What is an eIDAS certificate?
PSD2 technical standards (SCA-RTS) set out that banks must have an interface that enables a third-party provider (TPP) to identify itself and communicate securely to request and receive information or to initiate a payment order. For the identification part, TPPs and banks must rely on certificates issued by regulated bodies called Qualified Trust Service Providers (QTSPs):
- qualified certificates for electronic seals (QSealCs) - used to protect the integrity of data or messages during or after the communication; they do not provide confidentiality (i.e. application data is not encrypted); or
- qualified certificates for website authentication (QWACs) - which enable a secure communication channel to be established for the transmission of data between the TPP and the bank.
Why are eIDAS certificates needed?
eIDAS certificates enable a bank to establish whether or not a TPP is a legitimate actor with the legal right to access a customer’s account. For this purpose, the certificate must include the TPP’s firm registration number (which it gets from being regulated); the name of the regulator; and the role of the TPP (account information, payment initiation).
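The regulator name, registration details and TPP role described above are carried in the certificate as a PSD2 QcStatement (the structure defined in ETSI TS 119 495, an assumption of this example rather than something the page names). The following added example, which is not TrueLayer’s code, builds a constructed qcStatements value, decodes it, and performs the role and regulator check a bank would run before granting account information (AIS) or payment initiation (PIS) access.

```python
# Added example (not TrueLayer's code); stdlib only, short-form DER lengths (< 128 bytes) assumed.
PSD2_QC_OID = bytes.fromhex("040081982702")  # id-etsi-psd2-qcStatement, 0.4.0.19495.2
ROLE_OIDS = {"PSP_AS": bytes.fromhex("04008198270101"), "PSP_PI": bytes.fromhex("04008198270102"),
             "PSP_AI": bytes.fromhex("04008198270103"), "PSP_IC": bytes.fromhex("04008198270104")}
ROLE_NAMES = {v: k for k, v in ROLE_OIDS.items()}  # OID body -> role, 0.4.0.19495.1.{1,2,3,4}

def der(tag, body):  # short-form DER TLV encoder
    assert len(body) < 128, "long-form length not supported in this example"
    return bytes([tag, len(body)]) + body

def tlv(buf, i=0):
    """Short-form DER TLV decoder: returns (tag, body, index just past the element)."""
    tag, n = buf[i], buf[i + 1]
    assert n < 128, "long-form length not supported in this example"
    return tag, buf[i + 2:i + 2 + n], i + 2 + n

def utf8(s):
    return der(0x0C, s.encode())

def build_qc_statements(roles, nca_name, nca_id):
    """qcStatements extension value holding one PSD2QcType (constructed test data)."""
    role_seq = der(0x30, b"".join(der(0x30, der(0x06, ROLE_OIDS[r]) + utf8(r)) for r in roles))
    psd2 = der(0x30, role_seq + utf8(nca_name) + utf8(nca_id))
    return der(0x30, der(0x30, der(0x06, PSD2_QC_OID) + psd2))

def decode_psd2(qc_statements):
    """Return {'roles', 'nca_name', 'nca_id'} from a qcStatements value, or None."""
    _, stmts, _ = tlv(qc_statements)
    i = 0
    while i < len(stmts):
        _, stmt, i = tlv(stmts, i)
        _, sid, j = tlv(stmt)
        if sid != PSD2_QC_OID:
            continue  # some other QcStatement (e.g. QcCompliance); skip it
        _, info, _ = tlv(stmt, j)
        _, role_seq, j = tlv(info)
        _, nca_name, j = tlv(info, j)
        _, nca_id, _ = tlv(info, j)
        roles, r = [], 0
        while r < len(role_seq):
            _, role, r = tlv(role_seq, r)
            roles.append(ROLE_NAMES.get(tlv(role)[1], "unknown"))
        return {"roles": roles, "nca_name": nca_name.decode(), "nca_id": nca_id.decode()}
    return None

def bank_allows(qc_statements, service, expected_nca_id):
    """Bank-side check: the certificate names the expected NCA and carries the AIS/PIS role."""
    d = decode_psd2(qc_statements)
    needed = {"AIS": "PSP_AI", "PIS": "PSP_PI"}[service]
    return d is not None and d["nca_id"] == expected_nca_id and needed in d["roles"]
```

The NCA name and id values ("Financial Conduct Authority", "GB-FCA") used when exercising this code are constructed sample inputs; a real check also validates the certificate chain to the QTSP and its revocation status, which this example leaves out.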
When are they needed?
Using eIDAS certificates to identify themselves to banks became a legal requirement for TPPs on 14th September 2019, when the PSD2 technical standards (SCA-RTS) came into force.
What is the situation in the UK post-Brexit for UK TPPs?
UK authorised TPPs are not able to use eIDAS certificates.
On 29 July 2020, the European Banking Authority instructed QTSPs that UK third-party providers must have their eIDAS certificates revoked by the end of the Brexit transition period (31 December 2020).
Having their eIDAS certificates revoked meant that UK-based TPPs would not be able to connect to EU or UK banks after 31 December.
To address this, in September 2020, the UK’s Financial Conduct Authority (FCA) issued a consultation on new identification rules for the UK, scoping an alternative type of certificate for identification to be used in the UK. The rules, revising Article 34 of the UK-RTS, were finalised on 3 November. These rules are designed to prevent disruption on 31 December, although they will still require changes to be made by TPPs in the months following that date.
What does the revised Article 34 require?
- UK banks must accept at least one other electronic form of identification issued by an independent third party (such as the Open Banking Implementation Entity). This is in addition to continuing to accept eIDAS certificates.
- It must be a digital certificate issued by an independent third party upon identification and verification of the payment service provider’s identity.
- The certificate must be revoked as soon as the TPP is no longer authorised to conduct TPP activities.
- UK banks are required to verify the authorisation status of the TPP, in a way that does not create any obstacles to TPP access, and to satisfy themselves of the suitability of the independent third party issuing the certificate.
- UK banks are required to specify publicly which means of identification they accept, so that TPPs are aware of them.
- The certificate must include the name of the TPP as well as information on the competent authority the TPP is authorised or registered with, and the corresponding registration number (Firm Reference Number (FRN)).
How does this change the status quo for UK TPPs?
In the UK, there are already some differences in the way identification towards banks works, versus what happens in Europe. Because standards for Open Banking were developed by the CMA ahead of some of the final PSD2 technical standards, many UK TPPs and banks were already using ‘open banking certificates’ in place of eIDAS certificates. To square this with PSD2 requirements, the FCA previously allowed these certificates to remain in use, as long as the TPP had also obtained an eIDAS certificate and uploaded this to the Open Banking Directory.
The FCA has now said this same arrangement can continue, but with two key caveats:
- the TPP must obtain a new type of certificate that meets the FCA’s ‘revised Article 34 requirements’ and upload this to the Open Banking Directory (or the directory of another API programme) before 31 December 2020 to continue using the existing ‘legacy’ certificates.
- the TPP can only continue this arrangement until 30 June 2021. After this point, TPPs must only identify towards banks with certificates that meet the revised Article 34 requirements.
This is summarised on the FCA’s webpage here.
What should UK TPPs do?
Regulated TPPs will need to stop using open banking ‘legacy’ certificates to identify towards UK banks, and will need to replace them with certificates that meet the revised Article 34 requirements, e.g. OBWACs and OBSealCs. This will need to happen before 30 June 2021.
TrueLayer will be contacting regulated clients to help them through this migration.
The FCA has opened up the possibility that banks will be able to specify that they accept Article 34 compliant certificates issued by providers other than OBIE. TrueLayer will be helping regulated clients to navigate this fragmentation if it arises.
If you are an unregulated client of TrueLayer, we will manage this change in the background. You will not need to do anything.
EU-based TPPs
You will need an eIDAS certificate to connect to EU banks (obtaining both a QWAC and a QSealC is advisable). Open Banking Europe provides a list of certificate issuers.
Why do I need both a QSealC and a QWAC?
The European Banking Authority (EBA) published an Opinion on the use of eIDAS certificates in December 2018. It set out three possible combinations that could be used to meet PSD2 requirements:
- Parallel use of QWACs and QSealCs (EBA recommends this approach above others)
- Use of QWACs only
- Use of QSealCs with an additional element that ensures secure communication
The EBA clarified that it should be the bank that decides on what type of certificate should be used for identification. The Opinion also explained that while the use of eIDAS certificates is required for the purposes of identification, eIDAS certificates are not necessarily needed for securing the communication session. However, their use is encouraged for that purpose.
Since it is the bank that decides, a TPP should obtain both a QWAC and a QSealC from a provider.
How does TrueLayer use my certificates?
Where you use TrueLayer to access accounts (i.e. as a technical service provider), you need to securely provide your certificate to TrueLayer so that we can present the certificate when acting on your behalf to access accounts. This is in line with European Banking Authority Guidance.
What is TrueLayer doing to help clients with certificates?
We are building self-service functionality into our developer console so that you can automatically register your certificates. In the meantime, one of our team will be able to assist you through the certification process.