The Consequences of a TPP Changing Legal Identity

When a third party provider (TPP) changes its legal identity there are wider ramifications that Financial Institutions must be aware of to ensure they safeguard their customers’ data and funds.

Share This Post

If a TPP has changed its legal identity it is possible that it can be incorrectly granted customer account access. This article highlights the importance of validating the regulatory status of a TPP and not just its identity, each time a transaction request is made, so unauthorised account access is never granted. 

A TPP uses its eIDAS certificate to identify itself to an ASPSP (Financial Institution) when it is requesting access to end-user account information or funds. But what happens when a TPP changes legal identity? In a recent example, a TPP was acquired by a bank, which tried to use the TPP’s eIDAS certificate, containing its previous legal name, to complete an open banking transaction. 

By checking both the TPP’s identity and current regulatory status at the time of the transaction, the ASPSP determined that the entity no longer existed and therefore that account access could not be granted. Without this verification stage, there could have been significant legal and financial consequences through any potential misuse of data.

Mergers and Acquisitions 

When a TPP changes legal identity – specifically changing its Authorisation Number – then its eIDAS certificate should be revoked. In an acquisition, the TPP becomes part of the acquiring organisation. In a merger, a new separate entity is created. Either way, the TPP is withdrawn and its eIDAS certificate becomes void. 

However, QTSPs – the entities in charge of issuing and managing eIDAS certificates – have no obligation to revoke certificates when an organisation changes its legal identity. Unless requested by the TPP itself, QTSPs are not required to update the certificate when changes occur. Ensuring the information in an eIDAS certificate is for a legitimate TPP therefore becomes the responsibility of the ASPSP and not the QTSP.   

This means that eIDAS certificates often fail to provide correct and current data. The market is moving at a rapid pace – new TPPs emerge, change the services they provide, expand their offering by passporting into additional countries, or have their regulatory status withdrawn – yet an eIDAS certificate only needs to be updated once every two years. 

A comparable scenario is a car driving out of a garage after passing its MOT inspection and immediately crashing into a brick wall. If the vehicle was being sold online, the purchaser could inspect its paperwork or pictures taken before the accident and might assume it was still worth buying. It still has a valid MOT after all, so why wouldn’t it be roadworthy? Unless time is taken to physically inspect the vehicle, it would appear as if nothing was wrong. Yet a lot can change in a short space of time, meaning a car that was once roadworthy can be written off in an instant, and the evidence which “proves” the car is worth buying can quickly become out of date.  

The same can happen with a TPP, who can have its regulated ability to perform certain functions in given territories removed at any time. ASPSPs must be sure to monitor many different data sources when making decisions about which TPPs are allowed to access the data they hold. Even if a TPP looks to be regulated from the information given in its eIDAS certificate, further checks must always be carried out to check its current authorisation status. 

Double Checking: Identity and Regulatory Status 

In this example, the bank that acquired the TPP wrongly assumed that they could use the TPP’s old eIDAS certificate. From the perspective of the account holder, an entity that did not exist was trying to access their account – which could have resulted in a GDPR breach with associated financial losses and brand damage. 

Konsentus Verify consolidated all the data from the QTSPs and the NCA and EBA registers (which contain regulatory statuses and information on passporting) and identified that the TPP was no longer a regulated entity. It supplied this information to the ASPSP in real time, enabling the ASPSP to make an informed decision to block the unauthorised transaction. 

These cases are likely to become more common as the market evolves. The number of withdrawn TPPs is rising rapidly – from 4 in 2019, to 12 in 2020, to over 20 in 2021. In fact, in the last month at Konsentus, 1.3% of all transaction requests tried to use a ‘valid’ eIDAS certificate even though the TPP’s legal status had changed. 

As the European fintech market matures, we are likely to see an increase in M&As, consolidations, and TPP business models failing. It is important for ASPSPs to have the required checking procedures in place. This will ensure that they never inadvertently give unauthorised third parties access to end-user account data or funds.

Subscribe To Our Newsletter

Keep up to date with all our news and publications.

More To Explore

What Makes a Successful Open Banking Ecosystem?

Brendan Jones, CCO, Konsentus, draws upon his wealth of experience in managing protected and trusted open ecosystems to set out what he sees as the key drivers for success and how countries looking to set up open data frameworks can learn from the experience of the early adopters.

Read More

Talk with Our Team Today

Join us on the Journey

Protect your customers transacting in open ecosystems.

Konsentus Rebrand Button - Konsentus Dot-23-23

Find out how our technology can protect your customers within open ecosystems.



On completion of this form you will be sharing your personal data with Konsentus Ltd (company number 1115059) (“Konsentus”/”we”/”us”). We will process such information for the purposes of sending you the requested information. We may also send you marketing communications and information which we consider may be of interest to you from time to time. This may include sending information by email, or us contacting you by telephone, where relevant details are provided. We rely on our legitimate interests as the lawful basis for processing your data in this way. Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to receive a copy of the data we hold about you. You also have the right to opt out of marketing communications at any time using the details in an email sent to you or by contacting us at

Login to your account