Trust is important for business relationships. Trust means things on different levels: is the business partner able to comply with the contract? Is it able to pay? A common denominator for trust is the verified information about the business partner’s identity. In Finland, companies are identified by the Business ID that the Finnish Patent and Registration Office (PRH) assigns to a company when it is registered to the Business Information System.
According to the draft eIDAS regulation, a European Digital Identity Wallet (EUDI wallet) shall enable the wallet user to authenticate online, make qualified electronic signatures and obtain and share electronic attribute attestations describing the wallet user. The eIDAS regulation assumes that when an EUDI wallet is enrolled to a company, its Business ID and name are retrieved from the Business Information System to the wallet in a reliable way. This is known as issuing the Person identification data to the wallet or anchoring the wallet to the official registries. A wallet is not valid until its anchoring is carried out properly.
The Suomi.fi e-Identification and e-Authorizations services, operated by the Digital and Population Data Services Agency, are key supporting services for the public sector digitalization in Finland. Suomi.fi e-Identification enables the authentication of a citizen or other personal identity code holder and Suomi.fi e-Authorizations indicates which companies they are representing. The e-Authorizations service covers both the roles registered to the Trage register (such as, a CEO or a board member) and the mandates given separately to an individual for a particular matter.
The Finnish Real-Time Economy project has designed a possible future procedure for anchoring a company wallet using Suomi.fi e-Identification and e-Authorizations services. A company can grant an individual a mandate to carry out the anchoring of the company’s wallet to the Business Information System. That approach enables the company to control who has permission to enroll an EUDI wallet for the company.
After procuring an empty company wallet from the market, anchoring would be carried out as follows:
- A company representative uses Suomi.fi e-Identification service to authenticate to the government portal that is used for carrying out the anchoring.
- The government portal uses Suomi.fi e-Authorizations service to confirm for which company the authenticated individual has a mandate to enroll an EUDI wallet.
- The government portal collects the company’s details from the Business Information System and Trade register.
- A competent government agency issues the company’s Person identification data to the wallet. The exact contents of a legal person’s identification data is still work in progress in the EU but it is assumed to contain at least the company’s name and identifier, such as the Business ID in Finland.
We have experimented with this approach in the MiniSuomi test environment. The experiment used Aries technology, but the anchoring can be done also using the OpenID technology proposed by the eIDAS Architecture and Reference Framework. A detailed description of the experiment is available in the attachment (pdf). You can also watch the video below visualizing the same.
In the experiment, a cloud-based wallet was assumed but using a personal mobile wallet for a company is an interesting topic for future study.
The experiment triggered some further questions:
- Issuer of the Person identification data. According to the Business Information Act and Trade Register Act, anybody shall be entitled to obtain excerpts and certificates from the Business Information System and Trade Register. Is issuing the legal person identification data to a company wallet a responsibility of the PRH, some other government agency or the private sector? If PRH is seen as the proper actor, sufficient resources need to be guaranteed for it.
- Agencies’ capability to issue electronic attribute attestations. When agencies (including PRH) start issuing electronic attribute attestations related to their service areas, shall each agency obtain related competencies, processes and systems on their own or shall a centralised public sector capability be built for it? It can be easier to achieve the higher standards required for qualified electronic attestations of attributes using a centralised approach.
- Ownership of the government portal. Shall there be a centralised public sector portal that is a one-stop-shop for wallet holders to request electronic attribute attestations from different public authorities, or does the wallet holder need to look for the attestation they want from the websites of the different authorities? Currently, public sector services are gathered to the Suomi.fi portal managed by the Digital and Population Data Services Agency.