COVID-19 digital payment enabler, digital identity, a catalyst for trust.
The digital revolution has become irreversible, including for payment.
The pandemic crisis has made digital technology a must-have, as much to continue our exchanges in the professional context or to maintain the link with our loved ones as in our payment processes.
In addition to the increase in the volume of local contactless payment transactions (in France from 18% in 2019 to 30% in July 2020), online purchases, originally promoted as a convenience for the consumer, have become a prerequisite for satisfying many of our essential needs (food, culture, teleworking equipment, etc.), while helping to keep afloat certain commercial activities that are in jeopardy.
Securing these remote payment paths (to be reinforced by the end of the year through strong customer authentication, as prescribed by PSD2) is becoming all the more of a challenge; the same measures will also help to secure access to the account and to prevent transfer fraud. In fact, attacks in which fraudsters combine phishing, to retrieve the login/password, with hijacking of the mobile number (by SIM swapping), to receive the SMS OTP, are becoming commonplace. Thus a person, even a forewarned one, can have their account emptied very quickly. In instant mode, transfer fraud becomes even more alarming. Following the same trend as in 2019, Great Britain recorded more than 200 million pounds sterling of fraud during the first half of 2020 in instant “push” payments, an early initiative of the Request to Pay process.
This irreversible revolution towards the digital journey and instant services also concerns the contracting of banking services, which must ensure regulatory compliance linked to digital (proof of consent for GDPR, evidential value of the signature of the contractual act) while ensuring sectoral compliance (AMLD for account opening). This framework is all the more justified given the increase in fraud and in attacks on account opening or identity theft observed this year: according to Experian’s latest report, 57% of companies report an increase in fraud losses in 2020 compared to the previous year, versus 55% in 2018 and 51% in 2017.
This issue of securing remote identification must be considered together with that of the user journey. The 100% digital, fluid and secure path to open a new payment service, to which generations Y and Z aspire, has won new converts, including out of sheer necessity during the first period of lockdown, when even postal services were severely disrupted. However, the abandonment rate at account opening (close to 60% according to the latest study by Signicat) is increasing, in particular due to the fear of data capture. In this context, the European harmonization of the AMLD legislative framework and the definition of common practices for remote identification are becoming urgent. The revision in 2021 of the AMLD Directive, potentially in the form of a regulation, could lead to the definition of common requirements. In the meantime, ANSSI has just launched a public consultation in France on a new reference framework for remote identification. Could this specification serve as a basis for future European regulations in this area?
Trust, the cement of the European digital and payments strategy.
2021 will be a pivotal year for Europe to take its digital destiny into its own hands and to set new rules that foster the economy in a single European market that protects people, businesses and European sovereignty. Europe maintains its principle of openness and respect for free competition, while ensuring a fair and trustworthy market in the face of the covetousness or stranglehold of certain American and/or Asian BigTech companies.
The announcement of the Digital Services Act and Digital Market Act follows the announcement of a draft Data Governance Act regulation. This European “new deal” would make the data portability instituted by the GDPR effective by creating an alternative model to the BigTech model by instituting the role of data sharing service provider. This trusted intermediary would then be the helper, the guardian angel and the digital advisor of the individual or legal entity, to manage their digital life. The bank, a trusted actor in the physical world, could take on this role as a new trusted third party in the digital world to offer new personalized payment services, particularly in the open vision of Open-Banking.
These cross-sector regulatory announcements complement the European payments strategy unveiled in early autumn: trust is the glue that binds consumers to their adoption of interoperable, secure and instantaneous digital payment methods. To build these digital pathways in a relationship of trust, digital identity is the keystone of the European payments strategy.
Thus, the revision in 2021 of the eIDAS Regulation, whose electronic identification component has been, until now, limited to public sector use, will be decisive in facilitating the use of digital identity in the private sector. The opening up to the private sector concerns both the use of electronic means of identification notified by States for digital journeys of private services, and the creation of new private services exclusively dedicated to strong authentication (potentially derived from an already qualified electronic means of identification) or online identification, for example for opening a bank account. Identification models could be opened up for management in compliance with the principles of minimization of the GDPR, by attributes, credentials or attestations.
The Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA) has just assigned two European experts, Ronny Khan and Stéphane Mouy, a 6-month mission to further explore the scope of possible interoperable digital identity solutions, linked to eIDAS, that can be used by the financial sector to enable KYC portability (i.e. the portability of the digital identities of persons already enrolled by a bank), while complying with GDPR and AMLD requirements. Their report should propose an operational roadmap and integrate the vision of “KYC custodians/utilities”, specialized providers of trusted data sharing services.
Is digital identity also the keystone of new European payment architectures?
The European Payments Council has just published the first version of a rulebook for a SEPA Request-to-Pay scheme, restricted to interoperability in a four-corner model. The identification of the payer is proposed by an IBAN, an alias or a proxy, and the identification of the payment beneficiary by name and IBAN. Innovative digital identity solutions, compliant with the GDPR and adapted to the anonymous RTP use case, to probative value and to the fight against fraud, could be studied to enable interoperability with new models and/or to access new functionalities (electronic invoicing, tax payment, etc.). As for strong authentication, delegation of authentication might be considered through the integration of other relevant additional data and/or metadata in RTP messages.
Both EPI and digital Euro for retail could also benefit from an integrated digital identity vision providing a seamless user experience with an end-to-end digital journey: from remote identification for enrollment, to strong authentication for the payment transaction. However, this path, in compliance with various industry regulations, will have to satisfy the need for trust with a security and privacy by design approach.
And what of the alternative future? Players are beginning to imagine new decentralized payment architectures, based on blockchain (DLT) transactions (Qonto, Nuggets, Facebook’s Fastpay), which could be associated with Self-Sovereign Identity (SSID) digital identities. The future may ultimately see smart contract transactions between one DID (a decentralized identifier in the form of a URL address), the payer, and another DID, the payment recipient.