As we know, the future eIDAS 2 regulation aims to bring digital identity closer to citizens and facilitate their day-to-day digital interactions, all under conditions of reinforced security and privacy.
The result of a long process - the first draft was presented in June 2021 after the inadequacy of the provisions on digital identity in the current eIDAS regulation was noted - it is now in the trilogue phase, the final stage in harmonizing the positions of the Council and the European Parliament on a final text, the outlines of which were announced at the end of June 2023.
At the heart of the new regulation is the digital identity wallet, which will be mandatory for member states - who will be obliged to make it available to their nationals - and which will meet a triple ambition:
- Enhanced security, as illustrated by the High level of assurance;
- Increased protection of privacy, to prevent public or private actors from monitoring and/or controlling the use of wallets by their holders; and
- Diversified use cases, reflecting the ability of wallets to combine certified public as well as private attributes in integrated digital interactions. A use case illustrating this capability could be car rental, where attributes such as driving license, address and tax residence, as well as payment, could be integrated into a single digital interaction.
We also know that, among the use cases that eIDAS 2 wallets are designed to handle, there is that of digital finance, and particularly payments. This choice should come as no surprise, given that payment wallets today meet real consumer expectations and have become an established part of the banking landscape since the arrival of X-pay solutions on the market. Indeed, it is hard to imagine a wallet with certified identity attributes, validated by public authorities and with a universal vocation, not finding applications in banking: of course, to meet the identity verification requirements of anti-money-laundering (LCB/FT) regulations - which no-one disputes - but also to authorize online or offline payments - which, however, is not a matter of consensus today, and in particular faces a reserved position from the European banking sector, but, on the other hand, a very favorable position from payment initiators (TPPs) and fintechs.
Although the final text of the eIDAS 2 regulation is not yet known, it is likely to require payment service providers to recognize eIDAS 2 wallets as strong authentication mechanisms in payment transactions, a situation likely to shake up the practice of strong authentication "by redirection" currently deployed on a massive scale by account-servicing payment service providers (ASPSPs), particularly in offline interactions. In the long term, this could lead to a major change in payment procedures, making them less dependent on ASPSPs.
And while digital identity wallets will play an important role for traditional digital payments, they will also play a significant role for central bank digital currencies, starting with the digital euro. This, in any case, is what emerges from a reading of the recent draft digital euro regulation which will require interoperability and/or integration of digital euro functionalities in eIDAS 2 wallets (see in particular articles 25 and 33 of the draft regulation).
The goals set for digital identity wallets in the current legislation are therefore ambitious, and illustrate the potential of convergence between the worlds of digital identity and payments: to secure financial transactions and combat fraud, of course, but also to transform digital uses by combining identity, status and payment attributes in unified interactions, and erasing the separation between the act of sale and the act of payment. Ultimately, digital identity wallets could become the Swiss army knives of digital interactions, offer new services to consumers and, of course, play a decisive role in payments, at the very least as payment authorization instruments, and perhaps eventually as payment initiation instruments. In this context, we believe that their greatest potential lies in relationships between private individuals and with professionals or micro-businesses.
However, while the ambition is real, there are a number of considerations that call for a certain circumspection and temper the expectations we may have of digital identity wallets:
- The first is common sense: by aiming high in terms of the security of digital interactions, privacy and the diversity of uses, we run the risk of coming up against a host of practical difficulties by limiting the scope for compromise (aiming for "highest level" rather than "good enough"). From this point of view, we remain rather perplexed by the draft validated by the European Parliament last March, which multiplies specifications and functionalities but does not address their concrete applicability, nor does it tackle the question of the economic model likely to enable mass deployment, at reasonable cost to operators, of digital identity wallets meeting such ambitious specifications. At the heart of this issue is the requirement for a High eIDAS level of assurance for digital identity wallets, which must be reconciled with smooth digital interactions for payments. As we know, this level is currently unavailable in France - an anomaly among European countries - and is proving restrictive, especially if we consider the transcription made by ANSSI in its 2021 PVID framework. In any case, let us hope that the final draft mitigates the most striking aspects of the maximalist approach adopted by the European Parliament;
- The second is linked to certain provisions of the eIDAS 2 project, whose DNA remains marked by a state conception of digital identity - which carries its own legitimacy but does not fit naturally into a digital payments ecosystem largely dominated by private-sector operators. By way of illustration, it is worth noting the requirement for any person acting in a professional capacity and as a "relying party" of a digital identity wallet to be registered with the Member States - in practice, any seller of goods or services likely to accept a digital identity wallet; registration will also be compulsory for key service providers, notably banks and financial institutions. It is hard to understand the point of such an obligation, which is not included in national digital identity schemes, can only hinder the spread of digital identity wallets in commercial flows, and has no real justification in interactions with mutual authentication;
- Finally, there is the question of method and, to put it plainly, the choice of technical specifications applicable to digital identity wallets. These choices are currently conditioned by the use cases identified as priorities, namely mobile driving licenses and online authentication/identification. Indeed, the ARF (Architecture & Reference Framework) document outlining the technical specifications for digital identity wallets highlights:
- The ISO 18013-5 specification for mobile driver's licenses and its derivatives (ISO 23220-4) based on the mdoc format, in particular for offline interactions; and
- Verifiable Credentials specifications from the World Wide Web Consortium (W3C), based on the JSON and JSON Web Tokens formats.
Admittedly, the ARF document is built by successive iterations - an approach that is certainly relevant given the complexity of the subject - which of course leaves open the prospect of the document evolving to reflect payment-related use cases, and also envisages a lighter, less restrictive configuration, whose conformity with the specifications of the draft regulation is, however, not proven. It should be noted that the initial choices of specifications for digital identity wallets did not include key payment interaction data, reflecting the lack of representation of the stakeholders concerned within the eIDAS Expert Group. It should also be noted that some of these specifications pose difficulties with regard to privacy requirements, and are too recent (or not yet adopted) to be fully evaluated and tested in payment environments. As an illustration of these difficulties, we note that the authentication of relying parties, which in our opinion is essential, at the very least for payment interactions in P2P or P2Pro mode, is not fully addressed by the specifications mentioned. Similarly, it is hard to see how irrevocability (non-repudiation) of payments is ensured with these specifications, which were not in fact designed for reciprocal interactions, and for which the establishment of an audit trail that can be presented in court is necessary. Finally, it is regrettable that the ARF has not yet taken into account the qualified electronic signature functionality, which is included in the text of the draft eIDAS 2 regulation and is particularly well-suited to payment interactions. All this raises questions about the prospects for payment use cases in digital identity wallets, particularly in situations where they offer the greatest potential, namely P2P and P2Pro interactions.
There is no doubt that the Large Scale Pilots currently underway, designed to test the functionalities of digital identity wallets in a variety of use cases, will shed useful light on these issues, and in particular the NOBID consortium's project focusing on the payment use case (see the link below for an initial presentation, which appears to focus on online use only, without mutual authentication).
https://www.youtube.com/watch?v=W32rJcJNso8
Admittedly, the text of the eIDAS 2 regulation has not yet been finalized, we are still a long way from the final version of the ARF document, and the Large Scale Pilots have not yet really been implemented. It is therefore too early to give an authoritative opinion on the prospects of digital identity wallets for payments, but the prevailing impression to date is that of a gap between, on the one hand, the great ambition carried by the eIDAS 2 and digital euro draft texts for digital identity wallets and, on the other hand, the first indications of the concrete modalities of implementation. Will this gap be closed, and if so, how? The answers are not yet known.
Note from FRANCE PAYMENTS FORUM
The position expressed by Stéphane MOUY above essentially reflects that of our association, FRANCE PAYMENTS FORUM.
We would like to emphasize several points here:
- In conjunction with the Fédération des Tiers de Confiance du Numérique (FnTC), our Electronic Signature WG has drawn up a position paper on electronic signatures in payments. In terms of priorities, we would like to see electronic signatures rapidly implemented for certain payment transactions, mainly online.
- We support the idea of using digital identities, but continue to believe that a specific Digital Identity should be developed for payments, what we call a European Payment Identity (EPI) compatible with the future eIDAS2 regulation, and managed directly by payment institutions and their organizations.
- We believe that the effectiveness of certain security devices, such as smart cards, makes a specific wallet inappropriate for certain face-to-face payment transactions, and we do not think that a digital identity can bring any short-term benefit to these payment flows. There is already a lot to be done to consolidate this technology.
- However, we are in favor of a major qualitative leap in payment security in the next 7 to 10 years, and digital identity can make a major contribution to this.
- Finally, the draft regulation on the digital euro imposes a middle way, namely compatibility with the European digital identity wallet defined by the future eIDAS2 regulation.
- France Payments Forum will draw up a position paper on digital identity, to be drafted by Stéphane Mouy.