The key lines as regards PSD2 Access to Account was, “Account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked.“
The line on the revocation of certificates appears to have come as a surprise to many people and if true would have some negative impacts on UK banks, TPPs and consumers.
Use of PSD2 eIDAS certificates in the UK Open Banking Market
The UK legislation for domestic Open Banking currently proscribes the use of eIDAS certificates for “domestic” Open Banking transactions. By domestic I mean UK regulated TPPs to UK regulated Banks. Operationally, these PSD2 eIDAS certificates issued by European QTSPs are used today in the market for “domestic” Open Banking transactions, although not exclusively. Mass revocation of eIDAS certificates could cause disruption to UK consumers and business that are increasingly relying on UK Open Banking infrastructure.
Other options do exist such as falling back to OBIE issued certificates or allowing non-Qualified PSD2 look alike certificates, but they bring risks.
Those banks and TPPs that I have spoken to, feel that there is now not sufficient time for them to define, deploy, test, and validate and distribute new security credentials before the 31st December. Even if there were, having a big bang cutover from an old system to a new system would not be desirable and there should (legally and operationally) be some operational switch over period.
Is it necessarily true that “PSD2 eIDAS certificates will be revoked”?
It is clear that in a medium-term (three, six, nine months) the UK will have to change something to step away from a reliance on EU eIDAS certificates, but there is a short term migration issue to be faced.
If certificates are revoked it is because the Qualified Trusted Service Providers (QTSPs) that issued the certificates revoke them. There is no automatic process. The QTSPs community, through the Open Banking Europe QTSP member group, is trying to understand whether they are obliged to revoke them, and what signal would trigger this to happen.
There is nothing to stop an EU QTSP providing a (pure) eIDAS certificate to an institution in a third country, be it Australia, Japan, the US or the UK (after the 31st of December). Consequently, there is nothing in the eIDAS legislation to force QTSPs to revoke eIDAS certificates sold to UK banks or TPPs. However, PSD2 eIDAS certificates are slightly different. The ETSI TS119 495 provides the standard that is used to encode the PSD2 eIDAS certificates, and this by market agreement between the QTSP community, not regulation. This standard i) makes it clear that the purpose of these certificates is for PSD2 Access to Account and ii) provides a list of countries to which such certificates should be issued.
It is, therefore, possible, that if and when the EBA removes the UK from its list of PSD2 countries, the QTSPs will feel obliged to revoke the PSD2 eIDAS certificates or risk facing consequence from their auditors or supervisors for “mis-issuance”, i.e. issuing certificates that are not in conformance with the specification and purpose for which they are issued, as UK TPPs and banks will not be under any PSD2 legislation.
There is precedent the fact that, despite Brexit, there is a willingness that life continues within and between UK and EU. Look at the SEPA schemes that allow the use of SEPA Credit Transfers and SEPA Direct Debits. Despite the fact that the UK is exiting the EU, the UK will continue to participate in the SEPA schemes, as described here.
Some might say that to NOT revoke PSD2 eIDAS certificates would cause risks to EU ASPSPs who rely on these eIDAS certificates as their own way of verifying what TPPs are allowed to do, and that theoretically, a UK TPP could gain access to an EU ASPSP in the case of non-revocation. This should not be a real risk given that the certificates are only used for “identification” of the party (article 34 of the EBA RTS on Strong Customer Authentication and Common and Secure Communications. Firstly, the identification of the party does not change because of Brexit. Secondly, Banks have other checks in place to verify whether the “claimed TPP” is allowed access to the information or allowed to initiate payments.
So what did the EBA intend with their line “PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked.” My presumption is that the EBA as a banking authority made a very helpful public statement to wake up a Brexit-fatigued and Covid-concerned market that Brexit will almost certainly happen in just over four months and that this will have real consequences. However, the statement is not a legal opinion, nor a regulatory instrument, and the single line about revoking PSD2 eIDAS certificates may be an accidental consequence from trying to send a clear message, rather than an instruction of what to do on the night of the 31st of December.
The European Commission’s own Stakeholder notice about the withdrawal of the UK in respect to eIDAS describes the impacts of Brexit but does not mention revocation of certificates as one of them.
So, what will happen?
There are a number of discussions now ongoing as people try to assess whether certificates really will be revoked and if they are what is the plan B and then plan C. UK TPP and ASPSP should definitely watch this space.
The best outcome would be that the scope of TS 119 495 is enlarged to allow the UK to keep using them for a cutover period and then extended with new non-PSD codes so that the certificate format used today could be used not only by the UK but by any Open Banking framework globally.
This would avoid short term disruption and really would be an example of Europe leading the way!