UPC Authentication System
The UPC have announced they will adopt a strong authentication process. In this article we share our experiences of obtaining a suitable identification card.
A great deal has been written about the UPC on a wide range of important topics. One area that has received scant attention until recently is access to the on-line Case Management System (CMS), which will be used to lodge documents, opt-outs and registrations as representatives with the UPC. Early test versions of the CMS utilised a username and password log-in, but the administrative committee announced that “strong authentication” would be implemented in accordance with the EU eIDAS (electronic identification and trust services) regulation. In essence, eIDAS provides for an electronic identifier issued by a trusted service, which can be used to identify yourself electronically. The system is widely used for proving identity to financial and tax bodies in the EU.
The announcement caused some concern amongst users based on initial information and there were questions on how the system would work with the UPC. Having (we believe) successfully (and fairly painlessly) obtained a compliant identification we thought we would share our experience to assist others. With the sunrise period likely to start on 1 January 2023, time is running out to obtain the required cards, but we believe there is still sufficient time to do so without necessitating a delay to the UPC’s sunrise period.
The eIDAS regulation governs the principles and processes for handling digital identities, but not the actual implementation (and is not limited to use in the EU or by EU citizens). The most accessible route appears to be a SmartCard (similar to that used by the EPO, although the EPO smart card itself is not expected to be compliant). There are two elements of eIDAS which are relevant to the UPC – identification for logging in, and electronic signatures. These services do not have to be provided by a single device, but obviously that is more convenient.
The EU maintain a list of trusted service providers within the eIDAS regulation here.
It is likely that a number of these providers are suitable, but we selected LuxTrust as they were confident they could meet the requirements, and offered a remote identification service. Many providers require a face-to-face meeting, typically in the EU, to verify the identity of the individual being issued with a card, which is not always convenient. LuxTrust were able to offer a remote online identification service, which we found especially beneficial for our UK-based staff. The UPC Committee have said they will soon publish a list of preferred providers they have identified which can meet the requirements. In order to be issued a SmartCard, your identity must be validated in compliance with the regulation. In the LuxTrust implementation this consisted of providing your identity details and documents, then conducting a video call with the company during which they view your image and the documents to confirm your identity, which took about 10 minutes.
There are two types of SmartCard from LuxTrust – individual and professional. The individual card serves to identify you as an individual, and the professional card also identifies you as an approved signatory for a corporate entity. We believe the individual card is sufficient, but for the small extra cost of the professional card we have also obtained some of those for our team.
For the individual card, once you have completed your identity checks, the card is despatched in a few days. For the professional card, additional evidence is required in paper form to prove you are entitled to sign on behalf of the corporate entity. This evidence will vary depending on the form of entity, but for a UK LLP we sent a very heavily redacted copy of our partnership deed showing only a reference to the relevant UK statute for LLPs, the section of that statute noting who can sign for an LLP in the UK, and evidence of the LLP’s registration and partner list. This was accepted without question and the SmartCard was issued in about a week.
To use the LuxTrust SmartCards their driver software must be installed (which was a trivial exercise, although you may need to modify security settings and pop-up blockers) and then the card can be read by the computer. The UPC provides a test site here which can be used to confirm the smart card will be accepted by the UPC.
These cards can be used both to log in to the UPC CMS system and to sign documents. There is a range of signature security levels, from a simple “stamp” based on the SmartCard which can be applied by PDF software, to a qualified signature which utilises an external service. It is our understanding that a qualified signature is required by the UPC. LuxTrust provides a qualified signature service which will sign documents based on their SmartCard, but in principle any provider can be used based on any SmartCard issued by a trusted provider; for example, both DocuSign and Adobe offer compliant solutions.
In summary, there is at least one provider that can provide the necessary identification tools and they are relatively easy to acquire for minimal cost, with more providers expected to be identified. We believe being ready for 1 January 2023 is within reach and no delay to the UPC’s sunrise period is necessary for the user authentication system.
















