BankID, the EU and Digital Exclusion: A Silent Democratic Crisis
By Øyvind Snekkestad / May 4, 2025
In Norway, access to a range of public and private services is entirely dependent on BankID, a digital credential that in practice functions as a key to society. But few consider that this key is not issued by the state, and that the rules for who gets, and doesn't get, BankID are controlled by private banks. This creates a serious rule-of-law problem: a private entity has been granted a monopoly on a national identity service without being subject to the requirements for transparent and fair case processing that apply in public administration.
Private Monopoly on Public Function
BankID was established as a collaboration between Norwegian banks to ensure secure digital authentication. Today it is an indispensable tool for logging into public electronic services such as NAV (Norwegian Labour and Welfare Administration), the Tax Administration, Altinn and higher education, as well as private services such as banking, insurance and healthcare. But despite this shared societal responsibility, no government authority issues BankID. The service is owned and operated by BankID BankAxept AS, a company controlled by Norwegian banks through Vipps Holding AS.
To obtain BankID, you must first become a bank customer, and this is precisely where the rule-of-law challenges arise. Becoming a bank customer is not a right. It is a private law agreement where the bank is free to refuse. Thus, banks effectively control who gets access to digital credentials without having to follow public case processing practices.
This gives banks decisive power over people's access to society's most central functions without having to follow administrative law principles such as justification, disclosure or the right to appeal. The result is an opaque power vacuum where the rule of law loses out, and here the problem begins. When a digital identity system is crucial for participation in society but is controlled by private actors without administrative law responsibility, no one can appeal, gain access to information or understand the rejection, and that is a rule-of-law problem.
When the Administration Must Justify – But the Bank Can Remain Silent
In public administration, you have the right to have a decision justified, and you have the right to appeal. The Public Administration Act requires objectivity, the right to be heard, and verifiability. These principles do not apply when a private bank rejects an application to become a customer, and the bank can thus deny you the opportunity to obtain BankID.
Banks can point to "internal risk assessments" as justification, or provide no justification at all. They are also free to reject applicants with payment remarks, foreign citizens with D-numbers (temporary ID numbers), or people with "unclear financial situations." There is no law requiring that rejections be documented, justified or subject to appeal. The consequence is that some people are simply excluded from digital social life without any form of public oversight. You cannot appeal to the Ombudsman, and you cannot access documents. You might just get a brief answer: "We have chosen not to establish a customer relationship," or: "We have chosen to terminate the customer relationship."
What Does the Public Administration Act Guarantee?
The Public Administration Act (fvl.) ensures a number of fundamental rights for citizens when they interact with public authorities:
- Right to access to one's own case (§ 18) – you have the right to see how the case has been assessed.
- Right to justification for decisions (§§ 24–25) – rejections must be explained.
- Right to be heard (§ 16) – you must be allowed to express yourself before a decision is made.
- Right to appeal (§§ 28–33) – the decision can be reviewed again.
- Prohibition against arbitrary discrimination (§§ 6 and 17) – case processing must be objective and equal for all.
These principles are meant to protect individuals against arbitrary or unjust decisions and to create trust between citizen and state.
What Applies in Banking?
Private banks are not obligated to follow the Public Administration Act. They are thus free to:
- Reject applications for customer relationships and BankID without providing justification.
- Keep internal assessments secret.
- Reject without right of appeal, except for possible complaints to the Financial Complaints Board, which only provides advisory opinions.
- Avoid the right to be heard, meaning you don't get the opportunity to explain yourself before a decision is made.
Banks must, however, comply with laws such as:
- The Equality and Anti-Discrimination Act
- The Anti-Money Laundering Act
- The Personal Data Act (GDPR)
- And certain minimum requirements through the EU's Payment Accounts Directive, which in Norway has been followed up through rules on the right to a "basic account" – a simple bank account without associated eID.
According to the EU's Payment Accounts Directive and Norwegian regulations, everyone with legal residence in the EEA has the right to a so-called "basic account." This is a simple transaction account at a bank, but this arrangement only applies in special cases and does not include BankID. This means you may have the right to an account, but not to digital credentials. Without BankID, the basic account is virtually useless in today's digital economy.
Digital Identity and Control Over Behavior
BankID is one of the few eID solutions in Norway that meets what is called security level 4, which is the highest level for electronic ID under the eIDAS framework. This level is required for access to central services such as Helsenorge (Norway's health portal), NAV and the Tax Administration.
The state does offer MinID, but this is at a significantly lower security level and does not provide access to the most important public electronic services. Therefore, you must have BankID, Buypass or Commfides. Most choose BankID, which is tightly integrated with banking and identification.
Thus, we are in a situation where the state requires eID at level 4 and the banks control access to this eID, but the banks operate outside public rule-of-law responsibility.
Imagine a future where the only valid currency is a digital central bank currency (CBDC), as several central banks are already planning. If cash is phased out and all value transfers require both a bank account and digital ID, you are completely at the mercy of the system's conditions. If you then cannot get BankID, or lose it, you will not only be without online banking. You will not be able to pay or receive wages. You will be able neither to buy nor to sell.
What is today a bank product becomes tomorrow an admission ticket to reality.
What happens when such an ID is also linked to your health records, your vaccination status, or your behavior? Authorities will then have a digital tool for social control, and private actors can hold the key.
The Rule of Law Loses in Digitalization
This creates a democratic imbalance: the state requires you to use an eID that you can only get if a private actor accepts you as a customer. Those who are rejected lose not only access to banking, but to all of digital Norway – to healthcare, tax returns, tax cards, university admissions, and in some cases voting through electronic processes.
This has serious consequences. When BankID is necessary to pay bills, open public mail and apply for social assistance, the right to a bank account and an eID becomes not just economic, but existential.
The Digital Wallet – A Promise with Conditions
On the surface, the EU's new eIDAS 2.0 regulation appears to be a solution to digital exclusion. The revised regulation, which entered into force on May 20, 2024, requires member states to offer all citizens a free digital wallet with an electronic ID at the highest security level (level "high"). Norway's national eID strategy points out that this wallet will be issued as a harmonized solution with a common business model for the entire EU/EEA. It will also be able to contain attested attributes, such as driver's licenses, educational certificates, and potentially vaccination status.
This sounds like an open and inclusive solution, and perhaps a long-awaited counterweight to bank-controlled BankID. But behind this promise lies a new type of control mechanism. The digital wallet is not designed as an alternative and independent solution, as MinID has been. It is a platform and it can set conditions.
Where MinID has been weak but accessible, the new digital wallet may become strong but conditional. If access to the wallet is tied to specific requirements, for example health certificates, registered data, or future digital "behavior certificates," then it is no longer a right but a form of access for which one must qualify. A digital vaccination passport may become one of many conditions that limit who actually gets access to this "free" identity.
What on paper looks like a universal solution to give digital rights to everyone may in practice become a new filter. It may become a digital eye of the needle, much like obtaining BankID can be, where control over access shifts from banks to supranational regulation. In the worst case, one type of exclusion is replaced with another. Then the solution is not necessarily freer. It is just more structured and even harder to oppose.
A Need for State Responsibility
If the state requires digital credentials to exercise fundamental rights, it must also offer a national state alternative. It is not sufficient to point to MinID when it does not provide access to services like Helsenorge or NAV. A public solution is needed that meets security level 4 and follows the principles of the Public Administration Act with justification, disclosure and the right to appeal.
It is a great paradox that a function as important as access to the state itself has been delegated to profit-driven companies, and now increasingly also to supranational structures like the EU. It is no longer just about what criteria a bank uses to give you access to BankID, but about how access to digital identities and social services will be standardized and controlled in the future through common European solutions. This is not just a technical organizational error. It is a democratic breach of trust, because decisions are made without sufficient transparency, without individual right of appeal, and without individuals being given insight into why they may be denied access.
Those who control identity also control access to society. When this power lies with banks, without public responsibility, and is increasingly shaped by supranational directives from the EU, the rule of law is digitally eroded. If Norway does not introduce a national state system for eID at the highest security level, exclusion, inequality and loss of rights will continue to grow, and many will remain outside a digital society to which they never received the key.
References
- Proff. (n.d.). Shareholders – Vipps Holding AS. Retrieved May 2, 2025 from https://www.proff.no/aksjon%C3%A6rer/-/vipps-holding-as/920853013
- Norwegian Digitalisation Agency. (n.d.). Product Group Strategy: Trust Services. Retrieved May 2, 2025 from https://samarbeid.digdir.no/id-porten/produktgruppestrategi-tillitstjenester/2138
- European Commission. (n.d.). What is the wallet? EU Digital Identity Wallet. Retrieved May 2, 2025 from https://ec.europa.eu/digital-building-blocks/sites/display/EUDIGITALIDENTITYWALLET/What+is+the+wallet
- European Parliament and Council. (2014). Regulation (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS). ELI: https://eur-lex.europa.eu/legal-content/NO/TXT/?uri=CELEX%3A32014R0910
- European Parliament and Council. (2024). Regulation (EU) 2024/1183 of 20 May 2024 amending Regulation (EU) No 910/2014 as regards establishing a European Digital Identity. ELI: https://eur-lex.europa.eu/legal-content/NO/TXT/?uri=CELEX%3A32024R1183
- European Parliament and Council. (2014). Article 16 – Right to a payment account with basic features, in Directive 2014/92/EU of 23 July 2014. Retrieved May 2, 2025 from https://eur-lex.europa.eu/legal-content/NO/TXT/?uri=CELEX%3A32014L0092