Two years ago, I was working on a report for the European Retail Payments Board, Payment Initiation Services Working Group, the ERPB being chaired by the European Central Bank. I co-chaired the Identity subgroup along with a Belgian TPP. As an output of these groups, a report was published in November 2017 that is still available on the ECB website. Among (many) other things the report said that to make PSD2 Access to Account work, there were certain requirements that needed to be put in place. Look at Annex 5 for the full list of issues identified by the Identity Expert subgroup.
One recommendation regarding eIDAS qualified certificates was that: if every certificate is to contain “the name of the competent authority” the industry needs a standardised list of the names of the competent authorities.
OK, as an insight its not exactly up there with “E equals MC squared” but we were a diverse group and it was a lot more interesting to argue about redirection models for strong customer authentication. At least we were right and managed to say so!
At the end of July, the EBA officially published such a list and you can find it here.
As it happens, the “name” of the National competent authority (NCA) is not used except as a text string that is carried in the certificate. An example is “Prudential Supervisory and Resolution Authority” which is the name of the French competent authority, translated into English.
What is more important for operational purposes is the “NCA Code” of the competent authority that helps make the Global Unique Reference Number that is used for PSD2 identification of regulated parties. For France the code is “ACPR” and so we know that the Identification number of a French TPP will always be “FR-ACPR-nnnnn”
This list – now published by the EBA – had been made available by the EBA to ETSI and a draft was included in the TS 119 495 standard for Qualified PSD2 certificates (Annex D). The list has changed periodically and the standard went through three versions since November last year to cater for these name changes, but after the Croatian Nation Bank decided that they were not “CNB” but “HNB” there have been no more changes.
Getting this right is important. I know of at least one TPP is that is currently being blocked by ASPSPs because their certificate provider (QTSP) is using the March version of the competent authority list. The QTSP will presumably now have to revoke and reissue the TPP’s certificates with the corrected identifier.
So while the information published by the EBA comes rather late, we are in a stable situation as concerns NCA identifiers. Good news!
If only we were in the same situation for “Authorisation numbers” but that is a story for another day….
Konsentus also publishes a machine-readable, centralised and standardised directory for the purpose of checking identity and authorisations. Contact us if you are interested.
John Broxis
Consultant, Konsentus