What the FCA’s latest eIDAS update means for TPPs?

null
Jack Wilson, VP Policy & Research
6 Nov 2020
Background image

At TrueLayer, we specialise in providing reliable connections to banks, so our clients can concentrate on putting banking data to work for their customers. As we previously blogged – managing these connections is complex – especially when key aspects of connectivity rely on the individual approaches taken by banks.

Under the Second Payment Services Directive (PSD2), third party providers (TPPs) are required to identify themselves to banks using electronic certificates, called eIDAS certificates. For more information on what they are, see this post.

This blog covers recent developments in the eIDAS space and explains what TPPs need to do next.


EBA orders UK eIDAS certificates to be revoked

On 29 July this year, the European Banking Authority instructed that UK TPPs must have their eIDAS certificates revoked by the end of the Brexit transition period (31 December 2020).

This meant that UK-based TPPs would not be able to connect to EU or UK banks, after 31 December.

FCA response

Understanding the seriousness of the situation, in September the UK’s Financial Conduct Authority (FCA) issued a consultation on new identification rules for the UK, scoping an alternative type of certificate. The rules, revising Article 34 of the UK-RTS, were finalised on 3 November in this paper. These rules are designed to prevent disruption on 31 December, although they will still require changes to be made by TPPs and banks.

What does the revised Article 34 require?

  • UK banks must accept at least one other electronic form of identification issued by an independent third party (such as the Open Banking Implementation Entity). They must also continue to accept eIDAS certificates.

  • It must be a digital certificate, issued by an independent third party once the payment service provider’s identity has been verified.

  • The certificate must be revoked as soon as the TPP is no longer authorised to act as an AISP or PISP.

  • UK banks are required to verify the authorisation status of the TPP, in a way that would not create any obstacles to TPP access, and to satisfy themselves of the suitability of the independent third party issuing the certificate.

  • UK banks are required to specify publicly which means of identification they accept so that TPPs are aware.

  • The certificate must include the name of the TPP, information on the competent authority the TPP is authorised by or registered with, and the corresponding registration number (Firm Reference Number (FRN)).

How does this change the status quo?

In the UK, there are already some differences in the way identification towards banks works, versus what happens in Europe. Because standards for Open Banking were developed by the UK Competition and Markets Authority (CMA) ahead of some of the final PSD2 technical standards, many UK TPPs and banks are already using ‘open banking certificates’ in place of eIDAS certificates.

To square this with PSD2 requirements, the FCA previously allowed these certificates to remain in use, as long as the TPP had also obtained an eIDAS certificate and uploaded this to the Open Banking Directory.

The FCA has now said this same arrangement can continue, but with two caveats:

  • The TPP must obtain a new type of certificate that meets the FCA’s ‘revised Article 34 requirements’ and upload this to the Open Banking Directory (or the directory of another API programme) before 31 December 2020 to continue using the existing ‘legacy’ certificates.

  • The TPP can only continue this arrangement until 30 June 2021. After this point, TPPs must only engage with banks using certificates that meet the revised Article 34 requirements.

What should TPPs do?

In the short term:

  • Regulated TPPs who are connected to banks with open banking certificates should make sure they have sourced a new certificate that meets the revised Article 34 requirements before 31 December 2020.

  • The Open Banking Implementation Entity can provide these certificates as OBWACS and OBSealCs already meet the revised Article 34 requirements. The new certificates will need to be uploaded to the Open Banking Directory.

  • Regulated TrueLayer clients can find out how we can help with this process by contacting their CSM.

  • If you are an unregulated client of TrueLayer, we will manage this change in the background. You will not need to do anything.

In the longer term:

  • Regulated TPPs will need to stop using open banking ‘legacy’ certificates to identify towards UK banks, and will need to replace them with certificates that meet the revised Article 34 requirements, e.g. OBWACS and OBSEALCs. This will need to happen before 30 June 2021.

  • TrueLayer will be contacting regulated clients to help them through this migration in the new year.

  • The FCA has opened up the possibility that banks will be able to specify that they accept Article 34 compliant certificates issued by providers other than OBIE. TrueLayer will be helping regulated clients to navigate this fragmentation if it arises.

  • If you are an unregulated client of TrueLayer, we will manage this change in the background. You will not need to do anything.

TrueLayer’s commitment to customers

We’d like to reassure all TrueLayer customers that there will be no disruption to your open banking connectivity as a result of these developments. We’ve managed many migrations like this successfully, and we intend to use the same tried and tested methods for this migration.

For TPPs who aren’t customers of TrueLayer, this is a great moment to consider the value TrueLayer’s connectivity service can bring to your business. With TrueLayer, you won’t have to worry about banking connections again. Contact us to find out more.

Latest
checkout
6 Dec 2024

3 tipping points for change within ecommerce payment experiences

Cart abandonment
2 Dec 2024

How to reduce ecommerce cart abandonment

dev sec ops shared responsibility
27 Nov 2024

Devising a delegated alerts model for SecOps

Categories to explore