Eldo Devole
6 months after the publication of the Commission’s proposal, the debate continues about what eID is. How can it be used? What business case could be behind it and what will this eID wallet look like? Who will offer such a wallet and above all, with what added value?
What is clear, however, is that the EU-ID wallets are coming and that they will include attributes in addition to the identity.
Different players are currently analyzing whether they should become wallet providers. For this, the technical requirements for security are very demanding. The discussions about offline capabilities, self-sovereignty and identities, etc. are very important, but from my modest perspective, not of primary importance for banks.
Regardless of who or how many “make the running”, or which schemes will establish themselves, it will be important to clarify which use cases a company (e.g., a financial institution) provides in order to make them usable in a scheme.
The main question, therefore, is not what the tracks that will enable a European eID solution will look like, but which vehicles will run on them, and with what added value for the consumer.
The first step could be to find a clear definition of eID. The BSI defines eID as follows: “The electronic proof of identity (short eID), is a proof, which can reliably prove the identity of a person in the digital world by means of a data chip.” (BSI) [1] This description is very precise, but at the same time, from our point of view, it only represents the basis of the eID.
The added value is the unique identification online. This at least clarifies with what someone identifies themselves. The question of “how” is currently being pursued by a large number of companies. We now want to address the question of why the customer would want this and with what added value.
eID represents more than just the data on the ID card. For different use cases, a user needs different data. Essentially, the data on the ID card is just the basis and anchor point for a variety of identity components (attributes), such as: doctor, student, employee, vehicle owner, retiree, etc.
The diversity and combination of this data, as well as the certainty that it is real data, is in our eyes the real value-added promise of the eID. We want to call this promise “Relevant ID”. It is not primarily important whether it is the eID of a natural or legal person or even of an object/machine.
- Relevant eID is the totality of verifiable data for an electronically achievable business success between two or more traders.
So, the questions that should be asked are the following:
- What data do I need that will help me offer better/new products and services by aggregating it with my own data?
- For which data sets can I act as a verification agent in such a scheme?
- What data aggregations and processes can I offer to other participants via an eID scheme?
These questions include a variety of follow-up questions that are directly related to the degree of digitization of the processes and the scope for action in the processing and aggregation of data.
- What does my data infrastructure look like?
- Which touchpoints do I have that generate or output data?
- Which digitalization projects are being implemented at my company? Is the topic of eID considered in these projects?
“Relevant identity” thus describes an aggregation of data that is necessary to achieve business success. This point includes three elements:
- Privacy by Default
- Added value
- User Experience
It addresses three essential elements at the same time, which seem to be diametrically opposed to each other: the need of the service providers for data, as well as the fundamental right of the consumer to privacy. In our opinion, privacy by default should be an essential part of the offer to end customers and could essentially be addressed by the introduction of a “relevant ID”.
In our view, banks are in a promising position when it comes to eID. They enjoy the trust of the customers, have performed extensive identification of the customers according to the Prevention of the Money Laundering Act, and know the pitfalls of transactional business in an omnichannel world. Banks should focus on leveraging these strengths while offering added value.
Furthermore, we believe it is important to give B2B use cases a higher priority in the discussion than the ones in the B2C context, which was mentioned above and used as an example. The added values of verifiable attributes such as the power of representation are of equal or greater interest.
The following could serve as an example of a use case for eID.
- How does a bank employee identify himself to a customer online?
- How does an employee with power of representation identify himself to a service provider?
The eID use cases do not go in only one direction, such as an end customer identifying himself to the company, but represent bidirectional data transactions that involve more than just the data on the ID card. So, the attribute that is most important in the use case is the employment relationship of the caller and their responsibility.
Banks can prepare strategically and technically for the introduction of eID schemes and set the course to be ready for this change. In doing so, they should focus on their customers and use cases and not just on the classic identification case and the technical infrastructure that enables this identification.
The question of acceptance and diffusion of eID solutions (independent of the scheme) is decided with the actual value proposition to the end customer. From our point of view, the focus should be on creating this.