May 13, 2018
Posted by: Brendan Jones
Identifying an approved TPP in PSD2 open banking: The Challenges of using eIDAS Certificates and Scheme Regulatory Databases
A key part of PSD2 open banking is that ASPSPs (Account Servicing Payment Service Providers), or as they are more generically called Financial Institutions (FIs), must be able to have confidence in who they are giving Payment Service Users' data to. Under PSD2 all Third Party Providers (TPPs) will be required to obtain approved/registered status with their National Competent Authority (NCA) in accordance with Article 5 of Directive (EU) 2015/2366.
Further, on obtaining approval, all TPPs other than those in the UK are issued with an eIDAS certificate from a Qualified Trust Service Provider (QTSP). In the UK the PSD2 Stakeholder Group, managed by the New Payment System Operator, wrote to the Department of Business, Energy and Industrial Strategy (BEIS) on 20th March 2018 stating that the UK needs to create a QTSP that will issue Qualified Certificates in order to comply with EU law post 2019, and which will thus issue eIDAS certificates to UK approved/registered companies.
There has been much discussion around whether FIs can use the eIDAS certificate presented to them as proof that the TPP is approved by its NCA, and thus has access to end users' data. This issue has been documented and described in the ERPB report of November 2017. The report can be downloaded from the following page: https://www.ecb.europa.eu/paym/retpaym/euro/html/index.en.html
The key section states:
Considering that the NCA is not obliged to inform the QTSP, and the QTSP is not obliged to check the NCA register, it is clear that although we can trust the certificates for Identification, in the case that an NCA has withdrawn a license and the certificate has not yet been revoked, there is a period when the roles in the certificate will not be accurate. In the case that anybody wishes to check the up to date role of an ASPSP, then they must look at the Home NCA of that entity.
Or, in summary: whilst an eIDAS certificate confirms who a TPP is, it does not prove that they are still approved on the NCA database at the time of use and have not had that approval withdrawn at some point after the issuance of the eIDAS certificate.
So is the solution to be found in Scheme Regulatory Databases such as UK Open Banking? In theory yes, as all of these bodies have made it clear they will offer machine readable databases for FIs to connect to and verify that a TPP is approved by an NCA.
If we take the UK as an example, Open Banking Limited is a commercial organisation established to become the vehicle that enables the UK banking industry to perform self-regulation with respect to the Competition and Markets Authority's (CMA) demands, thus avoiding the overhead of getting the FCA involved. However, it has no statutory powers to regulate the business; these powers are retained by the FCA.
By contrast, the FCA is the UK's competent authority and performs the statutory regulation. Only the FCA can authorise payment organisations and register account information providers. The purpose of Open Banking's database is to bind API providers (i.e. ASPSPs and TPPs) to the arbitration rules necessary to achieve a self-regulating industry. Open Banking has been designated by the FCA, so the question is: do all TPPs have to register with a scheme regulatory database like Open Banking for the market in which they wish to access APIs? Again, if we look at the UK and the Open Banking group, it appears not, as the Operational Governance Rules and Guidelines for March 2017 Open Data state, specifically in paragraph 4.3.2…
d) A User does not have to be registered to access Provider APIs, but will still be required to accept the Participation Conditions on the Open Banking website prior to access through Open Banking.
...and paragraph 5.2.
5.2 API User - Validation and Registration
a) The Registration process will be optional for Users who will in all cases be required to accept the Participation Conditions via a tick box on the OBS website.
b) Any User that does not register will be required to accept the Participation Conditions via a tick box on the OBS website, but will not be able to take advantage of any support services offered by Open Banking as defined in these rules and guidelines. This includes disputes resolution, complaints handling and application and security monitoring.
...and paragraph 5.3.3 Withdrawal from the Central Register
d) API Users will be permitted to withdraw from the OBS at any point following the withdrawal process via their access to the Central Register (refer to Service Levels).
e) Where an API Provider or an API User has withdrawn from the OBS, the Central Register must be updated (refer to Service Levels).
Thus, in summary, the FCA database will be definitive; Open Banking's database will be useful, but is not definitive, as whilst TPPs are encouraged to register with UK Open Banking they do not have to. Yes, they have to be NCA approved/registered, and this is passported over to the market they wish to operate in, but there is no obligation for them to then register with the scheme regulatory database (e.g. Open Banking) operating in that market.
Further, in the case of UK Open Banking, only those FIs that sign up to use the UK Open Banking standards will in effect be able to access the Open Banking database. This means any FI that chooses to use its own API format, and there is no regulation that says they cannot, will still require an alternative method of checking that a TPP is approved.
If an NCA revokes an approval there is an obligation to advise the NCAs of the markets the TPP has passported into, but no SLA on the speed of this has been published.
So what is the role of an NCA? Well, the FCA states that its role in regulating AIS and PIS providers is:
“We are responsible for ensuring AISPs and PISPs are registered or authorised. For businesses that only carry on account information services, there is an option to become a ‘registered account information service provider’. These providers have no capital requirements and need to meet fewer conditions than authorised firms. Businesses that provide payment initiation services must be authorised and must have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services). Both AISPs and PISPs have to hold professional indemnity insurance (PII). The EBA has developed Guidelines on PII.”
Thus the FCA states that AISPs are registered, while PISPs will be authorised by the FCA, and the FCA will hold a list of all of these organisations. The challenge is that the FCA, along with the other NCAs, does not generally offer a machine readable database.
This may, though, be addressed: in December 2017 the EBA published its Final Report on:
Draft Regulatory Technical Standards setting technical requirements on development, operation and maintenance of the electronic central register and on access to the information contained therein, under Article 15(4) of Directive (EU) 2015/2366 (PSD2),
Draft Implementing Technical Standards on the details and structure of the information entered by competent authorities in their public registers and notified to the EBA under Article 15(5) of Directive (EU) 2015/2366 (PSD2)
That can be found here: https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/technical-standards-on-the-eba-register-under-psd2/-/regulatory-activity/consultation-paper
The EBA has stated that its database will allow:
So what are the next steps for the EBA in relation to the database? Well, the final draft RTS and ITS will be submitted to the Commission for adoption. Following the submission, the RTS will be subject to scrutiny by the European Parliament and the Council before being published in the Official Journal of the European Union.
The EBA will be able to carry out the development of the EBA Register only after the adoption of the draft RTS and ITS. Therefore, the EBA has currently not published a date on when the database will be available.
So, overall, in summary:
What does all this mean?
Konsentus is providing a platform that provides consent and preference management services to facilitate FIs complying with PSD2 open banking. Whilst the EBA has stated the intent to create a centralised machine readable database, there is no confirmed launch date.
Konsentus believes the best way to ensure that FIs do not pass data to TPPs who are not approved/registered is to integrate with, and if necessary manually check, the NCA databases in all 31 EEA states, as well as using the EBA central database when it becomes available. In addition, FIs will need to check the eIDAS Seal Certificates with the relevant QTSPs (there are around 34). Just using scheme regulatory databases will not allow FIs to ensure they only share data with approved/registered TPPs.
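As an added illustration of the two-step check described in the ERPB finding above and in this recommendation (example code added here, not Konsentus' or any regulator's implementation): the eIDAS certificate is used only to identify the TPP, while the current approval status is taken from the Home NCA register, so the gap case (approval withdrawn, certificate not yet revoked) is refused. The authorisation-number layout "PSD<country>-<NCA>-<id>" follows ETSI TS 119 495, which the post does not cite; the register contents, role names and 24-hour freshness limit are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Authorisation numbers use the ETSI TS 119 495 layout "PSD<country>-<NCA>-<id>", e.g.
# "PSDGB-FCA-123456"; the NCA part names the Home NCA whose register is authoritative.
AUTH_NUMBER = re.compile(r"^PSD([A-Z]{2})-([A-Z0-9]+)-(.+)$")
MAX_REGISTER_AGE = timedelta(hours=24)  # assumed policy: older cached lookups are not relied on

@dataclass(frozen=True)
class EidasCert:
    authorisation_number: str  # binds the certificate to an entry in an NCA register
    roles: frozenset           # PSD2 roles asserted in the certificate, e.g. {"AIS", "PIS"}
    not_after: datetime
    revoked: bool              # outcome of the revocation check against the issuing QTSP
@dataclass(frozen=True)
class RegisterEntry:
    status: str                # "authorised", "registered" or "withdrawn" (constructed values)
    roles: frozenset
    fetched_at: datetime       # when the FI last read the entry from the Home NCA register

def home_nca(authorisation_number):
    # Returns the Home NCA key (e.g. 'GB-FCA'), or None if the number is malformed.
    m = AUTH_NUMBER.match(authorisation_number)
    return f"{m.group(1)}-{m.group(2)}" if m else None

def authorise(cert, registers, role, now):
    """(allowed, reason): the certificate only identifies the TPP; current approval
    comes from the Home NCA register, and any doubt about it fails closed."""
    if cert.revoked or now > cert.not_after:
        return False, "certificate revoked or expired"
    if role not in cert.roles:
        return False, f"certificate does not assert role {role}"
    nca = home_nca(cert.authorisation_number)
    entry = registers.get(nca, {}).get(cert.authorisation_number) if nca else None
    if entry is None:
        return False, f"no entry for {cert.authorisation_number} in the Home NCA register"
    if now - entry.fetched_at > MAX_REGISTER_AGE:
        return False, f"{nca} register data is stale; the certificate alone is not enough"
    if entry.status == "withdrawn":
        return False, "NCA withdrew approval although the certificate is not yet revoked"
    if role not in entry.roles:
        return False, f"{nca} register does not list role {role}"
    return True, f"identified by eIDAS certificate and currently approved by {nca}"

def demo():
    """Constructed scenarios: an approved AISP, and the gap case the ERPB describes."""
    now = datetime(2018, 5, 13, tzinfo=timezone.utc)
    cert = EidasCert("PSDGB-FCA-123456", frozenset({"AIS"}), now + timedelta(days=365), False)
    fresh = now - timedelta(hours=1)
    ok = {"GB-FCA": {"PSDGB-FCA-123456": RegisterEntry("registered", frozenset({"AIS"}), fresh)}}
    gone = {"GB-FCA": {"PSDGB-FCA-123456": RegisterEntry("withdrawn", frozenset(), fresh)}}
    return {"approved": authorise(cert, ok, "AIS", now), "withdrawn": authorise(cert, gone, "AIS", now)}
```

Running `demo()` shows the same certificate accepted against a current register entry and refused once the Home NCA has withdrawn approval, even though the certificate itself is still unexpired and unrevoked.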
Brendan Jones is CCO / Co-Founder of Konsentus Ltd. Konsentus provides a SaaS based consent and preference management solution for EU FIs, facilitating their PSD2 open banking compliance. He has over 30 years' experience in the UK & international payments industry, having held executive positions in banking, payment & technology companies including Giesecke & Devrient, Bank of America MBNA & the Datacard Corporation.