At the start of 2008 it was finally time: From this point onwards,
every corporate client in Germany could be sure of being able to reach
all banks and savings banks via the Internet by means of a standardised,
secure electronic banking procedure in order to send bank transfers,
direct debits and other orders and obtain account information. Multibank
capability, very important for corporate clients, was guaranteed by the
DFÜ agreement of the German banking industry (DK), which, starting from
1 January 2008, obligated all financial institutions in Germany to
support a new, standardised procedure known as EBICS (Electronic Banking Internet Communication Standard) for their data exchange with corporate clients.

Even though it was already clear at that time that EBICS was going to be
successful, there was no predicting the scale of the EBICS success
story. EBICS is now a European standard for secure data exchange, not
only in electronic banking with corporate clients but also in interbank
payments, and it is additionally in line to become the standard for
current developments such as instant payments. But more on this later.
The pre-history: the road to EBICS
EBICS, to be precise, is more than 10 years old, as it came into being on
18 July 2003. This was the day on which SIZ GmbH presented an
Internet-based electronic banking procedure at a special meeting of the
ZKA (Central Credit Committee = old name of the DK) with the aim of
promoting this procedure, or at least the design basis of this
procedure, as the basis of a new, multibank-capable Internet standard
for the entire German banking industry. Since 1995, the DFÜ agreement of
the ZKA guaranteed a multibank-capable procedure, BCS-FTAM, for the
corporate client business. However, this file transfer procedure was
based on the OSI standard FTAM for X.25 and ISDN connections, and in the
Internet age it was no longer state-of-the-art. Despite a number of
attempts since then, it was not possible to establish a common IP-based
standard. There were manufacturer-specific (e.g. MultiWeb, MCFT) and
association-based solution approaches (BCS-FTP), but they lacked the
decisive element: multibank capability. On 18 July 2003, the time seemed
ripe for a new standard. A DK working group formed spontaneously at the
special meeting, and its mission was to develop a common, IP-based,
multibank-capable communication and security standard. EBICS was created
based on the design of WOP. The draft concept created by the working
group was the basis for the EBICS specification, version 1.0 of which was
already presented in the middle of 2005.
EBICS was not a revolution, being based from the start on an evolutionary concept. The
elements of BCS-FTAM that had proven themselves for more than 10 years
were kept, and only those elements that were no longer state-of-the-art
were redesigned. Therefore, the concept of order types, and thus
application-neutrality, was kept on board along with the authorisation
of payment data via electronic signatures (ES). What was new about EBICS
in particular was the replacement of the X.25- and ISDN-based
communication of BCS-FTAM with a state-of-the-art XML communication
protocol based on Internet standards. Additionally, the ES was extended
to the distributed electronic signature (EDS), which enables corporate
clients to authorise orders which, for example, are transferred
automatically from the accounting department to the bank, at any time
and from any location, and to also use mobile terminal devices.
SIZ GmbH initiated the development of EBICS in 2003, and has been
accompanying it continuously ever since. In 2005 SIZ became the control
centre of the German banking industry for EBICS (Appendix 1 of the DFÜ
agreement) and for the data formats in electronic banking and payments
(Appendix 3 of the DFÜ agreement).
In 2006, the savings bank financial group became the first institution group in Germany to support
EBICS comprehensively. Then, in 2007, the associated and public
institutions followed, along with the big banks and other private banks.
EBICS: the secure tunnel in insecure networks
The basis for the development of EBICS was above all a detailed security
concept. Because data in electronic banking and payments requires
special protection, the potential threats were used to derive security
requirements and security measures for EBICS that use various
cryptographic measures to guarantee the confidentiality, integrity and
authenticity of the data in potentially insecure networks (e.g. the
Internet). The confidentiality and integrity of the data was ensured by
means of an EBICS-specific encryption procedure which, in addition to
the TLS encryption on the transport level, also offers end-to-end
encryption of the sensitive data in electronic banking. The authenticity
of the communication is provided by the authentication signature of
every data package. The authorisation of payments is ultimately given
via electronic signatures, whereby depending on the contractual
agreement between customer and bank, different authorisation models can
be used (single and multiple signatures, ES classes, limits etc.). The
security concept has been checked regularly ever since, with EBICS being
further developed if required in order to adapt the procedure to new or
altered threat situations and/or technical standards. Over the years,
EBICS has proven to be an extremely secure standard: To date, no
successful attacks on EBICS have been confirmed.
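A policy check of the kind the paragraph describes, added here as an illustration (it is not EBICS code and does not come from SIZ or the EBICS specification): given which users' electronic signatures verified on an order, it decides whether the contractual authorisation model (single or joint signatures, signature classes, per-signer limits) is satisfied. The class letters E, A, B and T, their rules and the sample contract data are a simplified model assumed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional, Tuple

# Assumed, simplified signature-class model (illustration only; the real rules
# come from the customer's contract with the bank):
#   "E"     single signature, authorises an order on its own
#   "A"/"B" joint signatures, two distinct users needed and at least one "A"
#   "T"     transport signature, carries no authorisation weight
AUTHORISING = {"E", "A", "B"}


@dataclass(frozen=True)
class Signer:
    user_id: str
    es_class: str
    limit: Optional[Decimal] = None  # per-order amount limit; None = unlimited


@dataclass(frozen=True)
class Order:
    order_id: str
    amount: Decimal
    signatures: Tuple[str, ...]  # user IDs whose electronic signature verified


def authorised(order: Order, users: Dict[str, Signer]) -> bool:
    """True when the collected signatures satisfy the authorisation model."""
    counted: Dict[str, str] = {}  # user_id -> class; a user signing twice counts once
    for uid in order.signatures:
        signer = users.get(uid)
        if signer is None or signer.es_class not in AUTHORISING:
            continue  # unknown user or transport-only signature: no weight
        if signer.limit is not None and order.amount > signer.limit:
            continue  # signer may not authorise an order of this amount
        counted[uid] = signer.es_class
    classes = list(counted.values())
    return "E" in classes or (len(classes) >= 2 and "A" in classes)


USERS = {  # constructed sample contract data
    "alice": Signer("alice", "A", Decimal("10000")),
    "bob": Signer("bob", "B"),
    "carol": Signer("carol", "E", Decimal("500")),
    "dave": Signer("dave", "T"),
}
```

The check treats a signature that verified but exceeds the signer's limit exactly like a missing signature, so an over-limit order is held for a further signature rather than rejected outright.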
The ground-breaking features of EBICS for the secure transfer of sensitive data:
2008: introduction in Germany
On 1 January 2008 the time had come: With the DFÜ agreement of the German banking
industry, all banks and savings banks in Germany committed to supporting
EBICS on the bank side from this date onwards. EBICS was accepted by
the corporate clients faster than expected: in the first year already, a
majority of corporate clients switched from BCS-FTAM to EBICS. Clearly
the advantages of the new procedure were just too big. The runaway
success of EBICS was mainly due to the fact that the transmission speed
of the IP-based EBICS was many times faster than that of FTAM, that the
use of Internet standards greatly simplified the incorporation into
company and banking networks, and that EBICS offered new features such
as the distributed electronic signature. It was decisive, however, that
the DFÜ agreement of the DK guaranteed the multibank capability that was
crucial for corporate clients from the very beginning. The switch was
made easier by the fact that migration scenarios were already
implemented in the procedure which made it possible to convert the keys
for the electronic signature from BCS-FTAM to EBICS practically at the
touch of a button.
EBICS develops into an interbank procedure
Word travelled quickly that EBICS is a very secure procedure especially
designed for safe, fast transmission of large data volumes. So it was no
surprise that EBICS also became the communication standard in interbank
payments. The trailblazer here was the German Central Bank, which
introduced EBICS in 2008 as the communication procedure for the SEPA
Clearer within the scope of the RPS (Retail Payment System). At this
point it is impossible to imagine a secure exchange between banks and
clearing houses without EBICS. Along with the Central Bank, the EBA
clearing in the STEP2 payment system also uses EBICS, and EBICS has also
been established in bilateral clearing between banks, so-called "garage
clearing", for many years now.
EBICS was also very quickly introduced for the delivery of data by service data centres. In 2009 the
corresponding DK guideline relating to the support of EBICS was issued.
EBICS becomes the international standard
By the end of 2006 the French banking industry (CFONB) became aware of
EBICS when looking for a new, secure, IP-based communication procedure.
Similarly to Germany, France was faced with the situation of replacing
an old standard (ETEBAC) with a future-oriented procedure. After
intensive evaluation of various alternatives, EBICS emerged as the
suitable procedure, and in 2008 a co-operation between the French and
German banking industries was initiated. In summer 2010, EBICS SCRL, the
European EBICS association based on Belgian law, was founded in
Brussels. EBICS has now been introduced just as widely and successfully
in France as in Germany. With the foundation of the EBICS association,
the SIZ became the official technical office of the association
(European EBICS control centre) and has since coordinated the EBICS
working group, i.e. the committee responsible for the further
development of EBICS.
However, with the introduction of EBICS in
France, different “dialects” became established in the two countries.
For practical reasons, it was accepted that due to the different
requirements in the two countries, there would also be different
versions of the EBICS standard. This related in particular to the
representation of business transactions, for which the three-character
order type ID is used in Germany, whereas in France they are identified
by means of format parameters. There were also other differences, e.g.
in France the cryptographic keys used are based on the X.509 standard,
while Germany continues to employ a proprietary format that comes from
BCS-FTAM. And while both countries were basically “speaking” EBICS, the
inter-country compatibility faced some problems because of the different
“accents” being used.
This shortcoming became really apparent in
2015 when Switzerland became the third country to join the EBICS
association. Switzerland was presented with the dilemma of choosing
between the “dialects” or even adding a third, Swiss “accent”.
It was obvious that different EBICS dialects were not conducive to the
desired proliferation of the standard in Europe. The only solution was
to harmonise EBICS, and this need was finally addressed in the new EBICS
3.0. In particular, the introduction of BTFs (Business Transaction and Formats)
enabled a future-oriented, flexible and above all standardised
identification of business transactions for EBICS. It was also possible
to achieve further important harmonisations in the EBICS standard, thus
making EBICS a uniform international standard. With electronic payments
it is especially important for partners to be able to reach, understand
and trust each other. The understanding is achieved mainly by the common
SEPA data formats and the standardised EBICS identification via BTFs,
the accessibility and trust is given with EBICS as a common
communication and security standard. EBICS 3.0 has been released and can
be introduced in autumn 2018. In Germany, EBICS 3.0 will be mandatory
for all institutions of the German banking industry from 2021, as per
the DFÜ agreement of the DK.
10 years of EBICS: review and outlook
It’s time to look back on 10 years of EBICS in Germany. What began as an
attempt to contain different, incompatible developments in electronic
banking in Germany, and ensure the multibank capability for corporate
clients in the Internet age, has developed into a success story that has
long traversed the nation’s borders. EBICS is known worldwide as an
open standard for the secure exchange of files, and is also used in
countries that are not (yet) members of the EBICS association. EBICS is
now not only a customer-bank procedure but an established standard in
interbank payments, and it is also expected to play an important role in
both the submission and clearing of instant payments.
But what are the reasons for this long-running success? It seems to me that the
following points in particular have been decisive:
- The application-neutrality of EBICS
EBICS is application-neutral and can transfer the widest range of data types,
because neither formats nor bank-technical specifications were
incorporated into the design of the transfer protocol. This is why EBICS
can be used so easily in different countries and different application
scenarios.
- The security features of EBICS
Because EBICS combines mutually independent cryptographic procedures for data
confidentiality, the authenticity of the partners and the communication,
and for the authorisation of orders, it offers a secure tunnel in
insecure networks.
- The multibank capability
Both in Germany and in France, EBICS is a multibank-capable procedure. In
Germany, multibank capability is guaranteed by the DFÜ agreement of the
DK.
- The adaptability of EBICS
As an open standard, EBICS has an architecture that can be adapted to different
requirements, and it is continuously being developed further by the
EBICS association.
EBICS has a lot of history behind it,
even more than the 10 years since its mandatory introduction in Germany.
But the story is far from over: As an open, secure communication
standard, EBICS has a bright future ahead. With the experience of seeing
that the fundamental design decisions are still holding up today and
that the flexibility of the procedure enables EBICS to be adapted to new
requirements, we can be confident that EBICS will continue to be an
important element of electronic payments in Europe.
Dieter Schweisfurth
Head of Electronic Banking
SIZ GmbH