New regulations surrounding consumer banking transactions in the European Union (EU) can seem onerous for every financial services institution that transacts in the EU, but with the right information and a bit of guidance, compliance with the Revised Payment Services Directive (PSD2) can still be achieved by the extended deadline of December 31, 2020 established by the European Banking Authority (EBA).
The technical requirements for all financial services institutions impacted by PSD2 are detailed in the Regulatory Technical Standards (RTS). The RTS is organised into two main categories: Secure Communications and Strong Customer Authentication. Both are designed to bring stronger identity assurance and greater security to consumer banking transactions.
This article will focus on Secure Communications and provide you with five things you need to know to get you on your way towards compliance for PSD2 RTS in this category.
1. What is Secure Communication for PSD2?
The Secure Communication requirement for PSD2 supports regulations for creating greater transparency and more secure exchanges between financial services institutions within the payment network.
The RTS that support PSD2 specify that any financial services institution within the payment network that offers an online payer a payment account must identify themselves, provide secure communications, and receive all customer data on the initiation and execution of the payment transaction.
There are two technical requirements to support these types of transactions. One requires extensive identity checking and cryptographic key pairing. This is accomplished with the issuance of one or more PSD2 certificates, which are built on the foundation of Qualified Website Authentication Certificates for PSD2 (PSD2 QWACs) and can only be issued by a Qualified Trust Service Provider (QTSP). The other requires that access to customer data must be securely provided to third-party service providers when requested. Many impacted organisations are moving towards a dedicated interface through open APIs to enable access to the requested customer data. Download our white paper to learn more.
2. Application Requirements for a PSD2 Certificate
A third-party provider that wants to gain access to bank accounts, and a bank that is providing third-parties with access to customer account data within the EU, must each identify themselves with one or more PSD2 certificates. But before applying for a PSD2 certificate, a third party must first register as a payment service provider with its National Competent Authority (NCA) in the EU member state with regulatory authority over the third-party provider.
There are different types of licenses that each determine the data access rights or “roles” of the third-party provider (TPP) in accordance with their business model. After the third party receives its NCA license, it can purchase a PSD2 certificate from a certification authority (CA) that is recognised as a QTSP under eIDAS and ETSI audit requirements. The CA can then complete the verification process and issue the third party one or more PSD2 certificate types.
3. PSD2 Certificate Types: Qualified Website Authentication Certificates for PSD2 (PSD2 QWACs)
PSD2 QWACs are a new certificate type, generally used by fintech companies in the EU in much the same way as an Extended Validation TLS/SSL certificate, except that they carry additional verification requirements.
A PSD2 certificate requires the applicant to provide the following information:
1. Authorisation Number of the TPP
- Found in the public registers of the NCA
2. The role(s) of the TPP, which may be one or more of the following:
- Issuing of card-based payment instruments
3. Name of the competent authorities where the TPP is registered
4. Name of the issuing CA/QTSP, which is also listed on the certificate
The above information is needed in addition to the traditional certificate requirements, which include:
- Name of certificate owner
- Domain verification
- Organisation identity
- Legal identity of organisation controlling the website
- Validity period
4. PSD2 Certificate Type: Qualified Electronic Seal Certificates for PSD2 (QSeals)
QSeal certificates comply with Article 34 of the RTS for PSD2 and the applicable ETSI standards, and can be used in addition to PSD2 QWACs to seal the data that is sent between financial institutions.
QSeals attest the origin of the data and let the recipient verify that the data has not been modified in transit. Because any tampering in transit is detected on receipt, QSeals bring added peace of mind to the payment service providers who use them.
5. Use Cases of Secure Communications for PSD2
QWACs will be required to secure the public APIs used in the open banking framework to meet PSD2 requirements. How a financial institution is impacted depends on the data access rights, or “roles”, of the TPP as licensed by the NCA:
- ASPSP: Account Servicing Payment Service Provider – Traditional banks
- AISP: Account Information Service Provider – An account aggregator that manages financial services from various banks
- PISP: Payment Initiation Service Provider – Enables users to make payments directly from their bank
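As an added example (not code from this article or from any QTSP), the Python below shows how the certificate fields from section 3 and the roles from section 5 reach a relying bank: under ETSI TS 119 495, which the article does not cite, the TPP's roles and NCA are carried in a PSD2 QCStatement and the authorisation number in the subject's organizationIdentifier. The OIDs, the identifier format, the NCA values and the action names are assumptions; the final function is the check an ASPSP can run to confirm a TPP's licensed role before serving an API request.

```python
import re
# PSD2 role OIDs from ETSI TS 119 495 (assumed, not on the page); labels follow the page's role list
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS",   # ASPSP
             "0.4.0.19495.1.2": "PSP_PI",   # PISP
             "0.4.0.19495.1.3": "PSP_AI",   # AISP
             "0.4.0.19495.1.4": "PSP_IC"}   # issuer of card-based payment instruments
# Subject organizationIdentifier: "PSD" + ISO country + "-" + NCA id + "-" + NCA authorisation number
AUTH_NUMBER = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-([A-Za-z0-9]+)$")

def der(tag, body):  # DER TLV; long-form length once the body reaches 128 bytes
    ln = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (ln if len(body) < 128 else bytes([0x80 | len(ln)]) + ln) + body

def der_oid(dotted):  # encode a dotted OID (base-128 arcs, first two arcs combined)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def der_items(body):  # split a SEQUENCE body into (tag, value) pairs
    items, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long-form length
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        items.append((tag, body[pos:pos + n]))
        pos += n
    return items
ROLE_BY_OID = {der_oid(o)[2:]: name for o, name in ROLE_OIDS.items()}  # OID body -> role name

def build_psd2_qc_type(role_oids, nca_name, nca_id):
    """PSD2QcType ::= SEQUENCE { rolesOfPSP SEQUENCE OF SEQUENCE {OID, UTF8String}, nCAName, nCAId }"""
    roles = b"".join(der(0x30, der_oid(o) + der(0x0C, ROLE_OIDS[o].encode())) for o in role_oids)
    return der(0x30, der(0x30, roles) + der(0x0C, nca_name.encode()) + der(0x0C, nca_id.encode()))

def parse_psd2_qc_type(blob):
    roles_seq, nca_name, nca_id = der_items(der_items(blob)[0][1])
    roles = [ROLE_BY_OID.get(der_items(r)[0][1], "unknown") for _, r in der_items(roles_seq[1])]
    return {"roles": roles, "nca_name": nca_name[1].decode(), "nca_id": nca_id[1].decode()}

def authorise(org_identifier, qc_blob, action):  # ASPSP-side gate before serving a TPP's API request
    if not (m := AUTH_NUMBER.match(org_identifier)):
        return False  # malformed authorisation number: refuse
    fields = parse_psd2_qc_type(qc_blob)
    needed = {"initiate_payment": "PSP_PI", "read_accounts": "PSP_AI", "issue_cards": "PSP_IC"}[action]
    return m.group(2) == fields["nca_id"] and needed in fields["roles"]  # same NCA and role licensed
```

In production the QCStatement bytes and the organizationIdentifier come from a TPP certificate that has already been chain-validated to a QTSP; this example only covers the role and NCA checks that follow.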
When the steps to achieving compliance for Secure Communications for PSD2 are explained, TPPs can feel more confident that compliance is achievable. All TPPs should strive to meet the December 31, 2020 deadline established by the EBA to avoid possible penalties for non-compliance. It is up to the National Competent Authority (NCA) of each member state to establish penalties for non-compliance. Please refer to your NCA for specific details. With the assistance of a QTSP, fallout from non-compliance can easily be avoided.