From authentication to authorisation: Ensuring a successful implementation of EU digital identity wallets

12 min read|Published November 19, 2024
With the adoption of the European Digital Identity Regulation (eIDAS 2.0), we now have a clear timetable for when governments in the European Union must make digital identity wallets (EUDIW) available for their citizens and businesses to identify and authenticate themselves. Tink delves into the payment impact of this game-changing regulation, particularly how it can improve the account-to-account (A2A) payment user experience, and considers the few remaining issues that should be addressed to secure its full potential.

TL;DR – Quick summary
  • EU governments must offer certified digital identity wallets by November 2026, providing a trusted digital repository for personal documents.

  • Interoperable digital identity wallets will improve payment authentication, reducing authentication times and increasing conversion rates at the checkout.

  • Important dates include November 2024 for initial requirements, November 2026 for wallet availability, and November 2027 for business acceptance.

eIDAS 2.0 is certainly up there amongst the most exciting new regulations in EU finance, and later this week the European Commission will lay out its first set of requirements that member states must follow. Then, by November 2026, EU governments will have to offer at least one certified digital identity wallet to citizens and businesses. This will provide users with a trusted single digital repository to store and access all of their personal documents, allowing them to digitally identify and authenticate themselves across a range of varied use cases. This will pave the way for better and more seamless digital engagements across a variety of industries and sectors.

The days of needing to find a passport and two utility bills to open a bank account, take out a loan, or rent a home, could be behind us – no matter where in the EU the services are being accessed (although when opening a bank account in another EU country, much will depend on the forthcoming harmonisation of anti-money laundering regulations).

Users might also never have to click ‘forgot my password’ again, as EU citizens will benefit from the ease of single sign-on that helps users manage their growing multitude of digital accounts. This all comes with the peace of mind supported by the data limitation principle, meaning users only need to share the personal details that are necessary for the task.

At Tink, we are particularly excited about how EU digital identity wallets could help improve the way we pay. Our experience of initiating payments across 19 European countries shows us that the best-in-class Strong Customer Authentication (SCA) journeys occur in markets where digital identity services are already widely available. In Sweden, which has benefited from BankID since 2003, a typical authentication flow is a simple two-step process that takes between 10 and 30 seconds. By contrast, authentication takes more than 30 seconds to complete in most other EU markets, and in the worst-case examples it results in a 14-step process of going back and forth between the online banking website and mobile banking app.

Through the introduction of interoperable, Government-issued digital identity wallets, fast and reliable two-step payment authentication processes could be levelled up across the region. There are also plenty of reasons why merchants should be excited at this prospect. Tink data shows that conversion rates at the merchant online checkout page are significantly higher where digital identity is present in the authentication flow compared to markets where it is not. This is mainly due to the integration of digital identity into convenient authentication flows (i.e., better user experience and shorter authentication times), meaning payers are less likely to abandon their transactions. Tink data shows that these types of integrated transactions show payer abandonment rates of less than 5%.

A clear road ahead, almost…  

Following the adoption of the eIDAS 2.0 regulation into EU law earlier this year, we now have a full itinerary for how and when the new digital identity wallets will come into existence. The three key dates to mark in your calendar are: 

  • 21 November 2024: the European Commission will lay out its first set of requirements which governments issuing digital identity wallets will have to follow, as well as how this will fit with other regulation. 

  • 21 November 2026: the deadline by which all EU governments need to make at least one certified digital identity wallet option available to citizens and businesses. They have a range of implementation options available to them to achieve this – build a wallet themselves, outsource the build or certify a third-party provider.  

  • 21 November 2027: businesses must be able to accept the digital wallet if they require customers to identify or authenticate themselves (subject to some exemptions). 

“The requirement on businesses to accept an EU digital identity wallet from November 2027 will be key to its success as it will ensure full reach and a common expectation for users across the region,” said Tink’s Head of Industry & Wallets, Jan van Vonno.  
 
“However, we observe some concern that citizens may be hesitant to adopt these new government solutions, which risks making this regulatory initiative feel like a wasted effort. We understand these worries but think they are not warranted. The ability to identify no matter where you are in the region is a truly compelling proposition that should ensure wide adoption among consumers. Besides, it will be available to people for free.” 

And yet, there are still issues to resolve. From a payment perspective, Tink has identified three potential stumbling blocks that will need to be addressed to ensure the successful implementation of EU digital identity wallets – authentication, liability, and authorisation. Let’s go through each one...  

Authentication 

Starting with probably the easiest to solve. For EU digital identity wallets to be used for payments they will need to support SCA, which is defined in another piece of European regulation – the second Payment Services Directive (PSD2). However, eIDAS 2.0 refers instead to Strong User Authentication (SUA) which aligns conceptually with the PSD2 language but is not explicitly linked. It seems like a small issue, but this is the kind of thing payment provider compliance teams worry about. 

Given the additional types of use cases that digital identity wallets will support, it is reasonable that ‘customer’ was widened to the more general ‘user’. The European Commission has already declared that SCA is ‘virtually identical’ to SUA. Nevertheless, it is a small, yet crucial, inconsistency that will need to be ironed out, mainly because under PSD2 the payment service provider (PSP) is the party responsible for enforcing authentication. Assuming Account Servicing Payment Service Providers (ASPSPs, such as banks) will be obliged to allow the new digital identity wallets to be used as an option for carrying out payment authentication, the question is whether this will require outsourcing contracts, since there are currently no exemptions for certified EUDIW providers.

This too will likely be resolved through an amendment of the Regulatory Technical Standards (RTS) for SCA, when reviewed as part of a wider PSD2 update. The issue is timing. It is unlikely that the RTS will be updated before mid-2026, which means the payments industry will need to start working towards integrating digital identity and payment authentication without having full legal certainty on what exactly their obligations are. 

Liability 

A major question that needs to be clarified is what liability regime would apply when a payment is authenticated with a digital identity wallet – PSD2 or eIDAS 2.0? Under PSD2, a payment service provider is liable to refund the payer whenever an unauthorised or incorrect payment occurs. Yet according to eIDAS, it is ultimately the EU Member State who is liable for any damage caused intentionally or negligently due to a failure to comply with its obligations.

With obligations on PSPs to accept the wallet if a payer wants to authenticate themselves this way, the implications are potentially huge. Could this mean, for example, that a Member State will be liable in a scenario when a digital identity wallet is used to authenticate a payer for a transaction that is unauthorised or incorrect?

In short, we think the answer is no. 

The European Commission has clarified that eIDAS 2.0 will not override the liability regimes already in place for specific sectors, through other EU regulations. Instead, we expect that, once finalised, the updated PSD2 will include additional details concerning the governance and the relationship between PSPs and technical service providers (TSPs). This is important because it could help avoid situations where the digital identity wallet provider is liable for fraud. 

However, there are residual challenges with this approach since TSPs performing Strong Customer Authentication are subject to outsourcing arrangements and audit rights. To achieve pan-European scale, the Regulatory Technical Standards will need to address this to ensure PSPs can accept different digital identity wallets provided by different EU Member States – and not be put off by all the contract paperwork.   

Authorisation 

Lastly, eIDAS 2.0 is clear that citizens should be able to authenticate themselves for the initiation of payments using an EU digital identity wallet, but it is not clear where it stands on payment authorisation. 

From a payer’s perspective, authenticating and authorising payments are often performed within a single step – like tapping a PIN into a card reader. However, technically speaking they represent two separate and important processes in a payment transaction flow. Authorising payments is scrutinised under PSD2, which specifies that the procedure for a wallet to be able to capture ‘payment authorisation’ shall be agreed between the payer and the relevant payment service provider. That said, PSD2 clarifies that payment authorisation can be captured via a payee and a Payment Initiation Service Provider (PISP) which may unlock payment use cases for the EUDIW. 

There are also potentially different interpretations of the difference between digital wallet authentication and authorisation during a remote (i.e. online) payment. This is another area that we expect to be formally clarified through updated technical standards. Potentially the eIDAS Implementation Acts and the Architecture and Reference Framework (ARF) could also provide some clarifications, but more alignment may be needed across the European Commission to clarify roles and responsibilities. 

Addressing concerns 

All three areas of uncertainty with the EU digital identity wallet act as potential roadblocks to the payments industry working towards integrated payment authentication and initiation flows – preventing it from reaching its full potential.

To address these challenges, and to support industry implementation, the European Commission is undertaking multi-year large scale pilots to further investigate how the EUDIW can be seamlessly integrated into a range of payment journeys with partners from the industry. 

Through the European Digital Identity Wallet Consortium (EWC) both Tink and Visa are helping build government knowledge about what is technically possible for the EUDIW, and how they can be seamlessly integrated into existing industry standards to deliver the best payer experience. We hope that through this work, and through the joint public-private sector approach, we can deliver good outcomes for citizens, businesses, Governments and payment users – including, in time, the clarification of the regulatory questions outlined above.

Continue to follow us for further updates and thought leadership on the progression of EU digital identity and payment. For additional reading in the meantime, see our blog on how the EU digital identity wallet could change the way we pay.
