Digitalisation in action – key exchange via INI letter procedure

Since the introduction of cryptographic keys in online banking, both for private and corporate customers, the process of exchanging the public keys of bank and user has always been a lengthy and complicated process. Admittedly, for the users it is particularly burdensome – and for the rest of humanity it is a riddle wrapped up in an enigma:

The INI letter procedure that has become established for key exchanges. In use for over 15 years, it is a reoccurring hindrance to the use of EBICS. Generating keys, sending them, then printing the INI letter on paper, signing it and handing it over to the financial institution is complicated and tedious for many. Processing at the financial institution itself, where an employee receives the INI letter, then calls up the corresponding customer contact in the EBICS system and compares the values of the electronic transfer with the values on the INI letter or even has to type them out digit by digit, is also time-consuming. Of course, the signature provided on the account sheet or contract must also be verified. It doesn't sound at all like the digitalisation that is supposed to accompany our business processes today.       

Simplifying the release of EBICS keys
Everything would be much easier if financial institutions were to detach the above process from their own employees, digitalise it completely and thus delegate it to the users themselves. The first step to be implemented is the unambiguous recognition of the respective user by exchanging a mutually agreed secret (e.g. TAN) or – if already available – an activated online session that ensures that the user is actually the right person. As a rule, this already applies to every registered online banking session. If we assume that after a successful key submission, the bank system can reach the active user online, e.g. via smartphone by SMS or app or via an online banking session, then it would surely also be possible for this user to personally confirm the correctness of the key transfer and thus release the EBICS keys within a very short time.

Only the user!
The user may do this because the bank system has determined the identity of that user for release – for example, through the correctness of the requested TAN. The user then only compares the values of the INI letter and the display in the bank system and confirms their correctness. And maybe has to enter them again. In other words, exactly what the employee at the financial institution does. Of course, the bank system logs this release by the user in order to have proof later that the user has checked the process.

Digitalisation in action
Users of the EBICS protocol can use their new access within a few minutes. Time-consuming printouts and transfers to the respective financial institution will no longer be necessary. Days of waiting time are reduced to minutes. The financial institution saves itself lengthy and expensive manual in-house processes of key release. Transferred documents – the INI letter – no longer need to be archived. The digital logging of the new procedure is sufficient and no longer requires manual creation/digitalisation of the INI letter. Customer satisfaction and acceptance of the EBICS procedure are strengthened, financial institutions save costs for employees and manual post-processing. Digitalisation in action, an undeniable win-win situation!

Author: Michael Schunk


Post a Comment