26 March 2026
BMDS [DEU] ¦ EUDI Wallet - Draft Digital Identities Act (DIdG)
Germany’s draft Digital Identity Act (DIdG) – what financial crime teams must watch
On 26 March 2026 the German Federal Ministry for Digital Affairs and State Modernisation published a detailed draft law to implement the amended eIDAS framework introducing the European Digital Identity Wallet (EUDI Wallet). The draft – titled Digitale Identitätengesetz (DIdG) – translates EU obligations into national rules and sets out how Germany will provide at least one EUDI Wallet, how authorities and private actors interact with the Wallet ecosystem, and how identity, attribute and signature services will be governed. For professionals focused on financial crime, anti‑money laundering (AML) and sanctions compliance, the DIdG matters because it reshapes identity proofing, electronic attribute issuance, cross‑border authentication, and the technical and administrative channels through which transactional and identity risks will surface.
Key changes that affect financial crime compliance
The DIdG makes the EUDI Wallet a recognised electronic identification medium in domestic law and clarifies that established identification methods remain valid. Importantly, the draft updates domestic law so that an EUDI Wallet can be used where existing legislation requires identity proof by national eID means (e.g., German ID card eID) – subject to narrow exceptions. That legal equivalence, together with new rules on electronic attribute certificates and qualified electronic signatures, means financial institutions will be able to rely on wallet‑provided identity assertions, signed attestations and machine‑readable attributes for onboarding, transaction monitoring and evidence chains. At the same time, the draft assigns operational roles – issuance of person identification data (PID), registration of relying parties, certification authorities, and a supervision regime – across federal authorities (BMDS, BVA, BSI, BNetzA and the national accreditation body). Those roles define the interfaces that regulated firms will use and the responsible supervisors they must engage with when assessing trustworthiness of wallets and their operators.
Implications for customer due diligence and identity evidence
The draft explicitly recognises that persons may present an identity proof via an EUDI Wallet and makes person identification data (PID) a defined deliverable, with public authorities acting as PID issuers.
For AML screening and CDD, this alters the evidence landscape in three ways:
- Source and authenticity: the Wallet enables presentation of PID and attribute certificates issued by authentic sources or qualified trust service providers. When a Wallet delivers a PID or a signed attribute (for example, name, date of birth, legal form, registered address or beneficial ownership attributes), firms must adapt acceptance policies to recognise these digitally‑signed items as primary evidence where the legal requirements are met.
- Assurance level: EUDI Wallets can deliver “high” security level identification on mobile devices. Firms should map Wallet assurance levels to their internal risk tiers and to regulatory thresholds (simplified due diligence, normal CDD, enhanced CDD). Where regulation requires high‑assurance identity proofs (e.g., opening an account remotely for a politically exposed person), a wallet showing “high” assurance should be treated accordingly, subject to internal risk appetite and jurisdictional limitations.
- Revocation, validity and record‑keeping: the DIdG provides mechanisms for revocation or suspension of wallet validity and an obligation for authorities to manage revocations. Financial institutions must ensure their acceptance processes can account for real‑time or near‑real‑time validity checks (or accept verifiable status information) to avoid onboarding or transacting with revoked credentials. Audit trails must record which signed attribute or PID was relied upon and its cryptographic evidence.
Operational interfaces and reliance decisions
The draft sets out national registries and a registration function for “trusting parties” (i.e., relying parties).
For a bank, an online marketplace, or a payment provider this means:
- A central registration/list of trusted relying parties will be available – integrate with that list to confirm authorised service providers and reduce operational friction.
- Wallet providers and PID providers must publish or be registered; regulated firms should update vendor risk and third‑party diligence processes to include wallet provider certification status, whether the wallet is state‑provided, state‑mandated (in‑house), provided under contract, or privately provided but officially recognised.
- Interaction with providers will use standardized validation mechanisms and connector APIs; compliance teams should align technical validation (status checks, signature verification, attribute schemas) with legal acceptance rules.
Practical consequences for onboarding, KYC and enhanced due diligence
The DIdG could materially lower friction for remote onboarding by enabling electronic attribute certificates (machine‑readable and signed) for common attestations – corporate registration, trade registration extracts, beneficial owner attestations, or supervisory approvals – that applicants can carry in their Wallet.
This moves firms away from scanned PDFs and manual checks, but only where:
- Attribute provenance is clear (issued by an authentic source or a qualified attribute issuer),
- Attribute semantics and schema match the firm’s required data elements, and
- Verification processes include status checks and are recorded in an auditable manner.
For enhanced due diligence (EDD), particularly when a customer is high‑risk or a PEP, the availability of wallet attributes can speed evidence collection but will not replace context‑based judgment. EDD should continue to require source‑of‑funds checks, transaction behaviour analysis and independent verification where the business risk is high. Firms should treat Wallet attributes as evidence in a layered proof model rather than a sole decisive source.
Fraud, security incidents and incident reporting
The DIdG clarifies incident handling responsibilities and provides national mechanisms for responding to wallet security breaches, including suspension or revocation of wallet validity and coordinated notifications.
From a financial crime perspective:
- Wallet compromise can facilitate identity theft and account takeover; fraud detection models must incorporate Wallet validity checks and watch for rapid credential re‑binding or attribute changes.
- Firms must build detection and remediation playbooks that assume Wallet‑based credentials can be revoked centrally – processes for freezing accounts, re‑validating identity, and re‑onboarding users must be defined.
- Where Wallets become an accepted identity channel, suspicious activity reporting (SAR) workflows should include fields for Wallet identifiers, issuer certificates and revocation/status evidence to preserve forensic value.
Data protection and consent issues relevant to AML
The DIdG notes the primacy of GDPR rules and that processing should typically rely on lawful bases including consent or contract.
That raises practical points:
- Wallets give users strong control over which attributes are disclosed and for which purpose; AML processes that previously relied on mandated data collection will need design changes so that consented disclosures are captured, logged and retained in line with retention, transparency and data minimisation obligations.
- Where a Wallet‑driven flow reduces manual data transfers, data protection risk is lower in many respects, but firms must ensure they document the legal basis for processing and keep verifiable logs linking Wallet attestations to the processing purpose (e.g., KYC, sanctions screening).
Interactions with anti‑money laundering law
The DIdG amends cross‑sector laws, including a change to the references in the German Anti‑Money Laundering Act (Geldwäschegesetz) that clarifies the technical and recording aspects of electronic identity proofing.
Two notable points:
- The draft removes the obligation to log the service‑ and card‑specific identifier in certain desktop eID scenarios where the EUDI Wallet is used, recognising technical harmonisation needs. For AML teams this is not a relaxation of KYC obligations – firms must still record that electronic identity means were used and preserve verifiable evidence of the specific PID or signed attribute used for the identification event.
- The Wallet’s cryptographic evidence must be incorporated into audit trails for regulatory inspections – firms must ensure logs are tamper‑evident and preserve signature chains, time stamps and revocation status at the time of onboarding or transaction.
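One way to make such an audit trail tamper‑evident is a hash chain over the identification events, shown here as an added example that is not part of the draft law or of any official Wallet interface. The record fields, identifiers and sample events are assumptions constructed for illustration; the DIdG does not prescribe a log format.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value used as prev_hash of the first record

def record_digest(body):
    # Canonical JSON so the same record always produces the same hash.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_event(log, event_time, wallet_id, issuer_id, attribute_id,
                 presentation, status, status_checked_at):
    """Append one identification event, chained to the previous record."""
    body = {
        "seq": len(log),
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
        "event_time": event_time,
        "wallet_id": wallet_id,            # hypothetical field names
        "issuer_id": issuer_id,
        "attribute_id": attribute_id,
        # Digest of the signed presentation exactly as received.
        "presentation_sha256": hashlib.sha256(presentation).hexdigest(),
        "status": status,                  # revocation status at event time
        "status_checked_at": status_checked_at,
    }
    record = dict(body, record_hash=record_digest(body))
    log.append(record)
    return record

def verify_chain(log):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "record_hash"}
        if (body.get("seq") != i or body.get("prev_hash") != prev
                or record_digest(body) != record.get("record_hash")):
            return i
        prev = record["record_hash"]
    return -1

def build_sample_log():
    # Constructed sample events; all identifiers are placeholders.
    log = []
    append_event(log, "2026-04-01T09:00:00Z", "wallet-EXAMPLE-1", "issuer-EXAMPLE-A",
                 "pid-EXAMPLE-001", b"constructed presentation 1", "valid", "2026-04-01T09:00:01Z")
    append_event(log, "2026-04-02T10:30:00Z", "wallet-EXAMPLE-2", "issuer-EXAMPLE-A",
                 "pid-EXAMPLE-002", b"constructed presentation 2", "revoked", "2026-04-02T10:30:01Z")
    return log
```

A chain like this only detects edits if the latest `record_hash` is also stored or time‑stamped outside the logging system, since someone who can rewrite the whole log can recompute every hash in it.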
Risk scenarios to plan for now
- Credential theft and replay: wallets on mobile devices can be stolen or cloned; implement session controls, device binding, multi‑factor steps and anomaly detection for unusual transaction patterns following identity changes.
- Fraud through malicious attribute issuance: if a qualified attribute issuer or PID provider is compromised or negligent, large volumes of fraud could follow; keep issuer trust lists current and monitor supervisor lists and revocation feeds.
- Cross‑border discrepancies: EU‑wide rules permit wallet use across member states; firms must be aware of varying national practices around which attributes are treated as “authentic sources” and maintain mapping rules and risk thresholds for non‑German issuers.
- Third‑party dependencies: reliance on public infrastructure (PID providers, validation services, registry connectors) creates concentration risk. Maintain fallback onboarding workflows and continuity planning.
- Social engineering on consent: Wallets’ user control means customers actively consent to disclose attributes. Fraudsters may coerce or trick users into consenting. Transaction monitoring must flag anomalous consent patterns (e.g., quick or repeated consent grants to new relying parties).
Immediate actions for financial crime teams
Legal and compliance
- Map current CDD policies to Wallet evidence types – classify which Wallet attributes, PIDs and signature levels meet “verified identity” for each customer risk level.
- Update customer onboarding decision trees to include accepted Wallet evidentiary standards and the required validation checks (signature verification, issuer status, revocation).
- Revisit record retention and audit policies to include Wallet proof artifacts, validation logs and revocation status snapshots.
Technology and operations
- Engage IT to plan integration with national validation endpoints, registries and the planned central registries of trusted relying parties; test signature and attribute schema verification.
- Ensure monitoring solutions ingest Wallet‑specific indicators (Wallet IDs, issuer identifiers, signed attribute IDs, revocation flags).
- Build or adapt real‑time checks for wallet status and revocation; consider caching strategies that prevent acceptance of revoked PIDs while balancing latency and availability.
Fraud and investigations
- Update playbooks to treat Wallet‑driven identity as either higher‑assurance evidence when validated, or as a suspicious vector if revocation or unusual attribute changes occur.
- Train fraud investigators on cryptographic evidence interpretation and where to seek verification from public registries or the responsible authority.
Vendor and third‑party risk
- Revise vendor due diligence to include Wallet providers and PID providers; require proof of conformity, certification status, and clear incident reporting obligations in contracts.
- Include an assessment of operational continuity, data protection controls, and the provider’s interaction model with national authorities.
Supervisory and regulatory engagement
- Reach out proactively to the relevant national authority (as assigned by the DIdG) to understand planned registries, status check APIs, timelines for live services and the form of evidence regulators expect for Wallet reliance.
- Coordinate with industry bodies and trusted peers to develop common acceptance frameworks, sample verification code, and shared best practice on Wallet use for AML.
Conclusion – a strategic opportunity and responsibility
The DIdG’s implementation of the EUDI Wallet creates a standardised, high‑assurance digital identity environment that can materially reduce onboarding friction, improve the quality of identity evidence and enable richer, signed attribute exchanges. For the financial crime community this is both an opportunity and a responsibility: opportunity to streamline CDD and improve forensic trails; responsibility to redesign risk frameworks, validation architecture and incident response to the realities of signed machine‑readable identity artifacts and centralised revocation mechanisms. Firms that move now – updating policies, integrating validation checks, and engaging with authorities and wallet providers – will be better prepared to use Wallet evidence safely, to demonstrate regulatory compliance, and to reduce fraud and financial crime risk in the new digital identity era.
Dive deeper
- Bundesministerium für Digitales und Staatsmodernisierung (BMDS) ¦ Entwurf eines Gesetzes über die Europäische Brieftasche für die Digitale Identität und zur Änderung anderer Rechtsvorschriften, Digitale Identitätengesetz (DIdG)