Under PSD2, eIDAS certificates are required for PSPs to identify themselves. The UK Regulatory Technical Standards for Strong Customer Authentication and Secure Communication (PS19/26) states that they are the only accepted identification standard permitted between open banking services providers in the EU.
On 29 July 2020, the EBA published a statement, followed by a reminder on 9 November 2020, recommending that Qualified Trust Service Providers (QTSPs) revoke the eIDAS certificates of UK financial institutions at the end of the Brexit transition period and that financial institutions wanting to operate in the EU should ensure that they have obtained the necessary authorisation and effectively establish themselves before the end of the transition period.
In response to this, the Financial Conduct Authority (FCA) published amendments to Article 34 of the UKRTS in November 2020. These amendments will permit UK-based PSPs to use an alternative to eIDAS certificates to access customer account information or initiate payments, after Brexit.
European Telecommunications Standards Institute (ETSI) is also extending the European Technical Standard TS 119 495 for PSD2 certificates to include non-EU cases and non-EU countries.
The UK’s Open Banking Implementation Entity (OBIE) currently operates as a certificate issuer used by many in the UK financial industry and has positioned themselves as a supplier of these ‘alternative identification’ certificates. However, at present, OBIE is not a trusted party audited within any of the EU or UK trust frameworks, although they could choose to become one.
The purpose of this white paper is to summarise:
- The regulatory requirements for alternative identification certificates as defined by the FCA.
- How the UK regulatory requirements and technical standards compare to those adopted in the EU and how closely OBIE’s certificate offer aligns to both.
- The ETSI TS 119 495 changes and whether they can be used by the UK as their compliance standard.
- Why and how OBIE issues certificates today, their current suitability as a certificate issuer, and what changes should be put in place to clarify the compliance of their certificates.
- The way forward for certificate issuance to ensure compliance with both UK and EU regulations which OBE believes will enable UK PSPs to continue to provide open banking services.