# Swedish BankID

Last updated: 28/09/2023
Current version effective from: 28/09/2023

# 1 Service description

The Swedish banks Nordea Bank AB, Svenska Handelsbanken AB, and Swedbank AB (collectively the "BankID Banks") cooperate through the mutually owned company Finansiell ID-Teknik BID AB ("BID") to deliver an electronic identification solution that may be used for authentication and signing (the "BankID Service"), the electronic certificate that provides secure identification and digital signing online, which is available to physical persons with a Swedish national identification number.

The BankID Banks offer the BankID Service for resale by service providers, such as Signicat. Signicat's integration module for the BankID Service allows other service providers, such as the Customer, to access the BankID Services through the Signicat Services.

Subject to the terms and conditions in the Agreement and this Appendix, the Customer and its Affiliates have the right to use the BankID Service. The BankID Service is issued in accordance with each BankID Bank's Policy and Certificate Policy Statement.

This Appendix remains in force as long as Signicat has a valid agreement with a BankID Bank, and the Customer may use the BankID Service as long as the Agreement between Signicat and the Customer and the agreement between Signicat and the BankID Banks are in force.

# 2 Signicat's obligations

Signicat shall provide to the Customer the BankID Service through the Signicat Services if the BankID Bank accepts the Customer. Signicat will collect such consent from the BankID Bank on behalf of the Customer.

# 3 Customer's obligations

The Customer and its Affiliates shall ensure that their services that utilize the BankID Services are in accordance with applicable laws and regulations and with any instructions or regulations from BankID Banks/BID communicated to the Customer by Signicat, and that the services do not:

(i) include discriminating, pornographic or otherwise offending material;

(ii) risk harm to the trademarks or reputation of the BankID Banks;

(iii) appear as unethical or immoral; or

(iv) put the BankID Banks at risk of any other economic harm.

The Customer is solely responsible for any costs related to integration between the BankID Service and the Customer's service.

When the Customer uses the BankID Services to identify End Users, this identification shall not be used to issue or use other electronic identities for End Users in any manner or form. If the Customer uses identification or signing solutions other than the BankID Services, the issuing of such identities must be structured so that the verification of the user is never, directly or indirectly, based on or can be connected to the BankID Services.

The Customer must only use the BankID certificates in its own platform, website, service, portal or application.

# ID-switching (Sw: ID-växling)

The Customer is not permitted to allow End Users to be identified with BankID and thereafter allow the End User to be identified by another identification method. By way of example:

(i) The End User logs into the Customer's application and is identified by BankID. After the End User has been identified, the End User is asked to log in with Touch ID. The next time the End User logs into the Customer's application, the End User is identified with Touch ID. In this example, the Customer must ensure that the End User uses BankID to log in every time.

(ii) The End User logs into the Customer's website and is identified by BankID. After the login, the End User is asked to create a password for future login. In this example, the Customer must ensure that the End User logs in with BankID every time.

# BankID-switching (Sw: BankID växling)

The Customer is not permitted to enable BankID-switching, i.e. the Customer, with the BankID certificates, handling BankID identification or signing for third parties. It is important that the Customer, when using the BankID Service in the Customer's service, communicates clearly to the End User who logs in using BankID where the End User has logged in and who the counterparty is when signing, for instance, an agreement. Similarly, the display name the Customer uses must enable the End User to easily identify the Customer (the registered business name, or another name that is better known to the public), and it must be clearly set out what any agreement the End User signs with the Customer using BankID concerns. By way of example, the following use of BankID certificates is not permitted:

(i) Company A manufactures Product B, creates a website, and uses as a display name for the BankID certificates "My pages". The correct handling would be for Company A to use its registered business name as display name, i.e. Company A, or the product name, Product B, if said product is well-known to the public. Use of the display name "My pages" does not clearly communicate to the End User where the End User is logging in.

(ii) Company X creates an application where other companies are offered to enter into agreements with private parties and acquire a BankID certificate. The private party, i.e. the End User, logs into Company X's application and is offered to enter into an agreement with Company Y. The End User thereafter uses BankID to sign by way of Company Y's BankID certificate. In this case the End User is not offered the desired clarity by using BankID, as Company X's display name will appear, even though the End User is entering into an agreement with Company Y.

The Customer shall ensure that their users abide by the terms and conditions of the Agreement, as well as this Appendix.

Last updated: 28/09/2023 13:52 UTC