Konsentus Powering Trust in Open Ecosystems

EBA Publication of NCA Abbreviations for Inclusion in eIDAS Certificates for PSD2

At the end of July 2019, the EBA officially published a standardised list of the names of the competent authorities.

Share This Post

Two years ago, I was working on a report for the European Retail Payments Board, Payment Initiation Services Working Group, the ERPB being chaired by the European Central Bank. I co-chaired the Identity subgroup along with a Belgian TPP. As an output of these groups, a report was published in November 2017 that is still available on the ECB website. Among (many) other things the report said that to make PSD2 Access to Account work, there were certain requirements that needed to be put in place. Look at Annex 5 for the full list of issues identified by the Identity Expert subgroup.

One recommendation regarding eIDAS qualified certificates was that: if every certificate is to contain “the name of the competent authority” the industry needs a standardised list of the names of the competent authorities.

OK, as an insight its not exactly up there with “E equals MC squared” but we were a diverse group and it was a lot more interesting to argue about redirection models for strong customer authentication. At least we were right and managed to say so!

At the end of July, the EBA officially published such a list and you can find it here.

As it happens, the “name” of the National competent authority (NCA) is not used except as a text string that is carried in the certificate. An example is “Prudential Supervisory and Resolution Authority” which is the name of the French competent authority, translated into English.

What is more important for operational purposes is the “NCA Code” of the competent authority that helps make the Global Unique Reference Number that is used for PSD2 identification of regulated parties. For France the code is “ACPR” and so we know that the Identification number of a French TPP will always be “FR-ACPR-nnnnn”

This list – now published by the EBA – had been made available by the EBA to ETSI and a draft was included in the TS 119 495 standard for Qualified PSD2 certificates (Annex D). The list has changed periodically and the standard went through three versions since November last year to cater for these name changes, but after the Croatian Nation Bank decided that they were not “CNB” but “HNB” there have been no more changes.

Getting this right is important. I know of at least one TPP is that is currently being blocked by ASPSPs because their certificate provider (QTSP) is using the March version of the competent authority list. The QTSP will presumably now have to revoke and reissue the TPP’s certificates with the corrected identifier.

So while the information published by the EBA comes rather late, we are in a stable situation as concerns NCA identifiers. Good news!

If only we were in the same situation for “Authorisation numbers” but that is a story for another day….

Open Banking Exchange Europe also publishes a machine-readable, centralised and standardised directory for the purpose of checking identity and authorisations. Contact us if you are interested.

John Broxis

John Broxis

Managing Director, Open Banking Exchange

Subscribe To Our Newsletter

Keep up to date with all our news and publications.

More To Explore

Talk with Our Team Today

Join us on the Journey

Protect your customers transacting in open ecosystems.

Konsentus Rebrand Button - Konsentus Dot-23-23

Find out how our technology can protect your customers within open ecosystems.

Name(Required)

Opt-in

On completion of this form you will be sharing your personal data with Konsentus Ltd (company number 1115059) (“Konsentus”/”we”/”us”). We will process such information for the purposes of sending you the requested information. We may also send you marketing communications and information which we consider may be of interest to you from time to time. This may include sending information by email, or us contacting you by telephone, where relevant details are provided. We rely on our legitimate interests as the lawful basis for processing your data in this way. Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to receive a copy of the data we hold about you. You also have the right to opt out of marketing communications at any time using the details in an email sent to you or by contacting us at insights@konsentus.com.

This field is for validation purposes and should be left unchanged.

Login to your account