CINDR.LA EXECUTION SYSTEMS
STRATEGY BRIEF · 2026-04-28 PoPEye WORLDLINE · DISTRIBUTION RESTRICTED
PoPEye Worldline · 7 months to CCD2

PoPEye — point-of-purchase evidence for the moment of consent. Already in Worldline's channel.

CCD2 goes live 20 November 2026. Every online BNPL transaction needs fresh affordability checks, standardised disclosure, and auditable consent. No integrated product exists today. PoPEye — the Point-Of-Purchase Evidence-Yielding Engine — is the wallet-resident layer that delivers all three in under three seconds at the moment of consent, anchored to qualified trust services. Worldline brings the merchant channel. IDCanopy holds the bureau + identity moat underneath. CINDR.LA designs, architects, and operates the layer.

CCD2 is the first deadline. PoPEye is the product that answers it. KYARA is the receipt authority it grows into. KYA-OS is the protocol layer that keeps it interoperable.

CCD2 Enforcement — T-minus
20 November 2026
Days
Hours
Min
Sec
First-mover window shrinks daily as Signicat ships PSP-adjacent. Worldline anchor must close before it does.
01 · The Shock

What CCD2 breaks for every online BNPL merchant

EU Directive 2023/2225 — Article 18 mandates a fresh, verified, per-transaction creditworthiness check. Behavioural scoring is out.
€191B → €293B
EU BNPL GMV 2025 → 2030
The entire BNPL volume in Europe has to satisfy CCD2 per transaction. No carve-out. No grace period for "large online suppliers" — that phrase was written around Worldline's merchant base.
0
Integrated products on market
White space confirmed. Signicat sells identity+credit bundles direct to banks. Algoan sells open-banking affordability. Nobody combines consent + bureau + wallet + MCP — and nobody sells through PSPs.
6–12 mo
First-mover window
KYA/agentic-commerce stack became real Q1 2026 (MCP-I to DIF, Google AP2, Mastercard Agent Pay). One Sumsub or Trulioo PM decision collapses the window. Worldline anchor is the lock.
02 · The White Space

Four capabilities — nobody has them together.

Click each to see why it matters. All four together = our wedge.

The only differentiated position in the market.

Individually, each of these is available. Bundled into one flow, delivered via a PSP channel with wallet-ready consent + MCP exposure — nobody has this today. It's the full compliance stack plus the agentic future in one product.

Wallet-resident consent + SECCI disclosure EUDI wallet delivers the standardised disclosure + captures specific, informed consent with an auditable receipt.
Multi-bureau fresh credit orchestration CreditSafe + Schufa + Experian + CRIF — one call, per-country routing, data-freshness enforced for CCD2 Article 18.
MCP-exposed agentic checkout (KYA) Consumer AI agents and merchant systems plug in via MCP. Know-Your-Agent compliance out of the box.
PSP-resold channel Worldline passes through to its merchant base. Signicat sells direct to credit providers — they can't do this.
US all four Wallet consent Bureau orch. KYA · MCP PSP channel
02b · The regulation, in depth

What Article 18 actually requires — and why the consent receipt is the only clean way to prove it.

For compliance officers, product leads, and anyone who signs the procurement ticket. Stop on any heading for depth; skip to §02c for the merchant-shape breakdown.
Why CCD2 exists, and what changed from CCD1

Directive (EU) 2023/2225 was adopted 18 October 2023, entered into force 19 November 2023. Application is 20 November 2026 (Art. 48). On that date Directive 2008/48/EC (CCD1) is repealed and the new regime is directly enforceable in national courts.

CCD1 carved out short-term, low-value, fee-free credit (CCD1 Art. 2(2)(f)) — the exact shape BNPL took. CCD2 closes the carve-out. Operative scope changes beyond the §02b summary: the lower-threshold carve-out is cumulative (below €200 is in scope unless also non-deferred, interest-free, and fee-free — a test almost no BNPL product passes); the "large online supplier" exemption (Art. 2(2)(h)) is materially narrowed (most merchants who relied on the CCD1 version no longer qualify); leasing with purchase option or acquisition obligation is in (Art. 2(2)(d)); P2P and crowdfunded consumer credit — not in CCD1 at all — are captured.

Article 18 — creditworthiness, in detail

Article 18 is the centre of gravity. Three rules compound:

  1. Assessment is mandatory before every agreement, and before any material change. Not per consumer — per transaction. A repeat BNPL customer buying their second €400 basket that month needs a fresh assessment against that new obligation. The last one does not carry over.
  2. It must rest on relevant, sufficient, proportionate information about the consumer's income, expenses, and financial circumstances — verified where necessary through independently verifiable documentation (Art. 18(1)–(2)). "Where necessary" is the proportionality hinge: a documented judgement the creditor has to defend, not a free hand.
  3. Behavioural and inferred data cannot be the principal basis. Device signals, checkout behaviour, merchant-risk models, and social-graph proxies can inform a decision; they cannot carry it. The underlying evidence must be actual financial data. Germany's transposition is explicit on this and additionally prohibits social-media data in creditworthiness.

Three consequences flow from the text. A negative assessment means no credit — Art. 18(6) is a prohibition on granting credit the consumer cannot plausibly repay, with creditor liability attached ("we charged a higher APR instead" is not a defence). Automated decisions carry a human-review right layered on top of GDPR Art. 22 and the CJEU Schufa ruling (C-634/21, December 2023) — consumers must be told the decision logic and can demand human intervention. And proportionality cuts both ways: shallow checks are defensible at the shallow end and indefensible at the deeper end, with the burden of explaining why a given depth was adequate on the creditor.

Product implication: Article 18 does not specify a rail. It specifies an outcome. A documented policy mapping product, ticket, duration, and risk signal to required evidence depth is the defensible form — and the artifact a class-action plaintiff will demand in disclosure.

Consent — narrower than GDPR, specifically

Creditworthiness consent under CCD2 is tighter than the GDPR baseline on four points (Art. 18, read with Arts. 10–12 and the Schufa ruling):

  • Specificity. Consent must reference the specific assessment for the specific credit agreement. "I authorise credit checks" is not enough.
  • Freely given, unbundled. Consent to creditworthiness cannot be tied to consent to marketing, profiling, or any unrelated processing. The bundled-consent pattern common in BNPL checkout UX is non-compliant as of 20 November 2026.
  • Fresh consent per fresh check. Re-assessment on material change requires new consent. A one-time consent does not authorise indefinite bureau or AIS pulls.
  • Data minimisation and right to information. The consumer must be told which data was accessed, from which source, and what decision resulted. Only data proportionate to the assessment may be collected.

The artifact that proves compliance is the consent receipt: a signed, timestamped record binding specific consumer, specific creditor, specific transaction, evidence sources, and decision. CCD2 does not mandate a receipt format. It mandates an outcome that a receipt is the only clean way to deliver.

Withdrawal, modification, and re-assessment (Arts. 26–30)

The 14-day consumer withdrawal right carries over from CCD1. Two CCD2 additions matter for merchants: material modification triggers a new SECCI, new consent, and — where it materially changes the consumer's financial obligation — a new creditworthiness assessment (top-ups, limit increases, and restructurings are procedurally new agreements, not amendments); and forbearance is not optional — before enforcement, the creditor must offer reasonable forbearance measures.

Enforcement — where the commercial exposure actually lives

CCD2 requires "effective, proportionate, and dissuasive" penalties (Art. 44). National legislatures set the specific amounts. What ships uniformly across the EU:

  • Contract voiding and claw-back. Consumers can void non-compliant agreements and recover interest, fees, and default charges. This is the line-item exposure on a BNPL book — not the supervisory fine.
  • Collective action under Directive (EU) 2020/1828. Qualified consumer associations can bring representative actions. The German Verbandsklage and the French action de groupe are the most active venues. One class action on systematic consent-bundling or shallow Art. 18 checks lands at multi-million-euro scale and becomes a precedent across the merchant's book.
  • Private right of action. Individual consumers can claim damages for improperly assessed credit. The discovery burden — consent records, assessment logs, decision rationales on demand — is the operational part.
  • Supervisory penalties. National competent authorities (BaFin, FMA, ACPR, Banca d'Italia) gain explicit CCD2 powers; calibrations are set in national law [NEEDS SOURCE on published CCD2-specific BaFin penalty ranges — CCD1 precedent was €250k–€5M for material violations].
  • Cross-authority reporting. Regulators must flag cross-border non-compliance to peer authorities. A merchant in DE and AT cannot contain a problem to one market.
Transposition uncertainty — what it actually looks like

Germany passed transposition on 17 April 2026 (amending BGB and KWG, introducing the Sales Finance Supervision Act; Bundesrat consent expected May 2026). France transposed by Ordonnance of 3 September 2025. Austria's draft is in consultation, Q2 2026 targeted. Italy, Spain, Netherlands, Belgium have drafts in flight.

The directive text sets the floor for pan-European operations. What varies is the implementation layer — registration, supervisory templates, penalty calibrations, exact Art. 18 verification wording — landing on a rolling calendar through Q3 2026, often weeks before application. Waiting for perfect clarity is not a strategy. Directive-level obligations are stable enough to build against today; national additions layer on as configuration.

What this means for the Worldline channel

02c · Who this breaks for on 20 November 2026

CCD2 does not hit everybody the same way — four merchant shapes, four exposure profiles.

BNPL · Instalment · Leasing · Revolving — what breaks for each, and why waiting is not a strategy.

CCD2 does not hit everybody the same way. Four distinct merchant shapes sit underneath one Worldline checkout, each with a different compliance surface and a different pain profile. The Orchestration Layer handles them with one platform; the commercial pitch splits by buyer. What follows is what breaks, for whom, and why waiting is not an option.

BNPL (≤3 months, ≤€3,000) — the volume track

The consumer-PM buyer. Pay-in-3, Pay-in-4, short-duration deferred payment — the product that built the €191B EU BNPL volume and is on track for €293B by 2030. The CCD1 short-term exemption that made this product lightweight is gone. Every transaction now needs a standardised SECCI before commitment (Directive (EU) 2023/2225, Arts. 10–12), a per-transaction creditworthiness assessment based on verified financial data (Art. 18), specific and unbundled consent, and a signed receipt proving all of it.

What breaks. Contract voiding and claw-back of interest, fees, and default charges on any non-compliant agreement — applied across the book, not per case. Collective actions under Directive (EU) 2020/1828 (German Verbandsklage, French action de groupe) against systematic consent-bundling or shallow Art. 18 checks. Supervisory exposure to BaFin, FMA, ACPR, Banca d'Italia. And — specific to BNPL — a liability-apportionment fight between merchant and BNPL provider that is ambiguous today and adversarial tomorrow: whichever side cannot produce an audit-trailed consent receipt carries the loss.

Why BNPL cannot wait. Volume spikes with seasonal checkout load (peaks above 1,000 TPS for tier-1 merchants). A compliance layer retrofitted mid-peak is a re-platforming project, not a patch. The 20 November 2026 date is fixed. The only question is whether the merchant enters peak with defensible infrastructure or with exposure.

Instalment credit (€1,000–€5,000, 3–24 months) — the higher-assurance track

The consumer-finance-PM buyer. Often a different internal owner at the same merchant as BNPL — different budget line, different compliance appetite, different SLA expectations. Same Orchestration Layer backend; different commercial face. The rule is load-bearing: one platform, two tracks — do not collapse into a single "consumer credit" offering.

What changes at this ticket band is the evidence floor. Bureau data alone is rarely enough to defend an Art. 18 assessment on a €3,000 24-month obligation — the directive's proportionality standard ("verified where necessary through independently verifiable documentation") pushes toward independently verifiable income and expense evidence. Policy-triggered AIS for higher-assurance flows is how that surface closes at checkout latency.

What breaks. The exposure profile shifts from volume-class (many small void-and-claw-back events) to ticket-class (fewer, larger, material voiding actions). "We used bureau data" is a weaker Art. 18 defence at €3,000 than at €150. Under Directive 2020/1828, a qualified consumer association can build a representative action on one or two systematically mis-assessed instalment products and apply the precedent across every similar agreement on the book.

Why instalment credit cannot wait. Higher-assurance evidence requires contracted AIS capacity, configured policy thresholds, and SECCI templates calibrated per national transposition — procurement-cycle decisions, not deployment tasks. Starting in Q3 2026 for 20 November 2026 is late.

Consumer leasing (purchase option / acquisition obligation only) — narrow, design-partner

The lessor buyer. CCD2 Art. 2(2)(d) is the key line: leases without acquisition obligation are out; consumer leases with a purchase option or acquisition obligation are in. Pure operational leasing is not routed through this platform unless local legal review puts it in scope.

The v1 posture is explicit and narrow: its own product mode, SECCI template, and pricing band; AIS-heavy evidence default (bureau-only not permitted at this scale under the v1 policy matrix). Available for design partners and first lessors — deliberately small to prove the product mode works before offering it broadly. Lessors have longer sales cycles and richer affordability-signal expectations than BNPL merchants; leasing carries its own commercial band because the evidence mix and unit economics differ.

What breaks. Same enforcement vectors as instalment credit, compounded by contract length — a voided lease is a multi-year revenue claw-back, not a ticket-level one. Mid-term payment changes and end-of-term purchase-option exercises each trigger the Art. 18 re-assessment rule. A lessor without re-assessment infrastructure at modification events carries cumulative exposure across the book.

Why leasing cannot wait. For design-partner lessors, scoping and evidence-calibration work starts now — leasing ships only if that validation runs parallel to the Worldline PoC.

Revolving, overdraft, credit cards with deferred-payment features — flagged, v1.1+

In scope under CCD2, but a different operational shape: continuous obligation rather than per-transaction credit, with re-assessment triggered by material change across the life of the facility. Compliance logic carries over — SECCI, Art. 18, specific consent, receipt — but the surface is a portfolio-review flow, not a checkout flow. Not a v1 commitment. The envelope and receipt schema are designed to absorb revolving as a future product mode without re-architecture.

Why all four tracks read the same calendar

The 20 November 2026 date does not discriminate by product shape. What discriminates is the exposure vector each shape creates: BNPL runs out of peak-season time fastest, instalment credit carries the largest per-case class-action risk, leasing compounds exposure over years, revolving is a later problem but not a different one. One platform, priced in four bands, handling the obligations each track actually faces — that is what it takes to walk into 20 November 2026 with defensible infrastructure across a merchant's full credit offering, not a checkout patch on one product while the rest of the book is exposed.

03 · Why the acquirer funds it

The compliance demand is inside your merchant base. It is not a new market to find.

CCD2 creates a productized compliance need that merchants will bring to their acquirer. The question is who owns the answer when they ask.

CCD2 creates compliance demand inside merchant portfolios. Every BNPL and consumer-credit merchant that runs through the Worldline channel will need a productized answer by 20 November 2026. They will not build it themselves. They will ask their acquirer.

The acquirer has one structural choice: wait for third-party vendors — Signicat, Sumsub, Trulioo — to productize the layer and own the merchant relationship, or fund the regulated evidence layer now and distribute it as a proprietary product. The first path cedes the relationship. The second path creates a durable channel position.

PoPEye is distributed through existing acquirer rails and relationships. CINDR.LA does not need to find merchants. The acquirer selects which segment to activate first and controls the rollout pace. The build is funded once; the distribution is the acquirer's channel.

Your merchant base will need this. Fund the layer now and own the distribution position before someone else productizes it for your customers.

The evidence layer — what PoPEye orchestrates

Evidence sources
Creditworthiness data
CreditSafe · Schufa · CRIF · KSV1870 · Experian — per-country bureau routing for Article 18 fresh-check compliance. PoPEye orchestrates; no single bureau is the moat.
AIS evidence routes
Open-banking affordability
Tink · TrueLayer · Plaid Europe — account-information service data as a supplementary affordability signal. Routed and receipted through the same PoPEye consent flow.
Identity / trust routes
Verified identity anchors
Namirial · Signicat · Criipto · national eID providers (Bund-ID, ID Austria, SPID/CIE) — qualified trust services and eIDAS-grade identity, routed per regime.
PoPEye
Orchestration + receipt layer
Regime-shaped orchestration across all evidence providers — consent capture, bureau routing, identity verification, and signed KYARA receipt in one flow. The moat is the layer, not any single source.
04 · The Consumer Flow

Five steps from cart to receipt. Click any to see what happens.

End-to-end latency target: < 3s p95. Consumer sees a SECCI panel + one consent tap. Merchant gets a signed decision.
1
Checkout trigger
2
SECCI disclosure
3
Consent + wallet
4
Fresh credit check
5
Decision + receipt
05 · Competitive Landscape

Who else is closest — and where they can't reach us.

Hover each card for the gap our architecture exploits.
HIGH

Signicat

Identity · Credit · Wallet
hover →
Signicat can credibly approach the identity side of this market. The open question is who productizes the regulated transaction receipt first: identity-first providers, payment acquirers, or a PoPEye / KYARA layer anchored through the right trust-service partner.
MED

Algoan

Open-banking affordability
hover →
Named CCD2 page, UK expansion. No identity, no wallet, no consent-receipt, no MCP. More partner-candidate than competitor — could become a bureau-alternative in our orchestration.
MED-latent

Sumsub

KYC · KYB · KYA leadership
hover →
Already publishing KYA thought leadership. One PM decision from pairing KYA with CCD2 and they collapse the window. First-mover speed is the mitigation.
MED-latent

Trulioo

Global identity verification
hover →
Strong in identity breadth. No consent-receipt, no bureau orchestration, no PSP channel. Could acquire their way in — watch for M&A around CreditSafe-adjacent targets.
06 · Commercial Engagement Model

Three entry points. Each one builds on the last.

Structured to let Worldline validate at each tier before committing to the next. Commercial floors are set internally — no unpaid discovery, no free implementation.

Tier 1 — Paid Scoping Sprint

A time-boxed engagement to establish mutual product fit, compliance fit, and architecture readiness before committing to a full build. CINDR.LA / IDCanopy deliver a structured scoping memo and a go / no-go recommendation for Tier 2.

Partner funds: Scoping engagement at consulting-band rates
CINDR.LA / IDCanopy delivers: Product fit assessment · compliance fit assessment · architecture sketch · commercial-fit assessment
Partner receives: Scoping memo · architecture sketch · commercial-fit assessment · go / no-go for Tier 2
Out of scope: Implementation · regulator coordination · merchant integration
Decision point: Ratify Tier 2 founding-partner commitment or wind down

What this tier establishes

Market fit: CCD2 exposure across Worldline merchant base — which segments, which product modes, which countries first
Compliance fit: Regime-by-regime obligations mapped to PoPEye capabilities
Architecture fit: Integration path through Worldline rails — PSP adapter, merchant SDK, channel rollout model
Commercial fit: Tier 2 scope, governance model, and founding-partner terms framed for decision

Tier 2 — Founding Partner Build

Worldline funds the PoPEye implementation for one product mode and one launch market. CINDR.LA / IDCanopy deliver a working PoPEye instance integrated into the Worldline channel, ready for CCD2 enforcement on 20 November 2026.

Partner funds: Founding-partner build at mid-market consulting bands
CINDR.LA / IDCanopy delivers: PoPEye implementation for one product mode (BNPL / instalment / leasing / general consumer credit) and one launch market — including consent architecture, evidence routing, receipt schema, and integration with at least one bureau / AIS / identity provider per regime
Partner receives: Working PoPEye instance · acquirer-channel integration plan · governance commitment
Out of scope: Multi-market expansion (Tier 3) · white-label rebranding (separate)
Decision point: Roll into Tier 3 distribution / OEM agreement

Founding-partner position

First-mover advantage: Worldline merchant base is the initial deployment — ahead of any competing acquirer channel
Product input: Founding-partner governance gives Worldline structured input into the PoPEye roadmap for the launch market and product mode
Channel lock: Tier 3 OEM terms prefer founding partners — distribution rights negotiated from a position of live deployment, not speculation
Commercial discipline: Worldline provides channel access and segment selection. CINDR.LA does not identify merchants — the acquirer activates the segment it already owns

Tier 3 — Distribution / OEM Agreement

White-label, co-branded, or embedded distribution through the Worldline acquirer channel. Commercial structure depends on exclusivity, markets, transaction volume, support burden, and IP arrangement. This is the durable channel position.

Partner funds: Separate commercial structure — terms set at negotiation
CINDR.LA / IDCanopy delivers: White-label / co-branded / embedded PoPEye distribution through the acquirer channel · ongoing platform updates · tier-aligned support
Partner receives: Market-specific PoPEye distribution · ongoing updates · expansion path to additional markets or product modes
Out of scope: Open-market sales outside agreed segments
Decision point: Renewal / expansion to additional markets or product modes

Expansion architecture

Market expansion: Launch market proves the model. Tier 3 renewal frames next-market activation at lower cost and risk
Product-mode expansion: BNPL is the CCD2 wedge. Instalment credit, leasing, and general consumer credit follow the same architecture at incrementally lower integration cost
Agentic extension: KYARA receipt layer extends naturally to agentic-commerce compliance as KYA-OS interoperability matures
Regulatory runway: PSD3/PSR, FIDA, and verticalized regulated transaction surfaces extend the same architecture beyond CCD2
07 · Path to 20 Nov 2026

Seven months — implementation complete before the deadline.

Backward-planned from the 20 November 2026 enforcement date. Tier 1 scoping sprint is the gate.
May 2026
Tier 1 · Paid Scoping Sprint
Product fit, compliance fit, architecture, and commercial-fit assessment. Worldline selects launch market and product mode. Scoping memo and Tier 2 go / no-go delivered.
Jun 2026
Tier 2 founding-partner engagement · Worldline selects merchant segment
If the acquirer wants a live merchant proof, the acquirer provides the merchant segment and distribution access. CINDR.LA / IDCanopy provide the regulated evidence layer, consent architecture, receipt schema, and implementation leadership. Tier 2 contract formalises the build scope.
Jul–Sep 2026
8-week build · W1-W8
Foundations → consent engine → creditworthiness → receipts / KYARA receipt schema → integration → compliance hardening → UAT → production cutover.
Oct 2026
Shadow mode · legal review
Merchant traffic in shadow mode. External counsel and merchant legal team review KYARA receipts and consent flows. Compliance sign-off before production cutover.
20 Nov 2026
CCD2 enforcement · deployment goes live
Production cutover complete. ≥1000 consent-bound transactions in first wave. Zero compliance findings from legal review. Case study ready for Tier 3 distribution rollout.
08 · The Agentic Wedge

CCD2 is the ticket in. KYARA / KYA-OS is the category.

Every capability built for CCD2 — signed consent, verified identity, bureau-fresh affordability — is exactly what agentic commerce needs for Know-Your-Agent compliance. KYA-OS interoperability makes it reusable beyond BNPL. KYARA turns those receipts into a portable, agent-aware, regulator-verifiable authority layer. CCD2 is the first wedge; KYARA is the decade-long position.

MCP-I → KYA-OS (Mar 2026) Vouched donated the MCP-Identity framework to DIF. KYA-OS is the open agent-identity and delegation protocol emerging from that work.
Google AP2 · Mastercard Agent Pay · Visa TAP Agentic payments are shipping. The regulated evidence and receipt layer is empty — that is the CINDR.LA / IDCanopy position.
KYARA — Know Your Agent Receipt Authority Extends the CCD2 consent-receipt primitive to machine-initiated purchases. Who acted, under whose authority, against what mandate, with what compliance result — one receipt, regulator-verifiable.
09 · KYA Anatomy

Four questions. One receipt. Regulator-grade proof.

KYC asks one question of a human. KYA asks four of the software — and CCD2 forces a human-in-the-loop gate on top. Click any card or claim to expand.
+
Q01 · Identity

Who operates this agent?

Legal entity. Registered in our operator registry. KYB-grade.

Operators pass IDCanopy KYB onboarding before issuing any agent. Operator DID + Agent Issuer Certificate minted. Registry resolution on every transaction. No registered operator → transaction rejected before SECCI renders.

+
Q02 · Provenance

What model. What build.

Reproducible. Audit-traceable. Pinned per transaction.

Agent declaration at registration captures model family, version, capabilities, hosting, key custodian. Version written into every KYA receipt. Regulator traces a disputed CCD2 transaction back to the exact agent build that initiated it.

+
Q03 · Authority

What mandate, what scope.

Verifiable Credential. Signed by consumer's wallet.

Consumer signs a mandate VC once per scope: merchant allowlist, MCC categories, per-transaction ceiling, rolling-period ceiling, allowed regimes, expiry. CCD2 forces requiresHumanConfirmation=true regardless of what the mandate says — policy engine overrides.

+
Q04 · Envelope

What is it allowed to do.

Enforced at the action point. Seven checks before any engine fires.

Signature valid · not revoked · not expired · scope match · period ceiling fresh · action assertion fresh · operator in good standing. Any fail → reject before SECCI even renders. Reason returned to merchant.

Art. 5 Pre-contractual info to consumer Art. 10 SECCI in good time before bound Art. 14 14-day withdrawal right Art. 18 Creditworthiness assessment Art. 36 Competent authority
// CCD2 KYA receipt — W3C VC, BBS+ signed { "@context": [...v2, idcanopy/kya/v1], "type": ["VerifiableCredential", "KYAReceipt"], "issuer": "did:web:idcanopy.com", "id": "urn:uuid:7c9e6679...", "credentialSubject": { "agent": { did, operator, version, tier: "L2" }, "mandate": { credentialId, consumerDid, scopeHash }, "transaction": { merchantId, amount: 489.00 EUR, regime: "ccd2_credit" }, "consent": { humanConfirmed: true, confirmedAt, secciAcknowledged: true, withdrawalRightNotified: true }, "decision": { outcome: "approved", bureauReceiptIds: [...], reasoningChainHash, article18Applied: true } }, "credentialStatus": StatusList2021, "proof": { bbs-2023, ... } }
agent.tierL2 — DID + VC delegation. Required for CCD2. Policy engine rejects L1 agents server-side.
mandate.scopeHashHash of the clause that authorised this transaction — proves which without disclosing the full mandate.
consent.humanConfirmedThe line between "agent-delegated transaction" and "specific consent by the consumer". CCD2 requires true.
consent.secciAckConsumer tapped through the SECCI render before confirming. CCD2 Article 10.
consent.withdrawalRightNotified14-day withdrawal right displayed per Article 14. Defends against consumer protection challenges.
decision.reasoningChainHashHash over full Article 18 creditworthiness reasoning. Regulator verifies without inspecting bureau data.
proof (BBS+)Selective disclosure. Regulator verifies humanConfirmed=true without seeing consumer DID. GDPR-aligned.
credentialStatusStatusList2021 entry. Revocable. Regulator can re-verify at any future date without calling us.
Conservative reading

CCD2 means the consumer, not the agent.

  • Article 5 specifies "consumer" receives the SECCI
  • Article 10's "in good time before the consumer is bound" implies human reading time
  • Recital 4 "informed decisions" reads as human cognition
  • No EU court precedent accepting agent-mediated SECCI consent
→ Agent prepares. Human confirms.
Aggressive reading

Maybe, with a power of attorney.

  • Member-state contract law generally permits representatives
  • Power of attorney can include credit decisions
  • Notarised mandate may carry weight in court
  • But untested. Ambiguity blocks enterprise procurement.
→ Legally possible. Commercially risky.
IDCanopy v1 · our pick

Conservative. Forced human gate for ccd2_credit.

  • Removes ambiguity that blocks enterprise procurement
  • Removes the "was agent really the consumer?" attack surface
  • Forces a novel hybrid model that AP2 alone cannot enforce
  • Becomes the reason for our layer — we are what AP2 cannot be
  • When the law catches up (EBA 2027-2028) we are the reference implementation
→ Policy engine overrides any mandate with requiresHumanConfirmation=false for CCD2.
10 · Engaging

Three things Worldline does to move from here.

CINDR.LA handles the regulated evidence architecture. Worldline brings the channel, the decision, and the segment.
Step 1

Designate a product-level decision owner for CCD2

A named owner inside Worldline who can commit to the Tier 1 scoping engagement and represent the merchant-channel interest in the architecture discussion. This is a commercial and product conversation, not an infrastructure procurement.

Step 2

Commission Tier 1 — Paid Scoping Sprint

CINDR.LA and Worldline run a time-boxed product, compliance, and architecture-fit assessment. Output: scoping memo with Tier 2 go / no-go recommendation. Worldline receives the full assessment regardless of the Tier 2 decision.

Step 3 (on Tier 2 go)

Worldline selects the launch merchant segment

The acquirer identifies which part of its merchant base activates first — product mode (BNPL / instalment / leasing), geography (DE / AT / FR), and volume threshold. CINDR.LA / IDCanopy deliver the regulated evidence layer. Worldline owns the distribution.

CCD2 is the first wedge; PSD3/PSR, FIDA, and verticalized regulated transaction surfaces (insurance distribution, investment suitability) extend the same architecture.

Talk to CINDR.LA about Worldline CCD2 readiness.

Architecture deep-dive, scoping a Tier 2 founding-partner build, or shaping the Worldline-channel engagement — reach CINDR.LA directly.