On 25th June 2019 the FCA stated that any CMA9 ASPSP, or any other UK ASPSP, must “ensure that its interface is capable of enabling a TPP to identify itself using only its eIDAS certificate.”
Konsentus has responded to this by launching its new dedicated eIDAS checking service. Designed for ASPSPs in the UK using the UK Open Banking Standard, it enables them to comply with the FCA requirement of being able to check eIDAS certificates of any TPP who is not registered, or does not intend to register, on the Open Banking Directory.
Brendan Jones, Chief Commercial Officer of Konsentus commented: “PSD2 Open Banking requirements are still evolving as we move towards the 14th September deadline for ASPSPs to be live. Konsentus, with its nimble architecture, is pleased to be able to launch this new service quickly to support the requirements the FCA has clearly outlined that all ASPSPs in the UK must be in a position to verify a TPP based on their eIDAS certificate(s) alone”.
The FCA stated as background to this requirement that “In the UK, the development of an Open Banking standard in response to the CMA Order has also led to the development of a functioning infrastructure for identification. Authorised and registered third party providers (TPPs) that have already joined the Open Banking Directory have been issued with certificates by Open Banking, “OB Certificates”, and are currently using these to identify themselves toward ASPSPs. This system has received positive feedback from TPPs and ASPSPs.
“A small number of firms have proposed an approach of maintaining the Open Banking identification process, while at the same time, relying on eIDAS certificates for identification. The FCA understands that the proposed approach would entail a TPP having to enrol in the Open Banking Directory. As part of the enrolment, the TPP would use its eIDAS certificate to identify itself. Once registered, the TPP would receive a certificate from Open Banking. The TPP would then gain access to ASPSP APIs by using its Open Banking certificate.”
They went on to state that “Our view is that this approach can be taken and would not be a bar to gaining an exemption, but only if TPPs agree voluntarily to use Open Banking certificates for identification. Accordingly, an ASPSP that allows a TPP to identify itself in this way, must also ensure that its interface is capable of enabling a TPP to identify itself using only its eIDAS certificate”.