Ernst & Young Excerpt
CrossCurrents Magazine
Summer 2001 Issue


E-Business Bytes
PKI: The Path to Secure Electronic Transactions for Financial Institutions

By Matthew Mancuso, National Director of Security Implementation Services, Ernst & Young LLP

For years, financial institutions have facilitated business-to-business transactions by identifying trading partners, offering signature guarantees, and acting as payment intermediaries. Now, as the pace of Internet activity accelerates, institutions need to address the security barriers to full-blown e-commerce so that they can safely do business with millions of potential global trading partners and position themselves to offer a wide range of services outside the traditional payment and settlement arena. By establishing and validating the electronic credentials that prove the identity of trading partners, institutions can protect their role as trusted third parties to their customers and create new business opportunities and services.

Ensuring Security. Many financial institutions are studying the possible implementation of a public key infrastructure (PKI) system that will allow them to exchange electronic information securely with unknown parties. PKI is the delivery channel for public key cryptography, a method that allows the parties to a transaction to keep a communication private through the use of a two-part key made up of public and private components. To encrypt messages, the published public keys of the recipients are used. To decrypt the messages, the recipients use their unpublished private keys, known only to them.

Under the PKI system, the parties to a transaction rely on digital certificates issued by a certificate authority (CA), which can make this validating information quickly available. This digital certificate, in conjunction with a digital signature containing the public and private keys, authenticates the message sender and guarantees the integrity of the message. Digital signatures offer financial institutions significant revenue opportunities by allowing them to continue their time-honored role of serving as a trusted intermediary in financial transactions. They also enable institutions to decrease costs by reducing the need for a paper trail and through the increased speed made possible by electronic transactions.

The Identrus Model. The PKI model in the financial services industry is Identrus (Identity Trust), through which member banks establish themselves as certificate authorities offering digital signature services to their customers. Identrus was launched in 1999 by a consortium of the world's largest banks, including ABN AMRO, Bank of America, Barclays Bank, Chase Manhattan, Citibank, Deutsche Bank, and Sanwa Bank. Identrus and its member banks are establishing a global trust infrastructure using public key technology to facilitate the electronic exchange of transactions and information between trading partners. This Identrus infrastructure can be seen as the foundation that will enable the global banking community to establish the next generation of electronic payments processes securely through the Internet.

The Identrus network, potentially encompassing as many as 300 financial institutions, operates as a certificate authority that enables participating institutions to issue digital certificates to their corporate customers and employees based on a uniform set of rules and business practices. The structure of the network is based on Identrus serving as the root certificate authority at the pinnacle of the digital certificate hierarchy, with financial institutions and other service providers functioning as lower-level participants.
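The certificate hierarchy and signature check described in the two paragraphs above, as an added example using only Go's standard library (this is not code from the article, from Ernst & Young or from Identrus): a self-signed root plays the role the article assigns to Identrus, a member bank is a subordinate CA, and a corporate customer signs a payment instruction. The relying bank accepts the instruction only if the signer's certificate chains to the trusted root through the issuing bank and the signature verifies over the exact message; Ed25519 keys, the common names, serial numbers and the payment text are constructed placeholders, not Identrus specifications.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue generates a key pair and certifies it under parent (self-signed root when
// parent is nil); isCA marks the root and bank certificates that may sign others.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // the root vouches for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Accept is the relying bank's check: the signer's certificate must chain to the
// trusted root through its issuing bank, and the signature must verify over msg.
func Accept(root, bank, signer *x509.Certificate, msg, sig []byte) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(bank)
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && ed25519.Verify(signer.PublicKey.(ed25519.PublicKey), msg, sig)
}
// Demo: constructed root -> member bank -> customer hierarchy plus an untrusted CA; expect true, false, false.
func Demo() (genuine, tampered, rogue bool) {
	root, rootKey := issue("Root CA (constructed)", 1, true, nil, nil)
	bank, bankKey := issue("Member Bank CA (constructed)", 2, true, root, rootKey)
	cust, custKey := issue("Corporate Customer (constructed)", 3, false, bank, bankKey)
	rogueCA, rogueKey := issue("Untrusted CA (constructed)", 4, true, nil, nil)
	impostor, impKey := issue("Impostor (constructed)", 5, false, rogueCA, rogueKey)
	msg := []byte("PAY 1000000 USD to ACME Corp ref 2001-0042") // constructed instruction
	sig := ed25519.Sign(custKey, msg)                           // customer signs with its private key
	genuine = Accept(root, bank, cust, msg, sig)
	tampered = Accept(root, bank, cust, []byte("PAY 9000000 USD to ACME Corp ref 2001-0042"), sig)
	rogue = Accept(root, bank, impostor, msg, ed25519.Sign(impKey, msg))
	return
}
func main() { g, t, r := Demo(); println(g, t, r) }
```

The tampered case fails on the signature alone; the impostor case fails on the chain even though its signature is valid for its own certificate, which is why a relying party must perform both checks.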

Once a bank has joined the Identrus network, the system facilitates multiple banking applications within a PKI infrastructure built on business rules, risk management, identity assurance, and trust principles. Potential banking applications include online auction markets, electronic content delivery and data interchange, insurance sales, securities trading, government filings and procurement, B2B payments, financial statement delivery, letters of credit, and other functions.

Enrolling in the Network. Enrolling in the Identrus network is a demanding, time-consuming undertaking for financial institutions because it affects multiple areas of the organization: processes, controls, taxation, legal, governance, audit, and operations. As a result, some institutions engage experienced third parties to help with implementation. The business rules and policies that must be put in place include procedures for developing certificate policy and practice statements, managing public and private keys, renewing or revoking a certificate, providing for backup and disaster recovery, and establishing liability constraints.

Lack of trust is a barrier to trade on the Internet, especially for large dollar amounts and electronic payment. The Identrus model seeks to remove this barrier by providing banks with a global trust infrastructure on which they can deploy e-commerce services, including facilitating secure B2B transactions between corporate buyers and sellers. By greatly reducing the risks of transacting business electronically, this model can help institutions step confidently into the digital era.

Matthew Mancuso, National Director of Security Implementation Services.

Copyright © 2002 Ernst & Young LLP