'Open banking' enables you to use certain 'account information' and 'payment initiation' service providers (TPPs) to extract your payment data or initiate payments from your payment accounts with banks and other payment service providers (ASPSPs). There are 2 million users in the UK. Open Banking was driven by UK competition law enforcement against banks who were hogging access to payment account data; and by changes to the EU Payment Service Directive as a result of similar concerns across Europe. A key feature of the Open Banking regime is that TPPs' systems must authenticate themselves using a certificate that complies with an EU identity regime (eIDAS), from which Britain excluded UK based TPPs by leaving the EU. The FCA has now come up with the quick fix described below to try to support the continuity of Open Banking after 31 December...
In July, the European Banking Authority confirmed that eIDAS certificates issued to UK-based TPPs by EU trust providers will be revoked on 31 December, even though UK law would recognise them as valid under its new UK eIDAS Regulation.
The FCA does not have the ability to delay the revocation of eIDAS certificates; there is no scope within eIDAS to issue UK-only certificates; and there are not yet any UK trust providers qualified to issue eIDAS certificates under the new UK eIDAS Regulation.
That means TPPs in the UK will no longer be able to access their customer’s payment account data held with their account service payment service providers (ASPSPs) after 31 December without a further change to UK eIDAS requirements, so the FCA has amended them to allow for the use of an alternative form of authentication certificate.
As a result of the recent changes, UK ASPSPs must now accept at least one other electronic form of identification issued by an independent third party, in addition to continuing to accept eIDAS certificates.
The additional form of identification must:
- be a digital certificate issued by an independent third party upon identification and verification of the payment service provider’s identity;
- include the name of the TPP as well as information
on the competent authority the TPP is authorised or registered with, and
the corresponding registration number (Firm Reference Number (FRN));
- be revoked as soon as the TPP is no longer authorised to conduct TPP activities.
An ASPSP must:
- verify the authorisation status of the TPP in a way that would not create any obstacles to TPP access;
- satisfy itself of the suitability of the independent third party issuing the certificate;
- specify publicly which means of identification it accepts to ensure TPPs are aware (e.g. on the Open Banking Implementation Entity (OBIE) transparency calendar or on their website).
To ensure continuity of service and enable TPPs to use the existing 90-day reauthentication cycle, the FCA will allow ASPSPs to accept a certificate obtained from a provider of an API programme that does not meet the amended requirements until 30 June 2021, so long as:
- TPPs have also presented a compliant certificate, as described under the amended requirement, to that non-qualifying API programme;
- that API programme verifies the certificate; and
- continues checking, on behalf of the ASPSP, the status of the TPP’s compliant certificate.
So, a legacy OBIE certificate may be used during that period, provided that the TPP has presented a valid certificate to the OBIE.
The FCA has removed the need for the certificate to include the address of the TPP and issuer; the need for revoking the certificate if identity information is unverifiable; and the need for a certificate to be amended (as, technically, a certificate can only be revoked).
ASPSPs must:
- assess the need for any changes to their systems and processes and implement any necessary changes by 31 December, and tell TPPs which alternative certificate they will accept as early as possible.
- continue accepting valid eIDAS certificates. This includes
for UK firms until their certificates are revoked, even after 31
December where applicable; as well as for EEA-based firms that benefit
from the UK's Temporary Permission Regime to continue providing their
services in the UK after Brexit.
TPPs whose eIDAS certificate is likely to be revoked must have an alternative certificate(s) as soon as possible ahead of 31 December.
No comments:
Post a Comment