Konsentus offers three services to Financial Institutions, facilitating their compliance with EU regulation on PSD2 open banking:
Konsentus delivers a cloud-based (SaaS) RESTful API regulatory checking service.
Konsentus facilitates checking the regulatory status and eIDAS Seal Certificates of Third Party Providers, along with the issuing of access tokens to enable FIs to be PSD2 open banking compliant.
Under PSD2, FIs may only share data with regulated third parties. However, there is no single machine-readable database that gives FIs the TPP verification information they need, in real time, at the moment a TPP accesses their online open banking interfaces. In addition, there are numerous PSD2 schemes being promoted within Europe (e.g. Berlin Group, UK Open Banking, STET, CAPS etc.), all of which use different schemas.
Each National Competent Authority across Europe has its own operating rules and procedures. They publish information using their own formats and terminology, and there is no single rule book that they adhere to, or timetable that they work to.
It is estimated that there are in excess of 100 databases that FIs need to reference and check for the regulatory status of a TPP comprising:
1 EBA Central Register
31 EU & EEA Competent Authority Databases
73+ Qualified Trust Service Providers
Konsentus provides a single source of data on all regulated organisations. Konsentus provides the regulatory checking of Third-Party Providers, initially when the third-party requests access to the customer’s account, and then subsequently when they collect data or execute transactions. Konsentus acts as a central system of record of all regulated parties across Europe and the EEA and verifies the regulatory Access Rights of TPPs.
Under PSD2, Payment Service Providers (PSPs) rely on eIDAS qualified certificates (qualified seal certificates, together with the qualified website authentication certificates used on the TLS connection) to provide proof of origin, identity and data integrity on payment initiation and account access requests. These qualified certificates are issued by Qualified Trust Service Providers (QTSPs) in collaboration with the national Competent Authorities, which provide the QTSP with a unique authorisation number for the PSP, the PSD2 roles for which the PSP is authorised and the identity of the national Competent Authority; these attributes are encoded in the certificate.
The existence of a seal certificate is not, by itself, sufficient to guarantee the identity of its owner or the integrity of the data it protects. Each time the certificate is presented, the recipient must check that it was issued by a QTSP, that it has not expired and that it has not been revoked.
Konsentus checks that the issuer of the certificate is a registered QTSP, that the certificate has not been revoked (by consulting the QTSP's Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) responder), that the certificate has not expired, and which PSD2 roles the PSP identified in the certificate is registered for.
The information in the certificate was true at the time of issue, but over time the roles for which the TPP is authorised may change or be withdrawn, and the certificate is not reissued when that happens. The eIDAS certificate therefore cannot be relied upon on its own to establish the regulated status of a TPP. This is why Konsentus always checks, in real time, with the identified national Competent Authority what the authorised and regulated status of the TPP is at the time of the transaction.
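The checks described above, as an added worked example (this is illustrative code written for this page, not Konsentus's implementation). It decodes the PSD2 QcStatement that ETSI TS 119 495 defines for these certificates (statement OID 0.4.0.19495.2, role OIDs 0.4.0.19495.1.1 to .4 for PSP_AS, PSP_PI, PSP_AI and PSP_IC, plus the NCA name and NCA id) with a minimal standard-library DER codec, applies the issuer, validity and revocation checks, and then confirms the certificate's roles against a snapshot of the NCA register rather than trusting the certificate alone. The QTSP name, serial number, authorisation number PSDGB-FCA-123456, the revocation set standing in for a CRL/OCSP answer, and the register snapshot are all constructed sample data; in the sample, the register shows the PIS role has been withdrawn since the certificate was issued.

```python
"""Check a TPP's PSD2 eIDAS certificate: QTSP issuer, validity period, revocation,
then confirm the PSD2 roles against the NCA's live register (constructed here).
Standard library only; the DER codec covers SEQUENCE, OID and UTF8String."""
from datetime import datetime, timezone

PSD2_QC_OID = "0.4.0.19495.2"  # id-etsi-psd2-qcStatement (ETSI TS 119 495)
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        items.append((tag, inner))
    return items

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_psd2_qcstatement(qc_statements):
    """qcStatements ::= SEQUENCE OF { statementId OID, statementInfo ANY };
    PSD2QcType ::= SEQUENCE { rolesOfPSP, nCAName UTF8String, nCAId UTF8String }."""
    _, seq, _ = der_read(qc_statements)
    for _, stmt in der_children(seq):
        (_, oid), (_, info) = der_children(stmt)
        if decode_oid(oid) != PSD2_QC_OID:
            continue
        (_, roles), (_, nca_name), (_, nca_id) = der_children(info)
        names = []
        for _, role in der_children(roles):
            (_, role_oid), (_, role_name) = der_children(role)
            names.append(ROLE_OIDS.get(decode_oid(role_oid), role_name.decode()))
        return {"roles": names, "nca_name": nca_name.decode(), "nca_id": nca_id.decode()}
    return None

def build_qcstatements(roles, nca_name, nca_id):
    """Encode a PSD2 qcStatements value; used here only to build the sample input."""
    role_seq = b"".join(der(0x30, der_oid(o) + der(0x0C, n.encode())) for o, n in roles)
    psd2 = der(0x30, der(0x30, role_seq) + der(0x0C, nca_name.encode()) + der(0x0C, nca_id.encode()))
    return der(0x30, der(0x30, der_oid(PSD2_QC_OID) + psd2))

def check_tpp(cert, now, trusted_qtsps, revoked, nca_register):
    """Return (roles the FI may honour, problems). Issuer, validity and revocation are
    hard failures; the roles come from the register, not from the certificate alone."""
    problems = []
    if cert["issuer"] not in trusted_qtsps:
        problems.append("issuer is not a listed QTSP")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate outside its validity period")
    if (cert["issuer"], cert["serial"]) in revoked:          # CRL/OCSP result stand-in
        problems.append("certificate revoked (per CRL/OCSP)")
    if problems:
        return [], problems
    psd2 = parse_psd2_qcstatement(cert["qc_statements"])
    if psd2 is None:
        return [], ["no PSD2 QcStatement in certificate"]
    live = nca_register.get((psd2["nca_id"], cert["authorisation_number"]), set())
    withdrawn = sorted(set(psd2["roles"]) - live)
    if withdrawn:
        problems.append(f"roles in certificate not confirmed by {psd2['nca_id']}: {withdrawn}")
    return sorted(set(psd2["roles"]) & live), problems

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: hypothetical QTSP, TPP, and a register snapshot in which the
# NCA has withdrawn the PSP_PI authorisation after the certificate was issued.
SAMPLE_CERT = {
    "issuer": "Example QTSP CA", "serial": 4711,
    "authorisation_number": "PSDGB-FCA-123456",   # subject organizationIdentifier
    "not_before": utc(2023, 1, 1), "not_after": utc(2025, 1, 1),
    "qc_statements": build_qcstatements(
        [("0.4.0.19495.1.2", "PSP_PI"), ("0.4.0.19495.1.3", "PSP_AI")],
        "Financial Conduct Authority", "GB-FCA"),
}
TRUSTED_QTSPS = {"Example QTSP CA"}
REVOKED = set()
NCA_REGISTER = {("GB-FCA", "PSDGB-FCA-123456"): {"PSP_AI"}}

if __name__ == "__main__":
    print(check_tpp(SAMPLE_CERT, utc(2024, 6, 1), TRUSTED_QTSPS, REVOKED, NCA_REGISTER))
```

Run as a script it reports that only PSP_AI may be honoured and flags PSP_PI as no longer confirmed by GB-FCA, which is exactly the gap between "certificate still valid" and "TPP still authorised" that the real-time register check closes. In production the trusted QTSP set comes from the EU trusted lists, the revocation answer from the QTSP's CRL or OCSP responder, and the register lookup from the NCA.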
Konsentus provides secure consent and preference management and access tokenisation services to FIs using open standards (OAuth 2.0, OpenID Connect, OpenID Foundation FAPI etc.). Konsentus issues the access tokens for Client Credentials Grants and Authorization Code Grants on behalf of the Financial Institution, which passes them to the third-party providers to present each time they access the open banking application programming interface (API).
Konsentus checks the access tokens that are presented to the FI’s open banking API to ensure that the third-party provider has the appropriate payment service user consent and is a regulated TPP, at the time of the transaction. This may involve Konsentus checking the identity of the TPP using its eIDAS certificate and checking its national competent authority’s database to validate its regulated status and PSD2 roles.
Recital 23 of the Regulatory Technical Standards on strong customer authentication and common and secure communication (Commission Delegated Regulation (EU) 2018/389, which supplements PSD2) states:
Where access to payment accounts is offered by means of a dedicated interface, in order to ensure the right of payment service users to make use of payment initiation service providers and of services enabling access to account information, as provided for in Directive (EU) 2015/2366, it is necessary to require that dedicated interfaces have the same level of availability and performance as the interface available to the payment service user.
Konsentus will deliver an uptime equal to or greater than the FI’s existing online channels in order to meet the regulatory requirements.
Using Konsentus services, FIs enable their customers to securely participate in the open banking eco-system, confident in the knowledge that their data will only be provided to approved TPPs.
Konsentus holds the consumer consents and preferences after the FI has carried out Strong Customer Authentication (SCA) with the Payment Service User (PSU), and issues the access token to the FI. The FI passes it to the TPP, which presents it each time it wants to access PSU data via the FI's API. The access token binds the PSU's explicit consent to the nominated accounts, the period for which access has been granted and the specific TPP.
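The binding described above, as an added worked example (illustrative code written for this page, not Konsentus's token service). It issues a compact signed token whose claims name the TPP, the PSU's nominated accounts and the consent period, then decides an individual API request by checking the signature, expiry, the presenting TPP (the identity the FI would have established from the TPP's eIDAS certificate), any withdrawal of the consent by the PSU, and whether the requested account is covered. The HMAC key, the TPP id PSDGB-FCA-123456, the IBAN and the consent id are constructed placeholders; a real deployment would use a managed signing key and the standards named on this page (OAuth 2.0 / OpenID Connect / FAPI) rather than this hand-rolled format.

```python
"""Consent-bound access tokens for an open banking API: the token issued after SCA
carries the TPP, the nominated accounts and the consent period, and every API call
is checked against those bindings. Standard library only; the HMAC key is a
constructed stand-in for the token service's managed signing key."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, tpp_id, consent_id, accounts, valid_for, now):
    """Bind the PSU's explicit consent to one TPP, a fixed account list and an expiry."""
    claims = {
        "jti": secrets.token_hex(8),      # unique token id, so individual tokens can be revoked
        "tpp": tpp_id,                    # TPP identity as established from its eIDAS certificate
        "consent": consent_id,
        "accounts": sorted(accounts),     # only the accounts the PSU nominated
        "iat": int(now.timestamp()),
        "exp": int((now + valid_for).timestamp()),
    }
    body = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def check_access(key, token, presenting_tpp, account, now, withdrawn_consents):
    """Decide one API request against the token's bindings. Returns (allowed, reason)."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed token"
    body, sig = parts
    try:
        presented = _b64u_decode(sig)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return False, "bad signature"
    claims = json.loads(_b64u_decode(body))
    if now.timestamp() >= claims["exp"]:
        return False, "consent period has ended"
    if claims["tpp"] != presenting_tpp:
        return False, "token is bound to a different TPP"
    if claims["consent"] in withdrawn_consents:        # PSU revoked it via the bank portal/app
        return False, "PSU has withdrawn this consent"
    if account not in claims["accounts"]:
        return False, "account not covered by the consent"
    return True, claims["consent"]

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample values: key, TPP id, IBAN and consent id are placeholders.
KEY = b"constructed-demo-key-use-managed-keys-in-production"
TPP = "PSDGB-FCA-123456"
ACCOUNTS = ["GB29NWBK60161331926819"]
TOKEN = issue_token(KEY, TPP, "consent-42", ACCOUNTS, timedelta(days=90), utc(2024, 6, 1))

if __name__ == "__main__":
    print(check_access(KEY, TOKEN, TPP, ACCOUNTS[0], utc(2024, 7, 1), set()))
    print(check_access(KEY, TOKEN, "PSDDE-BAFIN-999999", ACCOUNTS[0], utc(2024, 7, 1), set()))
```

The order of checks matters: signature first, so nothing in an unauthenticated token influences the decision, then expiry, TPP binding, withdrawal and account scope. A consent withdrawn by the PSU is refused even though the token itself is still cryptographically valid, which is why the withdrawal list (or an equivalent live lookup) has to sit in the request path and not only in the issuance path.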
Konsentus provides a complete suite of management services that enable PSUs, via their online bank portal or app, to see exactly which TPPs they have granted access to, and to proactively manage those consents and preferences.