Konsentus Powering Trust in Open Ecosystems

Chaos or Continuity? To Revoke or Not to Revoke PSD2 eIDAS Certificates during Brexit Cutover

The EBA has stated that following Brexit, eIDAS certificates will be revoked. If true, this will cause problems for UK-to-UK Open Banking operations.


On 29 July 2020, the European Banking Authority (EBA) released a statement, calling on financial institutions to get ready and spelling out some of the consequences (see the previous article here).

The key line as regards PSD2 Access to Account was: “Account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked.”

The line on the revocation of certificates appears to have come as a surprise to many people and, if true, would have negative impacts on UK banks, TPPs and consumers.

Use of PSD2 eIDAS certificates in the UK Open Banking Market

The UK legislation for domestic Open Banking currently prescribes the use of eIDAS certificates for “domestic” Open Banking transactions. By domestic I mean UK-regulated TPPs to UK-regulated banks. Operationally, these PSD2 eIDAS certificates issued by European QTSPs are used today in the market for “domestic” Open Banking transactions, although not exclusively. Mass revocation of eIDAS certificates could cause disruption to UK consumers and businesses that are increasingly relying on UK Open Banking infrastructure.

Other options do exist, such as falling back to OBIE-issued certificates or allowing non-Qualified PSD2 look-alike certificates, but they bring risks.

Those banks and TPPs that I have spoken to feel that there is now not sufficient time for them to define, deploy, test, validate and distribute new security credentials before the 31st December. Even if there were, having a big-bang cutover from an old system to a new system would not be desirable, and there should (legally and operationally) be some operational switch-over period.

Is it necessarily true that “PSD2 eIDAS certificates will be revoked”?

It is clear that in the medium term (three, six, nine months) the UK will have to change something to step away from a reliance on EU eIDAS certificates, but there is a short-term migration issue to be faced.

If certificates are revoked, it is because the Qualified Trust Service Providers (QTSPs) that issued the certificates revoke them. There is no automatic process. The QTSP community, through the Open Banking Europe QTSP member group, is trying to understand whether they are obliged to revoke them, and what signal would trigger this to happen.

There is nothing to stop an EU QTSP providing a (pure) eIDAS certificate to an institution in a third country, be it Australia, Japan, the US or the UK (after the 31st of December). Consequently, there is nothing in the eIDAS legislation to force QTSPs to revoke eIDAS certificates sold to UK banks or TPPs. However, PSD2 eIDAS certificates are slightly different. ETSI TS 119 495 provides the standard that is used to encode the PSD2 eIDAS certificates, and it does so by market agreement within the QTSP community, not by regulation. This standard i) makes it clear that the purpose of these certificates is PSD2 Access to Account and ii) provides a list of countries to which such certificates should be issued.

It is therefore possible that, if and when the EBA removes the UK from its list of PSD2 countries, the QTSPs will feel obliged to revoke the PSD2 eIDAS certificates or risk facing consequences from their auditors or supervisors for “mis-issuance”, i.e. issuing certificates that are not in conformance with the specification and purpose for which they are issued, as UK TPPs and banks will no longer be under any PSD2 legislation.

Other Considerations

There is precedent for the fact that, despite Brexit, there is a willingness that life continues within and between the UK and EU. Look at the SEPA schemes that allow the use of SEPA Credit Transfers and SEPA Direct Debits. Despite the fact that the UK is exiting the EU, the UK will continue to participate in the SEPA schemes, as described here.

Some might say that to NOT revoke PSD2 eIDAS certificates would cause risks to EU ASPSPs who rely on these eIDAS certificates as their own way of verifying what TPPs are allowed to do, and that theoretically a UK TPP could gain access to an EU ASPSP in the case of non-revocation. This should not be a real risk given that the certificates are only used for “identification” of the party (Article 34 of the EBA RTS on Strong Customer Authentication and Common and Secure Communication). Firstly, the identification of the party does not change because of Brexit. Secondly, banks have other checks in place to verify whether the “claimed TPP” is allowed access to the information or allowed to initiate payments.
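To make the two preceding points concrete, the following is an added example (written for this page, not Konsentus code or any QTSP's tooling) that parses the TS 119 495 PSD2 QcStatement the article refers to and keeps the certificate's identity claim separate from the bank's own authorisation checks. The three object identifiers (the PSD2 QcStatement OID 0.4.0.19495.2 and the PSP role OIDs under 0.4.0.19495.1) and the QcStatement layout are the published TS 119 495 values; everything else is constructed for illustration: the sample statement, the PSD2 country list, the authorisation number `PSDGB-FCA-000000` and the `nca_register` dictionary standing in for an NCA register lookup. The DER encoder exists only to build the sample; a real certificate would be read with an X.509 library and the QcStatements extension handed to `parse_psd2_qcstatement`.

```python
# Published ETSI TS 119 495 identifiers (the only values here taken from the standard)
PSD2_QCSTATEMENT_OID = "0.4.0.19495.2"
ROLE_OIDS = {
    "0.4.0.19495.1.1": "PSP_AS",  # account servicing
    "0.4.0.19495.1.2": "PSP_PI",  # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",  # account information
    "0.4.0.19495.1.4": "PSP_IC",  # card-based payment instrument issuing
}

def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID (base-128 arcs after the combined first two)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # final octet carries no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_utf8(s):
    return der_tlv(0x0C, s.encode("utf-8"))

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split a constructed type's content octets into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        items.append((tag, value))
    return items

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_psd2_qcstatement(statement_der):
    """Identification only: QcStatement { statementId, PSD2QcType { roles, NCAName, NCAId } }."""
    tag, body, _ = der_read(statement_der)
    if tag != 0x30:
        raise ValueError("QcStatement must be a SEQUENCE")
    (oid_tag, oid), (_, info) = der_children(body)
    if oid_tag != 0x06 or decode_oid(oid) != PSD2_QCSTATEMENT_OID:
        raise ValueError("not a PSD2 QcStatement")
    (_, roles_body), (_, nca_name), (_, nca_id) = der_children(info)
    roles = []
    for _, role in der_children(roles_body):
        (_, role_oid), _name = der_children(role)
        roles.append(ROLE_OIDS.get(decode_oid(role_oid), "UNKNOWN"))
    nca_id = nca_id.decode("utf-8")  # "GB-FCA": ISO 3166 country code, then NCA
    return {"roles": roles, "nca_name": nca_name.decode("utf-8"),
            "nca_id": nca_id, "country": nca_id.split("-")[0]}

def assess_access(statement_der, psd2_countries, nca_register, auth_number, requested_role):
    """Authorisation: the bank's checks on top of the certificate's identity claim.
    auth_number would come from the subject organizationIdentifier (not parsed here);
    nca_register is a constructed stand-in for the NCA register lookup."""
    ident = parse_psd2_qcstatement(statement_der)
    in_scope = ident["country"] in psd2_countries  # the TS 119 495 country list
    registered = nca_register.get(auth_number, set())
    authorised = requested_role in ident["roles"] and requested_role in registered
    return {"identity": ident, "certificate_in_psd2_scope": in_scope, "authorised": authorised}

def build_sample_statement(roles, nca_name, nca_id):
    """Constructed sample PSD2 QcStatement, not taken from any real certificate."""
    role_seq = der_seq(*(der_seq(der_oid(oid), der_utf8(name))
                         for oid, name in ROLE_OIDS.items() if name in roles))
    return der_seq(der_oid(PSD2_QCSTATEMENT_OID),
                   der_seq(role_seq, der_utf8(nca_name), der_utf8(nca_id)))

SAMPLE_UK_AISP = build_sample_statement({"PSP_AI"}, "Financial Conduct Authority", "GB-FCA")

if __name__ == "__main__":
    register = {"PSDGB-FCA-000000": {"PSP_AI"}}  # constructed register entry
    print(assess_access(SAMPLE_UK_AISP, {"GB", "DE"}, register, "PSDGB-FCA-000000", "PSP_AI"))
```

Running `assess_access` twice with the same constructed certificate, once with "GB" in the country list and once without, shows the separation the article draws: the `identity` dictionary (roles, NCA name, `GB-FCA`) is identical in both runs because nothing in the certificate changes, while `certificate_in_psd2_scope` flips and `authorised` still depends on the register entry and requested role rather than on the certificate alone.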

So what did the EBA intend with its line “PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked”? My presumption is that the EBA, as a banking authority, made a very helpful public statement to wake up a Brexit-fatigued and Covid-concerned market: that Brexit will almost certainly happen in just over four months and that this will have real consequences. However, the statement is not a legal opinion, nor a regulatory instrument, and the single line about revoking PSD2 eIDAS certificates may be an accidental consequence of trying to send a clear message, rather than an instruction of what to do on the night of the 31st of December.

The European Commission’s own Stakeholder notice about the withdrawal of the UK in respect to eIDAS describes the impacts of Brexit but does not mention revocation of certificates as one of them.

So, what will happen?

There are a number of discussions now ongoing as people try to assess whether certificates really will be revoked and, if they are, what plan B and then plan C look like. UK TPPs and ASPSPs should definitely watch this space.

The best outcome would be that the scope of TS 119 495 is enlarged to allow the UK to keep using these certificates for a cutover period, and then extended with new non-PSD codes so that the certificate format used today could be used not only by the UK but by any Open Banking framework globally.

This would avoid short term disruption and really would be an example of Europe leading the way!
