Signatures will be strengthened for banking customers – Newspaper Kommersant No. 12 (7457) of 01/24/2023

Legislators are preparing amendments, according to which citizens will be able to give electronic permission to the processing of personal data to banks and insurers only with the help of an enhanced electronic signature. At the same time, in the course of the corresponding experiment, for three years a simple electronic signature was used, which is available to more than one hundred million Russians. Changing this signature to an enhanced one, according to market participants, will reduce the conversion to 10-15%, which makes the use of a citizen’s digital profile uninteresting for commercial organizations.

As it became known to Kommersant, the National Council of the Financial Market (NSFR) sent a letter to the Duma with a proposal to finalize the draft law on amending the law “On Information, Information Technologies and Information Protection”, which is being prepared for adoption in the first reading, taking into account the proposals of financiers. The document, in particular, establishes the procedure for obtaining permission from citizens to access and process personal data in electronic form. The project is expected to be considered in March.

Today, everyone who uses the Gosuslug portal uses a simple electronic signature (SES) of the Unified Identification and Authentication System (ESIA), Andrey Yemelin, head of the NSFR, explained to Kommersant. It, according to Mr. Emelin, can be obtained only after a personal visit to the certification center or an authorized bank. “The PEP bill does not include the ESIA as an authentication method for granting an individual to a commercial organization permission to process their personal data – there this procedure is allowed only with an enhanced unqualified or qualified electronic signature (UNEP or UKEP),” he says.

UNEP, according to Andrey Emelin, is not more protected, but much less common than PEP. You can get it in the “Goskey” application, using the same data (login and password) as the PEP ESIA. “If the password from the Gosuslug portal is compromised, then the owners of both ES options will be in the same position,” he explains. The main problem with UNEP, as Andrey Emelin noted, is that “there are not so many customers who have downloaded the Goskeych application and their number will grow gradually, while more than 100 million people already have PEP ESIA” . The adoption of the law in its current form will immediately cut off the vast majority of citizens who will not be able to give permission for the processing of their personal data in electronic form, the head of the NSFR concludes.

As part of the experiment to create a “Digital Citizen Profile”, banks and insurers, which are its main participants, receive data for free. The draft also says that the government can establish a list of information that can be provided on a reimbursable basis. If this list contains data that the bank must legally request from the client, then the credit institution will rather invite the client to visit the office in person than pay.

According to a Kommersant source in the banking market, the experiment to create a digital profile of a citizen has been going on for the third year and during it no security problems were noticed, despite the use of only the ESIA PEP. As Sergei Saiganov, head of Technology & Product Comply practice, explained, “the key difference between the two systems is that only a confirmed entry on the State Services is enough to use the ESIA PEP, while in the State Key, the issuance and use of ES takes place in a separate mobile application on based on the IDPoint technology – while the identity confirmation for issuing a signature is also mainly carried out through the ESIA (for UNEP).

At the same time, experts believe that the PEP ESIA will be enough to sign a permit for the processing of personal data. According to the director of the technical department of RTM Group Fedor Muzalevsky, the PEP ESIA is actually issued at the MFC. According to him, it is also possible to allow the ESIA PEP to access personal data, at least in order to popularize this type of signature. “It is only theoretically weaker, practical attack vectors for this type of simple signature have not yet been implemented,” he is sure. According to the data provided in the NSFR letter, if, according to the law, only UNEP and UKEP can sign a consent to the processing of personal data, this, “according to the estimates of financial organizations, will reduce the conversion to the level of 10-15%, which will make it inexpedient to further introduce a citizen’s digital profile in client scenarios from commercial organizations”.

Maxim Buylov