This is Part 1 of a multi-part blog series: The limits of identity assurance
The EU Digital Identity Wallet represents one of the most significant shifts in identity infrastructure in the last decade. By the end of 2026, each Member State will be required to offer at least one wallet, with regulated sectors, including banks and payment service providers, expected to accept it by 2027.
What makes this so seismic is its scale and policy momentum. The wallet will be available to EU citizens and residents from 2026, with businesses following after. Each Member State required to provide at least one wallet built to common specifications [1][2]. This creates a new, standardised trust layer for how identity can be used across public and private services in Europe with the aim to make identity verification both smoother and safer.
At a high level, the wallet delivers something the industry has been moving towards for some time: a more standardised, interoperable way of proving identity without repeating the same checks across different organisations. It builds on the original eIDAS framework, which established mutual recognition of electronic identification and trust services across the EU, but takes it further by introducing a common wallet model. That model gives citizens, residents and businesses a way to hold trusted identity credentials and share selected attributes across borders and sectors, rather than relying on fragmented national schemes or repeated document checks which are costly and not customer centric.
This is a clear and focused step towards securing a recognised process that can be followed. That matters but it is also important to be clear about what problem this looks to solve. Whilst the wallet potentially improves how identity is proven at a point in time; it does not, on its own, provide assurance about what happens after that point, and that is where the hidden risks can surface.
Stronger identity does not remove fraud risk
There is a natural assumption that stronger identity proofing will directly reduce fraud. In practice, it has only ever been one part of a constantly moving picture.
Financial institutions already operate in an environment where a customer can be fully verified and still present risk later in the journey. The introduction of the EU Identity Wallet does not fundamentally change that dynamic.
What it improves is knowledge in the origin and authenticity of identity data, that a credential is genuine and issued by a trusted provider (along with any invisible confidence shift within that upstream process). What it does not address is whether the person presenting that credential is acting in a way that is consistent, legitimate, or free from external influence at that moment, or through any digital session.
This matters because the fraud problem has already shifted. The joint EBA–ECB 2025 Report on Payment Fraud puts total fraud losses across the EEA at €4.2 billion in 2024, up from €3.5 billion in 2023 [3].
Crucially, the structure of that fraud highlights why identity alone is insufficient:
- Credit transfers and card payments remain the main areas of loss concentration in the joint EBA–ECB fraud reporting [3]
- The EBA has separately highlighted manipulation-based and social-engineering fraud as a growing concern that requires additional mitigants beyond traditional authentication controls [4]
- The same reporting also shows that remotely initiated fraud remains a significant issue, reinforcing the importance of controls beyond initial identity verification [3]
These are not fundamentally identity creation problems. They are cases where real users are manipulated or legitimate sessions are exploited after successful authentication. These are also not new problems, having been to most events over the past 5 years, I have seen that the constant requirement to keep a handle on the customer's activity and to make sense of it has only grown.
This is further reinforced by the performance of existing controls. The joint EBA–ECB report shows that some strong customer authentication remains effective against the fraud types it was designed to mitigate, especially for card payments, but newer forms of manipulation-based fraud continue to grow [3][4] and other forms of authentication such as SMS OTPs are becoming sunsetted due to the increase of malware (SMS sniffers etc), cost and other authentication methods being a smoother experience.
The control point has therefore shifted. It is no longer just about verifying who the customer is pertaining to be, but understanding what they are doing, and whether that activity aligns with their known "normal" behaviour.
The gap between identity assurance and session risk
The EU Identity Wallet will raise the baseline for identity assurance, particularly in onboarding and high-friction journeys. It should reduce reliance on weaker or more involved methods such as document uploads or knowledge-based verification.
However, stronger proof of identity does not remove the need to assess what happens next. In practice, the same downstream risks still apply:
- Accounts can still be compromised through recovery flows or new-device enrolment
- Legitimate users can still be manipulated into making fraudulent payments
- Mule accounts can still operate using real credentials
- Synthetic and semi-synthetic identities may still be created.
At the same time, although we all live and work in a world where we are consistently given new information around how much fraud there is, and of course the devastating effects on consumers, fraud remains statistically rare but highly concentrated.
The joint EBA-ECB report puts the overall payment fraud rate in the EEA at around 0.002% of total transaction value in 2024, yet the absolute losses still amounted to €4.2 billion [5]. That combination is important. From a business perspective, fraud is not a high-frequency event that is easy to spot through simple rules; it is a low-incidence problem hidden inside very large volumes of legitimate activity. Even small shifts in fraud patterns can quickly translate into significant losses before they become visible at portfolio level.
The concentration also matters because the losses are not evenly distributed across every payment type, channel or customer journey as we know that bad actors are not static in their approach. The same reporting shows that fraud pressure is more pronounced in areas such as credit transfers, card payments and remote transactions, with the EBA highlighting manipulation-based fraud and social engineering as a fraud vehicle of concern [3][4][5]. In those cases, the customer may be genuine, the identity credential may be valid, and authentication may even have been completed correctly. The weak point is not necessarily who the user is, but whether the behaviour around the transaction makes sense.
This creates a structural challenge for fraud teams. A stronger identity layer can reduce uncertainty about the origin and integrity of an identity credential, but it does not provide enough information to judge the ongoing intent, or the risk profile of a specific action at the point it is made. Detecting risk in that environment depends on contextual and behavioural signals that can separate a normal, verified customer journey from an unusual or manipulated one.
This is why treating the EU Identity Wallet as a complete and elevated solution to fraud risk would be a misstep. It addresses one layer of the problem around authentication with good intentions but does not remove the need for controls elsewhere.
In addition, there is also a practical question around failure and fallback. If a wallet-based authentication or credential presentation fails, the relying party will want to offer additional options to consumers to keep the system flowing and customer confidence high, but these also come with their own pitfalls.
When shifting onto another accepted route for the customer, the flows could be as per the below, but with probably negative customer associations alongside them:
- Retrying the wallet flow (frustrating and repetitive),
- Using an alternative electronic identification method (inconsistently supported),
- Document-based checks (higher risk and less seamless),
- Human review (slow and operationally heavy),
- In-branch verification (outdated and inconvenient),
- Or pausing the transaction where the required assurance level cannot be met (a dead end for the customer).
For financial institutions, that failure point is itself a live risk signal. On the face of it, it may reflect ordinary friction, but it may also indicate device change, account recovery abuse, coercion, or attempted fraud and will have to be looked at with all the context available.
This makes fallback design a considered part of the control framework with clear definitions for data collection and understanding, not just a customer experience issue.
In Part 2, we explore the role of live and contextual signals, the implications for banks, and what an integrated approach to fraud controls looks like in a wallet-enabled world.
References
[1] European Commission – European Digital Identity Wallet fact page https://commission.europa.eu/topics/digital-economy-and-society/european-digital-identity_en
[2] EUR-Lex – Regulation (EU) 2024/1183 establishing the European Digital Identity Framework https://eur-lex.europa.eu/eli/reg/2024/1183/oj/eng
[3] ECB / EBA – 2025 Report on Payment Fraudhttps://www.ecb.europa.eu/press/intro/publications/pdf/ecb.ebaecb202512.en.pdf
[4] EBA – Opinion on new types of payment fraud and possible mitigants https://eba.europa.eu/sites/default/files/2024-04/363649ff-27b4-4210-95a6-0a87c9e21272/Opinion%20on%20new%20types%20of%20payment%20fraud%20and%20possible%20mitigations.pdf
[5] ECB / EBA – Joint press release on the 2025 Report on Payment Fraudhttps://www.ecb.europa.eu/press/pr/date/2025/html/ecb.pr251215~e133d9d683.en.html