In addition to identity assurance and authentication assurance, other important factors include “the reliability and quality of”: the procedures for issuing the eID means, the entity issuing the eID means and “any other body” that might be involved in applying for the issuance of the eID means. (10)
Using this framework, legislatures can then easily specify what assurance level an eID means must have for a given type of transaction. Private businesses may at their discretion require an even higher assurance level than the law may require if they decide their own business risk warrants it. The benefits of extra security, of course, must be weighed against the quality of the customer experience and the extra transaction costs for the business.
Formalising and Implementing eID Schemes: Notification and the eIDAS Network
Enabling interoperability of eID schemes of different Member States requires a method for managing and performing cross-border authentication, as well as a process for formalising eIDAS-approved eID schemes.
The process of formally approving an eID scheme is known as “notification”. Each Member State is responsible for notifying its own eID schemes, ensuring that they meet all the eIDAS security and quality requirements. (11) The process involves a peer review by other Member States, and once the eID scheme has been officially added to the eIDAS Network (see below), EU Member States will be required to recognise it “no later than 12 months after the publication to the Official Journal of the European Union”. (12)
The technical infrastructure connecting the various eID schemes and means is known as the eIDAS Network. This network is based on a series of nodes (eIDAS-Nodes), which are implemented at the Member State level. In the context of an individual transaction, each node can both request and provide cross-border authentication.
Driving eID Adoption, Facilitating Commerce
New eID schemes are gradually being developed and added to the eIDAS network. But businesses don’t have to wait for notification in order to benefit from the advantages of electronic identification, including meeting compliance requirements (at the national level), managing business risk and enhancing the customer experience.
The impact of eIDAS on commerce becomes clear when you consider the implications of a clear legal definition of eID throughout the EU. The eIDAS regulation:
- provides legislatures in Member States with a common legal framework when drafting laws governing electronic identity…
- …which in turn creates a stronger incentive for the development of eID schemes and means within each Member State, and
- provides businesses a recognised legal basis for offering their customers eID as a method for verifying their identity and authenticating themselves in a digital environment and signing documents that meet the eIDAS standard for Advanced and Qualified electronic signatures.
While the EC’s promotion of eIDAS stresses cross-border cooperation, note that electronic identification offers tremendous value even for businesses and customers within the same Member State. A good example is Sweden, one of a few Member States where electronic identification achieved wide adoption long before eIDAS.
Swedish BankID, an eID scheme and means developed by a group of large banks, was first issued in 2003. Recognised under Swedish law and widely trusted, BankID has 7.5 million regular users (73% of the population) who routinely use it to authenticate themselves online, authorise transactions and access public services.
BankID is also used for uniquely identifying the signatory when signing agreements. Although eID is not a mandatory element of a valid electronic signature, if signatories of a contract use BankID to uniquely identify themselves, the contract is considered to have been signed with an electronic signature on the advanced level, which has the equivalent legal effect of a handwritten signature in Sweden (i.e., a special legal effect). Due to the existing security infrastructure of BankID, there aren’t any types of contracts that require the use of a qualified electronic signature, which can only be obtained using an electronic signature solution fulfilling industry standards that are not technology-neutral.
Compliance and Customer Experience
To illustrate the importance of eIDAS for commerce, consider two big challenges facing today’s banking industry:
- Stricter compliance regulations
- Tighter competition
The Anti-Money Laundering Directive (AMLD) is a recent EU act affecting the banking and finance industry in particular. For example, new Know-Your-Customer (KYC) requirements now hold banks to a higher standard for identifying their customers. KYC includes verifying the identity of new customers and authenticating the identity of existing customers when accessing certain services.
At the same time, traditional banks are facing new competition from emerging players who are much better at offering the customer experience that today’s consumers expect: a digital experience, first and foremost.
The AMLD recognises multiple methods a bank can use to verify a customer’s identity, each involving trade-offs such as the time and expense to implement on the one hand versus the impact on the customer experience and brand on the other. In-person ID checks and eID are both compliant methods under the AMLD, but in terms of providing a modern customer experience, offering eID as a verification method is obviously preferable to requiring customers to pay a visit to a brick-and-mortar bank.
So what are the barriers to implementing eID? Institutional inertia and risk aversion probably top the list. Obtaining approval from internal legal counsel for new digital tools can be a formidable challenge. But not digitalising operations has risks of its own, especially in an increasingly competitive market.
One purpose of eIDAS is to help lower the barriers to digital commerce, which it does in this case by providing clear definitions and categories of electronic identification. The AMLD, in turn, refers to those definitions to specify the requirements for a compliant KYC check using eID. So a bank that wants to offer eID only needs to choose an eID means, with the required level of assurance, under a scheme that conforms to eIDAS. There’s no need to devote extensive legal and IT resources to ensure compliance.
The eIDAS regulation constitutes a major step towards the vision of a Single Digital Market in the EU, fostering and hastening digital transformation in the public and private sectors. It is key to understand that, unlike laws that mandate and restrict behaviour, eIDAS is about enablement: it sets legally recognised standards for digital commerce and public services. With an EU-wide legal framework in place, legislatures at the EU and Member State levels have a common reference for drafting laws, making it easier for private enterprises to roll out new digital tools and services.