eIDAS certificates: covering all bases
How we’re helping our regulated clients prepare for PSD2 identification in the run-up to 14 March 2020.
At TrueLayer, we specialise in providing reliable connections to banks, so our clients can concentrate on putting banking data to work for their customers. Managing these connections is complex — especially when key aspects of connectivity rely on the individual approaches taken by banks.
What are eIDAS certificates?
An important security feature baked into the Second Payment Services Directive (PSD2) is the requirement for banks to identify Third Party Providers (TPPs) before giving them access to customer transaction data, or the ability to initiate payments.
Identification enables a bank to understand whether a TPP is a legitimate actor, with the legal right to access a customer’s account, or not. For the identification mechanism, PSD2 links to another piece of regulation — the EU regulation on Electronic Identification, Authentication and Trust Services (eIDAS).
Under PSD2, all TPPs must identify themselves to banks using eIDAS certificates. The certificate must include:
- the TPP’s firm registration number (which it gets from being regulated);
- the name of the regulator (e.g. the FCA);
- and the role of the TPP (account information, payment initiation).

- If you are authorised or registered to provide account information services (AIS) or payment initiation services (PIS), you will be required to have your own eIDAS certificates so that the banks can identify you.
- If you are an agent providing AIS on behalf of TrueLayer, you will not need your own certificate, since our certificate will be presented to the bank.

- Qualified Certificates for Electronic Seals (QSealCs) — used to protect the data or messages during or after the communication;
- Qualified Certificates for Website Authentication (QWACs) — which enable a secure communication channel to be established for the transmission of data between the TPP and the bank.

- Parallel use of QWACs and QSealCs (EBA recommends this approach above others);
- Use of QWACs only;
- Use of QSealCs with an additional element that ensures secure communication.
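
The three fields a certificate must include (registration number, regulator, role) are what a bank acts on once the certificate itself has been validated. The sketch below is an added example, not TrueLayer's or any bank's code: it assumes the ETSI TS 119 495 encoding of those fields (not named in this article), and the function names, the register lookup and the sample values are hypothetical.

```python
import re
from dataclasses import dataclass

# Assumption (not on the page): ETSI TS 119 495 carries the registration number
# and regulator in the certificate's organizationIdentifier, formatted as
# "PSD" + country code + "-" + regulator id + "-" + registration number.
ORG_ID = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-(.+)")

# Role names from the same profile, mapped to the service each role permits.
ROLE_FOR_SERVICE = {"account_information": "PSP_AI", "payment_initiation": "PSP_PI"}


@dataclass(frozen=True)
class TppIdentity:
    country: str
    regulator: str
    registration_number: str
    roles: frozenset


def parse_tpp_identity(organization_identifier, roles):
    """Build a TppIdentity from fields already read out of a validated certificate."""
    match = ORG_ID.fullmatch(organization_identifier)
    if match is None:
        raise ValueError("organizationIdentifier is not a PSD2 authorisation number")
    unknown = set(roles) - {"PSP_AS", "PSP_PI", "PSP_AI", "PSP_IC"}
    if unknown or not roles:
        raise ValueError(f"missing or unknown PSD2 roles: {sorted(unknown)}")
    country, regulator, number = match.groups()
    return TppIdentity(country, regulator, number, frozenset(roles))


def is_request_allowed(identity, service, register):
    """Allow a request only if certificate and regulator register both grant the role."""
    needed = ROLE_FOR_SERVICE.get(service)
    if needed is None or needed not in identity.roles:
        return False
    key = (identity.country, identity.regulator, identity.registration_number)
    # Hypothetical register lookup: a certificate can outlive an authorisation,
    # so the regulator's current record has the final say.
    return needed in register.get(key, frozenset())


# Constructed sample data: a fictional AIS-only TPP and a fictional register entry.
SAMPLE_REGISTER = {("GB", "FCA", "000000"): frozenset({"PSP_AI"})}
SAMPLE_TPP = parse_tpp_identity("PSDGB-FCA-000000", ["PSP_AI"])

if __name__ == "__main__":
    for service in ROLE_FOR_SERVICE:
        print(service, is_request_allowed(SAMPLE_TPP, service, SAMPLE_REGISTER))
```

The check is deliberately default-deny: an unknown service, a role missing from the certificate, or a TPP absent from the register all result in a refusal.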