Peter Dare, Board Member, tScheme Limited
peter_dare@uk.ibm.com
June 2000

Securing electronic business together
A model for the industry-led co-regulation of trust services


Copyright tScheme Limited 2000

Publicly-offered trust services are essential to realise the full potential of e-business, because without them several important requirements cannot be met.

Routes to market for new and existing products must be extended, in both reach and range.

Parties who only ever "meet" in cyberspace must be able to agree and enforce contracts - wherever and whoever they are.

Businesses and citizens must have the option to receive (almost) any government information or service electronically.

Almost no process must be deemed too sensitive for electronic implementation.

The rapid formation and development of business partnerships and "virtual" organisations must be possible electronically and globally.

Subject to law, personal privacy and business confidentiality must be protected.

There must be certainty in the provenance and integrity of electronic information.


Two separate pieces of legislation call for trust services to be regulated - the EU Electronic Signatures Directive and the UK Electronic Communications Act.

… Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification-service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory …

… Each Member State shall ensure the establishment of an appropriate system that allows for supervision of certification-service-providers which are established on its territory and issue qualified certificates to the public …

… The conformity of secure signature-creation-devices with the requirements laid down in Annex III shall be determined by appropriate public or private bodies designated by Member States ...

Article 3, EU Electronic Signatures Directive of 13 December 1999.

… It shall be the duty of the Secretary of State to establish and maintain a register of approved providers of cryptography support services …

Section 1, UK Electronic Communications Act 2000, Royal Assent 25 May.


tScheme - an initiative of the UK Alliance for Electronic Business - sets out a plan for a voluntary trust services regulatory scheme that is industry-led rather than government-run.

The Alliance for Electronic Business (AEB) is an umbrella organisation of industry associations which works for the greater competitiveness of UK businesses, in national and global markets, by helping to enable their better use of electronic business.

The AEB’s members are:

Computing Services and Software Association (CSSA); Confederation of British Industry (CBI); Direct Marketing Association (DMA); e-centre UK; and Federation of the Electronics Industry (FEI).

tScheme is part of a wider AEB strategy to encourage clearer, simpler and more cost-effective frameworks for electronic business.


AEB written and oral evidence to the Commons Trade and Industry Committee argued the benefits of industry-led regulation. First the Committee, then the Government, backed the idea that industry should lead.

We acknowledge the need for some form of accreditation scheme relating to TSPs to persuade firms and individuals “standing on the edge of the e-commerce lake wondering whether it is really safe to dive in” that electronic commerce is as safe and reliable as traditional forms of commerce. We recommend that the Government sponsor a voluntary accreditation scheme for TSPs which is based on the needs of users and service providers but which is not grounded in legislation.

Report of the House of Commons Trade and Industry Select Committee, 18th May 1999.

The Government has been working closely with the Alliance for Electronic Business who are leading the development of a non-statutory, self-regulatory scheme. Such a scheme bringing together providers and users, including consumers, should offer a more flexible and effective way of meeting the Government's objectives than a statutory scheme. The Alliance's scheme is still in its infancy, so the draft Bill proposes to take powers to set up a statutory voluntary scheme by secondary legislation. The Government will only use these powers should the industry fail to work out a suitable model for self-regulation consistent with our e-commerce and law enforcement interests.

Michael Wills MP, DTI Minister, House of Commons, 23rd July 1999


To implement the tScheme model, a not-for-profit company - tScheme Limited - was incorporated in May this year.


tScheme’s business is approving trust services. The approval process will entail assessment against published profiles.

By envisaging a number of service profiles, tScheme accommodates its objective of covering a broad range of services.

All profiles will be: based on industry-led, market-driven standards; demonstrably rigorous and impartial; and objective, transparent, proportionate and non-discriminatory.

Profiles will address procedural as well as technical issues, but tScheme does not seek to duplicate the existing regulatory framework:

Approval by other regulatory bodies (banking, telecoms, …) will be accepted as sufficient for relevant aspects of the approval process.

Accreditation to BS7799 will also be used to satisfy some assessment requirements.

To ensure choice and cost effectiveness, assessment will be a commercial activity, with service providers able to choose their assessing auditors.


tScheme will have teeth. Approval of a trust service will be subject to conditions which tScheme will enforce.

tScheme will implement effective mechanisms for enforcing adherence to the conditions under which approvals are issued.

Approved trust service providers will be required to establish a complaints handling procedure subject to enforcement and monitoring by tScheme and backed by a well-publicised mediation/dispute resolution process.

Where conditions are found to be breached, tScheme will order appropriate redress. Approvals can be modified or revoked.

There will be an appeals procedure.


tScheme’s co-regulatory model allows participation, and hence trust, by all sectors and gives open access to the trust services market. A wide range of organisations have already contributed to tScheme’s development.

AEB member organisations; Association for Payment and Clearing Services; British Bankers Association; British Chambers of Commerce; Consumers Association; UK Government

BT; IBM; ICL; InterClear; Microsoft; Royal Mail

The following organisations have provided members of the tScheme board:

Other organisations have expressed commitment or interest.


The Government has declared that Part I of the Electronic Communications Act will only be brought into force if an industry-led scheme doesn't prove successful. The Act has a five-year “sunset clause”.

Our strong preference is for self-regulation, and I am working closely with the Alliance for Electronic Business, which is drawing up a self-regulatory approvals scheme. The alliance has made good progress; last Friday, I received an update, which I am urgently assessing. The proposals demonstrate the commitment of the industry to the self-regulatory approach - companies such as British Telecommunications plc, IBM and Royal Mail are involved.

Patricia Hewitt MP, E-Commerce Minister, Second Reading Debate, Electronic Communications Bill, 29 November 1999.


In its White Paper of July 1999, the UK Government defined the success criteria for an industry scheme. The criteria match tScheme’s objectives well.

... a broad range of services including signature and confidentiality services ...

... demonstrably rigorous, impartial and trusted by all sectors of industry ...

... should not act as a barrier to new entrants to the market ...

… should have a means of taking into account the views of consumers …

… the ability to set standards (procedural and technical) …

… clear mechanism for Government to monitor progress and influence the development of such standards, in line with its objectives for promoting electronic commerce, modernising government and law enforcement ...

… mechanisms for ensuring compliance with these standards including … : … assessment of service providers …; … sanctions and the ability to monitor and take enforcement action ... ; … a means of redress for consumers …; … publicity ….

… take account of the ... Directive (including … liability and data protection) ...

… showing that their signature service meets the standards envisaged in the draft Directive … (but) it might not be necessary for all signatures to meet the Directive ...


The Electronic Communications Act became law on May 25. The Government has listened to what industry had to say. It's now down to industry to make sure that tScheme is a success.

Because participation is voluntary, the critical success factor for tScheme is to convince the market of its value.

tScheme will be seen as valuable in the marketplace only if it enables innovation, growth and development in e-business:

tScheme’s broad approach to trust services will encourage the development of new ways of conducting electronic business.

With its own distinct vision and principles, requiring minimum legislation, tScheme can react more quickly to technological change.

tScheme will be run by those with an interest in making it work: business users, consumers, technology providers, industry associations and government - and of course service providers.

If tScheme is successful, then the hope is that the model will be copied elsewhere in Europe and globally.