Good to be here today. So we're going to talk about the EUDI wallet and, but not in general terms, in a more specific environment, banking and financial environment. So when it is used to authorize transactions, I think I need this little thing here just by web presentation. Both of us are consultants.
We do, we spent many years in banks. Michael has more of a technical background than me and I have more of a legal slash regulatory background. Michael's been involved in CBDC project, identity based CBDC project for the Bank of England. I did for some work for DG FISMA, the European Commission, and I was attending the eIDAS expert group from the DG FISMA perspective. So our focus is on the electronically attested attributes used in digital wallets, especially used for payments. As you know, I'm not going to bother you with a complicated wells.
One more presentation of the EUDI wallet.
You know, it's a digital Swiss army knife. You know, it can do a lot of things. There's been a lot of presentations about that. What we are going to focus is on the payment use case.
I, and, and more specifically when the user can authorize payments using their digital identity wallet, right? There are in fact several pay, pay or banking use case related to the EUDI one. One of them is the, when you onboard a new client, you present your credentials. We're not going to look at that. This is more KYC specific. We're really focusing on payments and so authorize and online and offline payments and maybe tomorrow, hold on, manage a CBDC. But that's more distant future.
It's the biggest use case of them all.
Probably if you compare, you know, how many times do you present your driving license to how many times do you use your wallet for payment? There is no comparison, right? But when digital identity meets payments, you get into the clash of the s From the regulatory side, it's eIDAS 2 meets the PSD2 and PSR payment services regulation. Just for you to know, the PSD2 is the current regulatory framework for payment in Europe and the PSR is the future regulatory framework.
It's gonna be, it will be introduced next year, and it will be more, it will go further in terms of harmonizations, it can get really complicated. So you have to be, to treat that with caution. As you know, the eIDAS 2 regulation is enacted.
Yes, but many implementing acts are yet to be produced and the future payment services regulation is not finalized. You have proposal that were made, the European Parliament is looking at that. We have a fairly good idea of where things stands. So it's still under construction and, you know, oops, sorry, the floor is pretty wet, so you have to tread carefully, huh?
Okay. There's still quite a bit of uncertainty regarding the technical implementation. We've heard that before. As you know, private sector interaction are key for EUDI wallets.
As you probably know, key service providers are required to accept EUDI wallets, right? And, and this is a reference to the, so to the, so-called Swiss Army knife concept.
You know, you, you, you'll use your wallet for a variety of purposes. Payment use case by far the largest huge ecosystem critical for EU citizens. Not only them, but you know, in the use certainly, but very, very specific. Why? Because first of all, payment interaction are very diverse. You have card schemes, you have card payments, you have a account to account transfer, you have direct debits, you have P two P interaction, payment interactions, you have point of sale interactions, you have online interaction. All of these are subject to different parameters.
And you know, you have to, it can be quite technically challenging to take the example of instant payments. This is the latest in Europe, the latest regulatory initiative.
It can be, you have to follow the, the scheme rules and it's highly regulated, right? For payments, security and fraud prevention are very important.
No doubt, no doubt. But convenience is absolutely essential. And user convenience drives user adoption. And user adoption is, can be limited when you have, if you have too many constraints and too many hurdles. And here it's interesting to relate to the, the fact that, you know, payments in general, payment regulation, banking regulations, in fact use a different approach. They use a risk-based approach for payment transaction. In other words, you know, banks are required to identify the risks and if they can see a high risk, they have to put more cons.
You know, they have to adapt their, their, their processes.
But conversely, if they can see transaction that are low risk, they don't need to go that far.
And, and one typical example is for the strong customer authentication requirements. And there is a PSD2, there is a, a clear, very clear, very important in fact, exemption for low risk transactions.
This is a, a concept that is totally foreign to the eIDAS framework. You know, the eIDAS framework, it's high and nothing else.
So it's, you know, how that field will fit together. It's still, still a little bit complicated. As you know, the NOBID and EWC large scale pilots are working on the payment case.
We're midway through the process. I think my, our impression is that NOBID's probably a little bit further ahead than EWC, but, but we, we know, we'll, we'll see.
Okay, now, EAAs and QEAAs, as you probably know, the EUDI wallet is all about storing and managing PID personal identification data and, and electronically attested attributes. This is clearly said in the regulation. I don't need to go this. What's the difference?
PID, they're effectively identity attributes issued by PID providers in compliance with a high level of assurance. And this is basically PID. They have a narrow purpose to establish the identity of a natural or legal person. Users of PID are designated by member state, and it's basically public sector entities, right? Whereas electronically attested attributes can be issued by any third party. Any party can be identity attributes, status attributes, or any other attributes.
There is no inherent limitation.
In fact, you can have exactly the same attribute that is either PID or an electronically attested attribute. Now, electronically attested attributes come into two different categories. Standard and high quality. High quality are also called qualified.
They are, in fact they are guaranteed electronic attestations. They're equivalent to paper-based attestations. They're issued by qualified trust service providers. They have access to authentic sources and subject to stringent identity requirements. And you've seen the list that is opening up a whole new perspective and whole new services for, for private sector entities, because you can see that banks could well be issuing financial and company data as, as, as either electronically attested attributes or, or qualified electronically attested attributes.
Now, payment or in the, the reference to payment, the term is not as, you know, under PSD2, the terminology is strong customer authentication. It's required for all payments, all internet, all payments above 50 euros, except in, in, in certain circumstances.
And basically in the eIDAS regulation, you have a, a very well known provision that says, well, if you're a bank and if you're in any times you're required to use strong customer authentication, the wallet user may, he's not, of course, not obliged to do that, but he may use the digital identity wallet to perform SCA, right?
That I've said that is not, how can I say it? It's not a mundane step. It is a critically important step because it has a huge legal impact. When SCA is performed, the payment is legally deemed authorized and liability shifts from the payment service provider to the payer. So it's a step that has huge consequences from a legal point of view. And because of that, you may have seen that the banking community that's asking a lot of question about how this is gonna work, how things are going to be, you know, how banks are going to be responsible when the EUDI wallet is implemented.
We don't have any firm answers on this. What what we know is that the payment services regulation will lead to an implementing act called in the jargon, the regulatory technical standards. And that act omni say that, you know, it will have to take into account the EUDI wallet, right? So Ed addressing SCA and offline interaction, we think is, is critical. And in fact, you may have seen, you probably have seen in the latest call for proposal that the European Commission is asking for effectively proposals answers to that specific topic.
The challenge remains quite significant, right?
When you're talking about payments, you have to have integrity of payment messages. Why that? Because there's legal availability of the payment.
You know, you can't say I'm authorizing a payment and no, no, no, no, no, I'm sorry, I'm, I'm withdrawing my, my authorization. So we believe that e-signature for that purpose is a solution. You need to have an audit trail that is robust, that is able to confirm who did what when. And we believe that you need to have an offline connectivity for two reason. One is because it is absolutely, we think it is essential for POS interaction. I don't think you would have the same quality of POS interaction. And this is already the way digital payment wallets work in, in, in, in payments.
And also going further, you know, once the digital euro comes into place, which is likely, you will have to have offline connectivity to emulate cash. Identity plays an increasing role in payment.
Digital interactions combine identity and payment attributes. This is the, clearly the trend that we are seeing. The AML/CFT requirements for payments are converging and LoA substantial. And you have also the, so-called verification of payee imposed. So you have an identity verification check in payment interactions. And we believe that you can, oops, you can do that.
Now there's of course a big debate. You know, how much identity is useful to secure payment, no doubt. And the digital identity wallet can certainly help with that. But so real identity must be disclosable. But at the same time, you have a, a very significant privacy constraint and privacy requirement. That payment interaction should protect privacy and prevent usage tracking.
In fact, that is very much specified in the, in the EUDI regulation. So how can digital euro payments be anonymous? You probably have heard of the debate for the, for the digital euro. There is no answer today. The where is this leaving us? Three primary conclusions, strong user authentication of the EUDI wallet is a critical functionality for payments, it's not yet fully specified by the ARF, not yet reflected in the, in the PSR, what format will be used. We have a view, but you may have a different view.
Well, will it work offline? I think that's a very big question.
Second conclusion is that banks are obvious, obvious candidates for QEAAs.
I mean, think about it. Banks could issue electronically attested IBANs, right? Once you have your electronically attested IBAN into your digital identity wallet and you make a payment with that electronically attested IBAN, you have automated verification of payee and you have, and you can simplify the payment. You can forget about redirection for strong customer authentication.
So, and beyond that payment credential banks could issue financial good financial standing attestations. We've, there was some reference of that yesterday in one of the, in one of the meetings and presentations. Will they seize the opportunity? That's a big question mark, to be honest, not, not a clear answer on that one. And smoothly integrating the strong user authentication, strong customer authentication ceremony into one single process. It's going to be a challenge, but will we'll push key to adoption. So we are doing some work on this. It's far too early to tell how things will turn out.
And now we are turning to a more practical illustration of what can be done with QEAAs for payments. So I turned the, I've already spent too much time, Michael, I'm afraid.
Okay, well I can be quick. And is it the green?
Yeah, there you go. So we've heard over the last few days a number of speakers making the link between payments and identity and also the potential of combining payments and identity into a single procedure, a single fingerprint, touch, Face ID, whatever, authorizing a payment.
I think, for example, Marie from Visa yesterday talked about a use case, which should involve buying a knife. And you need to present proof of age at the time you're making the purchase. Otherwise the, the seller can't sell you the knife. So that's one example and that's obviously a key capability of, of the European digital identity wallet.
Now, two years ago, last time Stefan and I were at this conference, we gave a similar presentation to this and they gave a little demo and I've recognized a few people in the audience and we gave a demo of combining payments and identity.
And I'm going to give you the same one but updated. But before I do that, we're going to add something into the mix that Stefan's already referred to, which is not just combining payments and identity, but combining identity within the payment.
So here the creditor, the debtor, their accounts cards are all represented with QEAA and that gives you a number of benefits. One, privacy, you no longer need to put the person's actual IBAN in the payment message, which obviously is a constant, is trackable, profilable too. And then the second is, by cryptographically binding the name of the account holder and their account, what you have is an offline verifiable verification of payee or confirmation of payee as it's also named. And whereas today they make the, you're making an online call to the payer's bank.
It's pay bank to say, does this name match the account?
Now you don't need to make an online call because you've got a cryptographic attestation to say this is the name associated to the account. So I'm gonna click the next button. I don't know if this just starts up, but this is just a quick little demo. So I'm going to put in an amount to start with. Well no website by the way, as obviously now I'm going to ask for proof of age and loyalty. Membership proof of age is required, loyalty is optional.
So it's just a QR scan to establish secure communication between the website and the wallet. It displays the amount, the payee, they agree to share the loyalty membership, they select an account, they authorize it. And then when they refreshing on the left hand side, you'll see there's four attributes come back. There's the loyalty, membership, proof of age, but also you've got the, the name of the party name, the name of the account holder, and their payment means, which doesn't have the actual IBAN in it, it's just a token.
And then on the other side, so on the payer's wallet side, they also have a copy of the payment and they can see the creditor details. They've got the creditor attestation.
And again, you can see the details of the IT attestation, which is in here somewhere. Oh, you stop. You stop. We've basically finished. So
We've got the next speaker just to be fair. Thank you so much guys. Sorry we haven't got time for questions, but thanks for the presentation. Big round applause. Thank you.