From the 14th September 2019, over 9,000 FIs in Europe have to comply with ‘Open Banking’ under PSD2’s Regulatory Technical Standards (RTS). This means an FI cannot deny access to a Third-Party Provider (TPP) if they are appropriately regulated; but how do they know this and that a TPP are who they say they are?
The EBA has a central register of payment and electronic money institutions that can be accessed either through a web browser interface or downloaded as a JSON (JavaScript Object Notation) file.
For a system to utilise the information in the register it has to be regularly downloaded and a full interrogation and data management system built. It is not accessible on a real-time basis to check TPP transactions.
Organisations listed in the EBA’s central electronic register and those omitted
The register contains information on the following regulated organisations:
- ‘Payment institutions’ as legally defined in Article 4(4) of PSD2;
- ‘Exempted payment institutions’ under Article 32 of PSD2;
- ‘Account information service providers’ under Article 33 of PSD2;
- ‘Electronic money institutions’ as legally defined in Article 2(1) of EMD2;
- ‘Exempted electronic money institutions’ under Article 9 of EMD2;
- ‘Agents’ as legally defined in Article 4(38) of PSD2;
- ‘EEA branches’ as legally defined in Article 4(39) of PSD2;
- ‘Institutions entitled under national law to provide payment services’ under Article 2(5) of PSD2;
- ‘Service providers excluded from the scope of PSD2′ under points (i) and (ii) of point (k) and point (l) of Article 3 of PSD2.
However, it does not contain information on Credit Institutions (banks), which are all allowed to act as TPPs without further registration with the relevant National Competent Authority, although some have asked their Credit Institutions to inform them if they are intending to act as a TPP. There is a separate register published by the EBA containing information on Credit Institutions. The EBA Credit Institution Register contains information on the following:
- Credit institutions;
- EEA Branches of credit institutions; and
- Non-EEA Branches of credit institutions.
However, the EBA Credit Institution register only allows manual searches, and is updated in their words only ‘regularly’. There is thus no easy way to access this data and no guarantee it is up to date.
Validity of the data supplied
The EBA central electronic register of payment and electronic money institutions is not real-time, in that it is publishes updates twice a day and it is only updated by National Competent Authorities (NCAs) once a day. So, if an NCA supplies information that a TPP has had its authorisation withdrawn just after the EBA register has been published, it could be up to 12 hours or even longer before the EBA register is published containing details of the update.
The EBA register also has a disclaimer, stating that the information in it may be out of date:
“This file, which is available for download, reproduces the information contained on the EBA register of payment and electronic money institutions. It is updated on regular basis, with the update times being displayed on the register. For transparency reasons, public users of the register should be aware that there may be a discrepancy between the information contained on the file and the information contained on the actual register depending on the time of the update of the information on the file and the timing of its download.
In addition, if the EBA registry is used by an ASPSP as its sole source for data checking and the information supplied by the EBA is out of date and the transaction is found to be fraudulent, the EBA takes no liability. Account Servicing Payment Service Providers (ASPSPs) are therefore fully liable not the EBA.
Mismatching or missing data
- Although NCAs provide the information contained in the central registers of the EBA and are responsible for its accuracy and keeping the information up-to-date, whilst working with the NCA registers and the EBA registers, Konsentus has observed a number of issues and inconsistencies with the EBA registers. The TPP id, provided by a QTSP within an eIDAS certificate, cannot be found on the EBA Payments Institutions register.Some NCAs have multiple id numbers recorded in their registers for the same TPP. If the QTSP has used a different one to the one the EBA has in its register then the ASPSP will not be able to validate the identity or regulatory status of the TPP.
- The id, from an eIDAS certificate, for a credit institution, cannot be found in the EBA Credit Institutions register.Some NCAs do not provide id numbers for the Credit Institution register of the EBA. Or the ASPSP is unable to access the EBA Credit Institution register programmatically as the only interface is via a web browser.
- The TPP id, from an eIDAS certificate, cannot be found in the EBA registers.The reference numbers on the EBA register are sometimes different to those on the NCA registers. The numbers are either mismatching, in a different format (e.g. removed commas and full stops) or missing all together.
- The TPP id, from an eIDAS certificate, matches multiple records in the EBA registers.Some records are similar but show different payment services have been authorised/registered to the TPP. The ASPSP is not able to identify which TPP record should be used to accept or reject the transaction request for a specific payment service.
- The TPP appears to be authorised but has been suspended by its NCA. The TPP has a status of ‘authorised’ on the EBA register but hidden within the TPP’s record on its Home NCA register there are restrictions on its regulated activities (in effect it has been suspended).
Summary of limitations
The EBA’s central electronic register of payment and electronic money institutions does not contain a single place for checking the authorisation of a TPP. Even when combined with the Credit Institution register there are still issues:
- With data,
- With delays,
- With the NCA reference numbers used on EBA registry,
- With missing identification numbers on the EBA registry,
- The Credit Institution register has no advertised download facility,
- The Credit institution register is only updated regularly,
- Neither registers contain notification when there are changes, nor version history,
- The registers were built for transparency, not interoperability.
Finally, under the RTS for Strong Customer Authentication and Common Secure Communications, ASPSPs are required to provide traceability of all transactions, another aspect that needs to be built to be used in the case of disputes or fraudulent claims. The EBA registry does not provide any sort of tracking when data is updated on it or when an ASPSP checks it, it is just a static registry. Therefore, an ASPSP as previously outlined, needs to build not just interrogation and management software around the EBA database but also a full immutable audit.
The EBA registry, whilst offering a reference point, is not the source data – this is the NCAs and cannot be relied upon by ASPSPs to check the regulatory status of TPPs. The challenge of course is that there are 31 NCAs who all publish in a variety of languages, formats, and update at different times. Furthermore, not all NCAs advise where TPPs regulated by them have been passported to. There is therefore no simple EU or State database solution provided to the market today; the PSD2 RTS has left that for third parties to provide.
