On January 1, 2021, Act No. 49/2020 Coll. – commonly known as the BankID Act – will enter into force. This new legislation has the potential to bring a significant change to the way Czechs operate on the Internet and to promote further digitalization in both the public and private sectors.
But what exactly is going to be different after the act comes into force in 2021? What services will banks be able to provide and who will benefit from them? Before answering these questions, let’s have a quick look at the origins of the BankID Act.
The BankID Act is a result of an initiative of the Czech Banking Association that began in November 2018. The primary goal of the initiative was to allow banks to provide electronic identification services pursuant to the EU’s eIDAS regulation, and thus to provide (not only) Czech citizens with an easy and trustworthy way of ensuring their online identification.
In short, the idea was to give banks’ clients an opportunity to use the same methods of identity authentication they use when logging onto Internet banking websites to prove their identities to third parties as well. This process of identification is not only user-friendly (as customers are already familiar with their login methods (e.g. login and SMS OTP)), but also trustworthy, since banks are subject to strict regulations, including PSD2 requirements for strong (two-factor) customer authentication.
It may be added that the idea was not something entirely new. In some other countries, banks may already act as identity services providers. However, prior to the BankID Act, Czech law did not allow banks to provide this type of service commercially, as Act No. 21/1992 Coll., on Banks does not include electronic identification services in its stipulated list of business activities that banks may lawfully conduct. Therefore, the first main change introduced by the BankID Act is to allow banks to provide electronic identification services on a commercial basis.
The act goes on to lay down further rules as well. First, if a bank wants to issue electronic identification means pursuant to eIDAS (i.e. “BankIDs”). and provide electronic identification services, it needs to make such BankIDs accessible through the state-operated National Point for Identification and Authentication. As a result, clients will have the option of using their BankIDs to identify themselves to state and municipal bodies free of charge. Thus, clients will be able to prove their identity online and thereby, for example, submit tax declarations, make requests for various authorizations (e.g., building permits) or obtain extracts from public records (e.g., criminal records). There will be no need to visit any agencies or offices in person.
Second, BankIDs may be used by private sector entities such as utility providers and telecommunications services providers, especially for client identification during online onboarding. BankIDs may also be used for identification required by AML regulations. For example, a client of bank A may use its BankID to identify itself towards bank B when opening a new bank account. However, the selected BankID needs to comply with additional criteria laid down by the act to further enhance the trustworthiness of the whole “BankID environment.” Not only must it fulfil the requirements laid down by eIDAS (and associated regulations) for a substantial level of assurance, but it must have been issued only to clients who were previously identified by the bank face-to-face.
To sum up, starting January 1, 2020, banks will be able to provide their clients with a new high value-added service. Clients, for their part – potentially millions of people in Czechia – will gain access to a user-friendly, trustworthy, and cost-free means of online identification for communication with both the public and private sector. And because of this, both the public and private sector will have the opportunity to further digitalize their services and products.
By Josef Donat, Partner, and David Orsulik, Junior Lawyer, Rowan Legal