Log in Get Started
Docs Privacy Policy Terms of Service Contact Imprint
Language: English Deutsch

VEU - Distributed Signatures

Multi-signer authorization workflows for EBICS payments.

VEU (Verteilte Elektronische Unterschrift) enables multi-signer authorization workflows. When an order requires multiple signatures, it enters the VEU queue at the bank where authorized signers can review and sign.

How VEU Works

┌──────────────────────────────────────────────────────────────────────────────┐
│                              VEU WORKFLOW                                    │
├──────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  1. User A uploads payment (Signature Class A)                               │
│     └─→ Order enters VEU queue at bank                                       │
│                                                                              │
│  2. User B fetches VEU overview (HVU/HVZ)                                    │
│     └─→ Sees pending order requiring signature                               │
│                                                                              │
│  3. User B reviews order details (HVD)                                       │
│     └─→ Verifies amount, recipient, purpose                                  │
│                                                                              │
│  4. User B signs order (HVE)                                                 │
│     └─→ Adds second signature                                                │
│                                                                              │
│  5. Bank executes order                                                      │
│     └─→ All required signatures collected                                    │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

Signature Classes

The signature class determines authorization requirements:

Class German English Can Execute Alone?
E Einzelzeichnung Single Signature Yes
A Erstzeichnung First Signature No - needs A or B
B Zweitzeichnung Second Signature No - needs A
T Transportunterschrift Transport Only No - upload only

Valid Signature Combinations

First Signer Second Signer Result
E - Executed
A A Executed
A B Executed
B A Executed
T - Stays in VEU

H006 Complementary Signatures

EBICS 3.0.2 (H006) introduces Complementary Signatures (CR-EB-22-05), which extends the traditional signature class model. This feature, originally developed for Austrian banks, allows:

  • Bank-defined signature groups beyond the standard E/A/B/T classes
  • Amount-based authorization levels (e.g., higher amounts require more signers)
  • Role-based signing hierarchies (e.g., department head + finance officer)
  • Complex multi-level approval workflows
┌──────────────────────────────────────────────────────────────────────────────┐
│                    COMPLEMENTARY SIGNATURE EXAMPLE                           │
├──────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  Scenario: Corporate Treasury with Amount-Based Authorization                │
│                                                                              │
│  Amount Range          │ Required Signatures                                 │
│  ──────────────────────┼─────────────────────────────────────────────────────│
│  Up to €10,000         │ Any single authorized signer                        │
│  €10,000 - €50,000     │ Two signers from Authorization Group 1              │
│  €50,000 - €250,000    │ One Group 1 + One Group 2 signer                    │
│  Over €250,000         │ CFO approval + Two Group 1 signers                  │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

Note: Complementary Signatures require H006 protocol version and bank support. Check the HTD response for available signature configurations.

VEU Order Types

HVU - Get VEU Overview (Unsigned)

Retrieves a list of pending orders without cryptographic verification. The response includes order IDs, types, amounts, and signature status for all orders awaiting signatures.

HVZ - Get VEU Overview (Signed)

Same as HVU but the response is signed by the bank, providing cryptographic verification that the data has not been tampered with.

HVD - Get Order Details

Retrieves detailed information about a specific VEU order, including the original order data, its SHA-256 hash, and information about existing signatures.

HVT - Get Transaction Details

Retrieves the complete order data for review. This allows signers to examine the full payment details before adding their signature.

HVE - Add Signature

Adds your electronic signature to a pending VEU order. The signature is applied to the order data hash, ensuring you are signing exactly what you reviewed.

HVS - Cancel Order

Cancels a pending VEU order. This is only possible if you have the appropriate permissions and the order has not yet been fully signed.

VEU Workflow Example

Scenario: Dual Authorization Payment

Setup:

  • Alice: Signature Class A (First Signer)
  • Bob: Signature Class B (Second Signer)
  • Payment: EUR 50,000 to Supplier

Step 1: Alice uploads payment

Alice uploads the payment file using BTU. Because she has Signature Class A (which requires a co-signature), the order enters the VEU queue at the bank instead of being executed immediately.

Step 2: Bob checks VEU queue

Bob uses HVZ to fetch the list of pending orders. He sees Alice's payment waiting for a second signature:

  • Order ID: A001
  • Amount: EUR 50,000
  • Signatures Required: 2
  • Signatures Collected: 1

Step 3: Bob reviews details

Bob uses HVD and HVT to retrieve the full order details. He verifies:

  • Recipient: Supplier GmbH
  • Amount: EUR 50,000
  • Purpose: Invoice #12345

Step 4: Bob signs

Bob uses HVE to add his signature to the order. With both signatures now collected, the bank executes the payment.

VEU Status Tracking

Status Description
PENDING_SIGNATURES Waiting for more signatures
FULLY_SIGNED All signatures collected
EXECUTED Bank processed the order
CANCELLED Order was cancelled
EXPIRED Order expired before completion

Security Considerations

  1. Verify Order Data Hash - Always compare the hash before signing
  2. Review Full Details - Don't sign without reviewing HVD/HVT data
  3. Check Expiration - VEU orders have time limits
  4. Audit Trail - All signatures are logged with timestamps

Best Practices

For Organizations

  • Implement separation of duties (different people for A and B)
  • Set up notifications for pending VEU orders
  • Define escalation procedures for urgent payments
  • Regular VEU queue monitoring

For Developers

  • Cache VEU overview to reduce bank requests
  • Implement automatic refresh intervals
  • Show clear signature status indicators
  • Provide order comparison tools

Error Handling

Error Cause Solution
EBICS_ORDERID_UNKNOWN Order not found Refresh VEU list
EBICS_ORDERID_ALREADY_FINAL Already executed/cancelled No action needed
EBICS_DUPLICATE_SIGNATURE Already signed by this user Skip signing
EBICS_DISTRIBUTED_SIGNATURE_AUTHORISATION_FAILED No VEU permission Check user permissions

Next Steps