Demystifying the payment scope related to the European Digital Identity Wallet
A wide variety of digital wallets have been introduced in recent years. They have varying degrees of functionality, ranging from making in-store payments and earning loyalty points, to entering restricted areas, logging in to online services (eID) and signing. Besides the existing digital wallets (e.g. Apple, Google), the European Commission now proposes a European Digital Identity Wallet (EDIW) that will be available to all EU citizens, but there is some debate about its relevance for payments use cases. This article sets out to demystify the EDIW’s scope in a payments context.
To enable generic functionality for EU citizens, the EDIW must contain three elements: personal identification data (PID), a qualified signature, and various electronic attestations of qualified and non-qualified attributes. These three elements enable EU citizens to use the EDIW as a means of identification or to confirm certain personal attributes for the purpose of access to public and private digital services across the EU.
Numerous intended use cases
The EDIW is aimed at supporting a large number of use cases. Examples include requesting medical certificates, reporting a change of address, opening a bank account, filing tax returns, applying for a university place (in the home country or in another Member State), storing a medical prescription that can be used anywhere in Europe, proving your age, renting a car using a digital driving licence, and checking in to a hotel.
While many of these use cases appear to be straightforward, there is some debate about the role of the EDIW in payments-related use cases. Payments were not actually mentioned as a use case in the first draft of eIDAS2.0. Since the publication of that first draft, however, the use case for payments has become a point of discussion.
Timeline of discussion about use for payments
In May 2021, the European Commission posted content related to the EDIW. It mentioned using the wallet to open a bank account as one of the use cases, although payments were not explicitly mentioned as a use case.
In November 2023, the European Commission published a press release about the final agreement on the EDIW together with a Q&A. The press release states that “the Wallet will allow users to make payments” and that large-scale pilots “have started testing the EDIW in a range of everyday use-cases, including digital payments”. In the press release, no specific definition of the payments use case is given. In the Q&A, however, it is mentioned that users will be able to use the EDIW “to authorise online transactions, in particular where strong user authentication is required”. Additionally, “initiating a payment” is mentioned as one of the examples. This Q&A suggests that authorising payments would be in scope of the EDIW.
So the European Commission claims that an EDIW contains attestations of attributes and can generate electronic signatures. But the question remains: how does the payments use case fit in?
INNOPAY’s view on the EDIW’s scope for payments
In our view, some parts of a payments flow are in scope as an EDIW use case, while other elements remain out of scope. We believe banks must accept EDIWs for the purpose of identification and authentication, both in onboarding and payments. Payments authorisation, however, remains under banks’ own control and falls outside the scope of the EDIW (see Figure 1). This means that, in line with PSD2 requirements, banks may establish contracts (bilaterally) or set up schemes (multilaterally) with issuers of EDIWs to delegate payment authorisation to the EDIW. However, setting this up at EU scale is not trivial, nor is it compulsory for banks to enter into such contracts/schemes.
Identification: the EDIW simplifies onboarding processes
Identification for the purpose of opening a bank account is one use case of the EDIW. This use case simplifies the process of onboarding customers. When opening a bank account, banks need to validate and verify a customer’s identity for ‘Know-Your-Customer’ (KYC) purposes. Use of the EDIW can significantly improve banks’ existing onboarding processes (see Figure 2). This is beneficial for banks because the onboarding and KYC process is cost-intensive. Meanwhile, EU citizens benefit because identification with the wallet is very easy compared to existing processes, especially in an online context.
Authentication: the EDIW complements login solutions offered by banks
Authentication for both login and payments is another use case of the EDIW. In fact, the European Commission specifically mentions this in the Q&A about the EDIW:
“Will users be able to use the EU Digital Identity Wallet for banking?
Yes, citizens will be able to use the EU Digital Identity Wallet for identification and authentication for payments, opening an account and other services in full security and protection of personal data. In all these cases, the wallet will not replace, but complement solutions offered by banks.”
This means that European banks need to accept the EDIW as a valid authentication means for logging in to online banking environments (see Figure 3 for a hypothetical visualisation of how this would look in practice).
As indicated by the European Commission, the EDIW will not replace the existing alternatives (such as card readers, digital identity solutions and banking apps), but will instead complement the solutions offered by banks.
Authorisation: banks do not need to accept the EDIW for payment authorisation
Authorisation is the main point of contention in most of the discussions about payments and the EDIW. At INNOPAY, we believe payment authorisation remains outside the primary scope of the EDIW. While the EDIW serves as a versatile tool for identification and authentication, it is not designed to handle the payment-specific authorisation dialogues that are currently handled by banks. This distinction is crucial, particularly considering the liability aspects tied to payment authorisation, where banks have both control and responsibility. The liability for errors in payment details or fraud remains a significant challenge, making the inclusion of payment authorisation within the EDIW’s functionalities not only complex, but also potentially a legal minefield.
Banks and others need to keep a close eye on EDIW developments
The landscape surrounding payments and the EDIW will be tinged by uncertainty for the foreseeable future. For banks and financial institutions, vigilance is key to staying ahead in this environment. As the European Commission continues to implement acts that further specify elements of the eIDAS regulation, it is crucial to stay informed. With our expertise in both digital identity and payments, INNOPAY offers guidance to help you navigate these changes effectively. Reach out to us to ensure your organisation remains prepared and responsive in the face of these critical developments.