EC, July 31, 2001, No 2001-696
COMMISSION OF THE EUROPEAN COMMUNITIES
Decision
Identrus
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community, Having regard to the Agreement on the European Economic Area, Having regard to Council Regulation No 17 of 6 February 1962, First Regulation implementing Articles 85 and 86 of the Treaty (1), as last amended by Regulation (EC) No 1216-1999 (2), and in particular Articles 2, 6 and 8 thereof, Having regard to the application for negative clearance and the notification for exemption submitted pursuant to Articles 2 and 4 of Regulation No 17 on 6 April 1999, Having regard to the summary of the application and notification published pursuant to Article 19 (3) of Regulation No 17 (3), After consulting the Advisory Committee for Restrictive Practices and Dominant Positions, Whereas:
I. INTRODUCTION
(1) On 6 April 1999, the Commission received an application for negative clearance or alternatively a notification for exemption, pursuant to Article 4 of Council Regulation No 17, of a set of agreements ("the Notified Agreements") concerning the establishment of a network of financial institutions which will operate as Certification Authorities (4) of trusted electronic commerce (e-commerce) transactions, initially only in the business-to-business (B2B) context.
(2) The notifying Parties are ABN-AMRO Services Company, Inc., BA Interactive Service Holdings, Inc., Barclays Electronic Commerce Holdings, Inc., Bayerische Hypo- und Vereinsbank AG, The Chase Manhattan Bank, Citibank Strategic Technology, Inc., Deutsche Bank AG and Pyramid Ventures, Inc., (the "Parties").
(3) For the purposes of establishing and managing the network, the Parties have formed a joint venture company, Identrus, LLC ("Identrus"). Identrus was established in March 1999 pursuant to a Limited Liability Company Agreement (the "LLC Agreement"), governed by US Delaware law. The initial capitalisation of Identrus was contributed equally by the Parties. Identrus will provide and manage the infrastructure required for establishing a global, interoperable network among financial institutions offering Certification Authority services (the "Identrus System").
(4) Besides the notifying Parties, Identrus will have a limited number of further shareholders (the "equity owners") (5). No single equity owner will have control over Identrus. Participation in the Identrus System will be open to qualified financial institutions around the world ("Participants"). Participants need not be equity owners of Identrus, but all equity owners are Participants. Participants will compete with each other in the relevant markets described in recitals 29 to 34.
II. PARTIES
(5) The corporate groups to which the Parties to the Notified Agreements belong may be described as follows: ABN AMRO Services Company, Inc., is an Illinois corporation. Its ultimate parent is ABN AMRO Holding NV, the Netherlands. BA Interactive Services Holding Company, Inc., is a Delaware corporation. The ultimate parent is Bank America Corporation, USA. Barclays Electronic Commerce Holdings Inc., is a Delaware corporation and an indirect subsidiary of Barclays Bank PLC, United Kingdom. Bayerische Hypo-und Vereinsbank AG ("Hypo Vereinsbank") is a financial group resulting from the merger in 1998 of Bayerische Vereinsbank AG and Bayerische Hypotheken und Wechsel Bank, AG. The Chase Manhattan Bank ("Chase") is a wholly-owned subsidiary of the Chase Manhattan Corporation, USA. Citibank, NA is a wholly-owned subsidiary of Citigroup Inc., Delaware. Deutsche Bank AG, Germany, holds its equity investment in Identrus directly. Pyramid Ventures, Inc., USA, is an indirect subsidiary of Bankers Trust New York Corporation which has now merged with Deutsche Bank AG.
III. THE REGULATORY AND POLICY CONTEXT
(6) A coherent and appropriate legislative framework is essential to develop electronic commerce within the Community. In 1997, the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions, - a European Initiative in Electronic Commerce (6), defined the broad lines of the Commission's policy in this area. Since then, a series of directives has been adopted. They include Directive 1999-93-EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (7), which establishes rules on the legal recognition of electronic signatures and certification procedures, and Directive 2000-46-EC of the European Parliament and of the Council of 18 September 2000 on the taking up, pursuit of and prudential supervision of the business of electronic money institutions (8), which provides that electronic money may be issued only by supervised institutions meeting certain legal and financial conditions, ensuring technical security. Of central importance is Directive 2000-31-EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (9). It is designed to ensure that information society services can be freely provided throughout the Community.
(7) Secure electronic payments in particular are essential for the development of e-commerce. Today, there is no widespread, effective and secure way to make cross-border Internet payments, and the respective market operators lack confidence in the security of such payments. The present legislative framework provides consumers with some protection but it does not meet many of the concerns associated with on-line trade within the Community. Improvements are needed in technical security and in the establishment of a legislative "safety net".
(8) On technical security, the "e-Europe initiative" launched by the Commission in December 1999 (10) promotes the use of new technologies, and envisages further work on identification and authentication techniques. As recognised in Directive 1999-93-EC, in particular recitals 4, 5, 10, 21 and 23, the development of electronic commerce requires, as a basic prerequisite, the existence of global Certification Authority services over open networks. The necessity for securing electronic commerce transactions is giving rise to a number of new, emergent markets for the provision of electronic trust services. Failures arising from any of the risks associated with the on-line provision of financial and authentication services could lead to significant legal and reputation risks. Such risks are not new, but their relative importance grows given the increasing reliance on technology.
IV. THE TRANSACTION
A. Purpose of the transaction
(9) The declared purpose of the Parties in setting up the Identrus System is the promotion, operation and management of an infrastructure for securing electronic commerce transactions. That infrastructure is intended to enable the Participants in the system to operate as individual and competing Certification Authorities.
Scope of the activities of Identrus
(10) The Identrus equity owners will provide the infrastructure, a data processing system designed to operate through digital networks, required to enable the financial institutions participating in the system to become Certification Authorities for the purposes of secure e-commerce transactions and offer related services to their end users.
The role of Participants in the Identrus System
(11) In the Identrus System, each Participant will issue digital certificates certifying the identity of clients engaged in electronic transactions. The Participants will operate as individual and competing certifying authorities. This means that companies engaged in financial transactions are free to choose any participating Certification Authority which is not necessarily their regular banking institution. Identrus System specifications provide interoperability in order to enable each Participant to develop its own technology independently. Furthermore, each Participant will offer its own, independently created applications, built upon the digital Certification Authority services of the Identrus System infrastructure, in competition with each of the other Participants. Each Participant is free to set the prices it charges to its end users for authentication services.
Warranty requirements
(12) Each Participant will post a deposit (collateral) to an account with an appointed financial institution, who will hold it for the benefit of relying third parties to secure warranties issued to them. The Operating Rules applying to the Identrus System establish collateral requirements applicable to each Participant, including the amount of collateral required to be posted, the frequency with which collateral requirements and Participants' obligations will be calculated and the times at which collateral would be required to be posted.
Non-discrimination
(13) The Parties' business plan foresees up to 300 banks at worldwide level participating in the Identrus System. Furthermore, all Participants, irrespective of whether they are equity owners or not, are subject to the same rules and standards of the Identrus System.
(14) The most important criteria for third parties (being in the business of providing financial services) to become equity owners in Identrus are certain capital requirements, as defined by the Basle Committee on Banking Regulations and Supervisory Practices and in compliance with certain financial rating requirements.
B. Participation in the system
(15) Interested financial institutions may join the System either as "Level One Participants", or as "Level Two Participants". Level One Participants may issue certificates to end-users and to Level Two Participants. Level Two Participants may issue certificates only directly to end users. In other respects, the two types of Participants will operate within the System in the same manner and will thus compete with each other for end-users. Any person requiring Identrus certificates is entirely free to become a customer of either a Level One or a Level Two Participant.
Level One Participants
(16) An entity will be eligible to act as a Level One Participant if it is primarily engaged in the business of providing financial services, it is subject to governmental regulation and examination, and it meets certain capital and credit requirements.
(17) Identrus as such is a root Certification Authority that issues digital certificates to its Level One Participants and thus permits the validation of the Level One Participants' identities. This allows Level One Participants to operate as Certification Authorities within the Identrus System and to issue digital certificates to their corporate customers.
(18) Vis-a-vis Level Two Participants, Level One Participants can also have the function of root Certification Authorities (11) Level One Participants must therefore be positioned to meet in a special manner the requirements of corporate customers regarding trust, reputation and confidence.
(19) The equity owners of Identrus will participate in the system as Level One Participants under the same terms and conditions as apply to any third party acting as a Level One Participants.
Level Two Participants
(20) The eligibility criteria for Level Two Participants are similar to those for Level One Participants. However, the capital and credit requirements are less stringent, enabling smaller entities to participate in the Identrus System. Provided the respective capital and credit requirements are met, each Participant is free to be either a Level One or a Level Two Participant.
(21) Level Two Participants will operate as Certification Authorities and issue certificates to their corporate customers.
C. The agreements
The LLC Agreement - corporate organisation
(22) The equity owners of Identrus have a voting right in the shareholders' meeting that is calculated on the basis of their respective percentage ownership interest in Identrus. This means that the founding equity owners will each have less than 10 % of the voting rights and that the newer equity owners will have less than 5 % each. All matters requiring an equity owner's vote, approval or consent require the consent of a majority. The failure to obtain the consent of a majority on any such vote means that the required consent has not been obtained.
(23) It follows from those provisions that the equity owners in Identrus do not exercise joint control over the company's commercial policy.
(24) Participants in the Identrus System will not be required to hold equity in Identrus; membership in the System as a Participant will be open to all entities that satisfy the membership criteria outlined in recital 14.
(25) All Participants, including the Parties, are free to join other schemes offering Certification Authority services.
Rights and obligations of equity owners and Participants (Operating Rules)
(26) The Identrus equity owners have the same rights and obligations with respect to issuing certificates as all other Participants in the System and will, like them, enter into "Participation Agreements" with Identrus to establish the terms of their operational relationship. However, all equity owners are obliged to be active Participants in the Identrus System and the LLC Agreement requires that each equity owner operates a Certification Authority, registration and risk management system under the Identrus System. Accordingly, each equity owner's investment in Identrus will not be a passive investment, as each is required to deploy its own certification services based on the Identrus System.
Pricing policy
(27) Identrus has been set up as a for-profit organisation and will establish its pricing policy accordingly. The same pricing policy will be applied to all Participants on the basis of objective and non-discriminatory criteria, irrespective of whether they are equity owners or Participants of whatever category in Identrus. Identrus plans to charge fees only to Participants in connection with the services provided (Section 6 of the Operating Rules) and not to the customers of the Participants. Participants will be free to set the prices they in turn charge their customers.
(28) The customers of Identrus will be its Participants. The Identrus System requires investments and these will be financed by three different revenue components (12) 1. "Chartering fees" will be collected as a one-time payment from the Participants, and are intended to recover Identrus's costs incurred in conducting interoperability testing and compliance certification of the infrastructures of new Participants. 2. Participants will pay "annual membership fees" with respect to the validation and warranty services once a Participant's deployment of each of these services has been developed. 3. The final revenue component of Identrus is an ad hoc fee, charged for each transaction.
V. THE RELEVANT MARKET
A. Product markets
(29) The Identrus System's trust services include:
1. services for the identification of the sender of a message over a digital network;
2. the authentication of such message via electronic signatures;
3. the validation that the keys used to create and authenticate the signature have not been revoked;
4. the provision of services to manage the risk that the signatory may claim the signature was unauthorised; and
5. the establishment and administration of rules, policies, procedures, technical specifications and agreements governing the operation of the System.
(30) By means of such services, Participants in the system should be able to provide authentication and connected electronic transactions security services to end-users. End-users may utilise the Identrus services in a variety of transactions - i.e. essentially any transaction conducted over an electronic network in which one or all entities involved in the transaction require a high degree of certainty as to the identity of the other. These transactions may be financial or commercial transactions, such as purchases and sales of goods or trading in financial instruments, potentially all over the world. The use of technical applications that enable such electronic transactions to be carried out cannot provide assurances about a user's identity. Therefore, Certification Authorities are needed to issue digital certificates that can be used to bind the specific identity of a user to a particular application.
(31) Consequently, the Notified Agreements will address at least two separate markets: 1. the market for the provision of trust services to Certification Authorities; and 2. the downstream market for the provision of trust services by Certification Authorities to end users initially in the corporate sector. In both cases, markets have not yet been sufficiently developed nor has consumer confidence been tested.
Provision of trust services to Certification Authorities
(32) Identrus will be active in the design and operation of the infrastructure for financial institutions to manage risks inherent in relying on the identity of authors and the authenticity of electronic messages. It will perform its role as a root Certification Authority and will establish a set of business rules defining the identity certificates issued by Participants and their use.
Authentication services
(33) Both Level One and Level Two Participants of the Identrus System will provide digital certificate services directly to their corporate end users enabling them to conduct commercial transactions over open electronic networks.
B. Geographic markets
(34) The services on both relevant product markets are offered on a global basis enabling international business-to-business transactions. The relevant geographic market is hence the worldwide market for the services in question.
VI. STRUCTURE OF THE MARKET
A. The Parties' position on the market
(35) As the Parties are currently not active on the relevant markets, the Parties' market shares on the described segments are non-existent.
B. Competitors of the Parties
(36) Due to the developing nature of the markets in question, the Commission does not have a comprehensive overview of the competitive situation in these markets and the competitive position of the Parties' future competitors. The Parties were, however, able to indicate a number of active and not yet active competitors, amongst them American Bankers Association (ABAecom), SWIFT, VISA and MasterCard.
(37) Furthermore, due to the rapidly increasing demand for authentication services and related profit opportunities, fostered among others by the Commission's e-Europe initiative referred to in recital 8, Identrus will be confronted by numerous potential competitors such as postal authorities, technology vendors, telecommunications carriers and industry specific initiatives. Although not all of those potentially competing systems will succeed, they will have a distinct competitive check on Identrus, if successful.
VII. THIRD-PARTY OBSERVATIONS
(38) Following the publication of the notice pursuant to Article 19 (3) of Regulation No 17 (13), three interested third parties submitted comments to the Commission regarding Identrus. Those comments focused, in particular, on the openness of the Identrus certification system to potential participants and standards, as well as its interoperability with other similar systems.
(39) Generally speaking, commentators addressed concerns of potential concentration processes that would result from the Identrus System. Those concerns ranged from the "formation of a technology cartel" to the "endangering of the competitive equilibrium" in the emerging market for electronic authentication services.
(40) All comments received have been carefully reviewed and it has been concluded that the concerns expressed therein had already been raised by the Commission and discussed in detail with the Parties, who had provided adequate answers, as explained in recitals 41 to 53. Therefore, those comments have not affected the Commission's positive position as regards the Notified Agreements outlined in the notice pursuant to Article 19 (3) of Regulation No 17.
VIII. ARTICLE 81 (1) OF THE EC TREATY AND ARTICLE 53 (1) OF THE EEA AGREEMENT
A. Application of Article 81 (1) of the EC Treaty and Article 53 (1) of the EEA Agreement to the agreements setting up the Identrus System
(41) Through the Notified Agreements, the Parties have set up a company that is not under the joint control of its equity owners. An agreement to set up a company does not, however, in itself constitute a restriction of competition within the meaning of Article 81 (1) of the EC Treaty and Article 53 (1) of the EEA Agreement (14).
(42) However, in view of comments from third parties voicing concern at the risk of exclusionary effects that would result from the Identrus System, the impact of the creation of Identrus on the relevant product markets was examined and it was concluded that there were no such risks.
No risk of coordination
(43) Identrus will be operating in a newly developing and emerging market. Due to the advent of the Internet and its widespread use, in which a variety of persons control access and use, it became necessary to develop systems to prevent the transmission of unauthorised, fraudulent, or corrupted messages. New entrants into the nascent e-commerce markets are exposed to strong pressure from corporate customers to provide the necessary security for their transactions. The Parties' cooperation is limited to the establishment of the Identrus System as a common platform for the provision of root certification services. They will not extend their cooperation to the market for the provision of certification and authentication services to end-users, nor will they extend it to cooperation between the Parties in the financial or banking services sector, where they will remain independent competitors.
(44) The success of a certification system is based on its interoperability with other similar systems.
(45) The Operating Rules enable the Identrus System Participants to establish an interoperable infrastructure that makes domestic and cross-border electronic commerce applications possible. As regards those applications, however, each Participant will develop them independently.
Open access to the system
(46) Moreover, reputation and warranty policies are important in providing a trust product such as authentication services. In this context, the most important criteria for third parties to become equity owners in Identrus are objective and by using them, Identrus will not be required to assess and identify the quality of potential Participants. The Notified Agreements are therefore unlikely to affect the competitive position of third parties, as access to Identrus infrastructures is open to all, provided they meet the objective criteria referred to in recital 14. Identrus has no incentive to exclude potential Participants, as it is inherent in the Identrus System to attract as many Participants as possible. Identrus's revenues increase with the number of electronic commerce transactions covered by the Identrus System.
(47) End-users will benefit from the existence of the additional system Identrus will create. The wider benefits of the system to the free movement of goods in the internal market ought not to be underestimated. The authentication system will be used in a large variety of circumstances, which will in turn create other products and services increasing competitiveness, levels of trust, security and quality demanded by the evolving market.
Competitive checks
(48) As indicated in recital 7, security of financial transactions over the Internet is one of the main concerns affecting the widespread development of electronic commerce. A large number of projects aimed at the development of Internet applications to address such concerns have been launched. A number of commercial competitors have already announced the setting up of certification systems similar to the one intended by Identrus.
(49) Among Identrus's future main competitors the Parties identify the American Bankers Association (ABAecom), which has offered global Certification Authority services since the beginning of 1999, SWIFT (the international financial transactions services company), VISA and MasterCard. Identrus faces competition not only from the financial industry ventures but also from postal authorities, technology vendors, telecommunications carriers and industry specific vertical initiatives.
(50) Financial industry ventures, postal authorities and telecommunications carriers for example have, on the basis of requirements for acting on their traditional markets, already made a certain part of the irreversible investments necessary for entry into the markets in question. Their ability to enter these markets must therefore be assessed as relatively high.
No exclusivity
(51) Identrus Participants are free to participate in any other equivalent scheme, if they choose to do so. The decision would be based on internal questions to be answered solely by the Participant. Thus, participation is not exclusionary. The choice provided to Participants will potentially further foster competition between competing authentication systems.
No adverse effects on input markets
(52) The Notified Agreements are unlikely to affect markets for inputs that are necessary for companies operating in the relevant markets. As a matter of fact, Identrus will not engage in software development, it will only set up specifications which will be given free of costs to Participants and software providers. There is no exclusivity as to which software will be used as root software and which software Participants can choose. In practice, many different vendors could be used by the Participants, provided those vendors meet the Identrus standards that have to be developed. Participants can change vendors if they so wish.
Conclusion
(53) The creation of the Identrus System entails no foreclosure risk, as the joint venture will face competitive checks from competing systems, and Participants are free to join other such systems. There are in addition no adverse effects on input markets. Therefore, the agreements to establish Identrus do not fall within the terms of Article 81 (1) of the EC Treaty and Article 53 (1) of the EEA Agreement.
B. Application of Article 81 (1) of the EC Treaty and Article 53 (1) of the EEA Agreement to the clause concerning the general prohibition of assignment of membership interests
(54) Article 9.1 of the LLC Agreement enshrines a general prohibition of assignment of membership interests. Such interests must first be offered to Identrus itself or to other members before being offered to third parties (see Article 9.3 of the LLC Agreement). Although equity owners have the right to set the rules for the functioning of the system, no individual member can dominate the system as the maximum vote is limited to 15 %.
(55) To the extent that this clause is a restriction of competition on the market for the exchange of equity, the restriction is not an appreciable one.
C. Conclusions on the applicability of Article 81 (1) of the EC Treaty and Article 53 (1) of the EEA Agreement
(56) Neither the Notified Agreements nor the clause concerning the general prohibition of assignment of membership interests has the effect to preventing, restricting or distorting competition within the relevant market defined in recitals 29 to 34. Therefore, the Agreements fall outside the scope of Article 81 (1) of the EC Treaty and Article 53 (1) of the EEA Agreement,
HAS ADOPTED THIS DECISION:
Article 1
On the basis of the facts in its possession, the Commission has no grounds for action under Article 81 (1) of the EC Treaty and Article 53 (1) of the EEA Agreement in respect of the Notified Agreements relating to the establishment of the Identrus System.
Article 2
This Decision is addressed to:
1. ABN AMRO Services Company, Inc. 200 West Monroe Street Chicago IL 60606 USA
2. BA interactive Services Holding Company, Inc. 425 First Street San Francisco CA 94105 USA
3. Barclays Electronic Commerce Holdings, Inc. 222 Broadway New York NY 10038 USA
4. Bayerische Hypo- und Vereinsbank AG Am Tucherpark 16 D - 80538 München
5. The Chase Manhattan Bank 270 Park Avenue - 44th Floor New York NY 10017 USA
6. Citibank Strategic Technology 153 East 53rd Street New York NY 10043 USA
7. Deutsche Bank AG Taunusanlage 12 D - 60325 Frankfurt a. M
8. Pyramid Ventures, Inc. 130 Liberty Street New York NY 10006 USA
9. Identrus LLC 140 East 45th Street - 16th Floor New York NY 10017 USA.
(1) OJ 13, 21.2.1962, p. 204/62.
(2) OJ L 148, 15.6.1999, p. 5.
(3) OJ C 231, 11.8.2000, p. 5.
(4) Certification authorities are entities or legal or natural persons who issue digital certificates for electronic commerce transactions.
(5) Since the notification was filed, the following additional institutions have become equity investors in Identrus: Australia New Zealand Banking Group, Banco Santander Central Hispano, Bank of Tokyo/Mitsubishi, Banque Nationale de Paris, Caisse Nationale de Credit Agricole, CIBC WMC Inc., HSBC Financial Services Corporation, Industrial Bank of Japan, National Australia Bank, Royal Bank of Scotland, Sanwa Technology Services, Inc., Société Générale and Wells Fargo. Consequently, the number of Identrus's equity owners has already reached 21 and the share of any equity owner is below 8 %. According to the Parties' application for negative clearance, the envisaged final number of equity owners should not significantly exceed 20.
(6) COM (97) 157 final.
(7) OJ L 13, 19.1.2000, p. 12.
(8) OJ L 275, 27.10.2000, p. 39.
(9) OJ L 178, 17.7.2000, p. 1.
(10) The e-Europe initiative is a two-year action plan which aims at providing all citizens of the Community with access to Information and Communications Technology (ICT) based services and applications (see: http://europa.eu.int/information_society/eeurope/index_en.htm).
(11) Due to its structure, Identrus itself can only supervise a limited number of Participants regarding the requirements for the provision of trust services to end-users. Therefore, Identrus has a system of delegation in which Level One Participants have a monitoring role vis-a-vis Level Two Participants. Identrus itself will not issue digital certificates directly to Level Two Participants or to end-users.
(12) Level Two Participants are scheduled to pay only 50 % of Level One Participants' chartering fees and annual membership fees. In addition, chartering fees are waived with respect to Level One Participants who make equity investments in Identrus, as those investments greatly exceed the magnitude of the chartering fees.
(13) See footnote 3.
(14) See Commission Decision 1999-242-EC in Case No IV.36.237 - TPS, OJ L 90, 2.4.1999, p. 6, recital 91.