(1) The Agency shall not grant a licence under this Act unless the Agency is satisfied that a security procedure related to or issued by an applicant,

(a) is uniquely linked to the user,

(b  is capable of identifying that user,

(c) is created using means that can be maintained under the sole control of that user, and

(d) will be linked to the electronic record to which it relates so that any subsequent change of the electronic record is detectable.

(2) The Agency may, prior to licensing any authentication products or services, stipulate:

(a) the technical and other requirements to be met by certificates issued by the licence holder;

(b) the requirements for issuing certificates;

(c) the requirements for certification practice statements;

(d) the responsibilities of the certification service provider;

(e) the liability of the certification service provider;

(f) the records to be kept and the manner in which and length of time for which they must be kept;

(g) requirements concerning certificate suspension and revocation procedures;

(h) requirements as to notification procedures relating to certificate suspension and revocation; and

(i) other conditions or restrictions that the Agency may consider necessary.

(3) A licence is not transferable.