Does open banking require PSD2 eIDAS certification?
At TrueLayer, we specialise in providing reliable connections to banks, so our clients can concentrate on putting banking data to work for their customers. Managing these connections is complex — especially when key aspects of connectivity rely on the individual approaches taken by banks.
What are eIDAS certificates?
An important security feature baked into the Second Payment Services Directive (PSD2), is the requirement for banks to identify Third Party Providers (TPPs), before giving them access to customer transaction data, or the ability to initiate payments.
Identification enables a bank to understand whether a TPP is a legitimate actor, with the legal right to access a customer’s account, or not. For the identification mechanism, PSD2 links to another piece of regulation — the EU regulation on Electronic Identification, Authentication and Trust Services (eIDAS).
Under PSD2, all TPPs must identify themselves to banks using eIDAS certificates. The certificate must include:
the TPP’s firm registration number (which it gets from being regulated);
the name of the regulator (e.g. the FCA);
and the role of the TPP (account information, payment initiation).
What this means:
If you are authorised or registered to provide account information services (AIS) or payment initiation services (PIS), you will be required to have your own eIDAS certificates so that the banks can identify you.
If you are an agent providing AIS on behalf of TrueLayer, you will not need your own certificate, since our certificate will be presented to the bank.
Although seemingly straightforward, this requirement, raised many questions amongst both banks and TPPs.
When should I get these certificates?
The eIDAS requirements applied to banks and TPPs as of 14 September 2019. However, in the run-up to that date, those responsible for issuing the certificates known as ‘Qualified Trust Service Providers’ (QTSPs) were still updating their offerings to match PSD2 requirements. This did not help TPPs to acquire the certificates they were legally required to obtain. Luckily in the UK, the FCA provided some breathing space, but only until 14 March 2020.
What are QWACs and QSealCs?
The types of certificates issued by QTSPs include:
Qualified Certificates for Electronic Seals (QSealCs) — used to protect the data or messages during or after the communication;
Qualified Certificates for Website Authentication (QWACs) — which enable a secure communication channel to be established for the transmission of data between the TPP and the bank.
Where do I get these certificates?
The European Commission (EC) provides a comprehensive list of QTSPs.
Which type of certificate do I need?
The European Banking Authority’s Opinion on eIDAS set out three possible combinations that could be used to meet PSD2 requirements:
Parallel use of QWACs and QSealCs (EBA recommends this approach above others);
Use of QWACs only;
Use of QSealCs with an additional element that ensures secure communication.
Who decides on the type to use — banks or TPPs?
The same Opinion clarified that banks should choose which type of eIDAS certificates TPPs should use. While this makes sense for banks, it creates real problems and expense for TPPs, who have to pay for both these certificates, not knowing whether they will be usable from bank-to-bank.
We have unpacked these answers further, in our eIDAS FAQ.
Are open banking certificates still relevant?
Adding a further layer of complexity was the development of a parallel system of identification by the Open Banking Implementation Entity (OBIE).
In the UK, standards for open banking have developed ahead of some of the final PSD2 rules by the UK’s competition watchdog, the Competition and Markets Authority. To cater for this, the OBIE created ‘Open Banking Certificates’.
For TPPs wanting to connect quickly and securely to the largest UK banks, these certificates were a godsend. Many TPPs came to market using these certificates, and continue to use them to this day.
Here lies a problem. Open Banking Certificates do not meet the legal requirements of PSD2, because they are not issued by an EC approved QTSP. Yet, that does not mean they are irrelevant.
Breathing space
Recognising the situation, the FCA offered some flexibility to TPPs who were struggling to obtain eIDAS certificates but are using Open Banking Certificates. Banks were encouraged to allow TPPs to use ‘an equivalent certificate enabling secure identification (for instance an open banking certificate)’, but eIDAS certificates would need to be obtained by 14 March 2020 at the latest.
Banks have been following the steer for flexibility, and in January 2020 have continued to identify TPPs via Open Banking Certificates. However, this is likely to change over the coming months.
QWACS, QSEALCs and everything in between
With some UK banks having originally calibrated their systems solely for Open Banking Certificates, there is still work to be done on both sides to get ready for 14 March 2020.
The FCA has been categorical that banks should enable TPPs to identify themselves using only eIDAS certificates. That means TPPs could, in theory, discard Open Banking Certificates come 14 March, and use only eIDAS certificates towards the banks. However, it is far from clear which banks have developed systems for direct eIDAS acceptance at this point.
The FCA has encouraged banks to use the Open Banking Transparency Calendar to provide detail on their eIDAS stance. However, the Directory entries demonstrate the complexity arising from banks choosing to accept different combinations of certificates:
The mixed approach is partly down to the FCA providing flexibility for another approach: According to this FCA webpage, if a TPP wishes to voluntarily enrol with open banking (or another ‘API programme’) using its eIDAS certificate for initial identification, then banks using that API programme can continue to use identify via different certificates, e.g. Open Banking certificates.
This is useful, as it allows for some continuity for TPPs already connected using Open Banking certificates — but depends on eIDAS certificates being uploaded to the Open Banking Directory.
What does all this mean for TPPs?
At the very least, regulated TPPs providing AIS and/or PIS should make sure they have sourced eIDAS certificates (both QWAC and QSealC is advisable) as soon as possible.
Most banks based outside the UK, and some UK banks do not support Open Banking Certificates as a means of identification currently, for example, those using the XS2A and STET protocols.
That means obtaining eIDAS certificates as soon as possible is the best approach if you are a regulated TPP. This will also better enable us to ensure your connections are maintained beyond 14 March 2020.
We are guiding our regulated clients through the process of getting and managing eIDAS certificates. Once eIDAS certificates have been obtained, we have developed a process to help our clients cover all bases, whether we are connecting them to banks who use Open Banking certificates, eIDAS-only, or any other combination.
To learn more about this, visit our FAQ on eIDAS. If you are a TrueLayer client, contact your Customer Success Manager at TrueLayer.