FCA to change rules on eIDAS certificates for payment services

Out-Law News | 09 Sep 2020 | 4:21 pm

The Financial Conduct Authority (FCA) has outlined plans to update UK regulations to address the risk that providers of payment initiation or account aggregation services will be unable to access the information they rely on to provide their services after the Brexit transition period expires.

The UK's Payment Services Regulations 2017 implement the EU's second Payment Services Directive (PSD2) and provide payment initiation service providers (PISPs) and account information service providers (AISPs) – together third party providers (TPPs) – with qualified rights to access online payment accounts operated by account servicing payment service providers (ASPSPs). PISPs rely on that access to initiate payments on customers' behalf, while the payment account data held by ASPSPs is at the heart of the services delivered by AISPs.

The rights of access to the data are conditional on a number of requirements being met, including that the customer consents to the third party access to their accounts. In addition, PISPs and AISPs must identify themselves to ASPSPs when seeking to connect to their systems. EU regulatory technical standards outline the specific requirements around identification, with PISPs and AISPs obliged to rely on so-called eIDAS certificates.

eIDAS certificates are issued by qualified trust service providers (QTSPs) under the EU's eIDAS Regulation. However, in July the European Banking Authority (EBA) confirmed that eIDAS certificates issued for all UK-based PISPs or AISPs will be revoked at the end of the Brexit transition period – 11pm UK time on 31 December this year.

In a new consultation paper, the FCA said the EBA's move means PISPs and AISPs "will no longer hold a valid certificate for use in the UK" after completion of the Brexit implementation period. The issue, it said, cannot be remedied at present through the issuance of UK-only eIDAS certificates, but it outlined plans for a different solution.

The FCA said: "Without intervention, TPPs in the UK will no longer be able to access their customer’s account data held with ASPSPs in accordance with UK law after the transition period ends … To avoid disruption to open banking services, we are proposing to change the regulatory requirements to allow for the use of an alternative form of identification."

According to the FCA, eIDAS certificates will still be valid under UK law following the expiration of the implementation period and it will therefore remain open to EU-based PISPs or AISPs to rely on them for identification purposes. As for the alternative form of identification it also intends to allow, the regulator said it does not intend to be prescriptive about the specific form of identification that can be used, but it said any alternative identification solution would need to "meet certain criteria".

"It should be a digital certificate issued upon identification and verification of the payment service provider’s identity," the FCA said. "The certificate should be amended if that identity information changes and revoked where that information is unverifiable or the TPP is no longer authorised for its activities. Further, we will require ASPSPs to verify the authorisation status of the TPP, in a way that would not create any obstacles to TPP access, and to satisfy itself of the suitability of the independent third party issuing the certificate. We will also require ASPSPs to specify publicly which additional means of identification it accepts to ensure TPPs are aware."

"We propose that the certificate must include identity information as well as information on the competent authority the TPP is authorised or registered with, and the corresponding registration (FRN) number. We are not proposing to prescribe which alternative certificate should be used, or to specify further detailed attributes for certificates. In so doing, we hope to minimise the potential for disruption to existing market practice, and maximise the options available for ASPSPs and TPPs," it said.

In a move welcomed by the UK's Open Banking Implementation Entity (OBIE), the FCA said certificates issued as part of the open banking regime are one of the "existing solutions" businesses in payment services could consider.

"We note the existence of a common certificate (certificate issued by the Open Banking Implementation Entity) already in operation in the UK," the FCA said. "To our knowledge most TPPs already hold that certificate and, where they do not, they could easily obtain one in a short period of time (and free of charge). In addition, we note that many ASPSPs would have to make only limited changes to accept those certificates independently from eIDAS. We also note that there are other providers of directory services in the market."

The FCA's proposals are open to consultation until 5 October. It said it intends to make the necessary regulatory changes as soon as possible to provide firms with certainty, and advised firms to "assess the need for any changes in their systems and processes, and to implement any necessary changes as soon as possible". It said it expects ASPSPs to tell PISPs and AISPs which alternative certificate they will accept "as early as possible".

"It is positive to see that the FCA is engaging with key issues which will enable open banking and open finance more generally well into the future," said Luke Scanlon, an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law. "There are a number of issues that need to be given close attention for this market to work well and if the UK takes action to address these issues we are likely going to see better outcomes for customers."