Signer Case Study - UBS
For a superior user experience, UBS clients can utilise the secure signing service through multiple channels, such as in UBS e-banking or mobile banking, without changing the existing authentication methods.

By partnering with leading security hardware and service providers, including SwissSign and nCipher, Cryptomathic delivered a turn-key solution allowing UBS to offer Qualified Electronic Signatures.

UBS – DRIVING DIGITIZATION

UBS is the largest retail bank in Switzerland and is also one of the world’s largest wealth managers. Its range of services includes wealth- and asset management as well as investment- and retail banking. With millions of clients, UBS has traditionally generated, managed and maintained vast amounts of physical documentation, all of which was signed by hand for legal and security purposes.

By leading the transformation of securely digitizing the entire customer journey, from opening an account and through its entire lifecycle, UBS has become one of the first banks in the world to roll out a Qualified Electronic Signature (QES) service to such a large number of users. The remote digital signing solution, Cryptomathic Signer, enables UBS to move more of its services online, pioneering a superior digital user experience while enhancing security and control of document management. As an added benefit, the financial and environmental costs of managing millions of paper documents are drastically reduced.

DEPLOYING QES

The ability to securely digitize operations as well as document management is a strategic goal for UBS in order to provide an improved customer experience that offers a competitive advantage to conduct business more efficiently through electronic means. A key enabler of the digitization strategy involves offering clients a legally binding remote electronic signature service that does not compromise security. Providing electronic signatures that are legally equivalent to handwritten signatures is a crucial step to achieve the objective of an entirely digital customer journey. Going paperless gives customers flexibility to conveniently conduct business without the need to call or visit the bank branch, while increasing security and efficiency.

Due to UBS’ international operations and clientele, the electronic signature service has to comply with international regulations that carry the strongest legal value in court, in case of litigation. QES is the only current standard of e-signatures that can offer such a strong level of probative value at an international level.

Andreas Kubli, Head Multichannel Management & Digitization, UBS Switzerland:

"Previously, our clients had to print, sign and send documents manually for compliance reasons. Now they can do it in a smart, easy and time-saving way. Thanks to the Cryptomathic Signer solution they can sign their contracts digitally in e-Banking – while meeting all legal and compliance requirements."

UBS REQUIREMENTS

In order to maximise the usability of a digital signature service, it was imperative that UBS’ existing portfolio of online services and systems could leverage the QES solution to deliver greater value to their customers. As such, the key requirements for the electronic signature service include:

Seamless signing workflow for end-users: The signature operation must be simple and straightforward for users, without disrupting the familiar user-flow. To ensure a strong service uptake, UBS required the solution to support a variety of channels and devices without changing the user experience or imposing downloads.

Sustainability: The reuse of existing authentication technology for user authentication and transaction signing was an important requirement to ensure the viability of the solution for cost and environmental considerations. In addition, the solution would have to serve new efficiency and sustainability requirements. Going paperless for a bank the size of UBS with millions of contracts signed on a monthly basis is naturally a big step in the right direction.

Performance and Scalability: The service is expected to support millions of customers, growing from an initial roll out in the Swiss domestic market. Being able to maintain a high level of availability with short latency was naturally also an important requirement.

Legal value: UBS business and legal stakeholders were ready to move online under the condition that the online signature process delivers the same probative value as the offline process. In Switzerland and in the EU, only a QES provides the principle of legal equivalence between handwritten signatures and electronic signatures. A signature pad or advanced electronic signature was not good enough to achieve the digital transformation objectives.

IMPLEMENTATION AND USER EXPERIENCE

Together with Cryptomathic, UBS implemented the solution to offer a unified signing experience for multiple channels, where the flexibility of the Signer architecture allowed for minimal changes to be made to the existing front- and back-end environments. If we look at the users’ journey from the time they knock at UBS’ virtual bank door, the following happens:

The first step is a prospect who wants to become a customer. The client on-boarding process is slightly adapted beyond the traditional Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements from the financial regulator FINMA, as well as the requirements from the federal office of communication (OFCOM / BAKOM) around QES. As part of this, it is essential to verify that the user is eligible to receive a qualified certificate that must be bound to the electronic signature, as per Swiss digital signature law. A Registration Authority (RA) assumes responsibility of activities consisting of verifying and collecting the user’s identity credentials before a qualified certificate can be issued. The RA function is delegated by the selected Certificate Service Provider, SwissSign, who bears the responsibility of liability of certificate issuance as ascertained in a certificate policy. The client on-boarding process is either done face-to-face or, more recently, remotely through video identification. This first step of identification and on-boarding is extended to include the QES terms, where all of the intricate PKI processes are done behind the scenes.

The second step is when a client advisor prepares a document or contract which requires a signature from the end-user. This step remains unchanged. The only addition is that the back-end now verifies whether or not the user is eligible to sign online.

The third step is the actual signature operation, which starts when the user decides to sign a transaction or document. With one click, the user can securely observe the document over a trusted viewer, featuring Cryptomathic What You See Is What You Sign (WYSIWYS) technology. On the user side, WYSIWYS is a zero footprint signature client running inside the browser to protect against online attacks and ensure non-repudiation. To securely authorise the signature operation, the user is requested to use their authentication token in a similar way as when logging into the system. Behind the scenes, a secure, sole control channel is established between the user’s browser and the Signer hardware security module (HSM), where the user’s signing key is protected using a Common Criteria certified HSM from nCipher Security. As soon as the document is signed, a visual signature mark is stamped onto the document so that both parties can easily see that the document was signed. The solution follows relevant ETSI standards to ensure interoperability with standard browsers.

UBS SOLUTION OVERVIEW

In order to offer the qualified electronic signature service, UBS and Cryptomathic designed the architecture as illustrated below.

Cryptomathic Signer

Signer is a remote signature solution and the main component of the QES infrastructure. Cryptomathic’s patented solution offers centralised digital signature services in a secure, convenient and cost effective fashion. The QES service is delivered through a unique signing experience where PKI becomes transparent to the end-user and integrated into the business workflow. Users no longer need to carry around smart cards and worry about interoperability or protecting their private keys; the signing keys are deposited in a central and encrypted database, protected by HSMs. Signatories seamlessly retain sole control over the signing process using strong authentication techniques. All of this is hosted in UBS’ secure data centre. The business units that integrate directly with Signer include UBS’ e-banking, corporate banking, mobile banking and wealth management services.

Cryptomathic WYSIWYS module

As part of the complete solution, the unique What-You-See-Is-What-You-Sign (WYSIWYS) technology ensures that users can only sign a document that is presented to them if the document is genuine and has not been tampered with. The Cryptomathic WYSIWYS module is a web application, which provisions the necessary zero footprint interfaces to the user’s browser or mobile app in order to deliver the WYSIWYS functionality over a trusted viewer and perform document signing using Cryptomathic Signer. The WYSIWYS module plays a key role in the signature creation by delegating the signature request to Cryptomathic Signer. The Cryptomathic WYSIWYS Server supports input data in PDF/A and outputs signed data with PAdES signature profiles. It handles PDF manipulation in order to create the PAdES signatures and renders images of the PDF documents that are displayed in the WYSIWYS Client.

Cryptomathic Signer RA

The Signer Registration Authority (Signer RA) is an integration component provided by Cryptomathic situated between UBS’ user management solution and Signer. It exposes a RESTful web services interface so that users can be generated and certificates established or revoked. The Signer RA handles all the necessary interaction with Signer as well as with the external CA services provided by SwissSign.

SwissSign CA Services

SwissSign, a leading certificate authority (CA) provider in Switzerland, partnered with Cryptomathic to deliver the complete QES solution. As part of the deployment, SwissSign’s MPKI services deliver the Qualified Certificates in accordance with Swiss signature law (ZertES) and EU regulations (eIDAS). Based on the user’s identity credentials that are collected and verified by UBS, SwissSign enables UBS to act as a Registration Authority (RA-Delegation) for its Qualified Certificates. In addition, SwissSign also provides OCSP services and certificate management such as certificate revocation and necessary dissemination and maintenance of the so-called certificate revocation list (CRL), as well as Time Stamping services to issue time stamps in accordance with the RFC 3161 standard.

SwissSign is also in charge of maintaining and enforcing policy for the issuance and the use of Qualified Certificates as specified in their SwissSign Platinum Certificate Policy / Certificate Practice Statement. These services had to undergo stringent audits performed by the Swiss Accreditation Body, KPMG AG, which is the entity designated by the Swiss regulator SAS (SECO).

nCipher nShield HSMs for key protection

nCipher Hardware Security Modules (HSMs), certified against Common Criteria EAL4+ standards, are used to provide the strongest level of protection for the private keys that are used by Signer to provide the remote signature services for UBS. Cryptomathic Signer also uniquely makes use of the HSMs for terminating the sole control channel in a tamper evident environment as demanded by eIDAS and supported by nCipher nShield Connect and Cryptomathic Signer.

Integration with the UBS environment

The flexible and extendable architecture of the Signer solution allows efficient integration with legacy services. For UBS there was a need to provide seamless integration with several e-banking services; the document management system; the authentication service and existing user management process. This also involved integrating with UBS’s Web Application Firewall which controls input, output, and/or access from, to various applications so that the user maintains a single browsing session while accessing multiple services.

CONCLUSION

At the time of writing, UBS has won the prestigious industry magazine Euromoney's "Best Bank in Switzerland" award for five consecutive years, and was recently voted "World's best Bank for Wealth Management". To maintain its leadership position on a global level, UBS aims to be a forerunner in digitization by offering a secure end-to-end digital customer journey with a QES service that ensures legally binding user consent and non-repudiation. By teaming up with Cryptomathic and choosing Signer, the market leading remote e-signature solution, UBS made a strategic investment.

With more than 2,000 document templates and over 2,5 million documents physically signed, scanned and processed in 2015, the potential for greater efficiency resulting from the electronic signature service is simply tremendous. The ability to provide all services online in real time, from any device, anywhere in the world is a great competitive advantage for UBS – resulting in superior customer experience, control and cost savings. Cryptomathic technology is a strong enabler in that regard.

UBS’ decision to offer a credible alternative to hand-written signatures, which have been entrenched in people’s behaviour for centuries, requires the engagement of a skilled partner, which beyond possessing skills in IT security and complex project management also needs to pay attention to legal and regulatory aspects as well as user experience. Cryptomathic, with its Signer solution and a highly competent and devoted team, successfully delivered this unique combination.

ABOUT CRYPTOMATHIC

Cryptomathic is a global provider of secure server solutions to businesses across a wide range of industry sectors, including banking, government, technology manufacturing, cloud and mobile. With over 30 years' experience, we provide systems for Authentication & Signing, EMV and Crypto & Key Management, through best-of-breed security solutions and services. We pride ourselves on strong technical expertise and unique market knowledge, with two-thirds of employees working in R&D, including an international team of security experts and a number of world renowned cryptographers. At the leading edge of security provision within its key markets, Cryptomathic closely supports its global customer base with many multinationals as longstanding clients.