If a TPP (third party provider) has changed its legal identity, it is possible for it to be incorrectly granted customer account access. This article highlights the importance of validating the regulatory status of a TPP, and not just its identity, each time a transaction request is made, so that unauthorised account access is never granted.
A TPP uses its eIDAS certificate to identify itself to an ASPSP (Financial Institution) when it is requesting access to end-user account information or funds. But what happens when a TPP changes legal identity? In a recent example, a TPP was acquired by a bank, which tried to use the TPP’s eIDAS certificate, containing its previous legal name, to complete an open banking transaction.
By checking both the TPP’s identity and current regulatory status at the time of the transaction, the ASPSP determined that the entity no longer existed and therefore that account access could not be granted. Without this verification stage, there could have been significant legal and financial consequences through any potential misuse of data.
Mergers and Acquisitions
When a TPP changes legal identity – specifically changing its Authorisation Number – then its eIDAS certificate should be revoked. In an acquisition, the TPP becomes part of the acquiring organisation. In a merger, a new separate entity is created. Either way, the TPP is withdrawn and its eIDAS certificate becomes void.
However, QTSPs – the entities in charge of issuing and managing eIDAS certificates – have no obligation to revoke certificates when an organisation changes its legal identity. Unless requested by the TPP itself, QTSPs are not required to update the certificate when changes occur. Ensuring the information in an eIDAS certificate is for a legitimate TPP therefore becomes the responsibility of the ASPSP and not the QTSP.
This means that eIDAS certificates often fail to provide correct and current data. The market is moving at a rapid pace – new TPPs emerge, change the services they provide, expand their offering by passporting into additional countries, or have their regulatory status withdrawn – yet an eIDAS certificate only needs to be updated once every two years.
A comparable scenario is a car driving out of a garage after passing its MOT inspection and immediately crashing into a brick wall. If the vehicle was being sold online, the purchaser could inspect its paperwork or pictures taken before the accident and might assume it was still worth buying. It still has a valid MOT after all, so why wouldn’t it be roadworthy? Unless time is taken to physically inspect the vehicle, it would appear as if nothing was wrong. Yet a lot can change in a short space of time, meaning a car that was once roadworthy can be written off in an instant, and the evidence which “proves” the car is worth buying can quickly become out of date.
The same can happen with a TPP, which can have its regulated ability to perform certain functions in given territories removed at any time. ASPSPs must be sure to monitor many different data sources when making decisions about which TPPs are allowed to access the data they hold. Even if a TPP appears to be regulated from the information given in its eIDAS certificate, further checks must always be carried out against its current authorisation status.
Double Checking: Identity and Regulatory Status
In this example, the bank that acquired the TPP wrongly assumed that it could use the TPP’s old eIDAS certificate. From the perspective of the account holder, an entity that did not exist was trying to access their account – which could have resulted in a GDPR breach with associated financial losses and brand damage.
Konsentus Verify consolidated all the data from the QTSPs and the NCA (national competent authority) and EBA (European Banking Authority) registers (which contain regulatory statuses and information on passporting) and identified that the TPP was no longer a regulated entity. It supplied this information to the ASPSP in real time, enabling the ASPSP to make an informed decision to block the unauthorised transaction.
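The two-stage check described above (certificate identity first, then current regulatory status from the NCA/EBA registers) can be expressed as a small decision routine. The following is an added example written for this article; it is not Konsentus code and it does not reproduce any real TPP, certificate or register data. The certificate fields, authorisation numbers, register entries and dates are all constructed, and the register is a plain in-memory dictionary standing in for a live consolidated register feed. The role names (PSP_AI, PSP_PI) follow the PSD2 role identifiers used in eIDAS certificates.

```python
"""Transaction-time TPP verification: certificate identity plus current
regulatory status. Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Psd2Certificate:
    """Fields an ASPSP extracts from a TPP's PSD2 eIDAS certificate."""
    organisation_name: str      # legal name as printed in the certificate
    authorisation_number: str   # PSD2 authorisation number (regulatory identifier)
    roles: frozenset            # roles asserted in the certificate, e.g. PSP_AI
    not_before: date
    not_after: date
    revoked: bool = False       # outcome of a QTSP revocation (OCSP/CRL) check


@dataclass(frozen=True)
class RegisterEntry:
    """Constructed snapshot of what the NCA/EBA registers say about one TPP."""
    legal_name: str
    status: str                 # "authorised" or "withdrawn"
    services: frozenset         # roles the TPP is currently permitted to perform
    passported_to: frozenset    # countries where it may currently operate


# Constructed register: one live TPP and one whose authorisation was withdrawn
# after an acquisition. Its certificate is still unexpired and unrevoked.
REGISTER = {
    "PSDXX-NCA-000001": RegisterEntry("Example Fintech Ltd", "authorised",
                                      frozenset({"PSP_AI", "PSP_PI"}),
                                      frozenset({"GB", "DE"})),
    "PSDXX-NCA-000002": RegisterEntry("Acquired Payments Ltd", "withdrawn",
                                      frozenset(), frozenset()),
}

TODAY = date(2021, 6, 1)        # constructed transaction date
LATER = date(2024, 1, 1)        # a date after both certificates expire

CERT_AUTHORISED = Psd2Certificate("Example Fintech Ltd", "PSDXX-NCA-000001",
                                  frozenset({"PSP_AI", "PSP_PI"}),
                                  date(2021, 1, 1), date(2023, 1, 1))
# Certificate of the withdrawn TPP: still "valid" from the QTSP's point of view.
CERT_WITHDRAWN = Psd2Certificate("Acquired Payments Ltd", "PSDXX-NCA-000002",
                                 frozenset({"PSP_AI"}),
                                 date(2021, 1, 1), date(2023, 1, 1))


def verify_tpp(cert, register, today, requested_role, country):
    """Return (allowed, reason). Access is granted only if BOTH the
    certificate identity and the current regulatory status check out."""
    # Stage 1: identity. A certificate that is expired, revoked or does not
    # assert the requested role is rejected before any register lookup.
    if cert.revoked:
        return False, "certificate revoked by QTSP"
    if not (cert.not_before <= today <= cert.not_after):
        return False, "certificate outside its validity period"
    if requested_role not in cert.roles:
        return False, f"certificate does not assert role {requested_role}"

    # Stage 2: regulatory status, keyed on the authorisation number rather
    # than the printed name, since the name is what goes stale first.
    entry = register.get(cert.authorisation_number)
    if entry is None:
        return False, "authorisation number not found in register"
    if entry.status != "authorised":
        return False, f"TPP status is {entry.status}"
    if entry.legal_name != cert.organisation_name:
        return False, "certificate name differs from registered legal name"
    if requested_role not in entry.services:
        return False, f"TPP is not currently permitted to act as {requested_role}"
    if country not in entry.passported_to:
        return False, f"TPP is not passported to {country}"
    return True, "identity and regulatory status verified"


if __name__ == "__main__":
    for label, cert in (("live TPP", CERT_AUTHORISED), ("withdrawn TPP", CERT_WITHDRAWN)):
        print(label, verify_tpp(cert, REGISTER, TODAY, "PSP_AI", "GB"))
```

The withdrawn TPP's certificate passes every stage-1 check, which is exactly the situation the article describes: a "valid" eIDAS certificate presented by an entity that no longer holds an authorisation. Only the register lookup in stage 2 blocks it, which is why the lookup has to happen on every transaction rather than at onboarding.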
These cases are likely to become more common as the market evolves. The number of withdrawn TPPs is rising rapidly – from 4 in 2019, to 12 in 2020, to over 20 in 2021. In fact, in the last month at Konsentus, 1.3% of all transaction requests tried to use a ‘valid’ eIDAS certificate even though the TPP’s legal status had changed.
As the European fintech market matures, we are likely to see an increase in M&As, consolidations, and TPP business models failing. It is important for ASPSPs to have the required checking procedures in place. This will ensure that they never inadvertently give unauthorised third parties access to end-user account data or funds.