trend towards EBICS as an alternative connection type for these use cases.

During the PPI Petit Déjeuner in April 2019 in Lausanne, a representative of Credit Suisse presented the offer "Private swift Network (PsN)". It deals with the extension of the EBICS service scope in the sense that about 20 new EBICS order types (reports for download) based on the EAM use cases mentioned above are available. Thanks to their cooperation with leading software manufacturers of portfolio management systems (such as Allocare or Expersoft), Credit Suisse achieves a significantly higher level of standardisation and automation when interacting with their partners. In concrete terms, the SWIFT messages of the above message categories can now also be transferred via EBICS.

As the EBICS protocol is flexible with regard to the content transferred, Credit Suisse additionally offers other formats like CSV or XML for reporting on the transactions and assets, including the master data of the respective customer depositories. All players stand to profit from the new offer: asset managers can connect more financial institutions via EBICS at low cost and automate their processes, software manufacturers can effectively extend their functional scope, and financial institutions can boost their appeal for EAMs. Viewed across all parties and processes, the error rate decreases and the implementation speed increases through elimination of manual operations.

Swiss financial institutions that are currently implementing projects in this area are already planning the next steps of the EBICS offer extension. In addition to the reporting functions (EBICS download), the order functions (EBICS upload) shall also be offered in the future. Especially orders in the trading business (SWIFT message category 5) are well-suited for uploads via EBICS. Particularly stock exchange orders (like SWIFT MT502) shall be transmitted from the asset manager to the financial institution. In the same way as the known payment order interfaces, the stock exchange interfaces are connected on bank side. The use of an EDS is also conceivable in this context.

In conclusion:

The first financial institutions in Switzerland are extending their EBICS offer beyond the use cases of payments. The Credit Suisse offer for medium and larger asset managers paves the way for EBICS in the EAM customer market and will likely prompt others to follow suit. Software manufacturers of portfolio management systems are slowly but surely learning to understand the EBICS protocol and extending their connectivity options with this connection type. When it comes to formats and standards that may be transferred via EBICS in the future, there are no limits to the possibilities. It is safe to say that for a certain customer segment, EBICS presents a viable alternative to the communication via SWIFT even in domains outside of payments.

Author: Carsten Miehling

You are a bank customer and you are using EBICS: Will your EBICS monitoring still work with EBICS 3.0?

Since EBICS 2.5, EBICS clients can use not only the purely text-based customer protocol but also an XML-based customer protocol for monitoring EBICS processes and results. The XML-based customer protocol is particularly suitable for automated evaluations. For downloading the protocol from the EBICS server, the EBICS client can use the order type PTK for the text-based protocol and the order type HAC for the XML-based protocol. With EBICS 3.0, the text-based protocol is no longer part of the specification. Moreover, changes to the HAC protocol have to be considered during automated result evaluation. Due to the required overall version interoperability, these changes partly affect EBICS clients of previous EBICS versions too, as soon as an EBICS bank server supports EBICS 3.0.

Hence, software manufacturers and EBICS users must be prepared for changes of EBICS clients that already provide functions for the automated customer protocol evaluation. First, a change from PTK to HAC should be performed for automated evaluations in EBICS clients. Furthermore, users of the HAC protocol must be aware that with EBICS 3.0 the final HAC protocol is displayed differently.

Up to now, the HAC end flag with the identifiers ORDER_HAC_FINAL_POS and ORDER_HAC_FINAL_NEG has indicated whether the submission was positive or negative. With EBICS 3.0, only the HAC end flag ORDER_HAC_FINAL remains, and it informs on the submission's result only in conjunction with the last reason code. The final code DS04, for example, stands for the rejection of the order, whereas code DS05 shows that the order was successfully submitted and forwarded to the bank system. Further reason codes have to be considered.

To make sure that your EBICS monitoring still provides correct results, I recommend relying on the HAC customer protocol and focusing the evaluation on the reason codes. This way, you can easily keep track of the EBICS communication with your financial institution.
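An added example (not from this page and not the code of any EBICS client) of an evaluation routine that handles both the EBICS 2.5 end flags ORDER_HAC_FINAL_POS/NEG and the EBICS 3.0 ORDER_HAC_FINAL combined with the reason code. The XML layout is a constructed stand-in for the real HAC document, and the intermediate action FILE_UPLOAD and code XX01 are placeholders; DS04 and DS05 are the codes named above.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Simplified stand-in for the HAC customer protocol, constructed for this example: the real
# HAC document is an ISO 20022 based XML with a different layout. Only what the evaluation
# needs is modelled, the EBICS action of each entry and its reason code. The intermediate
# action and code XX01 are placeholders; DS04 and DS05 are the codes named on the page.
HAC_25_POS = """<hac>
  <entry><action>ORDER_HAC_FINAL_POS</action><reason>DS05</reason></entry>
</hac>"""
HAC_25_NEG = """<hac>
  <entry><action>ORDER_HAC_FINAL_NEG</action><reason>DS04</reason></entry>
</hac>"""
HAC_30_ACCEPTED = """<hac>
  <entry><action>FILE_UPLOAD</action><reason>XX01</reason></entry>
  <entry><action>ORDER_HAC_FINAL</action><reason>DS05</reason></entry>
</hac>"""
HAC_30_REJECTED = """<hac>
  <entry><action>FILE_UPLOAD</action><reason>XX01</reason></entry>
  <entry><action>ORDER_HAC_FINAL</action><reason>DS04</reason></entry>
</hac>"""
HAC_30_OPEN = """<hac>
  <entry><action>FILE_UPLOAD</action><reason>XX01</reason></entry>
</hac>"""

SUCCESS_CODES = {"DS05"}   # order forwarded to the bank system
REJECT_CODES = {"DS04"}    # order rejected

def parse_entries(xml_text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (action, reason code) per entry, in protocol order."""
    root = ET.fromstring(xml_text)  # bank-provided input; ElementTree suffices for the example
    return [(e.findtext("action", ""), e.findtext("reason")) for e in root.iter("entry")]

def evaluate_hac(xml_text: str) -> str:
    """Evaluate one order's HAC entries for both the EBICS 2.5 and the EBICS 3.0 end flag.
    Returns 'accepted', 'rejected', 'pending' or 'unknown:<code>'. An unrecognised final
    code is never treated as success, so such orders can be routed to manual follow-up."""
    entries = parse_entries(xml_text)
    finals = [(a, r) for a, r in entries if a.startswith("ORDER_HAC_FINAL")]
    if not finals:
        return "pending"                   # no end flag yet: keep polling HAC
    action, reason = finals[-1]
    if action == "ORDER_HAC_FINAL_POS":    # EBICS 2.5 style end flags carry the result
        return "accepted"
    if action == "ORDER_HAC_FINAL_NEG":
        return "rejected"
    # EBICS 3.0: only ORDER_HAC_FINAL; the last reason code carries the result
    if reason in SUCCESS_CODES:
        return "accepted"
    if reason in REJECT_CODES:
        return "rejected"
    return f"unknown:{reason}"
```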



Author: Michael Lembcke