Brexit and eIDAS Revocation

eIDAS & ETSI TS 119/495 Standard & PSD2 RTS

The eIDAS Regulation is Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market. The Regulation applies from 1 July 2016 for the most part of its articles.

The Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market in article 98 stated that EBA had to develop draft regulatory technical standards addressed to payment service providers. EBA PSD2 RTS, in article 29, mandated regulated entities to use qualified certificates for electronic seals as defined in Article 3(30) of eIDAS Regulation or for website authentication as defined in Article 3(39) of eIDAS Regulation. EBA PSD2 RTS mandated also that the qualified certificates had to contain the authorisation number and the roles of the payment service provider (including account servicing payment service provider) and the name of the competent authorities where the payment service provider is registered.

ETSI published TS 119-495 in Jul 2018, with the collaboration of PRETA/OBE and with the advice of EBA, in order to address the requirements of EBA PSD2 RTS, specifying the qualified certificate profiles and the TSP policy requirements under the payment services Directive (EU) 2015/2366. QTSPs have since been able to deliver eIDAS certificates for PSD2. Latest version 1.4.1 of TS 119 495 was published on Nov 2019.

Brexit and Open Banking

European Commission in its Notice to Stakeholders on Brexit informed that the financial entities passporting of their authorisations from the UK into EU will end on 31 Dec 2020. Therefore these entities will no longer be allowed to provide services in the EU on a cross-border basis using their current UK authorisations.Also, EC advised the entities to take appropriate action including seeking new authorisations in relevant jurisdictions due to loss of passporting or advise the customers of their withdrawal of service in an orderly fashion.

On 29 Jul 2020, EBA provided a more direct message on Brexit asking financial institutions to be ready. One standout quote was on the revocation of UK TPP’s eIDAS certificate.

“Account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked”

Is EBA right to revoke?

Yes and No.

Qualified Trust Service Providers (QTSPs) in the EU are regulated and audited by the respective national supervisory bodies. There are many discussions about this topic of certificates revocation in consequence of Brexit and there is no clear resolution at the moment. A qualified certificate can be issued to a non-EU natural or legal person, therefore being a non-EU entity cannot be a reason for having its own qualified certificate revoked. Some more formal resolution from FCA or EBA or EU would be needed for imposing such revocation.

UK doesn’t have any single QTSP, but they have few TSPs, which could continue its operation for local entities subject to UK policy. Some prominent TSPs in the UK are Experian, Gov.uk verify, Home Office, Verizon etc.

Disruption due to eIDAS revocation

FCA has mandated eIDAS to be used to address Article 34 of PSD2 RTS. eIDAS is mandatory for all UK TPPs to connect to ASPSPs (however not mandatory for ASPSPs), who validate the identity and authentication of TPPs based on QWAC. QSealC is used in all digital signing. Additionally, eIDAS is not required by ASPSP to connect with TPPs.

Most banks have taken a long time to deliver the eIDAS based implementation to comply with PSD2/Open Banking. With the TPP’s eIDAS revocation as per EBA report, Open Banking ecosystem in the UK could have major disruptions. Moreover, with tight timeline coupled with covid19 situation, summer and Christmas holidays, banks will not be able to solve the situation with another radically different solution.

So far on TPP Identification in the UK

By 13 Jan 2018, OBIE Certs were used in the first milestone of the Open Banking Delivery by all CMA9 banks

By 14 Sep 2019, FCA requested all TPPs to present their eIDAS when connecting to banks to meet Article 34 of PSD2 RTS

By 14 Mar 2020, FCA offered an extension with Open Banking Adjustment period terms due to delivery complexity of eIDAS validation and also to support migration from OBIE certs

Alternatives to eIDAS for UK market

a. Extended Validation Certificate or Organization Validated Certificates

Allow Certificate Authorities to provide EV/OV certs using Attribute Extension (QC Statements) using the same ETSI TS 119/495 encoding of PSD2 attributes.

b. Attribute Certificate

Allow the CA (Certificate Authority) and AA (Attribute Authority) to provide Public Key Certificate (PKC) and Attribute Certificate (AC). The attribute certificate works in conjunction with a public key certificate (PKC). While the PKC is issued by a certificate authority (CA) and is used as a proof of identity of its holder like a passport, the attribute certificate is issued by an attribute authority (AA) and is used to characterize or entitle its holder like a visa.

c. OBIE Certs

Allow OBIE CA to revive the OBWAC and OBSealC certificates. CMA9 banks have already delivered this implementation, however non-CMA9 banks will struggle to deliver in the timeline.

Comparison of alternatives

EV or OV Certs with TS 119-495 extensions Attribute Cert (AC) with a standard PKC OBIE Certs
Technical Complexity Low
(the most similar to eIDAS certs)
High
(Not much expertise in the market)
Medium
(Non-Standard)
Trustworthiness High High High
PSD2 Role Check Will need to be done with FCA Register Can be handled with AC but still needs FCA register for more real time checks Done with its own register
Certificate Validation and TPP Directory Service vendors PRETA, OBIE, Banfico, Konsentus Need development from vendors OBIE
Risk to UK National Critical Infrastructure Low Low High
(Single point of failure)
Delivery Risk Low
(as all CMA9 and other banks have already implemented QCStatment extension)
High
(Not feasible to deliver new solution based on AC)
High
(Only CMA9 has previous delivery experience; Small banks will struggle)
Market Participation High Low Low
(Single Participant)
Cost of Certificates Low
(£100 - 200 / year)
High
(Not commonly available)
High
(Higher annual fee)

Potential Solution – Recommendation

With a tight timeline and avoiding radically new solution, FCA could leverage

  • Extended Validation or Organization Validated Certificates provided by CAs in the market
  • Request CAs to provide certificate extension based on IETF RFC 3739 using qcStatements. The QCStatement addresses the same encoding specified in ETSI TS 119 495
  • Also, mandate all banks to use FCA Register to validate TPP Authorisations in real-time
  • Encourage market players to provide directory service to ease the delivery (PRETA, Banfico and others already deliver this service as SaaS)

In short, EV/OV Certs can be used in TPP Identification but TPP Directory Service will be used to deliver real-time validation of authorisations.

With this approach, the impact on the ecosystem can be minimised. One main item of concern is the mobilisation of CAs issuing EV/OV Certs. It’s not about technical difficulty but operational difficulty for CAs in having to review their governance model on encoding TPP authorisations using FCA Register at the time of certificate issuance.