The Challenges and Best Practices of eIDAS Renewal
Many eIDAS certificates are reaching their 2-year term of expiring, this creates a problem for TPPs and banks. This article looks at why this is happening, and what can be done about it.
With the 2 year anniversary of the PSD2 coming into effect just a few months down the road, the Open Banking industry is maturing; the number of Third Party Providers (TPPs) is growing and the challenges once faced are being replaced by new concerns. One such issue now being raised is the renewal of PSD2 Qualified Certificates.
Despite its name, Open Banking is not really open. It is a controlled environment, to mitigate the risks associated with financial information. Only TPPs authorised by their Home National Competent Authorities can access payment accounts. When onboarding with an Account Servicing Payment Service Provider (ASPSP), TPPs must identify themselves and present their authorisation. PSD2 Qualified Certificates allow TPPs to provide this identification and authorisation securely and effectively but also must be periodically renewed.
PSD2 Qualified Certificates are valid for two years, meaning that the renewal process is already underway for many TPPs. For reference, around 118 TPPs currently acting in the European Economic Area (two-fifths) were authorised by September 2019. This does not necessarily mean that all of them were issued with certificates in this period, but it does suggest the volume of engagements that might reoccur between ASPSPs and TPPs to update the certificates in the months to come.
The Challenges of eIDAS Renewal
You might be wondering how something that was known in advance could pose challenges now. To answer this, OBE has talked to our membership groups about the specific obstacles that they face with certificate renewal.
Firstly, there’s a logistics problem. Based on previous OBE research, there are currently over 1000 unique developer portals in Europe, so it is easy to imagine a scenario in which a single TPP is onboarded with hundreds of banks. The TPP will have to synchronise their certificate renewal with all the ASPSPs they have onboarded with and this process may lead to downtimes.
Secondly, many ASPSPs have technical limitations that only allow TPPs to submit one certificate at a time. In paragraph 20 of its Opinion on the use of eIDAS certificates under the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication (SCA & CSC), the European Banking Authority (EBA) encourages TPPs to use multiple certificates simultaneously for branches and agents. Some ASPSPs allow TPPs to onboard with multiple certificates to accommodate this but this is not a general rule and other banks only accept one certificate, constraining the renewal process.
Finally, there are authorisation number legacy concerns. In the initial stages of Open Banking in Europe, there were more questions than answers regarding the correct identification of TPPs. This led to different authorisation number formats being employed in certificates until standardisation was agreed. Older certificates may reflect different approaches on the use of prefixes and special characters, or even contain authorisation numbers that diverge from the NCA guidance. In these cases, TPPs may experience problems with consents.
However, although these obstacles present some tangible threats for business continuity and security, there are actions that TPPs and ASPSPs can take to avoid or mitigate those threats.
How Can TPPs Face the Challenges of eIDAS Certificate Renewal?
TPPs should anticipate the renewal process and plan for it. Anticipation and careful planning of the renewal process will mitigate most issues, as it allows both TPPs and ASPSPs to implement corrections or workarounds in advance.
TPPs should contact the ASPSPs. As interested parties in the eIDAS certificate renewal process, ASPSPs are willing and available to work with TPPs. TPPs should use the existing communication channels established by ASPSPs to clarify doubts and reduce friction.
TPPs should test their certificates. Some ASPSPs allow TPPs to test the validity of their certificates against the bank’s systems, which allows TPPs check that their certificate will work before proceeding with the onboarding process.
How Can ASPSPs Face the Challenges of eIDAS Certificate Renewal?
ASPSPs should communicate by creating communication channels for eIDAS certificate renewal issues. As recommended for TPPs, communication is crucial. The implementation of specific communication channels will make exchanges more effective and efficient.
ASPSPs should inform TPPs. Thanks to their position in the ecosystem, ASPSPs are in the best position to urge TPPs to act. They should inform the TPPs of the systems and services that they have in place to facilitate eIDAS certificate renewal and encourage their use.
ASPSPs should educate TPPs on the renewal process. ASPSPs should prepare guidelines for TPPs to navigate through the process and protect themselves from the risks that may result from this process. This way, issues with downtimes or in the consents (resultant from different authorisation numbers) are less likely.
Act Now to Anticipate Certificate Renewal
Careful planning to mitigate the potential pitfalls of eIDAS certificate renewal is strongly recommended by our members, as it is the best way to make the process as smoot and efficient as possible.
If you have any doubts or if you want to share your experience on this or any other Open Banking topic, do not hesitate to contact our Industry Helpdesk at email@example.com.
By João de Azevedo Ferreira
This article has been written as part of the Open Banking Europe Membership Program. To access our resources, join our webinars or get involved, please contact us at firstname.lastname@example.org.