/regulation & compliance

News and resources on regulation, compliance, legal and governance issues for banks and fintechs.
FCA changes Open Banking ID requirements for life after Brexit

FCA changes Open Banking ID requirements for life after Brexit

In a bid to limit the risk of disruption to open banking services after Brexit, fhe FCA is to permit UK-based third-party providers (TPPs) to use an alternative to eIDAS certificates to access customer account information from account providers, or initiate payments.

The FCA's intervention comes after the European Banking Authority (EBA) announced that eIDAS certificates of UK Third-Party Providers (TPPs) will be revoked when the transition period ends on 31 December 2020.

EIDAS certificates are required for TPPs to identify themselves to account providers and allow firms to interact and share customer account information online. Under the Strong Customer Authentication Regulatory Technical Standards (SCA-RTS), they are the only accepted identification standard permitted between providers of open banking services in the EU.

Under the FCA's proposals, UK-based banks will need to make technical changes to their systems to enable TPPs to continue accessing customer account information, by accepting an alternative certificate and informing TPPs "as soon as possible" which certificates they will accept

"Firms must review the changes immediately and implement any necessary changes as soon as possible,Q" states the FCA. "Acknowledging the challenges faced by the industry, the FCA will provide a transition period until the end of June 2021 for complying with our rules."

Comments: (3)

A Finextra member
A Finextra member 03 November, 2020, 13:23Be the first to give this comment the thumbs up 0 likes

Account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked. So whole lot of pain for those accessing European accounts?

A Finextra member
A Finextra member 04 November, 2020, 10:36Be the first to give this comment the thumbs up 0 likes

Another opportunity for AISP and PISP in the UK- we can provide regulatory solution via alternate infrastructure to this problem and favourably slope regulations!

Brendan Jones
Brendan Jones - Konsentus Ltd - Reading 04 November, 2020, 15:57Be the first to give this comment the thumbs up 0 likes

The FCA amendments to the open banking identification requirements have very clear next steps for both ASPSPs and TPPs.

 ASPSPs must assess what changes they need to make to their systems so they can accept at least one alternative form of digital certificate (in addition to eIDAS Certificates).  Any changes that need to be made must be implemented as soon as possible ahead of IP Completion Day. They also need to tell TPPs which alternative certificates they will accept as early as possible.

The amendments also clearly state that ASPSPs, without causing an obstacle, must “verify that the payment service provider is authorised or registered to perform the payment services relevant to its activities”.

For TPPs, the guidance is much simpler.  If their eIDAS certificates are likely to be revoked, they must have an alternative certificate(s) as soon as possible ahead of IP Completion Day.