The importance of thorough TPP checking under PSD2
What is a TPP?
A third party provider (TPP) is an entity that can access an online transacting payment account to provide either payment initiation services or account information services to an account holder.
It is an entity identified by the second Payment Services Directive (PSD2) regulation which aims to improve “the level playing field for payment service providers (including new players)”. Under PSD2, financial institutions must provide TPPs with access to their customers’ online payment accounts. This enables TPPs – which are not traditional financial institutions, but instead fintechs, merchants, or other types of payment providers – to access a consumer or business’s financial data or funds through an Application Programming Interface (API).
The introduction of TPPs has brought in a new breed of competitive companies and innovative financial products meaning that consumers and businesses no longer have to rely on their primary bank for the provision of all their financial services and products.
What services can TPPs provide?
PSD2 opened up the EU payments market to companies offering consumer and/or business-oriented payment services through the use of APIs to access online transacting payment accounts. There were three types of services defined:
- Account Information Services (AIS) allow a payment service user to have an overview of their financial situation at any time, helping them manage their personal finances better. This has driven a substantial volume of transactions, because account aggregators and other providers collect data automatically and at high frequency.
- Payment Initiation Services (PIS) initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider. From a low initial base, transactions have increased significantly over the last two years as providers see payment initiation as a revenue generator or cost saver.
- Card Based Payment Instrument Issuers (CBPII) enable payment instrument issuers to issue payment instruments that are not attached to an account. This is the least used of the three services, as no reservation of funds is provided.
Problems for financial institutions
Customers have a legal right to use payment initiation services and account information services provided by TPPs with respect to certain payment accounts. Financial institutions, therefore, must allow TPPs access to these payment accounts (with the customer’s ‘explicit’ consent) through a dedicated API.
However, no legal agreement between the two parties is required before access is granted. This means that a financial institution might not know who the third party is and have no pre-existing arrangement with them. Furthermore, financial institutions are legally obliged to offer instant access to these accounts unless they believe that the request is fraudulent or that the TPP is not authorised to make the transaction.
TPP checking: the need and the challenge
Discovering whether a request is fraudulent, or whether the TPP is not authorised for the requested transaction, is not a simple process.
Between September 2019 and June 2024, over 120 TPPs lost their regulatory permissions for various reasons, including mergers, acquisitions, business failures, legal name changes, bankruptcy, and modifications to the services offered. As the ecosystem has matured, these changes are happening with greater frequency. None of these changes are reflected in an eIDAS certificate, which means that financial institutions must prioritise checking a TPP’s status in real time for any given transaction.
There are three steps to checking the validity of a TPP: identification, authentication, and authorisation.
TPP checking in three steps
Identification
eIDAS certificates are used as identity credentials when interacting with financial institutions. They are the first step in securing an open banking transaction, namely by establishing the identity of the TPP.
As explained in PSD2, TPPs can apply for an eIDAS certificate with a Qualified Trust Service Provider (QTSP). QTSPs are government-approved entities and issue two types of PSD2 eIDAS certificates to TPPs:
- Qualified Website Authentication Certificates (QWACs), which enable a secure channel to be established between the two parties
- Qualified Electronic Seal Certificates (QSealCs), which provide legally assured evidence of transaction data, including data integrity and proof of origin
The use of eIDAS certificates is crucial to ensure independent government-assured trust in the identity of the third party. However, PSD2 explicitly states that the certificates should be used solely “for the purpose of identification” (Article 34). Confirming that a transaction is authenticated and authorised involves two additional steps.
Authentication
The second step makes sure that the TPP is authenticated. For this, the QWAC is used to establish a secure communications channel using Transport Layer Security (TLS). As part of the mutually authenticated TLS (mTLS) handshake, the TPP signs handshake data exchanged between the two parties with its private key. The financial institution verifies that signature against the public key in the TPP’s certificate. A valid signature confirms that the TPP holds the corresponding private key, which serves as proof of the TPP’s authentication.
The authentication step can also involve a QSealC: the TPP seals the transaction data so that the financial institution can check its integrity and proof of origin. Confidentiality of the data in transit is provided by the encrypted TLS session.
Authorisation
Although QWACs and QSealCs provide the secure identity and authentication mechanisms required by PSD2, they do not provide the regulatory check needed to ensure that the TPP is authorised. A financial institution must know in real time that the TPP is:
- Regulated by its National Competent Authority
- Approved to perform the service requested (account information or payment initiation)
- Approved for services in the country of the request
- Authorised by the end user to carry out the transaction
eIDAS certificates, though crucial to identify a TPP, cannot be used to validate the authorisation status of the TPP at the time the transaction is taking place. eIDAS certificates are issued with a lifespan of one to two years and so cannot be relied upon to provide authorisation status, as the information can quickly become outdated. In addition, eIDAS certificates contain no information on passporting and so it is not clear whether the TPP is authorised to operate in another country.
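To make the three-step check concrete, here is an added Python example; it is not Konsentus code and not part of the original article. It models the identification, authentication and authorisation steps as a single decision function and shows the point the section makes: a certificate that is still within its validity window can belong to a TPP whose permissions were withdrawn months ago, or that is not passported to the country of the request. Everything in it is an assumption for illustration: certificate fields are held in a dataclass rather than parsed from real X.509, the NCA register is a constructed in-memory snapshot with dated status changes, the mTLS handshake outcome is taken as an input from the TLS stack, and the TPP, authority (`XX-NCA`), authorisation number and country codes are fictional. The role names PSP_AI, PSP_PI and PSP_IC are the PSD2 role identifiers defined in ETSI TS 119 495; mapping them to the three service types is this example's own choice.

```python
from dataclasses import dataclass
from datetime import date

# PSD2 role names as defined in ETSI TS 119 495; mapping them to the
# article's three service types is this example's own assumption.
SERVICE_TO_ROLE = {"AIS": "PSP_AI", "PIS": "PSP_PI", "CBPII": "PSP_IC"}

@dataclass(frozen=True)
class EidasCert:               # PSD2-relevant fields only; no real X.509 parsing
    nca_id: str                # authority that granted the authorisation
    auth_number: str
    roles: frozenset           # roles asserted at issuance; fixed for the cert's life
    not_before: date
    not_after: date

@dataclass(frozen=True)
class RegisterEntry:           # constructed stand-in for one NCA register record
    services: frozenset        # services the NCA has approved
    home_country: str
    passported_to: frozenset   # countries covered by passporting notifications
    status_history: tuple      # ((effective_date, status), ...) in date order

    def status_on(self, day):
        # regulatory status in force on a given day; the cert never records this
        status = "unknown"
        for effective, new_status in self.status_history:
            if effective <= day:
                status = new_status
        return status

@dataclass(frozen=True)
class AccessRequest:
    when: date
    service: str               # "AIS", "PIS" or "CBPII"
    country: str               # country of the account being accessed
    mtls_authenticated: bool   # outcome of the QWAC mTLS handshake (step 2)
    consent_expires: date      # end-user consent attached to the request

def check_tpp(cert, request, register):
    """Return (allowed, reason), applying the three steps in order."""
    # Step 1, identification: the certificate must be within its validity
    # window. Passing this says nothing about the TPP's status today.
    if not (cert.not_before <= request.when <= cert.not_after):
        return False, "certificate not valid at request time"
    # Step 2, authentication: proof of private-key possession comes from the
    # TLS stack's mutual handshake; its outcome is an input here.
    if not request.mtls_authenticated:
        return False, "mTLS authentication failed"
    # Step 3, authorisation: every check below reads the register, not the cert.
    entry = register.get((cert.nca_id, cert.auth_number))
    if entry is None:
        return False, "no register entry for this TPP"
    status = entry.status_on(request.when)
    if status != "authorised":
        return False, f"register status is '{status}' at request time"
    if request.service not in entry.services:
        return False, f"not approved by NCA for {request.service}"
    # a cert role that disagrees with the register means the cert is stale
    if SERVICE_TO_ROLE[request.service] not in cert.roles:
        return False, "certificate lacks the PSD2 role for this service"
    if request.country != entry.home_country and request.country not in entry.passported_to:
        return False, f"not passported to {request.country}"
    if request.consent_expires < request.when:
        return False, "end-user consent expired"
    return True, "authorised"

# constructed sample data: a fictional TPP, NCA and register snapshot
CERT = EidasCert(nca_id="XX-NCA", auth_number="TPP-0001",
                 roles=frozenset({"PSP_AI", "PSP_PI"}),
                 not_before=date(2023, 1, 1), not_after=date(2024, 12, 31))
REGISTER = {("XX-NCA", "TPP-0001"): RegisterEntry(
    services=frozenset({"AIS", "PIS"}), home_country="DE",
    passported_to=frozenset({"FR", "NL"}),
    # permissions withdrawn while the certificate is still valid
    status_history=((date(2022, 6, 1), "authorised"), (date(2024, 3, 15), "withdrawn")),
)}

def run_samples():
    """Evaluate a set of constructed requests; returns {name: (allowed, reason)}."""
    consent = date(2024, 6, 30)
    cases = {
        "ok": AccessRequest(date(2024, 1, 10), "AIS", "FR", True, consent),
        "withdrawn": AccessRequest(date(2024, 5, 1), "AIS", "FR", True, consent),
        "not_passported": AccessRequest(date(2024, 1, 10), "PIS", "ES", True, consent),
        "wrong_service": AccessRequest(date(2024, 1, 10), "CBPII", "DE", True, consent),
        "consent_expired": AccessRequest(date(2024, 2, 1), "AIS", "DE", True, date(2024, 1, 31)),
        "cert_expired": AccessRequest(date(2025, 1, 5), "AIS", "DE", True, consent),
        "no_mtls": AccessRequest(date(2024, 1, 10), "AIS", "DE", False, consent),
    }
    return {name: check_tpp(CERT, req, REGISTER) for name, req in cases.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:16s} allowed={allowed!s:5s} {reason}")
```

The "withdrawn" case is the one the section is about: the certificate is valid until the end of 2024, but the register records the permission as withdrawn from March 2024, so a request in May is refused on the register's say-so, not the certificate's. In a production check the register lookup would query the live NCA (or FCA) data, and the mTLS result would come from the TLS layer that terminated the connection.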
Checking TPPs in real-time
Konsentus Verify helps financial institutions with the identification, authentication, and authorisation of TPPs in real time. After confirming the TPP’s identity and authenticity with a thorough eIDAS certificate check against the relevant Qualified Trust Service Provider (of which there are 70+), the data is cross-checked with the information held on the databases and registers of the 30 EEA NCAs and the UK’s FCA.
This ensures that a financial institution only ever approves a transaction with a third party that is authorised for the appropriate service, in that country, at the time of the account access request.
Konsentus Verify safeguards end-user account data and funds so financial institutions can confidently deliver innovative open banking products and services to their customer base.
Konsentus Verify is accessible via an online portal, a real-time API, a downloadable directory, or a hybrid approach, so you can choose the delivery option that best suits you.
Contact us today to find out more.