Skip links

Konsentus Verify: Guidance post Brexit

The interface to Konsentus Verify will not change once the UK leaves the European Economic Area (EEA) at the end of the Brexit transition period on the 31st December 2020.

However, from this date, the UK will no longer be a member of the EEA and the GB-FCA (Financial Conduct Authority of the UK) will no longer be a National Competent Authority of an EU Member State. Therefore, the regulatory information provided by Konsentus Verify will have to be interpreted appropriately depending on the jurisdictions of the Financial Institution (ASPSP) and the third-party provider (TPP).

The information below provides guidance on how to interpret the information provided by Konsentus Verify, post-Brexit, for the following four possible scenarios:

  1. EEA-based ASPSP and an EEA-based TPP
  2. EEA-based ASPSP and a UK-based TPP
  3. UK-based ASPSP and an EEA-based TPP
  4. UK-based ASPSP and a UK-based TPP

1. EEA-based ASPSP and an EEA-based TPP

When an EEA-based ASPSP receives an eIDAS certificate from an EEA- registered TPP the Konsentus Verify service will:

  • Validate the TPP’s eIDAS certificate
  • Return the name and authorisation number of the TPP
  • Check the authorisation status of the TPP in its home Member State
  • Return the payment services the TPP is authorised to provide in its home Member State

If the TPP is not registered in the same Member State as the ASPSP and is passporting its services, Konsentus Verify will also:

  • Check the TPP’s passporting rights for the host Member State
  • Return the payment services the TPP is authorised to provide in the host Member State

This information allows the ASPSP to decide whether to accept the TPP’s access request or not.

2. EEA-based ASPSP and a UK-based TPP

When the Brexit transition period ends on the 31st December 2020, UK registered TPPs should not attempt to access accounts held by EEA-based ASPSPs, as they will no longer have the right to passport their services into the EEA. However, EEA-based ASPSPs cannot rule out the possibility that this may happen and should amend the logic of their API gateways to identify and reject attempts from UK registered TPPs to access their accounts.

If an EEA-based ASPSP receives an eIDAS certificate from a UK registered TPP, the Konsentus Verify service will:

  • Validate the TPP’s eIDAS certificate (which may not have been revoked)
  • Return the name and authorisation number of the TPP
  • Check the authorisation status of the TPP on the GB-FCA register
  • Return the payment services the TPP is authorised to provide in the UK
  • Check the TPP’s passporting rights for the host Member State
    • The GB-FCA should have removed the TPP’s passporting rights on the 31st December 2020, but we cannot be certain that this will happen immediately
  • Return the payment services the TPP is authorised to provide in the host Member State

If the TPP’s eIDAS certificate has been revoked, as requested by the European Banking Authority, then the ASPSP should reject the access request from the TPP.

If the TPP’s passporting rights have been removed from the GB-FCA register this will indicate that the TPP has no right to access accounts in the host Member State and the ASPSP should reject the access request from the TPP.

If neither of the above actions have taken place, the ASPSP should still reject the TPP’s access request as the TPP is registered in the UK by the GB-FCA, which is no longer a recognised National Competent Authority in the EEA. Konsentus Verify would have returned the information that the TPP was registered by the FCA in the UK (GB country code) and the ASPSP should use this information to reject the request.

3. UK-based ASPSP and EEA-based TPP

When the Brexit transition period ends on the 31st December 2020, EEA-registered TPPs can still access accounts held by UK-based ASPSPs if they have registered with the GB-FCA under the Temporary Permissions Regime.

When a UK-based ASPSP receives an eIDAS certificate from an EEA-registered TPP the Konsentus Verify service will:

  • Validate the TPP’s eIDAS certificate
  • Return the name and authorisation number of the TPP
  • Check the authorisation status of the TPP in its home Member State
  • Return the payment services the TPP is authorised to provide in its home Member State
  • Check the TPP’s passporting rights for the UK
    • The TPP’s home NCA should have removed the TPP’s passporting rights to the UK on the 31st December 2020, but we cannot be certain that this will happen immediately
  • Return the payment services the TPP was authorised to provide in the UK (this information should be ignored)
  • Check the TPP has registered with the GB-FCA and is on the Temporary Permissions Register

If the TPP is not on the GB-FCA’s Temporary Permissions Register, the ASPSP should reject the TPP’s access request.

If the TPP is on the GB-FCA’s Temporary Permissions Register but has had its authorisation withdrawn from its home Member State, the ASPSP should reject the TPP’s access request.

The ASPSP should only accept the request if the TPP is authorised by its home NCA and registered with the GB-FCA on the Temporary Permissions Register.

4. UK-based ASPSP and a UK-based TPP

When the Brexit transition period ends on the 31st December 2020, UK-based TPPs will no longer be able to use an eIDAS certificate to identify themselves to UK-based ASPSPs.

UK-based ASPSPs must accept at least one other electronic form of identification issued by an independent party for the identification of UK-based TPPs. This additional form of identification must be a digital certificate issued by an independent third party. The certificate must include the name of the TPP as well as information on the competent authority the TPP is authorised or registered with, and the TPP’s corresponding registration number assigned by the competent authority.

When a UK-based ASPSP receives a digital certificate from a UK-registered TPP the Konsentus Verify service will:

  • Validate the TPP’s certificate and the independent third party that issued the certificate
  • Return the name and registration number of the TPP as well as information on the competent authority the TPP is authorised or registered with
  • Check the authorisation status of the TPP on the GB-FCA register
  • Return the payment services the TPP is authorised to provide in the UK

This provides the ASPSP with all the information it needs to decide whether to accept the TPP’s access request or not.

  • Sign Up
Lost your password? Please enter your username or email address. You will receive a link to create a new password via email.