Updated PSD2 Certificate standard, ready for Open Finance
In 2019, ETSI TS 119 495 was published as the European standard for issuing PSD2 compliant eIDAS certificates. In April 2021 it was updated and reissued to cover global use cases and Open Finance use cases.
Background to TS 119 495
PSD2 mandated Open Banking in Europe, provided it is carried out in compliance with the European Banking Authority’s Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Communication (also known as the EBA RTS for SCA and CSC, or simply the RTS). Within the RTS, the EBA mandates eIDAS certificates for standardisation, but introduced further data requirements beyond those defined by the existing international technology standards bodies.
The eIDAS regulation sets the standards required of Trust Service Providers (TSPs) and for the provision of trust services, such as digital certificates and cryptographic signatures, through technical mechanisms across the European Union (EU).
The European Telecommunications Standards Institute (ETSI) is an independent industry body formed of technology providers within Europe. It is recognised by the European Commission (EC) as a market standardisation body that ensures that the regulations from the EC (DG CONNECT) are harmonised and operationally interoperable across the EU Member States.
ETSI got involved and created a standard that was SEPA-based and limited to regulated Credit Institutions, E-Money Institutions (EMIs), and Payment Institutions (PIs). This standard went live and is now used by all Banks and Third Party Providers (TPPs) operating in the EEA for PSD2 Open Banking activities.
Hello, Open Finance
With the introduction of Open Finance, TS 119 495 needed to be extended.
There are three Open Finance cases where there is demand for standardised certificates but where PSD2 compliance is either not required or cannot be met.
There are a number of countries located outside the EU that want a solution in line with European norms and infrastructure. A key case was the UK which, before Brexit, was using PSD2 compliant eIDAS certificates for Open Banking. Ahead of Brexit, the EBA made it clear that PSD2 certificates should be revoked. Needing an alternative and not wanting to change the technical standard, the main UK provider of certificates simply started minting their own, following the technical format of TS 119 495 but ignoring the rules around its usage. Other countries are looking at the EU trust framework and like the idea of eIDAS certificates and a common standard but, until now, could not use the standard without breaking it.
Within Europe, banks are increasingly offering services via APIs that are not regulated by PSD2. Sometimes they are for existing TPPs that already hold a PSD2 certificate. Sometimes they are for other companies that are not regulated under PSD2, whether they are corporate customers, auditors, partners, or other technology companies. Obviously, the banks want to use the same PSD2 security methodology without having to change formats – but the certificate issuers (QTSPs), who are regulated and audited, could not offer similar certificates that broke the rules of the standard.
The updated standard allows parties to obtain certificates for the purposes of identification, even if those parties are not regulated for PSD2 Open Banking.
Backwards Compatibility Towards an Open Future
The changes made to TS 119 495 widen the security model to include other types of certificate and to extend the existing certificates currently used for Open Banking into new regulatory areas. This means that existing certificates do not have to be reissued and will not change, and it also allows new certificates to be issued to non-regulated parties, as long as they can be properly identified. This enables the financial community to move comfortably into new areas of Open Finance without having to substantially adapt or alter any existing Open Banking implementations they have in place.