TPP Regulatory Status

Checking the regulatory/approved status of a TPP is challenging:

  • The EBA Electronic Central Register holds the approved/regulated status of TPPs, but holds no data regarding eIDAS certificates and seals
  • Registration with Scheme Regulatory Databases (e.g. UK Open Banking), where such a scheme applies, is not compulsory
  • National Competent Authority databases are not machine readable
  • National Competent Authorities have no legal obligation to notify Scheme Regulatory Databases other than a general published bulletin when they revoke a TPP
  • National Competent Authorities have no SLA in place about notifying passported NCAs when a TPP is revoked
  • National Competent Authorities shall ensure that all changes to the content of their national public registers related to the granting or withdrawal of authorisation or registration are inserted in the EBA Electronic Central Register by the end of the same day. There may be a window between when a National Competent Authority withdraws authorisation or registration of a TPP in a Member State, and that information being updated on the EBA Electronic Central Register
  • TPPs will use eIDAS Certificates and Seals and these need to be checked with the correct Qualified Trust Service Provider (QTSP), of whom there are many across Europe

An FI therefore needs to reference numerous databases to establish that a TPP is registered and/or approved to provide the services in question and has not since been revoked.

The Konsentus platform will thus look to reference:

  • 1 Central EBA Register
  • 31 EU & EEA Competent Authority Databases
  • 30+ Qualified Trust Service Providers

Konsentus continually checks whether any TPP has been revoked, notifies FIs in the shortest feasible time when one is, and ensures that Payment Service Users' (PSUs') data is never passed to a revoked, non-registered or non-approved TPP.

Once a TPP is revoked and a bulletin issued by the relevant NCA, it is the responsibility of the FI to ensure that no data is sent to the TPP. It is crucial that FIs have the latest information in a timely manner, thus protecting consumers and FIs. The risk is both to the FI's brand reputation and of remedial action by the National Competent Authority.

TPP Regulatory Checking via Dedicated API

The TPP must identify itself to the FI using the means appropriate to the FI's specific API.

FIs may choose to develop APIs to recognised standards (e.g. UK Open Banking, STET, The Berlin Group etc.) or develop their own specific APIs.

Through the use of eIDAS certificates, the FI will have immediate verification of the identity of the TPP. The certificate will also contain the regulatory status as at the time the certificate was issued by the Qualified Trust Service Provider (QTSP).

However, the eIDAS certificate only confirms the TPP's status as at that earlier point in time (issuance) and may not reflect its current status; this presents a risk to the FI.

FIs must know the current regulatory status of TPPs before releasing account holder information or executing transactions.
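As an added example that is not code from Konsentus or this page, the following Python decodes the PSD2 QCStatement (ETSI TS 119 495) that a PSD2 eIDAS certificate carries in its qcStatements extension and reconciles the roles asserted at issuance with a register snapshot, so that a role withdrawn after issuance is not honoured on the strength of an unexpired certificate. The certificate bytes, the authorisation number PSDGB-FCA-123456 and the register entries are constructed; a real implementation would take the extension bytes from the parsed certificate and the entries from the EBA register and NCA bulletins.

```python
# Added example, not Konsentus code. Decodes the PSD2 QCStatement (ETSI TS 119 495,
# OID 0.4.0.19495.2) from a qcStatements extension value; all data below is constructed.
ROLE_NAMES = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
              "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}
PSD2_QC_OID = "0.4.0.19495.2"

def parse(buf):                                # minimal DER walker -> [(tag, body)]
    items, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                           # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        items.append((tag, buf[i:i + n]))
        i += n
    return items

def oid_str(body):                             # OBJECT IDENTIFIER body -> dotted string
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def psd2_statement(qc_statements_der):
    """Return (roles, nca_name, nca_id) from the PSD2 QCStatement, or None if absent."""
    (_, statements), = parse(qc_statements_der)  # QCStatements ::= SEQUENCE OF QCStatement
    for _, stmt in parse(statements):
        fields = parse(stmt)                   # QCStatement ::= SEQ { statementId, statementInfo }
        if oid_str(fields[0][1]) != PSD2_QC_OID:
            continue                           # e.g. QcCompliance, QcType, QcPDS
        roles_seq, nca_name, nca_id = parse(fields[1][1])
        roles = {ROLE_NAMES.get(oid_str(parse(r)[0][1]), "unknown")
                 for _, r in parse(roles_seq[1])}
        return roles, nca_name[1].decode(), nca_id[1].decode()
    return None

def live_roles(cert_roles, entry):
    """Cert roles still authorised in the register; a revoked or missing entry yields none."""
    if entry is None or entry["status"] != "authorised":
        return set()
    return cert_roles & set(entry["roles"])

def tlv(tag, body):                            # DER encoder for the sample (short-form length only)
    return bytes([tag, len(body)]) + body
role = lambda oid_hex, name: tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x0C, name.encode()))
# Constructed qcStatements: QcCompliance, then PSD2 with AI + PI roles under GB-FCA.
SAMPLE_QC = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("04008e460101")))
    + tlv(0x30, tlv(0x06, bytes.fromhex("040081982702")) + tlv(0x30,
        tlv(0x30, role("04008198270103", "PSP_AI") + role("04008198270102", "PSP_PI"))
        + tlv(0x0C, b"Financial Conduct Authority") + tlv(0x0C, b"GB-FCA"))))
# Constructed register snapshot: the PI role was withdrawn after the certificate was issued.
REGISTER = {"PSDGB-FCA-123456": {"status": "authorised", "roles": ["PSP_AI"]}}
```

The difference between the certificate's roles and `live_roles()` is exactly the window the text describes: authority the certificate still asserts but the register no longer does.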

The Konsentus platform provides the following services:

  • Verification of the TPP eIDAS certificate, every time the TPP accesses the PSU account data, to check the identity and role of the TPP.
  • Verify the TPP's regulated status on the EBA Electronic Central Register repository and National Competent Authority daily bulletins.
  • Verify the TPP against the FI's relevant scheme (e.g. UK Open Banking, STET etc.) to determine the TPP's status, where appropriate.
  • Issue a secure access token to the TPP, via the FI, for access to the PSU's account(s) once verification and checking are satisfactorily completed.
  • Verification of the TPP eIDAS Seals and certificates on all payment and account access instructions carrying a qualified Seal.
  • Verify that the access token presented to access the PSU's account is valid and holds the correct "explicit consents" granted by the PSU.
  • Check the PSU has not revoked the TPP's access through the FI's online banking application.
  • Re-issue access tokens to TPPs when existing tokens have expired.
  • Konsentus will return the results to the FI.