The European Digital Identity Wallet is widely presented in mainstream media as a practical tool for citizens: an app for storing your ID card, driving licence, or diplomas. That view is accurate on the surface, but it misses the architectural change the wallet introduces for financial institutions. The wallet is not a container of digitised documents. It is a system that produces verifiable attestations, and that single fact reshapes how organisations build identity trust into their KYC processes.
The European Digital Identity Wallet is a member-state-issued app that holds cryptographically signed attestations of a person's verified identity attributes, issued by accredited trust providers, which financial institutions can verify in real time rather than collecting and re-checking document copies. That is the definition worth anchoring on, because everything else follows from it.
The fundamental difference between a scanned PDF and a wallet attestation lies in the nature of the information carried. A traditional document, even an authentic one, remains a visual representation designed to be read by a human. It can be copied, falsified with generative AI tools, or reused out of context, and its validity rests on the ability of whoever checks it to spot anomalies.
A wallet attestation works differently. It is issued by a qualified authority, cryptographically signed, time-stamped, and structured as machine-readable data. It does not contain a photo of your passport, but the verified attributes that passport certifies: surname, first name, date of birth, nationality, document validity. Each attribute is digitally signed, creating a cryptographic proof that artificial intelligence, however sophisticated, cannot forge.
This architecture addresses a vulnerability the financial industry knows well: the industrialisation of document fraud. Generative AI has lowered the technical and financial barriers to forgery to the point where mass-producing visually flawless fake documents, even deepfakes that bypass biometric verification, has become trivial. In that context, verifying a document's appearance no longer guarantees anything. What makes the difference is the ability to verify a cryptographic signature issued by a trusted authority, which is exactly what the EUDIW provides.
The wallet introduces a mechanism rarely present in current KYC journeys: selective disclosure. Instead of transmitting an entire document with all the information it contains, including data not needed for the transaction, the user can choose to share only the attributes strictly required.
A concrete example: a financial institution must verify that a client is of legal age to open an account. With a traditional document, the client transmits their exact date of birth, place of birth, and often their full address. With the wallet, they can transmit only a cryptographic proof of being of legal age, without revealing their precise date of birth.
This is no minor detail. It directly addresses one of the major blind spots of traditional KYC: the over-collection of personal data. The more data an institution collects and stores, the more it exposes itself to breach risk. And in the current environment, marked by massive breaches affecting tens of millions of French citizens (Viamedis, Cegedim Santé, Free Mobile, SFR), that exposure becomes systemic.
Exfiltrated data does not disappear. It circulates, is resold, and accumulates on criminal marketplaces to form identity kits: coherent sets of real attributes, complete enough to pass a classic document check months or years after the initial incident. Selective disclosure reverses this logic. Less data collected means less exposure surface, which means less vulnerability to post-breach impersonation, and stronger alignment with GDPR data-minimisation principles.
Trust in a wallet attestation rests on the issuance chain. Credentials are not self-declared by the user. They are issued by Qualified Trust Service Providers (QTSPs), accredited and supervised at national level. These providers play a role equivalent to certification authorities in the eIDAS 2.0 regulation (Regulation (EU) 2024/1183) and its electronic-signature lineage: they certify that the attributes in the wallet have been verified according to procedures consistent with the required levels of assurance.
For a financial institution that accepts an EUDIW credential, this means the initial verification risk has already been borne by an accredited trusted authority. The institution no longer has to redo the full set of document checks. It cryptographically verifies that the attestation is valid, not revoked, issued by an accredited QTSP, and matched to the level of assurance required for the intended operation.
This redistribution of risk is fundamental. It moves the industry from a model where each player independently verifies the same documents, with duplicated effort, inconsistencies, and delays, to one where initial verification is pooled through a common trust infrastructure. This is precisely the native-compliance model: trust is built at the source, into the architecture, rather than added afterwards through redundant KYC controls.
The interaction between a financial institution, the relying party, and the European Digital Identity Wallet follows a standardised pattern currently being finalised at European level. The typical onboarding flow unfolds in four steps:
The EU Digital Identity Wallet onboarding flow: the institution requests attributes, the holder authorises, signed credentials are transmitted, and the institution verifies them automatically.
What fundamentally changes compared with a classic document-based journey is the input itself: the institution receives structured, machine-readable data that is verifiable in real time. There is no more manual re-keying, visual comparison, or interpretation of heterogeneous formats. The control becomes automatable without loss of reliability. On the contrary, reliability increases, because it rests on cryptographic proof rather than on necessarily fallible human judgement.
The levels of assurance defined under the regulation, low, substantial, and high, are not abstract categories. They operationally translate the degree of trust an institution can place in a verified identity, and therefore the level of additional due diligence required.
A credential at a high level of assurance certifies that the identity was verified in physical presence, with a check of an authentic document and a biometric capture including liveness detection to detect deepfakes and presentation attacks. For a bank or payment institution, accepting a high-assurance credential means that most of the initial impersonation risk is already controlled by the issuing authority.
The direct consequence: institutions can considerably lighten redundant controls. There is no need to ask again for a selfie with an ID if a biometric verification with liveness has already been carried out by an accredited QTSP. At the same time the real level of trust increases. This equation, reduced documentation combined with increased evidentiary value, is exactly what the AMLR's risk-based due diligence framework (Regulation (EU) 2024/1624) calls for: controls that are proportionate to risk, demonstrable, and effective.
The December 2027 deadline requires regulated-sector entities, banks, payment institutions, and crypto-asset service providers, to accept EUDIW credentials as a means of identification and strong authentication. This obligation is not optional. It applies within the framework of the Strong Customer Authentication (SCA) requirements already in force for payment services.
Concretely, institutions must adapt four things:
This transformation cannot be treated solely as an IT project. It requires rethinking how organisations conceive of identity trust: moving from a "collect, archive, verify" logic to one that receives verifiable proofs, orchestrates the signals, and maintains consistency over time.
The institutions that grasp the European Digital Identity Wallet will not treat it as one more document to check. They will see the architectural shift it enables: from document-based compliance to compliance built into the infrastructure. The wallet is not an additional channel bolted onto an existing process. It is the layer that finally makes proportionate, automated, and demonstrable compliance possible. With the acceptance obligation arriving in December 2027, the institutions that prepare now will convert a regulatory requirement into an operational advantage.
The European Digital Identity Wallet (EUDIW) is an app that each EU member state must make available, allowing citizens and businesses to store and share cryptographically signed proofs of their identity attributes. For financial institutions, it provides verified, machine-readable identity data that can be checked in real time instead of relying on scanned documents.
A scanned document is a visual representation that can be copied or forged, and its validity depends on a human spotting anomalies. An EUDIW attestation is cryptographically signed, time-stamped, and machine-readable, issued by an accredited authority. Its origin is provable, which is something a PDF or photo can never offer.
By December 2027, regulated entities including banks, payment institutions, and crypto-asset service providers must accept wallet credentials for identification and strong authentication. The obligation sits within the existing Strong Customer Authentication requirements and is not optional.
Yes, when the credential carries a high level of assurance. Because the initial identity verification has already been performed and guaranteed by a qualified provider, institutions can remove redundant controls such as repeat selfie checks while the real level of trust increases.
Qualified Trust Service Providers (QTSPs), accredited and supervised at national level, issue and stand behind wallet credentials. They certify that the attributes have been verified to the required level of assurance, so the verification risk is borne at source rather than repeated by every institution.
Harmoney offers a cutting-edge digital platform that streamlines intricate onboarding and compliance procedures, featuring automated screening functionalities. Interested in discovering more about our innovative solution? Reach out to us for further details or stay in touch via our newsletter ⬇️.