iDIN R&R - General Notes on the Rules & Regulations

 

 



 

1 Introduction

Currence Holding B.V. (hereafter: Currence) is the Product and brand owner of the Scheme iDIN (identification service).

iDIN B.V. is a subsidiary of Currence Holding B.V.

1.1 Currence Schemes

In the iDIN R&R, terms that are defined are all written with an initial capital. The meanings of these terms have been laid down in definitions. The definitions are listed in alphabetical order in the section General Regulations – part 2 – Definitions.

A Scheme is a system of agreements, consisting of governance agreements, role descriptions, rules and legal conditions, referred to as Rules & Regulations (hereafter: R&R), including a set of technical requirements, grouped in the Technical Standards. This document provides a general explanation of the Scheme and the R&R based on this Product. The R&R clarify the rules and agreements governing all relevant activities relating to the Product.

The explanation covers the following topics:

  • the background to the development of the R&R; see section 2;

  • a more detailed description of the various Roles relating to the iDIN Scheme; see section 3;

  • a description of the R&R, including an explanation of the Acceptance Regulations, the Certification Procedure, the Licence and Certification Structure and an explanation of the R&R documents, including the Technical Standards; see section 4.

2 Background to the Rules & Regulations

Currence is the Product owner and trademark holder for the iDIN Scheme and the Product. In that capacity, it defines and manages the requirements regarding the various Roles that feature in the Currence Scheme, with Currence taking into account the wishes of the market.

The Scheme has been developed to facilitate digital online identification with iDIN and the exchange of personal data via the online or mobile banking environment (hereafter: Online Channel) of the Issuer.

The R&R, including the Technical Standards, is owned by Currence. In that capacity, it defines and manages the requirements regarding the various Roles that feature in the Schemes and the underlying Product. These requirements are necessary for the Product to operate effectively for all parties concerned. The requirements are objective, non-discriminatory, and not more stringent than strictly necessary. A set of rules, the iDIN R&R, has been drawn up in order to set out the requirements in practical terms. Currence consults its Licencees and Certificate Holders when drawing up or amending the rules.

The R&R contain the established rules and also a description of the Roles and activities that parties involved in the Product can carry out. In that context, Currence issues Licence and Certificate Agreements.

Currence helps safeguard the efficiency, quality (including reliability and image) and the integrity of its Product. Currence carries out the following tasks:

  • determining the strategy and policy of the Scheme;

  • developing and, if necessary, revising the Scheme and the underlying Product;

  • drawing up, laying down, and managing the iDIN R&R;

  • certifying Licencees and Certificate Holders;

  • monitoring Licencees and Certificate Holders (with the power to impose sanctions);

  • coordinating anti-fraud measures;

  • facilitating collective consultation structures;

  • public relations, public affairs, communications, brand promotion.

3 Description of Currence Scheme

3.1 iDIN

iDIN is the online identification service with which Users can easily make themselves known to Merchants by using the Authentication Tools for the Online Channel of their own Issuer. iDIN is the service that enables natural persons (Users), who have been checked against the requirements of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), to perform the following actions, via the Online Channel of their Issuer:

  • Identifying - The User can identify himself by sharing data with the Merchant. This information is provided on behalf of the User, from the administration of the Issuer;

  • Login - The User can log in to the (my environment of the) Merchant by means of a pseudonym, which is agreed upon during an identification transaction. This pseudonym is unique for every User-Merchant-Issuer combination;

  • Confirm age - With this product variant the User can indicate whether he / she is 18 years or older. No other data is shared with this variant;

  • Signing - With this Product variant, the User can sign documents. This variant can only be carried out via a certified Digital Identity Service Provider (DISP).

iDIN enables Merchants to receive data from Users in an efficient manner. The User is redirected from the environment of the Merchant to the Online Channel of his Issuer, where he uses the Authentication Tool provided and logs in to the Online Channel of the Issuer. The User then instructs his Issuer to provide the data, as shown in the Issuer screens, to the Merchant (encrypted). The User confirms this instruction with his Authentication Tools. After confirming the instruction, the User is redirected to the Merchant's online environment.

iDIN's role model includes

The iDIN Scheme covers:

  • Issuers and Acquirers who are licensed by iDIN B.V.;

  • Validation Service Providers (VSPs), Routing Service Providers (RSPs) and DISPs who are certified by iDIN B.V.

The Roles have been defined for the iDIN Scheme so that a User can use the Online Channel to send (personal) data to a Merchant. In order to be able to conclude an iDIN contract, the Merchant must meet minimum acceptance criteria.
To authorize the iDIN message, the security measures of the Issuer's Online Channel are used. These Online Channels must meet strict security standards that ensure that iDIN transactions by Users can be carried out securely.

3.2.1 iDIN brand

iDIN is identified by means of the iDIN logo, which is protected by trademark law:

iDIN is a registered logo, which is owned by iDIN B.V. The iDIN logo is used, among other things, as a feature for the marketing and use of the digital identification method it stands for. The iDIN logo may only be used in connection with the activities related to it, in accordance with a Licence or Certificate Agreement with Currence to that end.

3.2.2 iDIN QR

An iDIN QR transaction is identified by means of the iDIN QR logo protected by trademark law:

iDIN QR® is a registered logo, of which Currence iDEAL B.V. is the owner, and it has the same conditions as the iDEAL logo.

The iDIN QR code is used by a broad public and can be displayed through various channels (invoices, e-mails, shelters, posters, television, smartphones, etc.). This also offers iDIN the possibility to initiate an iDIN transaction via an iDEAL QR code, for example in a physical shop or at the door, for instance to check someone's age.

4 Organisation of Currence Schemes

4.1 Message model

The message model developed by Currence is based on a so-called four-party model. Acquirers and Issuers with a Licence offer one or more Products to the market on a commercial basis. This produces benefits for all parties. The model forms the basis for the contents of the iDX Standard, part of the iDIN R&R. This is represented in Figure 1. The figure is used to demonstrate the process flow for the Product message in section 4.1.1.


Figure 1: Message model



4.1.1 Process flow for the Product message

  1. The User wishes to log in, identify himself, sign or verify his age with a Merchant. To do so, the User selects the button for the Product on the Merchant's website and subsequently selects the Issuer with whom the User has access to the Online Channel, provided with the correct authorisations and Authentication Tools;

  2. The Merchant sends the request with the data it has requested – directly or through a DISP – to the Routing Service Provider (RSP) concerned, in accordance with the message protocol described in the MIG;

  3. The RSP sends the data for the Product to the Validation Service Provider (VSP).

  4. The User is then automatically redirected to the Online Channel of his Issuer where the User must authenticate himself;

  5. The User then checks the message data in his Online Channel. If he agrees to provision of the data displayed on the screen, the User must authorise the message. The User is then automatically redirected back to the Merchant’s web portal. Parameters sent along with the message enable the Merchant to recognise the context (see 2) and therefore the User;

  6. The VSP sends the status of the Product message and the data to the Acquirer/RSP. The RSP sends the data of a successful Product message to the Merchant directly or through a DISP;

  7. The Merchant requests the status of the transaction from the Acquirer/RSP;

  8. The Merchant confirms the receipt and displays the content of the message to the User on its own website.

4.2 Contract model

Figure 2: Contract model



The contract model developed by Currence forms the basis of the contents of the iDIN R&R. This is represented in Figure 2.

The various Roles in the Scheme are explained on the basis of this contract model in sections 4.2.1 to 4.2.8.

4.2.1 Currence

Currence is the Product and brand owner of iDIN, as described in the iDIN R&R, including the Technical Standards, in which capacity it lays down requirements in relation to the Product and the parties involved in the contract model.

4.2.2 Issuer (Licencee)

The Issuer is the party that has signed a Licence Agreement with Currence. A Licence Agreement is concluded for the Scheme. An Issuer must also have a licence as a Payment Service Provider, or an exemption for this. The Issuer is responsible for the entire Issuing Domain with regard to the activities for the Product, to the extent that they relate to product it has issued/will issue for an appropriate Online Channel. The Issuer is the Institution with which the User has access to the Online Channel by making use of the correct authorisations. The Issuer has an existing or new agreement (e.g. as part of the agreement and/or general terms and conditions for online and mobile banking or payment services; to be filled in by the Issuer) with the User on the basis of which the messages can be authorised. The Issuer facilitates the issuing of the data from its Users by means of messages to the Acquirer. The Acquirer facilitates the issue to the DISP or to the Merchant via the RSP or VSP.

An Issuer may only offer Users the Product if it has obtained a Licence from Currence.

4.2.3 Validation Service Provider (VSP; Certificate Holder)

The VSP is the party that has signed a Certificate Agreement with Currence. A Licence Agreement is concluded for the Scheme. The VSP has an agreement with, and operates on behalf and under the responsibility of, one or more Issuers. The VSP is responsible for processing message traffic concerning the issuing of messages by the Issuers. The VSP must be able to connect to all RSPs in the Scheme.
A VSP may only participate in the Product if the VSP has been certified by Currence and has concluded a VSP contract with at least one Issuer that is in possession of a Licence Agreement with Currence.

4.2.4 User

The User is the individual with access to the Online Channel of his Issuer provided with the correct authorisations and Authentication Tools. The User can authorise the Product message through the Online Channel of the Issuer concerned. The User has an agreement (e.g. as part of the agreement and/or general terms and conditions for the Online Channel; to be filled in by the Issuer) with the Issuer concerning the use of the Product. A User of iDIN can only be a natural person. A User is not subject to any requirements on the part of Currence. Any obligations will be imposed on the User by the Issuer.

4.2.5 Acquirer (Licencee)

The Acquirer is the party that has concluded a Licensing Agreement with Currence. A Licence Agreement is concluded for the Scheme. An Acquirer must also have a licence as a Payment Service Provider, or an exemption for this. Furthermore the Acquirer concludes Product contracts with Merchants / DISPs for the Product. The Acquirer is responsible for the entire Acquiring Domain with regard to the activities for the Product, to the extent that they concern its Merchants and Certificate Holders. The Acquirer is responsible for the correct processing of the issuing of the messages for its Merchants, which have been sent by a User who purchases a product or service from a Merchant. The Acquirer concludes a contract with an RSP to that end.
An Acquirer may only offer Merchants and Certificate Holders the Products concerned if it has obtained a Licence from Currence.

4.2.6 Routing Service Provider (RSP; Certificate Holder)

The RSP is the party that has signed a Certificate Agreement with Currence (a Licence Agreement is concluded for the Scheme) and that has an agreement with or is part of the Acquirer. The RSP offers its service for the routing of a Product message, initiated by a User by means of the Online Channel of his Issuer via the website of the Merchant or the DISP. The RSP is responsible for ensuring that the Product messages are received, verified, processed and forwarded correctly. The RSP makes agreements with an Acquirer concerning the processing of Product messages for the Merchants, Users of an Acquirer or DISP. The RSP has an agreement with, and operates on behalf and under the responsibility of, one or more Acquirers. The RSP must be able to connect to all VSPs in the Schemes.
An RSP may only participate in a Scheme if the RSP has been certified by Currence and has concluded an RSP contract with at least one Acquirer that is in possession of a Licence Agreement with Currence.

4.2.7 Digital Identity Service Provider (DISP) – Certificate Holder

 

A DISP can arrange the technical aspects of the connection of the iDIN message traffic with the Acquirer, in accordance with the Merchant Implementation Guide (MIG), and with the Merchant, in accordance with the technical connection agreed with the Merchant. The DISP is not visible to the User. After all, the User only gives his Issuer consent to send his iDIN data to the Merchant, not to the DISP. An exception to this rule is when the DISP also offers the Product variant iDIN Signature and is certified for this. In this case, the DISP may be visible in the iDIN message traffic. The DISP can also decrypt and process (e.g. forward) the User’s personal data for the Merchant in a safe and secure manner.

The DISP is the party that has signed a Certificate Agreement for iDIN with Currence. The DISP makes agreements with its Merchants concerning iDIN and concludes iDIN contracts with its Merchants itself, in accordance with the Online R&R, including the annex ‘Minimum Acceptance Criteria for Merchants’.

A DISP may only participate in iDIN if the DISP has been certified by Currence and has concluded a DISP contract with at least one Acquirer that is in possession of a Licence Agreement with Currence. A DISP that also wants to offer iDIN Signature needs to go through additional certification with Currence.

4.2.8 Merchant

The Merchant is the party that has concluded a contract with an Acquirer or DISP in order to use the Product. The Merchant offers goods or services to Users in accordance with the Product conditions prescribed by the Acquirer or DISP, which, as a minimum, also include the provisions as described in the R&R annex 'Minimum Acceptance Criteria for Merchants'. If the Merchant purchases this service, the Merchant must provide its Users with the opportunity to authorise a Product transaction via the Online Channel of their Issuer.

Currence has no direct relationship with a Merchant. The Acquirer or DISP is responsible for onboarding a Merchant, in accordance with the requirements as stated in the R&R annex 'Minimum Acceptance Criteria for Merchants' and 'Guidelines and Use of Product Logos' as well as the MIG.

 

4.2.8.1 Platform as an iDIN Merchant

A platform as a Merchant within the iDIN Scheme is a party that provides a service or software to its business customers (hereinafter sub_Merchants). The User can deliver its iDIN data via the platform to the sub_Merchants of the platform (Merchant). These sub_Merchants will make use of the platform's iDIN service and can offer iDIN as a Product to the User.

A platform as Merchant has the advantage that all its sub_Merchants do not have to enter into a separate iDIN contract with a DISP or Acquirer, but they can enter into a single contract with the platform (Merchant) for all services offered by the platform.

Examples of platforms (not exhaustive):

  • taking out loans / mortgages / insurances;

  • payroll administration software packages;

  • software packages for the administration of nurseries.

NB An Acquirer or DISP must report a platform to Currence.

The environment of the sub_Merchant can be reached after iDIN verification via the platform (Merchant). The sub_Merchant chooses to join the platform, which allows Users to access the online environment of the sub_Merchant. The sub_Merchant hereby determines the purposes and means for the processing of Personal Data, whereby the sub_Merchant chooses to process the personal data of its Users via the verification system of the platform and iDIN for verification purposes.

  • The platform as an iDIN Merchant only fulfils the role of intermediary (with access to iDIN) (platform = processor);

  • Allowing the User to authenticate itself with the party (sub_Merchant) from which it wishes to purchase a service (sub_Merchant = controller).

4.3 Earnings model

The earnings model is based on the mutual contractual relationships between the parties involved in the Scheme, see Figure 3. Acquirers and Issuers (with a Licence Agreement) and DISPs (Certificate Holder) offer the Product to the market commercially. They can charge their User or Merchant a fee for this, the interpretation of which is at the Institutions' discretion. The Institutions must draw up a mutual agreement on a Fee, if applicable. Currence charges its Licencees and Certificate Holders a fee.

Figure 3: Earnings model

5 Rules & Regulations, including Technical Standards

5.1 R&R

Currence has adopted a uniform set of rules, the Rules & Regulations (R&R), which are to be adhered to by every Licencee and Certificate Holder for the Scheme. Among other things, the R&R include rules covering all relevant activities relating to the Scheme. Currence has compiled the R&R with great care, taking the relevant laws and regulations as the starting point.

The requirements in respect of the various Roles, as described in section 4.2, can be divided into those of a general organisational nature and those that relate to the process associated with the Role fulfilled by the party within the Scheme. The process comprises the various relevant activities that together make up the complete Role. The process-related requirements can be divided into quality requirements and, where necessary, additional detailed requirements of a more operational nature. All requirements are recognisable as such in the documents and, where applicable, are accompanied by explanatory notes.

With regard to the activities for which rules have been made in the R&R, a distinction is made between the Issuing Domain and the Acquiring Domain. The Issuing Domain comprises all activities relating to the authentication of the User by the Issuer and the authorisation of the message by the User. Based on the User’s authorisation, the Issuer provides the requested data as indicated in the message to the Acquirer. The Acquirer facilitates the issue to the DISP or to the Merchant via the RSP. The Acquiring Domain comprises all activities relating to the receipt and processing of the message by the Acquirer (through the RSP) on behalf of a Merchant / DISP.

For both the Issuing and Acquiring Domain, the Licencees must comply with the relevant laws and regulations that apply to them, and with the rules and guidelines prescribed by the regulators in the country where the organisation is based.

5.1.1 Licence and Certificate structure

Institutions wishing to join one of the Schemes must conclude a Licence or Certificate Agreement with Currence:

  • Institutions wishing to fulfil the Role of Issuer or Acquirer are eligible for a Licence Agreement. Licencees are responsible for all activities in their domain.

  • Institutions wishing to fulfil the Role of VSP, RSP or DISP are eligible for a Certificate Agreement. Certificate Holders are responsible for the activities associated with their Role. Institutions wishing to fulfil the Role of Certificate Holder are eligible for a Certificate Agreement.

5.1.2 Acceptance and Acceptance Regulations

An Institution shall be eligible for a Licence or Certificate Agreement if it has demonstrated that it meets the Acceptance Requirements associated with the Role that the Institution wishes to fulfil in the Scheme. The Acceptance Regulations form the basis for this. The acceptance procedure listed here describes the steps the Applicant must take in order to be certified for the Role in question. To start the acceptance procedure, the Institution must send a signed Application Form to Currence for approval. Currence will then send a set of documents to the Institution, including the R&R. The certification procedure will then start.

5.1.3 Certification and certification procedure

 The certification procedure mainly involves carrying out a Control Self Assessment (CSA). A CSA is used by the Applicant to demonstrate that it meets the requirements associated with the Role that the Applicant wishes to fulfil in the Scheme.

The certification procedure covers the activities that the Applicant must perform in order to be able to fulfil a Role as described in the R&R. The certification procedure comprises the following stages:

  1. Carrying out a Control Self Assessment (CSA) by the Applicant/Institution;

  2. Evaluation of the CSA by Currence;

  3. Selective verification by Currence to establish the accuracy of the CSA (and therefore of the implementation of the R&R by the Applicant);

  4. Successful conclusion of the test set by means of the Test Tool (TT);

  5. The Applicant must carry out product verification tests with all Licencees and Certificate Holders already certified;

  6. A new Issuer must have its issuer screens assessed by Currence;

  7. Final evaluation and decision by Currence concerning the granting of a Licence and/or Certificate Agreement;

  8. Monitoring of compliance with agreements to rectify any outstanding issues (of minor importance) revealed by the certification process.

NB If an Institution does not fulfil all functions of its Role, the Institution must declare the provisions regarding the functions concerned ‘Not Applicable’ during certification for the Role in question.

5.1.4 Technical Standard

Currence provides a Technical Standard in the R&R. For iDIN these are the iDx Protocol and the Implementation Standard. The Technical Standard describes the message traffic of a Product message. The Merchant Implementation Guide (MIG) is available for the technical implementation of the Merchant or DISP.

5.2 R&R documentation

Currence is in no way liable for errors or omissions or the consequences of later amendments to the documentation. The R&R consist of the following documents:



  1. General Notes (this document)
    This gives an outline description of the Schemes, with the Roles and Products associated with them.

  2. Agreements
    Licence Agreement: The agreement concluded by a Licencee with Currence after successfully completing the Certification Procedure for the Scheme or Schemes in which it wishes to take part. The Fees annex also applies here;
    Certificate Agreement: The agreement concluded by a Certificate Holder with Currence after successfully completing the Certification Procedure for the Scheme or Schemes in which it wishes to take part. The Fees annex also applies here;

    General Regulations
    GR - part 1 - General Provisions: description and applicability of the General Regulations;
    GR - part 2 - Definitions: definition of terms in the R&R that start with a capital letter;
    GR - part 3 - Council of Licencees: duties and powers of the members of the Council of Licencees;
    GR - part 4 - Schemes Communication: description of how parties may communicate in relation to the Schemes;
    GR - part 5 - Change Procedure: description of how Currence implements changes to the R&R;
    GR - part 6 - Penalty Regulations: description of when Currence may impose a penalty on a Licencee or Certificate Holder. The Tables annex also applies here;
    GR - part 7 - Bilateral fees: description of how and when a Bilateral Fee is applicable.

  3. Acceptance Regulations and Certification Procedure
    Acceptance Regulations: description of the procedure established by Currence that is used to assess whether an Applicant may be accepted to the Scheme concerned in order to be able to fulfil the Role it has applied for;
    Certification Procedure: description of the procedure established by Currence that is used to assess whether an Applicant meets the conditions set out in the R&R on the basis of a Control Self Assessment (CSA) it has itself carried out.

  4. R&R Provisions

    1. Issuer: set of provisions that a Licencee who is certified for this Role is obliged to comply with. For iDIN there are additional requirements for the Framework iDIN and Data Quality iDIN;

    2. Validation Service Provider (VSP): set of provisions that a Certificate Holder who is certified for this Role is obliged to comply with;

    3. Acquirer: set of provisions that a Licencee who is certified for this Role is obliged to comply with;

    4. Routing Service Provider (RSP): set of provisions that a Certificate Holder who is certified for this Role is obliged to comply with;

    5. Digital Identity Service Provider (DISP): set of provisions that a Certificate Holder who is certified for this Role is obliged to comply with. This Role applies only to iDIN;

    6. Appendix I – Framework Issuer iDIN: set of provisions for, among other things, identifying Users, with which an Issuer Licencee is obliged to comply. These requirements apply only to the iDIN Scheme.

    7. Appendix II – Data Quality requirements Issuer iDIN: set of provisions for the dataset which is used within the iDIN Scheme, with which an Issuer Licencee is obliged to comply. These requirements apply only to the iDIN Scheme.

    8. Appendix III – Privacy Framework iDIN: set of provisions regarding the privacy of the data within iDIN, with which all licensed and certified iDIN parties are obliged to comply. These requirements apply only to the iDIN Scheme.

    9. Appendix IV - Additional provisions for offering iDIN Signature: set of provisions for DISPs who want to offer the iDIN Product variant 'iDIN Signature'.

  5. R&R Annexes

    1. Management of IT infrastructure

    2. Operational Agreements

    3. Escalation Procedure

    4. Minimum acceptance criteria for Merchants

    5. Reporting Obligations for Roles

    6. Rules for using Product links

    7. Monitoring and follow-up (suspected) Misuse of a Product

    8. Part 1 - Branding Manual
      Part 2 - Guidelines use iDIN-logo

  6. Technical Standards
    The Technical Standards consist of the following components:

    For iDIN:
    iDx Documentation Suite

      • iDx 001 Cover document: an overview of the various documents that form the Technical Standard;

      • iDx_010 Protocol: setting down the technical aspects of the Technical Standards with regard to messages for the relevant Product front-end implementation, to which the parties involved in the Scheme must adhere based on their Roles of Issuer and Acquirer;

      • iDx_025 Messages between Acquirer and Issuer: an overview of the iDx messages exchanged between the Validation Service Provider and the Routing Service Provider;

      • iDx_035 Messages between Merchant and Acquirer: an overview of the iDx messages exchanged between Merchants and Routing Service Providers;

    Implementation Guidelines
    A document that describes guidelines concerning the implementation and content of the messages for Issuers and Acquirers.

    Software libraries
    A piece of programming language/software to simplify the technical implementations of Merchants.

    Merchant Implementation Guide (MIG):
    A derivative of the Technical Standard. The MIG gives an overview of the guidelines and recommendations that are relevant for the implementation of the Product concerned by Merchants, CPSPs or DISPs. A Licencee can incorporate relevant Technical Standard matters as information in its own publication of the MIG. The MIG is issued by the Acquirer to the Merchant or DISP.

5.2.1 Availability of the Technical Standards

The following is applicable:

  1. For access to the Technical Standards, interested parties first need to complete and sign the ‘Technical Standard application form’ and pay a fee.

  2. The Technical Standard will only be made available via an intranet website specifically set up for this purpose. This is accessed using a username and password. The applicant is responsible for ensuring that unauthorised persons do not gain access to the intranet website.

5.3 Documentation summary