Blog series: How to enhance EBICS, Part 2 – delegating authorisations with EBICS and the Distributed Electronic Signature (VEU)

In this article, we shall continue the series we began in December on possible improvements to the EBICS standard. This post will focus mainly on the following issue: If one were to submit a payment transaction order today, the submitter wouldn't – at least with the standard features – have the option of managing additional authorisation procedures. In some cases, you only know who is eligible for the additional authorisation when you make the submission, so that it might be beneficial to delegate the authorisation on a case-by-case basis.

In the currently specified EBICS configuration, various authorisation models on the banking server end can be utilised for the submission and authorisation of order files by corporate clients. In practice, these models are always based on the signature categories E, A, B and T, the number of required signatures and the personal authorisations for a physical file. Moreover, credit institutions and software developers have extended the authorisation models so that they are appropriate for various usage scenarios. Such extensions include:

• Authorisations relating to an individual and an order, in conjunction with signature category, order type (i.e. specific administrative operations) and accounts.
• Various limit concepts, indexed by amounts, number of transactions, time frames, persons applicable, accounts and/or customers, as well as signature categories.
• Group concepts in conjunction with signature categories, such as approving authorisation rights for persons in exclusively different or exclusively the same groups.
• Proprietary signature categories which take their own evaluations for an authorisation into account.
• Procedures for service data centres (SRZ procedures), in which submission and authorisation processes run separately on the customer end.

All these models should be considered relatively static. This means, when an EBICS customer submits an order, he has very few possibilities to influence how the bank processes the business transaction. The master data established by the bank will always be the basis for approval, format verification and authorisation. Where a clear derivation of approvals in the EBICS environment on the bank's end is possible, this is generally reasonable and desirable. However, submission orders which require different processes depending on the circumstances cannot be processed in any other way in EBICS. For equivalent SEPA submissions with the order type CCT relating to a specific account, all persons approved for this account and this order type in the bank server for VEU would always be approved for authorisation.

Would it not be useful if a customer could, when submitting via EBICS, nominate specific persons to whom authorisation rights can be delegated? Of course, these individuals must have the correct basic authorisations on the bank's end. The upshot would be that individuals who are not nominated with the otherwise equivalent basic authorisations would not receive the order ready for VEU and therefore wouldn't be able to see it. This model can, for example, apply to cases in which a) arbitrary payments, salaries or honorarium-esque payments are processed from a certain account, and b) the payments are not given special transaction IDs. These IDs, however, remain dependent on format and country. With the right extensions to the EBICS standard, a solution independent of format may be viable.

Michael Lembcke