Trust service providers and third parties: what are they and how do they work?

Trusted service providers and third parties act in a variety of ways to enable companies and users to interact in secure, reliable, and optimized digital environments. These players have transformed the way in which online operations take place and their activity is based on the standards set by both national and international regulators in terms of IT security, supporting high-risk processes, and electronic transactions.

Acting as a third party, these e-service providers ensure that the remote and online recording of activity has been performed under appropriate technical and regulatory standards.

What is a Trust Service Provider (TSP)?

A trust service provider is a company or business that verifies the identity of users, customers or businesses and approves electronic signature operations through the issuance and storage of digital certificates. They are also called Trust Service Providers (TSP) and the rules that mark their recognition as such are contained in the European eIDAS directive on electronic transactions.

To fully understand the context of these indispensable players in the digital ecosystem and in the 21st-century economy, we must approach the concept of "trust service". This is a digital service offered to certain specialized companies and includes operations such as the creation and certification of electronic signatures, time stamps, or certified shipments through electronic channels.

For these trust services to be considered qualified, they must be recognized by the national and international institutions that set the requirements and standards for digital transactions. Certificates obtained through the use of qualified electronic signatures and applied to online transactions are considered qualified. Likewise, the application of identity verification processes with updated Know Your Customer (KYC) standards makes the certification services of qualified trust providers.

Qualified Trust Service Providers (QTSPs) are able to perform comprehensive identity checks on company processes. Whether it is opening a bank account through a bank's app or taking out a home insurance or telephone tariff electronically, qualified trust service providers support the company offering their services through intermediary technology applied to their specific use cases and ensure a secure environment in which to operate so that users cannot fall victim to crimes such as identity theft or money laundering.

Qualified Certification Authorities

Trust service providers are also referred to as qualified certification authorities. Companies operating over the Internet in the EU and Switzerland need these regulated digital signature services to be able to carry out transactions such as contracting, registration, and registration with users, as well as to give their existing customers the possibility to become autonomous in the management and use of products and services over the network.

There is no single way to provide qualified trust services. The regulations allow you to choose one of the four regulatory options to make the process safe and secure: the physical presence of an agent authorized by the company, remotely through the use of QES (Qualified Signature), online through KYC identity verification according to the standards set by eIDAS or by other authorized methods equivalent to the first three at a technical and security level.

The issuance of digital certificates that seal these operations is not the only trust service provided by these specialists. The storage of these certificates and their recognition for subsequent management falls within the standards set by the regulation. Authentication on websites with SCA (Strong Customer Authentication) standards is also included and is a great advantage in terms of user experience. 

Now, credentials can be obtained based on the mandatory identification that occurred at discharge. This allows users to log into online platforms easily with facial biometrics systems, the method preferred by most. We can find a double benefit here: improved agility and user experience on the one hand and much more robust, supported, and enabling access on the other.

Qualified electronic seals are also being used to improve the traceability of operations carried out by users, certifying each action and ensuring optimal compliance with regulations thanks to the complete electronic evidence they provide.

Definition of Trusted Third Party

There has been confusion about the differences and similarities between the terms "trusted third party" and "digital trust service provider". The former was the first exponent of the creation of a secure ecosystem in which users and companies can operate with security and legal backing, and the latter came to reaffirm and extend everything achieved by its predecessor.

A trusted third party is a mediator that acts as a repository for activities carried out between two parties, usually an individual and a company in the purchase and sale of products and services. This subject is recognized by national laws prior to eIDAS, such as the Spanish Law on Information Society Services and Electronic Commerce, and was designed to make electronic commerce, which was beginning to take off in the early 2000s, more secure.

Trusted third parties are those that hold documentation and verification certificates for a period of at least 5 years. Their task is to attest that a process has been carried out in accordance with appropriate standards and in terms of fairness. As an independent and impartial neutral node, it is particularly relevant in the activities of industries, sectors, and areas such as the financial sector, insurance, public administration, human resources, or B2B operations.

All declarations of intent in digital format are stored and support the contracts and agreements that have been produced. In this way, the impartial trusted third party or a trusted third party provides legal certainty to any transaction or agreement. Although they can be both public and private entities or institutions, the vast majority correspond to specialized RegTech partners.

The term trusted third party changed in 2014 following the adoption of the eIDAS regulation and came to be referred to as the current digital trusted service provider. The acronym for trusted third parties used to be TTP (Trusted Third Party). Although, as we indicated, the trusted third-party concept is no longer officially recognized as such, it is still widely used in sectors such as banking or real estate.

Third-party by interposition

Building the proofs and electronic evidence through interposed witnesses that are part of the transaction gives better support regarding the traceability of the operations that occurred and avoids any kind of subsequent modifications. Only the best RegTech partners such as Tecalis can also be defined as third parties by interposition.

A third-party intermediary is a trust service provider that ensures rigorous compliance with the most comprehensive IT security standards. There are many methods by which qualified electronic signatures and other types of certificates can be generated but not all have the same robustness.

Digital storage must include secure connections and SSL (Secure Socket Layer), SOAP (Simple Object Access Protocol), and OASIS (Organization for the Advancement of Structured Information Standards) protocols. The most experienced experts know how storage and archiving should be done beyond simple hosting on secure servers. The generation of certificates is generally done through PKIs (Public Key Infrastructure), which gives a plus of interoperability and integrity to the infrastructure through encryption with unique keys for the platform's users.

The use of XAdES, XAdES-XL, or PKCS#7 electronic signature standards is included in eIDAS and the LSSICE. The use of trust service providers and third parties by interposition that use them is a great guarantee of quality. It is important to bear in mind that certificate validation must be generated independently of the issuing certification authority. This is done through OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) query services.

In this way, we can speak of distributed proof by interposition by having time stamps on each of the operations and steps carried out in the total of an onboarding or electronic signature process, avoiding subsequent manipulations in each phase. The hashing of each transaction and its validation with backing equivalent to that of a notarial process makes it possible to distribute the proof matrix along workflows in different phases in Tecalis systems, with repetitions stored and traced. This makes it possible to provide the highest level of evidentiary capacity.

Providing security and legal backing

In any case, this type of more solvent player always acts from an expert perspective, offering many more services beyond those included in the regulation. Having a trusted third-party partner or qualified service provider is not only mandatory to be able to operate online in most industries but insurance for the sustainability of the core activities of a business. 

Acting as a Time-Stamping Authority (TSA) allows the integration of this system in each of the operations of a company in an automated and agile way. This is especially relevant in contracting processes, operations with suppliers or registrations, and new customer registrations.

RegTech: Electronic certificates and digital mediators

Trust e-services go beyond the mere implementation of qualified certificates. Now, innovative RegTech startups have positioned themselves as technology transformation partners to large and small companies around the world. From RPA services to holistic customer acquisition systems, they offer services of many types and proprietary technology to enable the creation of today's business models.

Electronic signature

Digital e-signature platforms have enabled small businesses to become market leaders thanks to the great scalability that the solution has brought. From automating tasks for human resources teams to the transaction-based launch of signature requests for the procurement of new products, e-signatures have proven to be a must-have for any business in the 21st century.

Digital signature platforms should not just be single-purpose apps, but dynamic contracting and negotiation centers with all the specific functionalities that can leverage this technology to grow a business. Addressing business use cases across industries and integrating them with the company's systems and activity is a must.

Communication and certified electronic delivery

Electronic communications and certified deliveries are a complicated challenge in many companies and organizations, while in others they manage to create modern and adapted business models. These types of qualified deliveries through digital channels must be taken care of and treated with the utmost rigor in industries such as insurance, telecommunications, finance, and in general any area of utilities.

The role of a qualified trust service provider is not only in the issuance and creation of digital certificates but also in the provision of technology to its customers so that they can facilitate the exercise of the business activity.

Identity verification: KYC and anti-fraud controls

Not all trust service providers are integrating digital transposition solutions of the Know Your Customer process such as eKYC (electronic Know Your Customer) together with electronic signature processes. It is important to understand that KYC must also be carried out digitally and with the utmost rigor, avoiding subsequent transfers of the customer to a face-to-face location after onboarding or online registration.

Know Your Customer (KYC) is emerging as a process that is recognized by eIDAS and the most demanding AML standards and enables transactions to be carried out that could not otherwise take place. Authentication is also key to the day-to-day running of a business and must be performed in a qualified manner. This is achieved through the generation of credentials based on the qualified certificates issued during the KYC process at onboarding.

Regulation and legality of digital trust

The legal perspective of the implementation and regulation of digital trust services is seen both nationally and internationally. While the European Union is leading the way, the rest of the world's countries apply similar rules, which in most occasions become counterparts. 

The Sixth Anti-Money Laundering Directive (6AMLD), eIDAS, PSD2, SCA and the other EU AML (Anti-Money Laundering) accompanying measures are the international benchmark for understanding the role of trusted electronic service providers in the global economy.

eIDAS (Electronic Identification, Authentication, and Trust Services)

The eIDAS regulation sets the rules for electronic identification and trust services for secure electronic transactions in the EU internal market and repeals Directive 1999/93/EC. With its approval, a common market of more than 500 million users has been established, to whom products and services can be offered securely over the Internet without the need for physical presence in all markets.

In other words, businesses from anywhere in the world can now establish themselves in all markets in 27 countries easily and without major investment. In addition, the Swiss ZertES electronic signature standards are compatible with those of eIDAS, with its federal law being a counterpart.

This regulation 910/2014 of the European Parliament establishes all the standards with which these players must comply in order to be considered as a qualified trust electronic service provider and a third party. Ensuring that the electronic signature, contracting, certified communication and authentication solutions that we are going to hire for our business and integrate throughout the company comply comprehensively with this regulation must be a priority.

LSSI

As we have seen above, the technical standards to which trust electronic service providers must adhere are very specific and are included in regulations such as the LSSI (Information Society Services Law) in countries such as Spain. Even so, the most recent Law 6/2020, regulating certain aspects of electronic trust services, has taken important steps to implement concepts assumed by eIDAS at the international level. This law then repeals the obsolete Law 59/2003 (Electronic Signature Law).

The legal basis on which trust e-services and third-party activities are based is changing as regulations are updated and expanded. Therefore, it is important to have RegTech partners close to the Certification Authority (CA) institution so that the solution the company is using always complies with the latest standards and regulatory requirements.

Listings of trust service providers

States and certain national and international public bodies publish lists of trusted e-service providers on which to rely when selecting a player. Access to these lists can be obtained through communications with the administration or by consulting directly with the appropriate RegTechs partners.

Tags