Electronic identification, authentication, and trust services (eIDAS) commonly refers to regulation which was implemented by the EU to support online identification and the authenticity of documents. The EU regulation 910/2014 sets the standards for electronic identification (eID), electronic transactions, qualified certificates, time stamps, electronic signatures, and other online authentication services.
Before eIDAS, a user had to be physically present in a Registration Entity to verify their identity and obtain a certificate. The ability to verify identities online revolutionised the ecosystem, evolving the EU’s Digital Trust Services Market, enabling organisations to onboard customers digitally at any point.
The regulation has been instrumental in the development of open banking, regulated by the second Payments Services Directive (PSD2). The intention was for financial institutions and third parties to interact with each other easily and securely. As EU-wide regulation, eIDAS allowed parties to trust each other within the Access to Account (XS2A) transaction chain even if the transaction was cross-border.
The eIDAS regulation applies to Trust Service Providers (TSPs), commercial organisations which provide digital services. TSPs specialise in trust services through mechanisms which secure information and protect it from tampering, such as cryptographic signatures and digital certificates. This allows users to ‘trust’ the received information – an essential part of online communications.
TSPs can become qualified through a written ‘Conformity Assessment’ from their regulator. Under eIDAS, Qualified Trust Service Providers (QTSPs) receive national accreditation and therefore must be compliant with a standard of quality in areas such as security and interoperability. QTSPs are regulated by their respective EU country, under an appointed Member State Supervisory Body (MSSB).
In the world of open banking, eIDAS certificates are used by third parties as identity credentials when interacting with financial institutions. They are used as a way for the financial institutions to identify the third parties, with a view to carrying out account information or payment initiation transactions on behalf of the customer.
QTSPs are responsible for providing eIDAS certificates in Europe, after carrying out a series of checks on the third party.
eIDAS certificates contain several information points, including:
In the implementation stage, there are two types of eIDAS certificates: Qualified Website Authentication Certificates (QWACs) and Qualified Electronic Seal Certificates (QSealCs).
PSD2 eIDAS QWACs and QSealCs also contain an entity’s authorisation number, their PSD2 roles, and the name of their home National Competent Authority (NCA).
There are three steps to verifying an open banking transaction – identification, authentication, and authorisation. eIDAS certificates are useful tools for the first step, but financial institutions also need to be certain that the third party is authorised to carry out the transaction at the time of the request.
As laid out in the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication, eIDAS certificates are to be used “for the purpose of identification” (Article 34(1)). eIDAS certificates are only issued with a lifespan of one to two years and so cannot be relied upon to provide authorisation status, as the information can quickly become outdated if a TPP is In addition, eIDAS certificates contain no information on passporting and so it is not clear whether the TPP is authorised to operate in that country.
Unfortunately, several financial institutions still rely solely on eIDAS certificates for both identification and authorisation, which exposes them to additional risk.
Konsentus Verify carries out a two-step process to validate the identity and authorisation status of a TPP. The first step involves checking the eIDAS certificate for the following data points:
After confirming the identity of the TPP, Konsentus carries out an instant, real-time check of the relevant sources: 70+ trust service providers and 31 NCAs, which between them maintain over 115 registers containing regulatory information.
This ensures that a financial institution only ever approves a transaction with a third party that is authorised for the appropriate service in that country at that time. Konsentus Verify protects customer data from any unauthorised or fraudulent use, upholding the reputation of financial institutions and shielding them from compliance fines and the costs of managing disputes.
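The two-step model above (identify the TPP from its certificate, then confirm its authorisation for the requested role and country at request time) is illustrated below with an added example that is not Konsentus code and does not use the Konsentus Verify API. It parses the PSD2 QcStatement that ETSI TS 119 495 defines for PSD2 QWACs and QSealCs (OID 0.4.0.19495.2, with the PSP_AS/PSP_PI/PSP_AI/PSP_IC role OIDs under 0.4.0.19495.1) using a small pure-Python DER reader, then checks the result against a constructed stand-in register. The certificate contents, the authorisation number `PSDXX-EXA-12345`, the NCA name and id, the register entries and the country codes are all constructed for the example. It deliberately shows the failure modes the text describes: a role that is in the certificate but no longer in the register, and a country the TPP is not passported to.

```python
"""Step 1 (identification) + step 2 (authorisation) for a PSD2 TPP.
Added example, not Konsentus code. OIDs are from ETSI TS 119 495; every
name, number and register entry below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

PSD2_QC_STATEMENT_OID = "0.4.0.19495.2"
ROLE_OIDS = {
    "0.4.0.19495.1.1": "PSP_AS",   # account servicing
    "0.4.0.19495.1.2": "PSP_PI",   # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",   # account information
    "0.4.0.19495.1.4": "PSP_IC",   # card-based payment instrument issuing
}

# --- minimal DER encode/decode: SEQUENCE, OBJECT IDENTIFIER, UTF8String ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body): return bytes([tag]) + _len(len(body)) + body
def seq(*items): return tlv(0x30, b"".join(items))
def utf8(s): return tlv(0x0C, s.encode("utf-8"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                      # base-128, high bit = more bytes
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    tag, pos = buf[pos], pos + 1
    n, pos = buf[pos], pos + 1
    if n & 0x80:                            # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def parse_psd2_statement(qc_statements_der):
    """Walk QcStatements ::= SEQUENCE OF QcStatement { statementId, statementInfo }
    and return the PSD2 roles, NCA name and NCA id, or None if absent."""
    _, body, _ = read_tlv(qc_statements_der)
    for _, stmt in children(body):
        parts = children(stmt)
        if len(parts) < 2 or decode_oid(parts[0][1]) != PSD2_QC_STATEMENT_OID:
            continue
        roles_seq, nca_name, nca_id = children(parts[1][1])
        roles = []
        for _, role in children(roles_seq[1]):
            role_oid, role_name = children(role)
            roles.append(ROLE_OIDS.get(decode_oid(role_oid[1]), role_name[1].decode()))
        return {"roles": roles, "nca_name": nca_name[1].decode(), "nca_id": nca_id[1].decode()}
    return None

# Constructed QcStatements extension: certificate claims PSP_AI and PSP_PI.
SAMPLE_QC_STATEMENTS = seq(seq(
    oid(PSD2_QC_STATEMENT_OID),
    seq(seq(seq(oid("0.4.0.19495.1.3"), utf8("PSP_AI")),
            seq(oid("0.4.0.19495.1.2"), utf8("PSP_PI"))),
        utf8("Example Authority (constructed)"),
        utf8("XX-EXA"))))

@dataclass
class Certificate:          # fields already extracted from the QWAC (constructed)
    organization_id: str    # PSD2 authorisation number in the organizationIdentifier
    not_after: date
    qc_statements: bytes

# Stand-in for the real-time NCA register lookup; note PSP_PI was withdrawn here.
REGISTER = {
    "PSDXX-EXA-12345": {"status": "authorised", "roles": {"PSP_AI"},
                        "passported_to": {"XX", "YY"}},
}

def verify_tpp(cert, requested_role, country, today, register=REGISTER):
    """Return (ok, reason). Step 1 uses only the certificate; step 2 checks the
    register at request time for the role and the country of the transaction."""
    if today > cert.not_after:
        return False, "certificate expired"
    psd2 = parse_psd2_statement(cert.qc_statements)
    if psd2 is None:
        return False, "no PSD2 QcStatement"
    if requested_role not in psd2["roles"]:
        return False, "role not in certificate"
    entry = register.get(cert.organization_id)
    if entry is None or entry["status"] != "authorised":
        return False, "not authorised in register"
    if requested_role not in entry["roles"]:
        return False, "role not authorised in register"   # certificate is outdated
    if country not in entry["passported_to"]:
        return False, "not passported to country"
    return True, "authorised"

SAMPLE_CERT = Certificate("PSDXX-EXA-12345", date(2026, 1, 1), SAMPLE_QC_STATEMENTS)
REQUEST_DATE, LATE_DATE = date(2025, 6, 1), date(2027, 1, 1)

if __name__ == "__main__":
    print(parse_psd2_statement(SAMPLE_QC_STATEMENTS))
    for role, country, when in [("PSP_AI", "XX", REQUEST_DATE), ("PSP_PI", "XX", REQUEST_DATE),
                                ("PSP_AI", "ZZ", REQUEST_DATE), ("PSP_AI", "XX", LATE_DATE)]:
        print(role, country, when, verify_tpp(SAMPLE_CERT, role, country, when))
```

The point of keeping `verify_tpp` in two halves is that the certificate on its own would have approved the PSP_PI request, because the role is still listed in a certificate that remains valid for another year; only the register consulted at request time reveals that the authorisation has been withdrawn, and only the register carries the passporting data that decides whether a country is in scope.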