1 Executive summary
2 Initial situation
3 The challenge
4 Objective: creation of an ID ecosystem
4.1 Strengthening digital sovereignty by means of self-sovereign identities
4.2 Key role for the financial industry
4.3 Harmonisation of the legal framework for identification processes
4.4 Interoperability between identity providers
4.5 Close cooperation between public and private sectors
5 Outlook
1 Executive summary
Digital identities have now become an integral part of our
everyday lives. Nine out of ten Germans use the internet, around 80 per
cent make online purchases[1] and two thirds of them use online banking.[2]
This trend has resulted in the need for digital identity data,
including personal log-ins, which now form part of every digital
customer journey. However, these are usually stand-alone solutions,
which means a digital identity needs to be set up for each provider. In
Germany, there is still a lack of available and widely accepted
solutions with which people can digitally identify themselves to
business partners everywhere (i.e. across various sectors). This is not
only due to the lack of interoperability among existing solutions, but
also because the identity data collected by businesses may not be used
externally. The resulting lack of widely available digital identity data
is holding back the urgent digitisation of Germany, and also of Europe.
It is, therefore, all the more important to create an ecosystem for
the use and management of digital identities that can be employed across
sectors and providers. The aim must be to enable people and, by
extension, companies and things (Internet of Things) to be seamlessly
integrated into digital value creation processes based on digital
identities. At the core of an ecosystem of this kind is the provision of
identity data that have already been confirmed by one party (e.g. a
bank) and which other business partners can rely on. The identity data
should be controlled by the respective identity subject, in keeping with
the principle of digital sovereignty and in line with data protection
legislation.
Businesses must work together with government to achieve this goal of
a flourishing ID ecosystem. It would require new and close cooperation
between the public and private sector, whose objective might even extend
to formulating standardised procedural and organisational rules (a
governance structure) as well as minimum technical standards. The
ecosystem would not compete with existing providers of identity
solutions; on the contrary, it would allow them to (further) develop
their offers and innovations in a joint environment.
However, to achieve this, the legal and regulatory requirements for
verifying identities, which are currently inconsistent, need to be
harmonised across the different economic sectors. The only way to ensure
that the new standards are widely accepted and that the market can
adapt to them quickly is for the ecosystem to allow identity data to be
used and exchanged across all sectors and for all parties. To achieve
this, there need to be equivalent requirements for the identification
processes and mutual recognition by the respective supervisory
authorities for all the regulated areas. The most effective way to
attain full harmonisation would be by creating a standardised,
cross-sector legal framework.
The ID ecosystem should be launched as a national initiative which
could then also be developed into a standardised European framework and
interoperable identity solution. European payment transactions provide a
good example of how the rules and technological standards might be
standardised. The private banks expressly welcome the German
government’s initiative launched late last year to create an open
European ecosystem of digital identities.
In order for an ecosystem of digital identities to become a reality, the
current legal framework needs to be adapted by incorporating the
following measures.
- There must be a general equivalence of requirements for
identification processes in sector-specific rules (including in
anti-money laundering and terrorist financing, in the telecommunications
sector, the public sector and for trust services). Where these rules
are based on European legislation, full harmonisation in the form of a
European regulation will be required.
- The most effective way to achieve full harmonisation would be to use
a single cross-sectoral European legal framework, which could then act
as a reference for sector-specific regulations. This would also ensure
that the scope of the data collected by those obliged to check
identities is identical, so that the data are reusable throughout the
EU.
- Furthermore, the legislator must continue to create the framework
conditions required to ensure legal certainty in the relationship
between identity verifier and issuer. This should also include taking
account of questions of legal responsibility, such as liability limits,
in order to ensure a fair balance of interests and to provide the
necessary incentive.
The upcoming revision of the eIDAS Regulation[3]
should be used to define horizontally standardised requirements in the
sense of full harmonisation at European level, thereby making the whole
cross-border verification process much easier.
© BDB - Bundesverband Deutscher Banken