LogoRegulatory Alerts
2017-06-26

Instruction No. 2017-I-13 of June 26, 2017 amending Instruction No. 2015-I-19 on the electronic signature of documents transmitted to the ACPR (Banking Sector)

The Prudential Control and Resolution Authority (ACPR) issued Instruction No. 2017-I-13 to update the requirements for the electronic signature of documents transmitted to the authority in the banking sector. The instruction mandates that electronic certificates used for signing must comply with the EU eIDAS regulation or specific French standards depending on their issuance date, effectively replacing previous certification frameworks. It also establishes strict declaration procedures for authorized signatories and allows for signature delegation within banking groups while maintaining ultimate responsibility with effective management.

Autorite de Controle Prudentiel et de Resolution logo

France

Autorite de Controle Prudentiel et de Resolution

Click to view thumbnail

PRUDENTIAL CONTROL AND RESOLUTION AUTHORITY

Instruction No. 2017-I-13 amending Instruction No. 2015-I-19 on the electronic signature of documents transmitted to the ACPR (Banking Sector)

The Prudential Control and Resolution Authority, Having regard to Regulation (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market, known as the 'eIDAS Regulation'; Having regard to the opinion of the Prudential Affairs Consultative Committee of 1 June 2017; Having regard to the opinion of the Consultative Committee for the Fight against Money Laundering and Terrorist Financing of 9 June 2017. DECIDES:

Article 1 Article 1 of Instruction No. 2015-I-19 is replaced as follows:

"Article 1 This instruction concerns the establishments referred to in all ACPR instructions that refer to electronic signature."

Article 2 Article 2 of Instruction No. 2015-I-19 is replaced as follows:

"Article 2 For the purposes of electronic signature, transmitted collection statements are electronically signed using an electronic signature certificate that meets, depending on its date of issue, the following conditions:

  1. Certificates issued before 1 July 2017 must be issued: 1.1 By a qualified electronic certification service provider at the 'Two stars' security level or the 'Three stars' security level, within the meaning of the General Security Reference in version 1.0 'Trust Service Signature' provided for by Ordinance No. 2005-1516 or in version 2.0 according to the Order of 13 June 2014 approving the general security reference and specifying the implementation procedures for the certificate validation process. Or 1.2 By an electronic certification service provider declared compliant with the Common Acceptance Policy (PAC) of the French Centre for Banking Organization and Standardization (CFONB) for signature at level 2 or level 3. Or 1.3 By an electronic certification service provider certified compliant with the European standard of the European Telecommunications Standards Institute (ETSI) ETSI TS 101 456 QCP Public + SSCD. Or 1.4 According to one of the modalities provided for in 2.1 and 2.2 below.

  2. Certificates issued after 1 July 2017 must be issued: 2.1 By an electronic certification service provider certified compliant with the European eIDAS Regulation for the 'qualified certificates' level (EU Qualified Certificates). Or 2.2 By the 'strong signature' Certification Authority of the Bank of France."

Article 3 Article 3 of Instruction No. 2015-I-19 is deleted.

Article 4 Article 4 of Instruction No. 2015-I-19 is replaced as follows:

"Article 4 Any establishment implementing electronic signature must declare to the ACPR, by means of a single document, the identity of the electronic certification service provider it uses, the type of certificate used, as well as, for each person it authorizes to sign on its behalf, their identity and their functions within the establishment.

Unless otherwise indicated or specified in the relevant instructions, the persons authorized to sign are those ensuring the effective management of the company within the meaning of the second paragraph of Article L. 511-13, point 4 of Article L. 532-2, paragraph II of Article L. 522-6, and point 4 of Article L. 526-9 of the Monetary and Financial Code (hereinafter the Effective Managers). Persons having the competence and position within the establishment allowing them to commit to the quality and reliability of the information they are called upon to sign may also be duly authorized by these managers.

The aforementioned managers may also delegate signature authority to the financial holding company, the mixed financial holding company, a credit institution, or another enterprise or person mentioned in point 2° of A of I of Article L. 612-2 of the Monetary and Financial Code, established in France and belonging to the same group subject to consolidated or sub-consolidated supervision within the meaning of European Union Regulation 575/2013 of 26 June 2013 and the Order of 3 November 2014 relating to prudential supervision on a consolidated basis. In this case, the managers of the delegated establishment and the persons designated by them in application of the aforementioned provisions are authorized to sign.

The managers of an establishment affiliated with a central body within the meaning of Articles L. 511-30 and L. 511-31 of the Monetary and Financial Code may delegate to this central body for the purpose of electronically signing those of their documents to which electronic signature applies in accordance with this instruction. To this end, the central body declares to the ACPR by means of a single document the persons it authorizes to sign, specifying for each their identity, their functions within the central body, as well as the affiliated establishments and the documents for which they are authorized to sign.

In the event of signature delegation by the effective managers under the aforementioned conditions, the types of collections concerned by the delegation are specified.

Regardless of the delegations granted, the aforementioned effective managers remain responsible for the quality and reliability of the information transmitted on their behalf and are able to transmit the information under their own electronic signature.

The declarations provided for by this article are communicated to the ACPR at least one month before the deadline for the first electronically signed submission. Similarly, each modification made to these declarations is communicated to the ACPR at least one month before the relevant deadline.

Establishments take the necessary measures to communicate to the persons they declare the information provided for in Article 32 of Law No. 78-17 of 6 January 1978 relating to computing, files and freedoms."

Article 5 Article 5 of Instruction No. 2015-I-19 is replaced as follows:

"Article 5 The ACPR may oppose at any time the use of a certificate by an entity that does not meet or no longer meets the requirements of Article 2 above."

Article 6 The second paragraph of Article 7 of Instruction No. 2015-I-19 is replaced as follows:

"References to Instruction No. 2007-01 in the instructions listed in Annex 2 are replaced by references to this instruction."

Article 7 The following is added to the second paragraph of Article 8 of Instruction No. 2015-I-19:

"The modifications to Instruction No. 2015-I-19 appearing in Instruction No. 2017-I-13 of 26 June 2017 enter into force as of 1 July 2017."

Article 8 This instruction enters into force as of 1 July 2017.

Paris, 26 June 2017 The President of the Prudential Control and Resolution Authority François VILLEROY de GALHAU

Share