The EBA issues Opinion on the use of eIDAS certificates under the RTS on SCA and CSC

 In Briefings, Fintech, Payment Services

On 10 December 2018, the European Banking Authority (“EBA”) issued an opinion to clarify the use of qualified certificates for electronic seals (“QSealCs”) and qualified certificates for website authentication (“QWACs”) under Article 34(1) of the Regulatory Technical Standards on strong customer authentication and common and secure communication.  (‘the RTS”). This new opinion sheds light on the use of eIDAS certificates for the identification payment service providers (“PSPs”) through the access interface. While the opinion’s recommendations are non-mandatory and are directly addressed to competent authorities, they are also instructive for PSPs.

The RTS allow for third-party providers to access payment service user (“PSU”) information and initiate transactions on a PSU’s account through either an adapted PSU interface or a dedicated interface for third-party providers (“TPPs”) like account information service providers (“AISPs”), payment initiation service providers (“PISPs”), and card-based payment instrument issuers (“CBPIIs”). One of the requirements of this dedicated interface, in Article 30 of the RTS, is that it allow AISPs, PISPs and CBPIIs to identify themselves. This should allow account servicing payment service providers (“ASPSPs”) to properly identify and authenticate AISPs, PISPs and CBPIIs seeking access to the interface, and prevent access to unregulated entities.

Article 34 of the RTS states that for this identification, PSPs shall rely on either QSealCs or QWACs, which are referred to in the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation (EU) 910/2014. These eIDAS certificates shall contain as the registration number the authorisation number of the TPP available in the public register of the home Member State. They shall include the role of the PSP, which may be (i) account servicing; (ii) payment initiation; (iii) account information; and/or (iv) issuing of card-based payment instruments, and they will also include the name of the competent authorities where the PSP is registered.

eIDAS certificates such as QSealCs and QWACs are provided by qualified trust service providers (“QTSPs”). QSealCs are similar to qualified electronic signatures but are applicable to legal persons. They ensure the authenticity of the sealed data, but the data is not confidential. QWACs, on the other hand, make it possible to establish a confidential and authentic channel of communication, but the person connecting to the website cannot prove that authenticity to third parties, and thus QWACs do not give legally assumed evidence of a transaction. Thus, while QSealCs are used for validating the integrity and origin of the data sent from TPPs, QWACs are used to send that data confidentially and to validate that it is the TPP sending it.

Given the legal requirements of the RTS, which require that TPPs are able to identify themselves to ASPSPs, apply secure encryption throughout the communications sessions to safeguard the confidentiality and integrity of the data, and that the data provided is originated by the PSP identified in the certificate, the EBA is recommending that competent authorities encourage ASPSPs to use both the QSealC and the QWAC in parallel, although it reiterated that the use of eIDAS certificates was not mandatory for securing the communication channel. It has also clarified  that the PSP that should decide what type of eIDAS certificate is to be used should be the ASPSP, as it is the ASPSP who provides the interface and ensures the security of the communication session.

Industry feedback also demonstrated concern for whether PSPs should hold single or multiple eIDAS certificates for the same role (whether AISP, PISP, or CBPII) that they want to accommodate. The EBA clarified that each PSP should decide whether to hold single or multiple certificates for each role. However, when PSPs are providing services through agents or EEA branches, or when they have outsourced activities related to access an online account held within an ASPSP to a technical service, the EBA is directing competent authorities to encourage PSPs to consider using one certificate per agent, EEA branch or technical service provider, and to ensure that ASPSPs accept eIDAS certificates presented by agents or outsource providers acting on behalf of TPPs.

Regarding the role that the PSP should be identified as having on the certificate, the EBA has stated that payment institutions and electronic money institutions acting in their capacity as TPPs can be assigned the roles that correspond to the specific payment services for which they have received authorisation. On the other hand, authorised credit institutions acting as TPPs may be assigned the three roles of ‘payment initiation’, ‘account information’ and ‘issuing of card-based payment instruments’ because they can provide all of these services without having to request specific authorisation for each of these roles.

One lingering concern by the industry was that these eIDAS certificates would not accurately present the authorisation status of each PSP at all times. As such, ASPSPs would want to independently verify the authorisation status of the TPPs seeking access, which would be time-consuming. To avoid this scenario, which would be contrary to the intention of Article 34(1), the EBA is recommending that competent authorities establish a process for the revocation of eIDAS certificates if authorisation has been withdrawn or authorisation for a specific payment service has been revoked. The competent authorities would create an email address to receive notifications of eIDAS certificates from QTSPs, and the EBA would make that email address public. QTSPs could then inform competent authorities about any certificates issued to PSPs authorised by the relevant competent authority. In case of revocation, PSPs would be responsible for initiating the revocation of a certificate with the QTSP that issued it, and either the PSP or the QTPS would then inform the competent authority of the revocation of the certificate at the same email address. Finally, if the competent authority has withdrawn an authorisation for a PSP but it has not been informed about a revocation of the respective eIDAS certificate, the competent authority itself may request the revocation from the QTSP that issued it. This will allow ASPSPs to trust the eIDAS certificates to provide the security and assurance needed to authorise a transaction through the interface.

These clarifications around the use of eIDAS certificates under the RTS, and the proposed process for revoking eIDAS certificates due to a change in regulatory status, will prove useful to ASPSPs and TPPs alike as the September 2019 deadline for the interfaces to go live approaches.

DALIR is available to assist firms with their legal and regulatory needs regarding the implementation of the revised Payment Services Directive (PSD2) and related regulations and guidelines. Do not hesitate to get in contact with the team if you have any questions.