What is an eIDAS certificate?
PSD2 technical standards (SCA-RTS) set out that banks must have an interface that enables a third-party provider (TPP) to identify itself and communicate securely to request and receive information or to initiate a payment order. For the identification part, TPPs and banks must rely on certificates issued by regulated bodies called Qualified Trust Service Provider (QTSPs):
- qualified certificates for electronic seals (QSealCs) - used to protect the data or messages during or after the communication, but they do not provide confidentiality of the data (i.e. there is no encryption of application data); or
- qualified certificates for website authentication (QWACs) - which enable a secure communication channel to be established for the transmission of data between the TPP and the bank.
Why are eIDAS certificates needed?
eIDAS certificates enable a bank to understand whether a TPP is a legitimate actor, with the legal right to access a customer’s account, or not. For this purpose, the certificate must include the TPP’s firm registration number (which it gets from being regulated); the name of the regulator; and the TPP’s role(s) under PSD2 (account information, payment initiation).
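As an added example (not part of the original page), the following pure-stdlib Python decodes the two places where an eIDAS certificate carries exactly this information: the PSD2 QcStatement (roles plus national competent authority) and the subject organizationIdentifier. The field layout and role OIDs follow ETSI TS 119 495, which the page does not cite; the sample statement and the NCA name and id are constructed placeholders.

```python
import re
# Role OIDs defined in ETSI TS 119 495 (id-etsi-psd2-roles)
PSD2_ROLE_OIDS = {
    "0.4.0.19495.1.1": "PSP_AS",  # account servicing
    "0.4.0.19495.1.2": "PSP_PI",  # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",  # account information
    "0.4.0.19495.1.4": "PSP_IC",  # card-based payment instrument issuing
}
SEQ, OID, UTF8 = 0x30, 0x06, 0x0C  # DER tags used by the PSD2QcType structure

def _tlv(data, pos):  # read one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _items(seq_value):  # split the content octets of a SEQUENCE into (tag, value) elements
    items, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _tlv(seq_value, pos)
        items.append((tag, val))
    return items

def _oid_str(b):  # decode OBJECT IDENTIFIER content octets to dotted form
    arcs, cur = [], 0
    for byte in b:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def parse_psd2_qcstatement(der):
    """der: PSD2QcType SEQUENCE { rolesOfPSP, nCAName, nCAId } from the QcStatements extension."""
    (_, roles_seq), (_, nca_name), (_, nca_id) = _items(_tlv(der, 0)[1])
    roles = []
    for _, role in _items(roles_seq):  # each RoleOfPSP = SEQUENCE { roleOfPspOid, roleOfPspName }
        (_, oid_bytes), (_, name) = _items(role)
        roles.append((PSD2_ROLE_OIDS.get(_oid_str(oid_bytes), _oid_str(oid_bytes)), name.decode()))
    return {"roles": roles, "nca_name": nca_name.decode(), "nca_id": nca_id.decode()}

def parse_org_identifier(value):
    """Subject organizationIdentifier: 'PSD' + country + '-' + NCA id + '-' + registration number."""
    m = re.fullmatch(r"PSD([A-Z]{2})-([A-Z0-9]{2,8})-(.+)", value)
    return None if m is None else {"country": m[1], "nca": m[2], "registration": m[3]}

def _der(tag, body):  # minimal encoder, only for the constructed sample (bodies under 128 bytes)
    return bytes([tag, len(body)]) + body
def _role_oid(last):  # content octets of 0.4.0.19495.1.<last>
    return bytes.fromhex("0400819827") + bytes([1, last])
# Constructed sample statementInfo (placeholder NCA, not taken from any real certificate)
SAMPLE_STATEMENT = _der(SEQ,
    _der(SEQ, _der(SEQ, _der(OID, _role_oid(3)) + _der(UTF8, b"PSP_AI"))
            + _der(SEQ, _der(OID, _role_oid(2)) + _der(UTF8, b"PSP_PI")))
    + _der(UTF8, b"Example Competent Authority") + _der(UTF8, b"XX-EXNCA"))
```

A bank-side check would compare the decoded roles against the access being requested and the NCA id and registration number against the regulator's register before trusting the TPP.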
When are they needed?
Using eIDAS certificates to identify themselves to banks became a legal requirement for TPPs on 14th September 2019, along with the PSD2 technical standards (SCA-RTS).
What is the situation in the UK post-Brexit for UK TPPs?
To address this,
How does this change the status quo for UK TPPs?
What should UK TPPs do?
You will need an eIDAS certificate (obtaining both a QWAC and a QSealC is advisable) to connect to EU banks. Open Banking Europe provides a list of certificate issuers.
Why do I need both a QSealC and a QWAC?
The European Banking Authority (EBA) published an Opinion on the use of eIDAS certificates in December 2018. It set out three possible combinations that could be used to meet PSD2 requirements:
- Parallel use of QWACs and QSealCs (EBA recommends this approach above others)
- Use of QWACs only
- Use of QSealCs with an additional element that ensures secure communication
The EBA clarified that it should be the bank that decides on what type of certificate should be used for identification. The Opinion also explained that while the use of eIDAS certificates is required for the purposes of identification, eIDAS certificates are not necessarily needed for securing the communication session. However, their use is encouraged for that purpose.
Since it is the bank that decides, a TPP should obtain both a QWAC and a QSealC from a provider.
How does TrueLayer use my certificates?
Where you use TrueLayer to access accounts (i.e. as a technical service provider), you need to securely provide your certificate to TrueLayer so that we can present the certificate when acting on your behalf to access accounts. This is in line with European Banking Authority Guidance.
What is TrueLayer doing to help clients with certificates?
We are building self-service functionality into our developer console so that you can automatically register your certificates. In the meantime, one of our team will be able to assist you through the certification process.