PSD2 - understanding eIDAS and TPPs directory services

Paul Olukoya Paul Olukoya

Banks and third party providers (TPP) are struggling to get on top of electronic identification authentication and trust services (eIDAS) certificates ahead of the 14 September deadline.

As the final EU Payments Services Directive (PSD2) implementation date draws closer, firms need to ensure they have complied with the final elements of the directive. One such feature is the use of eIDAS, which are used as a key security feature to authenticate transactions. Banks must obtain certificates with their TPPs, and be able to effectively manage the highly technical elements around the transport and signing of eIDAS certificates.

eIDAS certificates play a key role in PSD2

Introduced in 2014, eIDAS is a set of common standards for electronic transactions across the EU and plays a key role in the security of transactions under PSD2. So called eIDAS certificates are needed to secure and authenticate transactions through newly created banking APIs (or via the fallback option).

Under PSD2 a bank can act as either:

  • the Account Servicing Payment Service Provider (ASPSP), where it is granting a third party access to relevant account information
  • the TPP, where it is accessing relevant account information provided by another bank.

Against both remits, a UK bank must apply to the national competent authority (the Financial Conduct Authority in the UK) for validation and receive an authorisation number. From there, it must register with a public directory and then apply for an eIDAS certificate from a qualified trust service provider (QTSP).

Standardisation is a problem

On the surface, this seems fairly straightforward, but variation across the EU presents several issues for banks as ASPSPs:

  • The point of a public directory is for ASPSPs to check the access rights and identifying information of any given TPP. But different regions across the EU have their own directory services, in different languages, with varying degree of machine readability and a range of mechanisms to keep the information up to date. A centralised body encapsulating this information would improve data integrity and support consistent application of Strong Customer Authentication (SCA).
  • Two types of eIDAS certificates are available for use under PSD2 (QSealC and QWAC), which can be applied independently or in tandem, depending on the bank’s individual risk profile. While the European Banking Authority favours the combined use of QSealC and QWAC certificates, there are no prescriptive guidelines regarding how the information from these certificates should be interpreted by the ASPSP.

What to do now?

TPPs should apply for their eIDAS certificates and register with the relevant directory service. ASPSP should assess the risks associated with each certificate, and establish consistent certificate management processes and appropriate risk frameworks to mitigate the associated risks.

For more information on the use eIDAS certificates please contact Paul Olukoya.

The final PSD2 deadline is fast approaching - but are you ready? Find out more
Article PSD2 – getting to the bottom of ‘wide usage’ Find out more
Article PSD2 - will your API (or fallback) be ready in time? Find out more