Introduction

This article is the fifth in a series of articles dealing with the use of the eIDAS Regulation and qualified certificates in the context of the PSD2 Directive. Below, we consider the relationship between PSD2 certificates and the license / entry in the register of payment institutions.

eIDAS certificates and TPP roles in PSD2

One of the frequently discussed problems in the context of PSD2 is the synchronization of information between the register of payment institutions and the information contained in the certificate. In brief, the problem is as follows:

  1. The company applies to the supervisory body (in Poland, the KNF) for entry in the register as a payment institution.
  2. After receiving the entry in the register, the company goes to a QTSP for certificates.
  3. The QTSP issues QSealC and QWAC certificates based on the entry in the register and in accordance with the ETSI TS 119 495 standard.
  4. The payment institution, holding the received certificates, will present itself to the ASPSP and sign the messages it sends while using the “special interface” and “emergency interface”.

Now the questions arise:

  1. What happens if the supervisory authority revokes the license from the PSP and removes the PSP from the register of payment institutions? Would the certificate still be valid? Will the supervisory authority inform QTSP to revoke the certificate?
  2. Does the ASPSP, besides validating the eIDAS certificate, still need to check the PSP status in the register of payment institutions? Where is the register located?
  3. Can the register of payment institutions be queried automatically for the status of a specific payment institution? Does the register of payment institutions contain all entities that can use the “special interface” / “emergency interface”?

The answers to the questions above are as follows:

Concerning the first point, the EBA noticed this problem and issued an opinion describing the process (based on emails) of certificate revocation. As we know, EBA opinions are not binding, so the future will show whether this process will work.

As for the second point, for the financial security of the ASPSP, the PSP status should be checked in the register in addition to validating the certificate. The certificate contains information about the role that the PSP can play. However, there is no information on passporting. Such information can only be found in the register of payment institutions. The register of payment institutions is kept by a competent national authority (e.g. KNF in Poland). Fortunately, the EBA shared a central register where the ASPSP can find information on PSPs from all over Europe.

In response to the last question, it should be noted that the EBA register can be queried automatically for PSP status information. However, the following challenge occurs: this register does not contain information about credit institutions, which are also PSPs and can use the ASPSP “special interface” / “emergency interface”. In a nutshell, one bank may use the interfaces of another bank. The EBA obviously keeps a register of credit institutions, but the problem is that this register is difficult to query automatically (unless we have good screen scraping tools).

Finally, we have two registers with which the “special / emergency interface” must communicate during PSP / TPP identity verification.

At the end, a few words about the eIDAS certificate itself under PSD2, specifically about the extension, which is described in the ETSI TS 119 495 standard. I will not cite the content of this standard here, because it is very clear to read. If I’m not mistaken, the author of this standard is Mr. Michał Tabor.
I would just like to mention that, in addition to the standard eIDAS certificate fields, the standard adds fields that allow us to check:

  • Authorization number;
  • Roles in which the payment institution may appear (PSP_AS, PSP_PI, PSP_AI, PSP_IC)
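
The checks discussed above (certificate role, authorization number, register status, passporting) combined into one decision, as an added example that is not code from this article or from ETSI TS 119 495. The register record shape, the keying of registers by organizationIdentifier, the operation names and the function `authorize_tpp` are assumptions, and all sample data is constructed.

```python
import re
from dataclasses import dataclass

# organizationIdentifier layout in ETSI TS 119 495: PSD<country>-<NCA id>-<PSP id>
ORG_ID = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$")

# Assumed mapping: API operation -> role the certificate must carry.
ROLE_FOR_OPERATION = {
    "payment_initiation": "PSP_PI",
    "account_information": "PSP_AI",
    "funds_confirmation": "PSP_IC",
}

@dataclass(frozen=True)
class RegisterEntry:            # hypothetical shape of a register record
    authorised: bool            # False once the licence has been withdrawn
    passported_to: frozenset    # host countries the PSP is passported into

# Constructed sample data standing in for the two registers (payment
# institutions and credit institutions); keying by identifier is an assumption.
PAYMENT_INSTITUTIONS = {
    "PSDPL-KNF-EXAMPLE001": RegisterEntry(True, frozenset({"DE"})),
    "PSDPL-KNF-EXAMPLE002": RegisterEntry(False, frozenset()),  # licence revoked
}
CREDIT_INSTITUTIONS = {
    "PSDDE-BAFIN-EXAMPLE003": RegisterEntry(True, frozenset({"PL"})),
}

def authorize_tpp(org_id, cert_roles, operation, aspsp_country):
    """Return (allowed, reason). Certificate chain, validity period and
    revocation status are assumed to have been verified before this call."""
    match = ORG_ID.match(org_id)
    if match is None:
        return False, "bad_organization_identifier"
    required = ROLE_FOR_OPERATION.get(operation)
    if required is None or required not in cert_roles:
        return False, "role_not_in_certificate"
    # The PSP may be listed in either register, so both must be consulted.
    entry = PAYMENT_INSTITUTIONS.get(org_id, CREDIT_INSTITUTIONS.get(org_id))
    if entry is None:
        return False, "not_in_any_register"
    if not entry.authorised:
        # The certificate alone would still look valid here.
        return False, "licence_withdrawn"
    home_country = match.group(1)
    if aspsp_country != home_country and aspsp_country not in entry.passported_to:
        return False, "not_passported"
    return True, "ok"
```

The `licence_withdrawn` and `not_passported` outcomes are the two cases a certificate-only check cannot detect.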

The end of our series of articles still requires an IT solution that addresses the current requirements / restrictions and makes it possible to:

  • automatically validate TPP (QSealC, QWAC) certificates for PSD2;
  • confirm the identity of the PSP;
  • extract from certificates the relevant information necessary for authentication and authorization (e.g. roles or PSP passporting information);
  • check the license status in the EBA registry.

We cover the above in the last article, where we will present our TPP Validator solution.