Privacy First fire letter on mandating European digital identity in banks

Dear Mr Heinen (finance minister)
Dear Mr Heerma (Minister of the Interior and Kingdom Relations)
Dear Mr Van Weel (Minister J&V)
Dear Ms Herbert (Minister EZK)
Honourable members of the House of Representatives,

Hereby, Privacy First Foundation draws your attention to the fact that the new European anti-money laundering authority AMLA [1] proposes, contrary to the eIDAS regulation, in a recently published consultation paper [2] that anti-money laundering natural persons in non-face-to-face situations should be identified by means of the European digital identity (‘EUDI wallet’).

We urge you to remind the European Commission and AMLA of the obligations under the eIDAS regulation, which should not be undermined by anti-money laundering regulations. This is very important for the many people in the EU who lack digital literacy and for those who cannot or do not want to use digital tools that require Big Tech devices and software.

EBA consultation

AMLA is aware of the obligations under the eIDAS regulation, as Privacy First pointed out in the European Banking Authority's (EBA) consultation. On 6 June 2025, Privacy First participated [3] in a consultation of the European Banking Authority (EBA) [4] on the detailed rules (‘RTS’) on customer due diligence under the Anti-Money Laundering Regulation (AMLR) that will come into force in mid-2027.

In the consultation paper, EBA proposed that in non-face-to-face situations, money launderers will be required to use the European digital identity (‘EUDI wallet’) for identity verification. We have alerted the EBA that their proposed provision conflicts with the eIDAS regulation, which states that the use of the EUDI wallet is entirely voluntary. Furthermore, we have explained in detail that identity verification is associated with high risks for people and, given the dependency relationship, money-laundering providers should be expected to take additional measures to mitigate the risks for citizens.

AMLA adopts EBA text

Recently, AMLA re-launched the detailed rules for consultation [2]. We see from the draft that AMLA has done nothing with our comments on making the EUDI wallet mandatory. Again, the draft states that the use of the EUDI wallet is mandatory and that only in exceptional cases identification by another digital means may take place. Our proposal that some form of alternative, physical identification should always be offered in order to comply with the eIDAS regulation has not been taken on board.

Urgent action needed

Although we intend to participate in the AMLA consultation, we would like to sound the alarm now. After all, it is highly undesirable for European bodies to disregard the requirements of European regulations.

It is important that Article 5a of the eIDAS regulation [5], which states that the use of the EUDI wallet is entirely voluntary, does not become a dead letter. We hope you will do your part to ensure this.

We will also distribute this open letter elsewhere. Furthermore, we will write to AMLA.

Sincerely,
Privacy First Foundation

Nuts

[1] The Authority for Countering Money Laundering and Financing of Terrorism, https://www.amla.europa.eu/.

[2] Announcement: https://www.amla.europa.eu/policy/public-consultations/consultation-draft-rts-customer-due-diligence_en.

[3] Article on our consultation participation: https://privacyfirst.nl/en/articles/digital-identity-stealthily-becoming-mandatory-after-all/, full consultation contribution by Privacy First: https://privacyfirst.nl/wp-content/uploads/Privacy-First-response-EBA-consultation-on-additional-AMLR-rules-June-2025.pdf.

[4] Announcement: https://www.eba.europa.eu/publications-and-media/press-releases/eba-consults-new-rules-related-anti-money-laundering-and-countering-financing-terrorism-package.

[5] https://eur-lex.europa.eu/legal-content/NL/TXT/HTML/?uri=CELEX:02014R0910-20241018#art_5a, para 15.

Update 1 June 2026

Privacy First asks House of Representatives to address risks of EUDI wallet 

Privacy First today sent a letter to the House of Representatives on identification, more specifically digital identification.

Identifying oneself - including showing proof of identity (ID) - is itself a risky activity for people, especially if that ID is copied and stored. Increased digital crime, unsafe practices by those who identify and the government's desire for people to identify themselves before accessing the internet to prove their age are causing the dangers to grow exponentially.

The intention of the Digital Affairs Committee of the House of Representatives to devote additional attention to digital identification prompted the letter. It also plays a role in this that the finance minister, following our fire letter dated 9 March last. on the breakdown of the voluntary European Digital Identity (EUDI) wallet, told the House of Representatives that there would be ‘nothing’ to worry about. Privacy First disagrees.

In today's letter, we explain that as a result of the new anti-money-laundering rules, the EUDI wallet will in practice become mandatory for large companies with anti-money-laundering obligations (including banks), due to the fact that these large companies have virtually no physical offices in the Netherlands anymore and in practice rely on digital identification of their clients. These issues will also come into play in areas other than anti-money laundering.

Moreover, the European digital identification system as based on the eIDAS regulation has serious flaws. One such flaw is that the providers of identification wallets (EUDI Wallet and Business Wallet) are not screened for integrity and lack of conflict of interest.

On the system of identification wallets, we raised a large number of questions in our letter, covering:

• preventing wallets from becoming a means of control,
• the lack of safeguards that the receiving parties do not overask (overidentification),
• the safeguards not in place to prevent unnecessary dissemination of personal data,
• The poor revenue model for wallet providers,
• the non-mandatory ability to use wallets without devices or software from non-EU internet giants.

Privacy First calls on lawmakers for measures to mitigate identification risks. Read HERE the full letter Privacy First sent to the House of Representatives to that effect today (pdf).