Digital Identity in Germany – market status, trends, and regulations that you need to consider
This blog discusses the current market status and trends in Germany, with a focus on the status of digital identity adoption, usage, and regulations that need to be considered when entering the market.
What is an electronic identity (eID)?
If you live or work in the Nordics, you should be very familiar with using eIDs: 90% of the population has an eID and uses it on average four times per week.
An eID could be said to be the digital equivalent of your physical identity document, like a passport or a driver’s license. You can use the same passport for travelling to any country, as well as for proving who you are in any context. An eID does the same thing, but digitally, within one’s country.
An eID is issued by trusted entities, typically banks or governments. To get an eID, you will identify yourself using various means, often including a face-to-face meeting, which may be outsourced to the postal service.
An eID is used for the following purposes:
- Onboarding. It simplifies the process of onboarding to new digital services, as your identity has already been verified.
- Authentication. When logging back into your existing services, you use the same login information (username and password, plus a second factor such as a PIN code) for many different services.
- Electronic signatures. Signing contracts and legally-binding agreements.
- Attribute verification. Where you prove only some part of your identity, for example that you are over a given age.
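The last purpose in the list, attribute verification, is the one that is easiest to get wrong in practice: a service that only needs to know "over 18" should not receive the full identity record. The following is an added example, not code from the original post or from any of the schemes it describes, of a minimal selective-disclosure credential: a hypothetical issuer (a bank) commits to every attribute with a salted hash and signs the list of commitments; the holder reveals only the attribute a verifier asks for; the verifier checks the signature and the commitment without ever seeing the other attributes. The issuer name, the attribute names and the HMAC key are all constructed; the shared HMAC key stands in for a public-key signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. In a real scheme the issuer signs with a private key and
# the verifier checks with the matching public key; a shared HMAC key stands in
# for that here so the example needs only the standard library (an assumption).
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"


def _commit(name, value, salt):
    """Salted hash of one attribute. Without the salt, a verifier could
    brute-force low-entropy values (birth dates, yes/no flags) from the hash."""
    data = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def issue_credential(attributes, key=ISSUER_KEY):
    """Issuer side (a hypothetical bank): commit to every attribute and sign the
    sorted list of commitments. The holder keeps the salts and clear values."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    commitments = sorted(_commit(n, v, salts[n]) for n, v in attributes.items())
    payload = json.dumps({"issuer": "example-bank", "commitments": commitments},
                         sort_keys=True)
    signature = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    credential = {"payload": payload, "signature": signature}
    holder_secrets = {"attributes": dict(attributes), "salts": salts}
    return credential, holder_secrets


def present(credential, holder_secrets, disclose):
    """Holder side: reveal only the named attributes (salt plus clear value)."""
    disclosed = {n: [holder_secrets["salts"][n], holder_secrets["attributes"][n]]
                 for n in disclose}
    return {"credential": credential, "disclosed": disclosed}


def verify_presentation(presentation, required, key=ISSUER_KEY):
    """Verifier side: check the issuer signature, then that every required
    attribute was disclosed, is covered by a signed commitment, and has the
    expected value. Undisclosed attributes are never seen. Returns (ok, reason)."""
    cred = presentation["credential"]
    expected = hmac.new(key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return False, "bad signature"
    commitments = set(json.loads(cred["payload"])["commitments"])
    for name, want in required.items():
        if name not in presentation["disclosed"]:
            return False, f"attribute {name} not disclosed"
        salt, value = presentation["disclosed"][name]
        if _commit(name, value, salt) not in commitments:
            return False, f"attribute {name} not covered by the credential"
        if value != want:
            return False, f"attribute {name} has value {value!r}, expected {want!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed identity record; only "age_over_18" is disclosed to the verifier.
    cred, holder = issue_credential({"name": "Erika Mustermann",
                                     "date_of_birth": "1990-01-01",
                                     "age_over_18": True})
    proof = present(cred, holder, ["age_over_18"])
    print(verify_presentation(proof, {"age_over_18": True}))
```

Two points worth noticing: the verifier only ever handles the one disclosed attribute, so the data-minimisation requirement of the GDPR discussed later in the post is met by construction rather than by policy; and because every attribute is salted individually, a holder cannot substitute a different value for a committed attribute, which is what makes the "over 18" claim trustworthy to the relying service.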
Market status in Germany
Neuer Personalausweis (nPA) was introduced in Germany in November 2010. It is a physical identity card, but it also carries an electronic identity function. Initially, people had to activate the digital part to use it, which very few did. But even now that the digital identity on the card is activated by default, there is very little usage, and most people do not even know this possibility exists. There are several reasons for this:
- In the initial implementation, the user had to buy a card reader, and then get it working on their computer. This also meant that the card did not work with a phone or a tablet. This has since changed, and it now works on both iPhone and Android phones.
- There are very few services where you can use it, which is the classic chicken-and-egg problem of digital identity. It does not help that the digital identity solution is very secure and reliable when there are no services to use it with, unlike Norway, where one can use an eID even to book a tanning salon appointment.
If we look at the Nordics, the usage of eID is very successful. With a population of around 26 million, the penetration is around 90%, and on average, people use this four times per week. So why is Germany, and other countries outside the Nordics so far behind on eID usage?
This is a complex question to answer, and the answer is a combination of factors.
The German population seems to be much more privacy-aware than the Nordic populations, and much more reluctant to share information online or use online services. Combined with lower trust, both between people and towards public institutions, this makes establishing eID much more complicated. All of this makes it more difficult to provide online services, especially banking services, which are required to collect a lot of personal information under the Anti-Money Laundering (AML) directive.
Another barrier to eID adoption is that German organizations have arguably been slower with digitization compared to other European countries. For banks, the main differentiator used to be the number of branches, and they had difficulties in seeing the value of digital. We still see the same thing, with for example the slow adoption of Apple Pay in Germany.
From an organizational point of view, there is skepticism towards cloud solutions, one reason being concerns over who has access to the information. And rightfully so: for one, Germany has a history of surveillance by the political system up to the middle of the 20th century, and there is also the uncovered surveillance by organizations in the US. Consequently, cloud solutions are taking off more slowly in Germany than in the Nordics.
Another interesting challenge in Germany is the Chaos Computer Club. Although it has an important role in pointing out vulnerabilities, it may be overstepping by always attacking new services, such as the most recent COVID-19 tracking app (PEEP-something) endorsed by Angela Merkel’s government, and always making them look bad, even for the most minor issues. It is also strange that they do not do the same with social media.
There are many regulations in place, especially in the financial sector. The purpose of the regulations is to protect individuals and society. GDPR (General Data Protection Regulation / DSGVO, Datenschutz-Grundverordnung) should be familiar to most of us by now; it regulates how organizations are allowed to collect, store and use personal information about individuals.
Less known to the general population is the AMLD (Anti-Money Laundering Directive / GwG, Geldwäschegesetz), which is in place to prevent money laundering (it is important to remember that the AMLD also serves to prevent terrorism and slavery, among other things). Because of the AMLD, financial institutions must know the identity of their customers, as well as monitor their behavior for suspicious activity, for example transferring large amounts of money to certain countries.
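To make the monitoring obligation concrete, here is an added example (not from the original post, and not any institution's real rule set) of the kind of behavioral check an AML programme runs over a customer's transactions. It goes slightly beyond the single case mentioned above: besides flagging any one transfer at or above a threshold, it aggregates transfers to high-risk countries over a rolling seven-day window, so a customer who splits a large amount into several smaller transfers still surfaces. The thresholds, the high-risk country codes and the sample transactions are all constructed for the example; real programmes use regulator-defined lists and far richer rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder country codes and thresholds; a real list comes from
# the supervisor and the institution's risk assessment, not from this example.
HIGH_RISK_COUNTRIES = {"XX", "YY"}
SINGLE_TX_THRESHOLD = 10_000       # any single transfer at or above this is flagged
ROLLING_WINDOW = timedelta(days=7)
ROLLING_THRESHOLD = 15_000         # aggregate to high-risk countries within the window

# Constructed sample transactions: customer c3 sends three transfers of 6,000
# to a high-risk country within five days, none of which is large on its own.
SAMPLE_TRANSACTIONS = [
    {"id": "t1", "customer": "c1", "ts": "2020-03-01T10:00:00", "amount": 12_000, "country": "DE"},
    {"id": "t2", "customer": "c2", "ts": "2020-03-02T09:30:00", "amount": 800, "country": "XX"},
    {"id": "t3", "customer": "c3", "ts": "2020-03-02T11:00:00", "amount": 6_000, "country": "XX"},
    {"id": "t4", "customer": "c3", "ts": "2020-03-05T11:00:00", "amount": 6_000, "country": "XX"},
    {"id": "t5", "customer": "c3", "ts": "2020-03-06T11:00:00", "amount": 6_000, "country": "XX"},
    {"id": "t6", "customer": "c4", "ts": "2020-03-06T12:00:00", "amount": 250, "country": "FR"},
]


def screen(transactions):
    """Run the two rules over transactions in time order.
    Returns a list of (transaction id, reason) alerts for a human reviewer."""
    alerts = []
    # customer -> [(timestamp, amount)] of recent transfers to high-risk countries
    history = defaultdict(list)
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(tx["ts"])
        if tx["amount"] >= SINGLE_TX_THRESHOLD:
            alerts.append((tx["id"], "single transfer at or above threshold"))
        if tx["country"] in HIGH_RISK_COUNTRIES:
            # Keep only transfers still inside the rolling window, then add this one.
            window = [(t, a) for t, a in history[tx["customer"]] if ts - t <= ROLLING_WINDOW]
            window.append((ts, tx["amount"]))
            history[tx["customer"]] = window
            total = sum(a for _, a in window)
            if total >= ROLLING_THRESHOLD:
                alerts.append((tx["id"], f"{total} to high-risk countries within 7 days"))
    return alerts


if __name__ == "__main__":
    for tx_id, reason in screen(SAMPLE_TRANSACTIONS):
        print(tx_id, reason)
```

On the sample data the first rule catches t1 and the second catches t5, the transfer that pushes customer c3's seven-day total to 18,000. The output is an alert list rather than a block decision on purpose: under the AMLD the institution's duty is to detect and report suspicious activity, and the review step is where a human confirms or dismisses the alert.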
One of the implications of the AMLD is the challenge of onboarding customers digitally, meaning without meeting them physically. Traditionally, when signing up for a bank account, you would have to visit a bank branch and provide physical identity documents, which would be checked by an employee. In the digital world, there is an increasing requirement to do this digitally, without any human interaction. For banks this means saving time and money as well as reaching customers across a wider geographic area. For the individual it means not having to travel and being able to sign up a lot faster.
In the Battle to On-Board Report, we asked consumers about their experiences with online financial services. One of the major findings was that almost 4 out of 10 consumers have abandoned an online banking application. The main reasons are that it takes too much time, it requires too much information, physical documents have to be provided, and the language is confusing. The numbers and reasons were fairly consistent across the six countries where we conducted the research: United Kingdom, Germany, Netherlands, Norway, Sweden and Finland.
When asked about digital identity, about 31% of Germans responded that they have a digital identity (compared to over 61% in the Netherlands and over 91% in Sweden). This is interesting, given the very low usage.
People were also asked whom they would trust with their identity data, and in all countries banks ranked highest (with the exception of the Netherlands, where it was the government). Looking at identity schemes in different countries, we see that bank-driven systems seem to be the most successful. The banks are threatened by the neo-banks and need to play their trust card. Having trust (and not money) as their main product, they should move into the identity space. They also have long experience with fulfilling regulations and with monitoring and fighting fraud, both of which are important aspects of identity solutions.
In general, people want to have more digital services, but they need to be able to trust these services, and this is where banks can play an important role. The Nordics can be seen as an example of how this can be done. As stated before, more than 90% of the population uses their eID four times per week or more.
Even though the Nordic model is not directly transferable to Germany, it is quite clear that trusted parties are needed in the eID space. Banks will have an important role as such players, given their experience with identifying users, as well as already being trusted and being used to fraud monitoring and complying with regulations. We already see this happening with yes® and Verimi, as described below.
To simplify things for end-users, they should be able to use the same eID everywhere, even across the public and private sectors. A Norwegian citizen can use BankID (or one of the other eIDs) for filing taxes and starting a new company on the government website. The government’s decision to accept BankID was one of the accelerators for eID usage in Norway. Typically, citizens are in touch with the government once or twice per year, but with the usage of eID we have seen this become about once or twice per month.
In the Netherlands there is a public digital identity called DigiD, which is currently the only eID for logging into public services. Work is ongoing to allow other eIDs to be used for accessing public services. One candidate for this would be iDIN, the eID issued by the Dutch banks.
BaFin (www.bafin.de) is the German Federal Financial Supervisory Authority.
“It is an autonomous public-law institution and is subject to the legal and technical oversight of the Federal Ministry of Finance. It is funded by fees and contributions from the institutions and undertakings under its supervision.”
Source: https://bafin.de 2020-03-23
BaFin defines the German interpretation of the regulations and enforces them in Germany, taking action whenever regulations are not followed. For the AMLD there are fines on the company for non-compliance. The consequences of non-compliance will be increased further in newer versions of the AMLD, putting more personal responsibility and liability on members of the board.
Banks in general are careful about taking risks, and afraid of any negative publicity from not being compliant. Their main product is trust, which may be challenged if they are not able to follow the regulations. This is one of the reasons banks have been slow in adopting new and digital services. Of course, this is now being challenged by the neo-banks, which have no branches and no legacy infrastructure, and where the users do everything from a mobile app.
Signicat’s identity solution will assist banks and other financial institutions in complying with regulations.
Current eID players in Germany
The use of eID in Germany is still very low, and there are still not a lot of services where you can use an eID, so this is a chicken-and-egg problem. However, there are initiatives in place to improve this.
“The interaction between citizens and companies with the administration should become significantly faster, more efficient and more user-friendly in the future.”
“With a view to 2022, the success of the digitization programs will not only be measured by whether all administrative services are available online, but above all by the level of acceptance and use among citizens and companies.”
There are currently several eIDs in Germany out of which we will look at three in more detail: Neuer Personalausweis, yes® and Verimi, each introduced in the following sections.
The Government is trying to push the nPA (Neuer Personalausweis, the German identity card) as the eID of choice. The technical implementation is excellent, but the usability could be improved. There are two ways of using the card. For a web session, the end-user is required to have an ID card reader or to use a mobile app on a smartphone that reads the ID card and prompts the user for a PIN. It can also be used in store, where a trained agent can verify the card and its owner and use the 6-digit number printed on the card as the identifier for the nPA service. Due to the lack of online services using the nPA, most users are not even aware of the possibility of digital usage of the nPA, and of those who are aware, very few have used it.
yes® (www.yes.com) is a private initiative for eID in Germany, which has created a frontend for utilizing the banks’ user base. The banks currently part of the cooperation are the savings and cooperative banks (Sparkassen and Volks- & Raiffeisenbanken). Identification is done directly against the bank’s identity store; no central IDP is part of this solution. Being regulated, banks have already identified their users, and this information can be reused to simplify onboarding for other services.
yes® provides a verified identity which can be reused, for example for authentication, electronic signatures and payment services. It can be used for onboarding with for example insurance and other organizations, but as the BaFin requirements on eID verification are very strong, using this for financial onboarding will only be possible in combination with qualified electronic signatures (QES).
Verimi (www.verimi.com) is another German scheme, and similar to yes® in many ways. This will also allow the end-users to re-use their identity for other services. Verimi is presented as an independent Identity Provider, similar to the Norwegian BankID.
End-users of each of the 13 consortium members will have the option to create a Verimi ID. If the consortium members made this simple, or even automatic, for their existing user base, it would increase adoption of eID usage in Germany.
Verimi is building up its customer base using video identification or the nPA, which makes the eIDs BaFin-compliant. This means that the eID can be used for onboarding to other financial services. Verimi offers qualified electronic signatures as well.
Even though the German market is several years behind the Nordics in eID adoption, there are interesting things happening, especially with the new initiatives yes® and Verimi. With these, more people will be aware of the eIDs, and hopefully also the possibilities they give.
Hopefully more service providers will accept eIDs, to simplify user onboarding and authentication, as well as saving cost and time when acquiring new customers, and to provide new services, such as electronic signatures.