- The EBA reminds financial institutions that the transition period between the EU and UK will expire on 31 December 2020, which will end the possibility for the UK-based financial institutions to offer financial services to EU customers on a cross-border basis (passporting).
- Financial institutions wishing to operate in the EU and offer services to their EU customers should ensure they have obtained the necessary authorisations and effectively establish themselves before the end of the transition period.
In particular, the EBA warns UK-authorised payment and electronic money institutions wishing to continue to offer services to EU-based customers that it is illegal for them to provide payment or electronic money services in the EU after 31 December 2020, unless they have been adequately authorised beforehand by an EU competent authority.
Furthermore, account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked.
Article 34 of the Commission Delegated Regulation (EU) 2018/389, states:
- For the purpose of identification, as referred to in Article 30(1)(a), payment service providers shall rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication as referred to in Article 3(39) of that Regulation.
Qualified certificates for electronic seals and for website authentication, mentioned above, are respectively eIDAS certificates known as QSealC and QWAC.
These eIDAS certificates are issued by Qualified Trust Service Providers (QTSPs) who operate in compliance with Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and ETSI TS 119 495 – Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Qualified Certificate Profiles and TSP Policy Requirements under the payment services Directive (EU) 2015/2366.
Under PSD2, Third Party Providers (TPPs), such as AISPs and PISPs, must be authorised to provide payment services within the EEA by their home National Competent Authority (NCA). Once they have been registered by their NCA they can apply to any QTSP, within the EEA, for their eIDAS certificates. These certificates are used by the TPP to prove their identity when requesting access to a Payment Service User’s (PSU) account information or for initiating a payment on the PSU’s behalf with an Account Servicing Payment Service Provider (ASPSP). TPPs purchase their eIDAS certificates from the QTSP under the QTSP’s standard terms and conditions. The QTSP has obligations to verify the identity of the TPP and, as part of that process, checks with the TPP’s home NCA that they have been authorised to provide payment services in the TPP’s home Member State. The TPP can inform their home NCA that they wish to provide payment services in other Member State, under the passporting rules, but this does not form part of the certification process.
The UK NCA is the Financial Conduct Authority (FCA) which stated in an article entitled: Strong Customer Authentication, First published: 02/09/2019 and last updated: 18/06/2020, “we expect all ASPSP and TPPs to rely on eIDAS certificates for the purpose of identification. This means that an ASPSP must ensure that its interface is capable of enabling a TPP to identify itself using only its eIDAS certificate.”
The UK Open Banking Directory also relies on eIDAS certificates to authenticate the identity of a TPP wanting to automatically enrol itself on the directory.
The UK open banking ecosystem has been instructed by the FCA to use and rely on eIDAS certificates for the safe and proper functioning of the UK internal market. If, as suggested by the EBA, “their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked” then the UK open banking market will come to stand still after the 31 December 2020.
But why should these UK authorised TPP eIDAS certificates be revoked? Their identity is still the same after 31st December 2020. The payment services they can provide to UK PSUs holding accounts with UK based ASPSPs, is still the same. True, these TPPs will no longer be able to provide payment services or access accounts held by EEA ASPSPs, based on their UK FCA registration.
And even if a UK registered TPP should attempt to access an EEA ASPSP, their eIDAS certificate clearly states that they were registered by the FCA and the ASPSP can reject the TPP’s transaction. So again, there is no need to revoke eIDAS certificates issued to UK registered TPPs to ensure that they cannot access EEA PSU accounts.
As stated above by the EBA “Financial institutions wishing to operate in the EU and offer services to their EU customers should ensure they have obtained the necessary authorisations and effectively establish themselves before the end of the transition period”. So, any UK TPP wishing to continue to offer its payment services in the EEA after 31st December 2020 should ensure that they have registered with, and been authorised, by an EU based NCA, before 31st December 2020 as well as maintain their UK FCA registration. They would also need to have purchased another set of eIDAS certificates, based on their EU NCA registration, for use in interactions with EEA based ASPSPs. However, they should retain their existing eIDAS certificates, based on their UK FCA registration, for use in interactions with UK based ASPSPs.
It may be the case that some ASPSPs are not fully checking the PSD2 eIDAS certificates presented to them by TPPs wishing to access PSU accounts they hold. They may be relying on the fact that if the TPP’s eIDAS certificate has not expired or been revoked then the TPP is authorised to access the accounts they hold. In which case they would not know which NCA authorised the TPP and what payment services the TPP is authorised to provide and in which Member States. If this is the case, then the ASPSP may provide PSU account access to a TPP that is no longer authorised, breaking their responsibilities under PSD2 and possibly GDPR.
If the ASPSP were to use the Konsentus Verify service it would have all the data needed to determine:
- The identity of the TPP
- The identity of the NCA that authorised the TPP
- The identity and status of the QTSP that issued the TPP with its eIDAS certificates
- The payment services the TPP is authorised to provide both in its home Member State and any other Member State where it has authorisation to provide payment services.
The data provided by Konsentus Verify gives the ASPSP all the information it requires to comply with PSD2 and make informed decisions about the identity and authorisation status of a TPP before processing any account information or payment initiation request from the TPP or rejecting the request. Konsentus Verify also maintains an immutable log of all TPP verification requests made by the ASPSP so that in the event of a dispute with a PSU or a TPP it has the necessary transaction history to effectively manage the dispute.