Profile
Location: Reading
Member since: 2009

Brendan Jones

CCO - Co-Founder at Konsentus Ltd
Posts: 5 Comments: 8
Bio: CCO at Konsentus Ltd, a SaaS business providing consent and preference management services to financial institutions.

Blogs

Banking Regulations

Are eIDAS certificates sufficient for PSD2 Open Banking?

18 Jun 2019

Introduction At the European Banking Authority (EBA) Working Group on APIs under PSD2, a number of market participants raised concerns that there could be a potential mismatch, particularly in the case of a revoked authorisation, between the information contained in the eIDAS PSD2 certificate and the information contained on the EBA and national r...

Open Banking

The Implications and Requirements of PSD2 open banking for Programme Managers

23 Oct 2018

In a recent dialogue with the EBA, they stated about PSD2 open banking regulations that: “Ignorance of them can of course not be used to justify non-compliance”. Further adding: “Non-compliance amounts to a breach of law, with the resultant consequences for the legal entity.” With that in mind and with a deadline of March 14 2019 looming less than 6...

Banking Regulations

Will FI’s be ready by March 14 2019 for PSD2 open banking

24 Aug 2018

As the clock counts down to when Financial Institutions (FIs) must be ready for external testing for PSD2 open banking it is interesting to see how ready, or not, all other parties are in the value chain. Most national competent authorities have nothing published about how and where they will provide updates on Third-Party Provider (TPP) registrat...

Banking Regulations

The World of Open Banking

12 Mar 2018

Open banking is not just for Europe, although many of us sitting in Europe probably think it is. Many other markets around the world have been noticing what Europe is up to and other countries and regions are also looking to adopt similar principles with the ultimate view of delivering better customer financial outcomes. USA Stakeholders in the ...

Brendan is Commenting on

Consumers remain suspicious about open banking

As the ING study states, the success of open banking is largely down to convenience and trust, with trust being the determining factor. The security involved in accessing data is critical to get right and the risks are high. So, what are the risks for those involved? For the customer they’re low. However, for Financial Institutions the risks are high. There are new players - third-party providers (TPPs) involved, and valuable consumer data being exchanged. Once the account holder has given permission for their data to be shared with a TPP, it’s the responsibility of the Financial Institution to ensure nothing goes wrong. However, it’s complex and time consuming to identify these third parties, check they’re authorised to provide the services being requested and to find the relevant passporting information. All this needs to be determined at the time of the transaction request.

To verify a TPP’s identity and know its latest authorisation status, there are over 70 Qualified Trust Service Provider (QTSP) certificate revocation lists and 115 National Competent Authority (NCA) registers from across the EEA that need to be accessed to find this information. Knowing how to interpret and standardise the data presents additional issues. Different languages, duplicated entries and missing information are just some of the issues that need to be taken into consideration. It’s also important to ensure all checks and due diligence are performed using the latest available source data provided by the relevant National Competent Authorities. If there is a disputed transaction or issue, the Financial Institution needs to be able to show it has used the relevant source data or face being liable for the transaction.

With open banking services set to increase which will drive greater transaction volumes, data security and trust in the open banking ecosystem are paramount – without them customer loyalty and trust will quickly be lost.

Trust in Open Banking: Negotiating data liability between banks and TPPs

This is an excellent article that lays out some of the key challenges around risk and liabilities. It talks about banks investigating to see if insurance covers them for cyber-crime risk but in my view misses one key aspect of the whole process: checking to see if the TPP is both valid and regulated. The challenge is there is no central government database that covers both eIDAS certificates, passporting and regulated status. Even for the regulated status check the only central database offered by the EBA, not only does it not include banks (Credit Institutions), but states on the home page: ‘users of the register should be aware that there may be a discrepancy between the information contained on the file and the information contained on the actual register’ or in other words it may not be accurate. To complicate matters still further we have seen some National Competent Authorities have introduced a new class of ‘suspension’ in that the party is still regulated and would appear on the EBA database as regulated, but in reality, has been suspended from carrying out regulated activity.

The risk here to banks of course is significant as if they provide data to unregulated TPPs or TPPs not regulated for that data i.e. AISP/PISP then they leave themselves open not just to the financial cost but also reputational issues and the effect this may have on customer trust. A number of private companies such as Konsentus and PRETA have stepped into this void and created accurate NCA registries that banks can use to check data. Konsentus even cover both eIDAS and NCA data as well as offering insurance for the banks.

TPP identification challenge for ASPSP under PSD2

Dmitrii, in answer to the specific questions that you raised, my response is as follows:

1) As stated in the EBA responses to issues VIII to XIII raised by participants of the EBA Working Group on APIs under PSD2, it states that (article XIII) “However, ASPSPs may choose to carry out additional checks of the authorisation/registration status of TPPs in the respective EBA and/or national registers, provided that, in doing so, ASPSPs do not create obstacles to the provision of payment initiation and/or account information services, as required in Article 32(3) of the RTS”.

2) You are correct that the EBA does not guarantee the accuracy of the information presented in the Register, however, as stated in the EBA Disclaimer “the Register has been set up by the EBA solely on the basis of information provided by national competent authorities of the EEA Member States. Therefore, unlike national registers under PSD2, this Register has no legal significance and confers no rights in law.” The Disclaimer goes on to state “the EBA is responsible only for the accurate reproduction of the information received by competent authorities included in the register, while responsibility for the accuracy of that information lies with the competent authorities at national level.” Therefore, by default the NCAs are the legal system of record. Additionally, it would appear strange and worrying if the NCAs are not the legal system of record, as this is the source data for QTSPs to check and verify the regulatory status of TPPs before issuing their eIDAS certificates.