Emission allowances represent a financial value that has increased significantly in recent years. As a consequence, the emissions trading system risks becoming a magnet for fraud, money laundering or other crimes (financial or otherwise). The NEa has taken various measures to ensure the security and integrity of the CO2 registry.
Security and integrity measures
In order to gain admission to the Dutch CO2 registry, users must go through a strict know-your-customer (KYC) procedure. The NEa requests various documents and performs a risk analysis. Since 2021, an additional registration requirement applies: account holders with a voluntary trading account must be registered with the Dutch Chamber of Commerce. As a result, these account holders fall under the supervision of Dutch financial regulators, which adds an extra layer of supervision.
The NEa also monitors transactions of emission allowances to keep insight into the trade flows. This also happens with incoming or outgoing transactions from other countries. The EU Member States may share this information among themselves. The NEa always observes the strictest requirements for protecting the privacy of the users of the registry.
The NEa maintains close contacts with other regulators, such as the Dutch Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB). The NEa and these organisations exchange information about and developments in the market. In addition, the NEa can report unusual transactions to the Financial Intelligence Unit (FIU) involving emission allowances if it sees fit.
Various technical measures are put into place in the CO2 registry to ensure its security.
- Two-factor authentication – login to the CO2 registry via two-factor authentication. First, the user logs in with an email address and password. Next is the second authentication step: enter a code generated by a QR app on the user’s phone. Many actions, such as making transactions or marking accounts as trusted, are also subject to two-factor authentication.
- Trusted account list – By default, transactions can only be made to accounts that the account holder has designated as trusted and are on the trusted account list. The account holder can turn this feature off. It takes four working days for an account to be placed on the trusted account list. This delay is a security measure.
- Four-eye principle – Many actions in the registry require two users by default: one user to initiate the action and another to approve it. The account holder can choose to set this to one person.
- Transactions only between 10 AM and 4 PM – Transactions are only processed between 10 AM and 4 PM on working days, i.e. not on Saturdays and Sundays nor on public holidays.
- Delayed transactions – Some transactions are made with a delay. This prevents malicious persons from transferring allowances quickly.
In addition to technical security measures in the CO2 registry, there are measures you can take as a user to prevent attackers from accessing your accounts. You can find these measures in the ‘Security of the emissions trading registry’ data sheet.
Most important measures:
- Never log into the CO2 registry using your mobile phone. This poses a serious risk of revealing your data (your email address, password or the QR code you generate on your smartphone) to attackers.
- Set a password or PIN code to lock your mobile phone.
- Only install apps on your mobile phone that come from trusted suppliers in the official application store of your operating system.
- Make sure the computer system you want to use to log into the CO2 registry:
- always has the most recent updates of the operating system installed
- has a virus scanner installed that is always updated with the latest virus definitions and scans for viruses at least once a week
- has no illegal software installed
- If you use a Wi-Fi network, make sure it is well secured. Public Wi-Fi networks are not secure.
- Never share your password and QR codes with others, not even colleagues. The NEa will never ask you for these data.
- Do not let others watch you type in your password.
- Use your password for the CO2 registry exclusively for this system and do not re-use it for other applications or files.
- Always log off before leaving your computer and lock your system so others cannot access it during your absence.
- Never save your email address and password in your browser.
If you notice something suspicious, please contact the NEa Helpdesk as soon as possible.