eIDAS certificates are used as identity credentials when interacting with financial institutions. They are the first step in securing an open banking transaction, namely by establishing the identity of the third party provider (TPP).
As explained in PSD2, TPPs can apply for an eIDAS certificate with a Qualified Trust Service Provider (QTSP). QTSPs are government-approved entities and issue two types of PSD2 eIDAS certificates to TPPs:
- Qualified Website Authentication Certificates (QWACs), which enable a secure channel to be established between the two parties
- Qualified Electronic Seal Certificates (QSealCs), which provide legally assured evidence of transaction data, including data integrity and proof of origin
The use of eIDAS certificates is crucial to ensure independent government-assured trust in the identity of the third party. However, PSD2 explicitly states that the certificates should be used solely “for the purpose of identification” (Article 34). Confirming that a transaction is authenticated and authorised involves two additional steps.
The second step makes sure that the TPP is authenticated. For this, QWACs are used to establish a secure communications channel using Transport Layer Security (TLS). During the mutually authenticated TLS (mTLS) handshake, the TPP signs part of the data exchanged between the two parties with its private key. The financial institution verifies that signature against the public key in the TPP's certificate. A valid signature confirms that the TPP holds the corresponding private key and therefore serves as proof of the TPP's authentication.
The authentication step can also involve a QSealC: the TPP seals (signs) the transaction data, giving the financial institution data integrity and proof of origin in addition to authentication of the TPP. The confidentiality of the data is provided by the encrypted TLS session.
Although QWACs and QSealCs provide the secure identity and authentication mechanisms required by PSD2, they do not provide the regulatory check needed to ensure that the TPP is authorised. A financial institution must know in real time that the TPP is:
- Regulated by its National Competent Authority
- Approved to perform the service requested (account information or payment initiation)
- Approved for services in the country of the request
- Authorised by the PSU to carry out the transaction
eIDAS certificates, though crucial to identify a TPP, cannot be used to validate the authorisation status of the TPP at the time the transaction is taking place. eIDAS certificates are issued with a lifespan of one to two years and so cannot be relied upon to provide authorisation status, as the information can quickly become outdated. In addition, eIDAS certificates contain no information on passporting and so it is not clear whether the TPP is authorised to operate in another country.
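The point above can be made concrete by looking at what a PSD2 eIDAS certificate actually carries. This is an added, constructed example, not code from the article: it decodes the PSD2 QCStatement that ETSI TS 119 495 defines for these certificates (the NCA name, NCA identifier and PSP roles, under the OIDs 0.4.0.19495.2 and 0.4.0.19495.1.x) from a hand-built qcStatements extension, and then shows that the certificate alone cannot answer the four questions listed above, so a register consulted at request time decides. The register, its entry layout and the `tpp_id` key are assumptions made for the example.

```python
# Added, constructed example (not from the article): decode the PSD2 QCStatement
# (ETSI TS 119 495) in a PSD2 eIDAS certificate, then consult a register for authorisation.
PSD2_QC = "0.4.0.19495.2"               # etsi-psd2-qcStatement
ROLES = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
         "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}
def children(body):                     # DER SEQUENCE body -> [(tag, value)], long-form lengths too
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:                   # long form: low 7 bits give the number of length bytes
            ln, pos = int.from_bytes(body[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out
def dotted(b):                          # DER OBJECT IDENTIFIER body -> dotted string (base-128 arcs)
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def parse_psd2(qc_statements):
    """Return roles, NCA name and NCA id from the PSD2 statement, or None if absent."""
    for _, stmt in children(children(qc_statements)[0][1]):   # unwrap the outer SEQUENCE
        parts = children(stmt)          # statementId [, statementInfo]
        if dotted(parts[0][1]) != PSD2_QC:
            continue                    # e.g. QcCompliance carries no statementInfo at all
        roles, nca_name, nca_id = children(parts[1][1])
        names = [ROLES.get(dotted(children(r)[0][1]), "?") for _, r in children(roles[1])]
        return {"roles": names, "nca_name": nca_name[1].decode(), "nca_id": nca_id[1].decode()}
    return None
def authorise(tpp_id, psd2, register, service, country):
    """Certificate identifies the TPP; the register (queried now, not at issuance) decides."""
    entry = register.get((psd2["nca_id"], tpp_id))      # tpp_id: hypothetical authorisation number
    if entry is None or entry["status"] != "authorised":
        return False, "not (or no longer) regulated by the NCA named in the certificate"
    if service not in entry["services"]:
        return False, f"{service} not approved in the register"
    if country != entry["home"] and country not in entry["passports"]:
        return False, f"no passport for {country}"        # the certificate says nothing about this
    return True, "ok"
QC_STATEMENTS = bytes.fromhex(          # constructed qcStatements extension value
    "3041 3008 0606 0400 8e46 0101"     # SEQUENCE { QcCompliance (0.4.0.1862.1.1, no info),
    "3035 0606 0400 8198 2702 302b"     #   QCStatement { id 0.4.0.19495.2, PSD2QcType {
    "3013 3011 0607 0400 8198 2701 03 0c06 5053 505f 4149"  # roles { { OID PSP_AI, "PSP_AI" } },
    "0c0b 4578 616d 706c 6520 4e43 41 0c07 5858 2d45 4e43 41")  # "Example NCA", "XX-ENCA" } } }
REGISTER = {("XX-ENCA", "TPP-0001"): {"status": "authorised", "home": "XX",   # constructed register
                                       "services": {"PSP_AI"}, "passports": {"DE"}}}
```

Running `authorise("TPP-0001", parse_psd2(QC_STATEMENTS), REGISTER, "PSP_AI", "FR")` is refused for lack of a passport even though the certificate is valid and names the AISP role, which is exactly the gap the text describes.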