Open banking and eIDAS certificates:
The impact of Brexit
27 November 2020
As the end of the Brexit transition period fast approaches, the open banking services industry has long been preparing for changes to limit post-Brexit disruption. The FCA has now published a new Policy Statement, PS20/13, outlining changes to the technical identification requirements for UK-based third-party providers (TPPs) to access customer accounts held with payment account providers from 1 January 2021.
What is the key issue?
UK payment service providers' eIDAS certificates will be revoked from the end of 2020. Therefore, UK payment service providers will need to prepare to use and accept alternative certificates when accessing or allowing access to customer accounts from 1 January 2021.
The issue has arisen because the European Banking Authority (EBA) announced earlier in the summer that eIDAS certificates issued under the EU eIDAS Regulation to UK payment service providers would no longer be valid under the revised Payment Services Directive 2 (PSD2) rules after the end of the Brexit transition period and so those certificates would be revoked.
Why are eIDAS certificates needed?
The Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication (SCA&CSC) under PSD2 require FinTechs and other payment services TPPs to identify themselves using eIDAS certificates when seeking to access customers' payment accounts held with another payment service provider.
From a UK perspective, the FCA is therefore allowing UK payment service providers to use alternative methods of secure identification and communication. However, UK payment service providers will need to take steps to ensure they can provide and/or accept alternative identification in practice. They will also still need to be able to accept EU eIDAS certificates where EU TPPs have entered the UK temporary permissions regime, which allows them to continue to provide their services in the UK based on temporary permissions for up to 3 years after the end of the transition period.
Changes to Regulatory Technical Standards
The FCA published its Policy Statement PS20/13 on 3 November 2020 (following a short consultation) setting out the changes to the onshored RTS on SCA&CSC which would allow for these alternative identification arrangements. The UK-RTS will come into force at 11pm on 31 December 2020.
The changes to the UK-RTS mean that:
- UK-based TPPs will likely be required to obtain a new certificate to be able to provide open banking services in the UK after the end of the transition period; and
- Account providers will likely need to make changes to their systems so that TPPs can continue accessing customer account information.
The FCA has also recommended that firms review and make any necessary changes as soon as possible.
In addition, the EBA published a new press release on 9 November 2020 reminding firms of the need to be ready for the end of the transition period – highlighting this as one of the key operational changes for payment service providers. Other points highlighted by the EBA relate to loss of passporting rights (and local licensing implications), and the fact that payment service providers will need to include additional details regarding the payer and the payee for the transfer of funds between the EU and UK under the Wire Transfer Regulation (Regulation (EU) 2015/847).
While the industry has long been aware of, and preparing for, the issues flagged by the EBA, the spotlight has now shifted slightly to the more recent issues surrounding the eIDAS certificates. These issues require firms to make operational changes in short order to prepare for the end of the Brexit transition period.