Identification and authentication is one of the biggest issues of electronic transactions, especially when it comes to financial transactions. How do we know who is asking for information, payments, or access to critical data is entitled to do so? How can we trust that a provider requesting something from us is the one who claims to be? Apart from specific regulatory and demanding security requirements that can be fulfilled by good actors, the explosion of false claims and digital fraud has a big impact on consumer trust.
With the eIDAS 2.0 regulation we have entered into the digital wallets era, where every interaction aims to happen through the magic application that stores our credentials and gets us access to a variety of services at a fingertip distance. All secured, privacy-preserving, and instantly.
The European Digital Identity Wallet has the potential to solve the customer identity verification ancient problem. But what about verifying the identity of the bank, merchant, or all third-party providers dealing with financial services? A trusted relationship is instated between the two parties: consumer and provider. Financial service providers want to identify a customer, but the customer wants to identify the provider as well before sharing any sensitive data.
While policymakers and technical experts are struggling to finalise eIDAS 2.0, develop standards, and deploy solutions on the market, we should not lose our focus on customer experience. How can we display in a very simple and comprehensive way the following:
-
Is the TPP the actual genuine organisation that it purports to be?
-
Is the TPP registered and allowed to ask for the information they are asking for?
-
Is the data they are asking for being requested legitimately?
Here is the solution to meet customers’ needs, not only business requirements: with the new trust service defined by eIDAS 2.0 – Electronic Attestation of Attributes – all these questions are solved. Each TPP can have a Qualified Electronic Attestation of Attributes assuring the highest level of trust, and the consumer could have a simple traffic light risk check:
-
Green: TPP is known, registered, and allowed to ask for payment information.
-
Amber: TPP is known, registered but asks for more information than necessary; proceed with caution.
-
Red: TPP is known for being fraudulent; do not proceed.
The problem of the PSD2 providers authentication has been addressed already under the eIDAS regulation. The European Telecommunication Standards Institute published a Technical Specification ETSI TS 119495 defining Certificate Profiles and TSP Policy Requirements for Open Banking, used globally.
What a Qualified Electronic Attestation of Attributes brings new is: flexibility in defining several levels of categories (not all TPPs requires the same set of information from customers), the possibility to define proof request templates that would be commonly used across many TPPs, and last but not least how it would help customers to recognise in a very user-friendly and secure way who they can trust.
What is a Qualified Electronic Attestation of Attributes and who can provide it?
Electronic Attestation of Attributes (EAA) is an attestation in electronic form that allows the authentication of attributes. Qualified EAA is an electronic attestation of attributes which is issued by a Qualified Trust Services Provider, operating under eIDAS 2.0 governance, and supervised by a public authority. This specific type of attributes has the legal effect cross-border and relies on authentic sources usually held under the responsibility of a public sector body.
Is this the silver bullet that can solve the strong customer authentication and secure communications required by PSD2, built around the customer’s needs? We’ll see by 2025 when the eIDAS 2.0 will enter into force and we will have the first providers able to issue such credentials.
More information about eIDAS 2.0 Regulation and its status can be found here.
This editorial piece was first published in the Open Finance Report 2023. We encourage you to download the report and find out the latest trends and developments in the world of Open Banking and Open Finance, as the road to Open Data continues.
About Viky Manaila
Viky is an international expert in the field of electronic signatures, digital identity, and digital transformation processes. She has been contributing to the impact assessment for the revision of the eIDAS Regulation in support of the European Commission, to establish a legislative framework for a secure, widely usable, and interoperable Digital Identity for the Digital Single Market – eIDAS 2.0.
About Intesi Group
An Italian private company, Qualified Trust Service Provider according to eIDAS Regulation, Intesi Group has more than 20 years of experience in cryptography, technology development, and trust services provisioning, serving customers from the highest regulated industries such as financial, biopharmaceutical, and healthcare.
