An Integrated Payments Strategy Through 3SKey

Published: June 01, 2013

Andrew Owens
SVP of Payments & Managed Bank Connectivity, SunGard's Avantgard

by Andrew Owens, Managing Director, Global Payments, SunGard

Ensuring the integrity and security of payments is a major priority for every company, with considerable progress made in recent years. Building a secure, robust and automated payments process involves a series of elements, of which one of the most recent, and important, is 3SKey for personal digital signatures on payments and other transactions. This article looks at how 3SKey is used by corporations, the benefits, and its role as part of a wider payment security strategy.

Elements of an efficient payments environment

Centralisation of payments processing through a payments factory or shared service centre (SSC) is often an important first step, as it allows companies to implement consistent payment and approval processes, make the best use of specialist resources and leverage a single technology environment.

The second major step for companies is to rationalise their bank communications technology in order to limit the number of proprietary electronic banking systems that are in place, minimise the interfaces that need to be maintained and standardise security mechanisms. In many cases, particularly (but by no means exclusively) amongst larger multinational corporations, treasurers and finance managers are replacing their proprietary banking systems with SWIFT, a bank-neutral, robust and secure communications platform that allows companies to connect with multiple banking partners through a single channel.

A final step in companies’ payment security strategy is to secure individual payments and payment batches, to ensure that each has been approved by one or more authorised individual(s) in accordance with their security rights. A highly effective way to achieve this is using 3SKey, SWIFT’s personal digital signatory capability. This can be used to replace individual bank tokens with a single token that can be used to digitally sign payments through SWIFT or through banks’ proprietary systems.

Securing payment transmission

When sending messages and files over SWIFT there are several means of ensuring that transactions are not tampered with or intercepted en route. In addition to the inherent security and resilience offered by the SWIFT network, payment files sent from a corporate to its bank through SWIFT’s file-based communication protocol FileAct can be encrypted and ‘signed’ to validate that the file has originated from the company itself. This ensures that the integrity of the file contents is protected and that the receiving bank can be sure of the sender’s identity at an organisation level.

Some organisations seek to extend this already robust security mechanism one step further by validating not just the originating organisation but also the identity of the individual who approved the release of the payment file or message. In countries such as France, this is considered an essential requirement, as the legacy payment protocol ETEBAC 5, which was used by most companies before being retired in 2012, included a personal digital signature capability. Leading beauty company Yves Rocher is one of the many companies that have incorporated personal digital signatures as part of their payment security strategy. Laurent Delauriere, Director of Treasury, Yves Rocher, explains,

“We have connected to our banks through SWIFT since 2005 very successfully, but the lack of personal digital signatures was a problem as we had been accustomed to this additional level of payment security through ETEBAC 5. We therefore implemented a hybrid solution using SG Trust cards, but there were variations in the level of bank acceptance and signatory validation.”

3SKey was designed to address this business requirement, not only for companies in France but globally, by providing a single solution that would be accepted across the banking community. Authorised signatories sign a payment message or payment file using the digital signature on the 3SKey token. The receiving bank can then validate the organisation from which a payment originated, the identity of the user that released the payment, and the authority level of the user. For example, companies may determine that individual users are eligible to approve messages or files of a certain value, or for specific entities or currencies.

3SKey in context

3SKey is a valuable addition to finance managers’ payment security toolkit. As a first step, companies need to deploy specialist payment factory or SSC software that allows user rights for approving payments to be defined and validated at every stage of the payment process, including but not limited to the point of release to the bank. For example, in a centralised environment, it is likely that business users will need to confirm that payments are correctly due for goods or services provided, as opposed to SSC staff alone approving payments on file transmission. Consequently, appropriate payment security and approval mechanisms need to be built into payment processes from end to end. In addition, signatory information held by the bank, and the mechanisms it uses to check digital signatures and security rights, need to be consistent with the company’s own records and systems.

The advantage of a bank-neutral signatory token is that it facilitates a consistent approach to payment security across the entire payment process, both within and beyond the organisation. Companies can deploy 3SKey in different ways according to their specific needs:

i) Sign payment messages and files for external transmission to the banks;

ii) In-house user authentication;

iii) Internal signature processes on payment approval;

iv) As the single token solution for all internal and external signature processes.

We support all of the above scenarios through our payment factory solution AvantGard Trax. Typically, we find that the first step for companies using 3SKey is to digitally sign external payment files. In this scenario, only signatories need to use the tokens. Having gained confidence in 3SKey, some corporations will then consider extending the use of the 3SKey token to meet their internal authentication or signing needs. Some will only use 3SKey for internal approvals but this is less common. Laurent Delauriere, Yves Rocher, continues,

“We use an ERP and TMS which we connect to AvantGard Trax as our payments processing and communications platform. We hold all data and reference information relating to payments in Trax, and we have set up rules to determine the levels of authority that are required. We now have 78 users and 40 3SKey signatories across multiple locations. Authorised signatories perform single or dual-level payment approvals in Trax using the 3SKey token. The payments are then released to the relevant bank, which validates the signatories and authority limits.”

The value of 3SKey is not limited to payments. It can also be used to support companies’ use of electronic bank account management (eBAM). For example, our AvantGard eBAM solution enables finance executives to send instructions to the bank, such as opening or closing accounts or adding new signatories via ISO 20022 messages, and sign the message and associated documentation with their 3SKey token.

3SKey adoption

There are now a number of corporate treasuries, payments factories and SSCs using 3SKey as part of their payment and bank account management security strategy, particularly French companies that previously used ETEBAC 5. Similarly, French banks were the first to promote 3SKey to both their domestic and multinational customers although its potential as part of a best practice security framework is becoming increasingly recognised. Although adoption is increasing gradually on a global scale, in addition to strong take-up in France, there are a number of reasons why companies in France that are more accustomed to personal digital signatures have been quicker to adopt 3SKey than others. For example, it may take time for those that have not used a personal digital signature in the past to recognise the value of an additional step beyond their existing security mechanisms. The need for greater familiarity with the 3SKey solution and its benefits may also apply to some banks: if they have not used digital personal signatures extensively with their customers in the past, the value of 3SKey may initially be more difficult to ascertain. There are a variety of initiatives under way, however, to make 3SKey easier for banks to adopt, and therefore to roll out to their corporate customers. For example, while banks are responsible for managing 3SKey token issuance at present, SWIFT is exploring a direct distribution model to ease this process for banks and corporates alike.

It remains corporates’ own responsibility to ensure that the payments process is closely controlled and fully audited with appropriate levels of user security. At the same time, process automation, efficiency and user convenience remain important objectives. 3SKey can play an essential role in achieving these potentially competing objectives, supplementing a robust payments solution that supports end-to-end process automation, user-defined controls and secure integration with the company’s chosen bank communication channel(s). Perception of cost or a preference for mobile signing capabilities may also have delayed adoption a little outside France, but mobile capabilities for signing and authentication are part of the SWIFT road map, and there is an active focus on removing any other perceived barriers to adoption.

Future adoption

Looking ahead, we expect to see the use of 3SKey expanding as bank readiness increases, costs reduce and corporate awareness develops further. The extension of 3SKey to include mobile capabilities will also increase its flexibility and further boost adoption. At SunGard, we will also soon be offering a mobile approval application to provide even greater convenience to our customers whilst maintaining the highest levels of control. And we will be keen to support 3SKey within our mobile application as soon as it becomes available from SWIFT. 3SKey has the potential to become an essential tool for companies seeking to implement best practices in their payment and bank account management processes as part of a robust, automated and transparent end-to-end solution.

Article Last Updated: May 07, 2024
