Tag: transactions

  • Electronic payments (and how they are secured)

    1. Preamble

    “… for law, in its true notion, is not so much the limitation as the direction of a free and intelligent agent to his proper interest… where there is no law, there is no freedom” wrote John Locke in 1690, an English philosopher of great influence and a theorist of the Social Contract (Second Treatise of Government, Ch. VI, sec. 57).

    There could, of course, be a long discussion about whether the law fulfills its purpose (or not) – especially in totalitarian regimes. But sometimes setting rules can prove very important for maintaining and extending freedom. In these cases it is, most of the time, widely accepted.

    One of these cases is that of the rules securing transactions and transacting parties as well as maintaining and extending the freedom of both.

    In this context, we need the existence (and application) of relevant rules, although we already have way too many rules as a country.

    The European Union leads the way. And it leads in the right direction.

     

    2. The new environment after Directive (EU) 2015/2366 (PSD 2)

    Since 14.9.2019, Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 has been applicable law. This Regulation supplements Directive (EU) 2015/2366 of the European Parliament and of the Council (also referred to as “Second Directive with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication”-PSD2). The European Commission very recently published, in a concise manner, the new facts that arise from the application of PSD2 concerning electronic payments in Europe. It should be noted that these new facts and rules cover electronic payments as a whole (among others, bank transfers and payments with credit or debit cards).

    More precisely:

    2.1. Regarding the Rights of the Consumers

    Electronic payments taking place throughout the EU, and also in Iceland, Norway and Liechtenstein, are becoming cheaper, easier and safer. It is now as easy and safe to make a payment across those countries as it would be if the payment were made within the consumer’s country. Additional charges by a merchant when the consumer pays for a product or a service using a card issued in the EU are no longer tolerated.

    Everyone legally staying in Europe has the right to have a bank account with which they can make electronic payments (“Payment Account”): an account connected to a debit card, covering cash withdrawals, holding of funds, making and receiving payments throughout Europe.

    2.2. Regarding the charges imposed on the consumer

    The Payment Account is provided free of charge or at a reasonable price. Cross-border payments in euro should cost the same as domestic ones. Cash withdrawals in euro outside of the beneficiary’s ATM network should also cost the same when made in the other EU member countries as in the country of the beneficiary.

    2.3. Regarding the safety of transactions

    Since 14.9.2019, electronic payments have become more secure thanks to the strong identification of users, since a combination of verification levels is required (e.g. not only a PIN, but also the beneficiary’s fingerprint). The consumer’s liability in case an unauthorized payment is made (e.g. if their credit card has been stolen) is limited to 50€ – except for cases of gross negligence. The account’s beneficiary is not responsible for any unauthorized payment made after they have informed the card’s issuing bank (e.g. in case of a stolen card), nor for payments conducted via the internet if the payment service provider or the bank has not implemented “strong customer authentication” (see section 4 below). In cases where the total amount of the bill is not known in advance (e.g. in car rentals, or when covering accommodation expenses such as a hotel stay and the services the hotel provides), the business owner cannot charge at will, but only up to an amount that the card’s owner has approved in advance. Where a business has been authorized for “direct debit” of a bank account (e.g. for paying electricity, mobile phone or gas bills), the beneficiary has eight weeks to question amounts that may have been wrongfully charged. Moreover, the specific amount must be refunded to them within only ten working days.

    2.4. Regarding the (reasonable) charges

    The consumer has the right to know exactly the charges, if any, imposed on their electronic payments. In general, merchants (whether in physical or electronic stores) do not have the right to impose a price greater than the one published (some kind of additional charge) when the payment is made by debit or credit card. Only in some cases (e.g. for specific cards) is an additional charge possible, and it should not be greater than the true expense the merchant incurs because the specific payment method was chosen.

    2.5. Regarding new technologies

    Thanks to the evolution of technology, it is possible to use new, innovative financial services offered by properly licensed banks and other electronic payment service providers – apart from the beneficiary’s bank. This means, for example, that a beneficiary can monitor their financial information and data or make electronic payments without a credit or debit card. But, just like the banks, these new payment service providers must be properly licensed, monitored and, of course, handle the consumers’ data securely. The EU rules ensure that electronic payments are conducted without problems. If any problem occurs, the consumer’s bank or other payment service provider must reply to the consumer’s complaint within fifteen (15) working days. If the beneficiary is not satisfied with the answer, they can file a complaint with the competent national authority.

     

    3. Data and the necessity to guarantee electronic transactions

    The competent authorities of the European Union have long been concerned with the security of transactions and the protection of the transacting parties. That is why Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 was issued and, as mentioned above, has applied for a few days now (since 14.9.2019 - article 38 § 2). As also mentioned above, this Regulation was issued to supplement Directive (EU) 2015/2366 of the European Parliament and of the Council (also referred to as “Second Directive with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication”-PSD2) with regard to the regulatory technical standards for strong client identity verification and common and secure open communication standards.

    Some of the data that were taken into account for the issuing of these legislative texts (Directive and Regulation) are very interesting. Specifically:

    Directive (EU) 2015/2366 considers it a necessity to have “secure electronic payments” (characterizing them as “…crucial in order to support the growth of the Union economy…”), to close regulatory gaps and to provide further legal clarity. The Directive also accepts what goes without saying, namely: “…Safe and secure payment services constitute a vital condition for a well-functioning payment services market. Users of payment services should therefore be adequately protected against such risks. Payment services are essential for the functioning of vital economic and social activities…”.

    Some very interesting assumptions, which mention the data on which the Regulation based its new provisions, can be found in Regulation (EU) 2018/389.

    For example: “Payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. The authentication procedure should include, in general, transaction monitoring mechanisms to detect attempts to use a payment service user’s personalised security credentials that were lost, stolen, or misappropriated and should also ensure that the payment service user is the legitimate user and therefore is giving consent for the transfer of funds and access to its account information through a normal use of the personalised security credentials. Furthermore, it is necessary to specify the requirements of the strong customer authentication…”.

    As technology progresses, the methods of committing fraud progress with it. That is why the Regulation also accepts that: “As fraud methods are constantly changing, the requirements of strong customer authentication should allow for innovation in the technical solutions addressing the emergence of new threats to the security of electronic payments. To ensure that the requirements to be laid down are effectively implemented on a continuous basis, it is also appropriate to require that the security measures for the application of strong customer authentication…”

    And also: “As electronic remote payment transactions are subject to a higher risk of fraud, it is necessary to introduce additional requirements for the strong customer authentication of such transactions, ensuring that the elements dynamically link the transaction to an amount and a payee specified by the payer when initiating the transaction”.

    And finally: “In order to ensure the application of strong customer authentication, it is also necessary to require adequate security features for the elements of strong customer authentication categorised as ‘knowledge’ (something only the user knows), such as length or complexity, for the elements categorised as ‘possession’ (something only the user possesses), such as …something the user is… such as algorithm specifications, biometric sensor and template protection features…”

     

    4. The “strong customer authentication”

    Based on all of the above, it is obvious that “strong customer authentication” is a very important step towards achieving the security of transactions that both the Directive and the Regulation mentioned above refer to. This “strong authentication” is not necessary in all instances. In most cases, though, the need for strong authentication of the transacting parties seems to be of the utmost importance, and so is taking proper, increased security measures and having a secure connection for specific transactions with some specific beneficiaries (article 97, Directive (EU) 2015/2366).

    Such cases are, among others, those where payment service providers (e.g. financial institutions, electronic currency institutions, postal check offices, payment institutions etc.): (a) gain access to the customer’s payment account online, (b) conduct the initial payment online, (c) remotely take any action that may involve the risk of committing fraud or other infringement.

    In these specific cases, the payment service providers apply strong customer authentication which includes elements that dynamically and securely connect the transaction with a specific amount and a specific beneficiary.
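    One way to picture an element that is dynamically linked to an amount and a beneficiary, as an added example that is not taken from the Directive, the Regulation or any provider's system: the authentication code is a keyed hash over the amount, the payee and a one-time challenge, so a code produced for one payment does not verify for any other. The use of HMAC-SHA256, the `Provider` class, the field layout and the sample IBANs are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical(amount, currency, payee, challenge):
    """Serialise the fields the code is bound to, in one unambiguous form."""
    fields = [f"{Decimal(amount):.2f}", currency.upper(),
              payee.replace(" ", "").upper(), challenge]
    # Length-prefix each field so adjacent values cannot be re-split differently.
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode()
                    for f in fields)


def authentication_code(device_key, amount, currency, payee, challenge):
    """Computed on the payer's device after amount and payee were displayed."""
    msg = canonical(amount, currency, payee, challenge)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class Provider:
    """Hypothetical payment service provider side of the check."""

    def __init__(self, device_key):
        self.device_key = device_key
        self.open_challenges = set()

    def start(self):
        challenge = secrets.token_hex(16)  # fresh value for every transaction
        self.open_challenges.add(challenge)
        return challenge

    def execute(self, challenge, code, amount, currency, payee):
        """Run the payment only if the code covers exactly these values."""
        if challenge not in self.open_challenges:
            return False                         # unknown or already used
        self.open_challenges.discard(challenge)  # single use
        expected = authentication_code(self.device_key, amount, currency,
                                       payee, challenge)
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # shared at device enrolment
    payee = "GR00 0000 0000 0000 0000 0000 001"   # constructed sample IBAN
    other = "GR00 0000 0000 0000 0000 0000 002"   # constructed sample IBAN
    psp = Provider(key)

    ch = psp.start()
    code = authentication_code(key, "49.90", "EUR", payee, ch)
    print("same payment:   ", psp.execute(ch, code, "49.90", "EUR", payee))

    ch = psp.start()
    code = authentication_code(key, "49.90", "EUR", payee, ch)
    print("payee replaced: ", psp.execute(ch, code, "49.90", "EUR", other))
```
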

    In the rare case, though, where these providers overlook their obligation, the responsibility and the relevant liabilities fall on them and not on the (non-culpable) customers.

     

    5. In Conclusion

    Payment services have, through the ages, proven necessary for the operation of vital financial and social activities: nobody can imagine any economy functioning without secure payment services. In the globalized economy of our times, secure electronic payments have proven to be of vital importance (“conditio sine qua non”) in order to support the desired (at a national, European or global level) and in some cases absolutely necessary development.

    “Strong customer authentication” of course aims to provide security and also to facilitate transactions. And, of course, to secure and facilitate those transacting as well. The relevant rules, coming from the European Union, fulfill in this case John Locke’s requirement, stated in the introduction, about the (desired) objective of the law.

    Development is proven to be closely tied to the security of transactions, among others. And we can’t but benefit from development. All of us.

    So, since 14.9.2019, we are entitled to be a bit happier. And, most importantly, to feel safer.

    Stavros Koumentakis
    Senior Partner

    P.S. A brief version of this article has been published in MAKEDONIA Newspaper (September 22nd, 2019).

  • Transactions using an electronic signature

    Conducting transactions using an electronic signature:

    Its legal significance

    The legislative framework for electronic signature

    The electronic signature is a mathematical system of electronic data used to prove the authenticity of a message or document.

    The concept of e-signature was introduced into the Greek legal system by P.D. 150/2001, which incorporated Directive 1999/93/EC. The latter set the legal framework for the use and legal validity of the e-signature. This Directive was repealed by Regulation 910/2014 (“eIDAS Regulation”), which regulates, also in our country, the issues of e-signature.

    Types of electronic signature

    The Regulation introduces, among other things, new rules for electronic transactions – the distinction between “electronic signature”, “advanced electronic signature” and (adopted for the first time) “qualified electronic signature”. The latter is based on a qualified certificate for electronic signature. This certificate is issued (and it is unique for any person or legal entity) only by the Qualified Trust Services Providers, which have been recognized as such by the competent supervisory body (in Greece, this is the Hellenic Telecommunications & Post Commission).

    E-signatures in the broad sense also include the “digitized signature”, i.e. the digital image of the handwritten signature. The latter is usually made using a special pen on a tablet. With the pen the signatory marks (“draws”) the image of his signature. The “digitized signature” is widespread in banking (known as e-signature).

    Various electronic applications (already) enable traders to put their “digitized signature” in electronic documents.

    The legal effects and the importance of electronic signature

    According to the above Regulation, the qualified e-signature has legal validity equivalent to the handwritten signature. At the same time, however, the legal validity and admissibility of the e-signature as evidence in legal proceedings is maintained. This is so despite the fact that the (simple) e-signature does not meet the requirements of the qualified e-signature.

    The above legislative provisions are of particular legal significance: the person who applies a qualified e-signature cannot contest the legal consequences of his signature. Every other e-signature produces – in principle – the legal consequences of the handwritten signature. However, the signatory is permitted to prove that he is not the signatory and that he is not bound by it.

    The differentiation in reliability and consequently in the legal “gravity” of the above signatures arises from the Greek legislation: Public organizations are obliged to use only a qualified e-signature, and only with this it is possible to participate in an e-procurement.

    Should we finally choose to use it?

    In the context of ever-increasing electronic transactions, the use of all types of electronic signatures has considerable advantages. The speed in the completion of a transaction, reduced costs, environmental protection are only some of them. Of course, the assurance of its credibility depends on the technical means used each time.

    It is very important for the enterprises to get a full picture of the different types of electronic signatures as well as of the consequences of their use. This particular road seems to be safer for their business interests in a constantly evolving environment.

     

    Evdokia Kornilaki
    Senior Associate

    P.S. This article has been published in MAKEDONIA Newspaper, on 25th of November 2018

  • Blockchain: a revolution in safety

    Blockchain is one of the most promising new technologies of the future.

    Blockchain has been around for quite some time now, but the markets only became aware of this technology because of the “bitcoin madness”, let’s call it.

    Blockchain is the technology that, until this day, is mostly used to facilitate the creation and movement of cryptocurrency from one individual to another.

    In this article we will approach the matter theoretically and refrain from making references to the actual technical parts. We will try to explain the concept that is blockchain by approaching the subject only from the view of financial transactions.

     

    Without Blockchain

    In order to make a transaction in an environment other than blockchain you most likely have to go through a third party that both you and your counterparty trust. Don’t think about it from the perspective of technology: black screens and white signs only programmers with black T-shirts can read.

    Let’s say you want to transfer a sum of money; to do so you have to order a third party to make the transfer for you. That third party will most likely be a bank, since till this day in the West very few people can envision a world where not banks but other entities will be holding their money. In Asia, on the other hand, Alipay and WeChat have a huge chunk of the market of money in their role as the third party in most everyday financial transactions.

    In any case, entities (banks or other) that hold money for or receive money from persons are selling the service of transferring money. To be more precise, after these entities confirm that the sender of the payment has available funds, they identify the receiver of the payment and deposit the money in the receiver’s account, while withdrawing the same sum from your account. But of course, this service costs. At the same time, depending on the specific banks involved in the process and the countries they reside in, this transfer can take a few days to go through.

    So now we have two problems, both resulting from the involvement of the third party/intermediary: (i) there is a fee owed to that third party and (ii) it takes time for the transfer to actually go through.

    This is where blockchain comes in.

     

    The innovation of blockchain

    Blockchain resembles a database. Of course that, on its own, is not revolutionary. The innovation is that, while databases have traditionally been centralized, blockchain is decentralized. This means that there has until now always been a need for a “central authority” (a third party, as described above) recording and verifying data transactions happening on those databases. This is not the case with blockchain.

    The need for third parties to intermediate transactions has until now seemed like the only way: parties who wish to transact cannot blindly trust each other. Thus, a need for verification/insurance from a prestigious third party emerged.

    But what if the transaction had no risk at all? What if the verification of data was automatic? What if there was a way to ensure that even if the slightest of the data represented by one of the parties did not check out, the transaction would be automatically blocked and no risk regarding what was communicated would be assumed?

    What blockchain does is exactly that.

     

    The Mechanics

    As promised, a visualization of blockchain technology:

    (a) Blocks

    Each block contains a single piece of information, in the form of a code. That code gives a specific ID to each block. To better understand it, let’s say that code is a letter of the alphabet. In this case, one block would contain the letter A.

    (b) Chain (chain of transactions)

    Blockchain consists of a series of blocks, each one containing a single piece of information on the “inside”, an ID, and the “IDs” of the blocks that come before and after it on the sides “touching” it.

    This “function” makes sure that no one can hack the code contained in blocks, because if you hack one block (which would on its own take a ridiculous amount of time), the ID of that block would change (since the IDs of blocks depend on and adjust to the code in the block). So if you hacked Block B, it would no longer be called B. But Block C would still witness that Block B should come before it. Now if you hacked Block C in order for it to witness that not Block B, but the block with the new ID (taken after Block B was hacked), was the one that came right before it, then the name of Block C would change, and so on…

    For a blockchain to function (for a transaction to be valid, as we will see below), the chain has to at any point verify itself.

    One might say that you could try and hack all the blocks in the chain and all the copies of the chain (see below), but, with blockchain technology being as strong as it is today, there is not enough time and computational power in the world to do so.

    (c) Introducing a different way to record transactions.

    Those chains of blocks are much like a ledger in accounting. They record all transactions, all debits and credits. A simplified example would be as follows:

    1. X has 10 (Block A)
    2. Y has 2 (Block B)
    3. X gives 10 to Y (Block C)
    4. X has 0 (Block D)
    5. Y has 12 (Block E)

    A blockchain can simultaneously tell us how much (money) there is and where it is (who has how much). So it truly does not matter what is represented by any party that wishes to transact. We do not have to trust anyone regarding the truthfulness of any representations - not someone we know or don’t, not a third party. We do not even have to trust blockchain. Anything recorded in a blockchain is a fact.

    Any transaction not verified by blockchain is not valid. Anything not validated does not actually happen (the technology will not allow an invalid order for a transaction to create and add a new block in the blockchain). Those safeguards result in creating the safest environment to transact in to this day.

    In our example, if X tried to give 20 to Y instead of 10 in step one above, blockchain would not allow the transaction to go through, simply because X does not have 20 to give.

    But how can blockchain know? Well … it does not exactly know. But thanks to the principles that follow, all persons in the network do know, and their knowledge alone ensures that the blockchain is valid and protected, through a distributed and decentralized system, which up until this day seems unhackable.

     

    The principles behind blockchain

    All the essence of blockchain, what renders it the most secure environment to transact in, is its principles:

    (a) Open Ledger Principle

    Everyone in the environment of blockchain can, under certain circumstances, see all the data (open and public information), but they cannot actually make up the information, because they can only have bits and pieces of it. Thus, everything is public and private at the same time!

    (b) Distributed Ledger Principle

    The open ledger principle on its own would not go far without the distributed ledger principle. The latter ensures that anyone who wishes can hold a copy of the ledger (chain of blocks).

    (c) Shared Ledger Principle

    When you wish to make a transfer through blockchain, you have to make that intention of yours public. The network will immediately see the declaration of your intention. At this point, the transaction is still unvalidated, and thus not yet part of the blockchain – it has not yet created a new entry in the ledger, a new block, so it has not yet taken place. Blocks are created and added to the blockchain only through mining.

    All the above principles can only reassure anyone who chooses to transact using blockchain. Just imagine how much easier it would be to hack a central authority (e.g. a bank) than the thousands that may have a copy of the ledger (hack all the blocks of the blockchain and all the copies of the blockchain held by all the peers).

     

    Mining

    Anyone can mine. Miners are persons that choose to hold a copy of the ledger. What they do is compete amongst each other (amongst those who hold a copy of the same chain) in order to be the first to validate a transaction and put it in the ledger (make a new entry – add a new block).

    Mining comes in two steps:

    • Validation: miners essentially check that a transaction is valid according to the data already validated and in blocks.
    • Connecting that new block to the chain: to connect a new block miners have to “find a key” that will mathematically allow them to add that new block. Imagine it like solving an extremely complicated riddle by using computational power.

    The first to validate a transaction and add a block to the blockchain gets a financial reward.
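    The mechanics and the two mining steps described above can be tried out in a few lines. This is an added example, not code from the article or from any real blockchain: SHA-256 as the block “ID”, a toy difficulty of three leading zeros as the “key” to be found, and the `open`/`transfer` record layout are assumptions, and balances are derived by replaying the entries rather than stored as separate blocks as in the article's X/Y ledger.

```python
import hashlib
import json

DIFFICULTY = 3  # assumed toy target: a block ID must start with 3 hex zeros


def block_id(prev_id, payload, nonce):
    """A block's ID is a hash over its content AND the previous block's ID."""
    body = json.dumps({"prev": prev_id, "payload": payload, "nonce": nonce},
                      sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def mine(prev_id, payload):
    """'Find the key': try nonces until the ID meets the difficulty target."""
    nonce = 0
    while not block_id(prev_id, payload, nonce).startswith("0" * DIFFICULTY):
        nonce += 1
    return {"prev": prev_id, "payload": payload, "nonce": nonce,
            "id": block_id(prev_id, payload, nonce)}


def balances(chain):
    """Replay every recorded entry to learn who holds how much."""
    totals = {}
    for block in chain:
        p = block["payload"]
        if p["type"] == "open":
            totals[p["who"]] = totals.get(p["who"], 0) + p["amount"]
        else:  # "transfer"
            totals[p["from"]] = totals.get(p["from"], 0) - p["amount"]
            totals[p["to"]] = totals.get(p["to"], 0) + p["amount"]
    return totals


def add_transfer(chain, sender, receiver, amount):
    """Validate against recorded data, then mine. Invalid orders add no block."""
    if amount <= 0 or balances(chain).get(sender, 0) < amount:
        return False
    payload = {"type": "transfer", "from": sender, "to": receiver,
               "amount": amount}
    chain.append(mine(chain[-1]["id"], payload))
    return True


def verify(chain):
    """Return the index of the first block that fails to check out, or None."""
    prev = "genesis"
    for i, b in enumerate(chain):
        recomputed = block_id(b["prev"], b["payload"], b["nonce"])
        if (b["prev"] != prev or b["id"] != recomputed
                or not recomputed.startswith("0" * DIFFICULTY)):
            return i
        prev = b["id"]
    return None


def build_example_chain():
    """Constructed sample data: X has 10, Y has 2 (the article's example)."""
    chain = [mine("genesis", {"type": "open", "who": "X", "amount": 10})]
    chain.append(mine(chain[-1]["id"],
                      {"type": "open", "who": "Y", "amount": 2}))
    return chain


if __name__ == "__main__":
    chain = build_example_chain()
    print(add_transfer(chain, "X", "Y", 20))   # order for more than X holds
    print(add_transfer(chain, "X", "Y", 10), balances(chain))
    chain[1]["payload"]["amount"] = 200        # edit Y's opening entry in place
    print(verify(chain))                       # the edited block fails first
    chain[1] = mine(chain[0]["id"], chain[1]["payload"])  # re-mine that block
    print(verify(chain))                       # now its successor fails
```

    Any peer holding a copy can run `verify` on its own; a block that was edited, or re-mined under a new ID, is reported at the position where the chain stops checking out.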

     

    Application of blockchain

    The very concept behind blockchain technology is inconceivably groundbreaking. Theoretically, if applied, it will eliminate the need for any middle man, including banks, even governments, while simultaneously ensuring that transactions are as secure as can be!

    Many governments have felt uncomfortable with all those changes happening. Some more than others: China has “banned” the trading of bitcoin altogether.

    With bitcoin having almost reached USD 20.000 per bitcoin at its peak, billions of dollars have changed hands without anyone having any record of those transactions, without any banks having gotten any fees, without governments having any control over the exchange rates in order to protect their currencies. And all that happened because just one application of blockchain became popular!

    Recently, the World Bank launched a new debt instrument (bond-i) that is blockchain operated. In Cyprus big law firms accept payment in bitcoin, and the relevant laws are in the making.

    Blockchain is not a technology for the dark web, but a technology for all of us. Today.

     

    We all (and of course businesses and lawyers) have to adapt to the new reality that blockchain is leading us to.

    And soon!

    Lida Koumentaki
    Junior Associate

     

    P.S. A shorter, Greek version of this article has been published in MAKEDONIA newspaper (November 4, 2018)
