And who are you? EBA Opinion on the use of eIDAS certificates under PSD2

The EBA has published an Opinion dated 10 December 2018 on the use of eIDAS certificates under PSD2. The EBA has taken the step to issue an Opinion to ensure consistent implementation as there have been a number of questions arising from the requirement under Article 34 of the RTS on SCA and CSC for payment service providers to use eIDAS certificates.

The Opinion clarifies specific aspects on the use of qualified certificates for electronic seals (QSeal) and qualified certificates for website authentication (QWACs), the content of these certificates, and the process for their revocation.

The EBA explains the difference between QSeal and QWACs:

  • QSeals make it possible for the owner of the certificate to create electronic seals on any data that ensure the integrity and correctness of the origin of the signed/sealed data. This means that the persons receiving digitally signed data can be sure who signed the data, that the data have not been changed since being signed, and that they can also present these signed data to third parties as evidence of who signed the data and that they were not changed after being signed. QSeals do not provide confidentiality of the data (i.e. there is no encryption of application data).
  • QWACs make it possible to establish a channel for communication with the subject of the certificate using the Transport Layer Security (TLS) protocol, which guarantees confidentiality, integrity and authenticity of all data transferred through the channel (in the transport layer). This means that the person or system connecting to the website presenting the certificate can be sure who "owns" the end point of the communication channel (the owner of the certificate), that the data was not changed between the end points, and that nobody else could have read the data along the way.

The key takeaways from the Opinion are:

  • The obligation to use eIDAS certificates relates to identification only – PSPs must still secure the communication channel as well but an eIDAS certificate is not necessary for that.
  • It is acceptable to use a QWAC, a QSeal or both. If QSeal is used, ASPSPs will need to secure the communication channel.
  • It is for the ASPSP, not the TPP, to choose which of these three options is to be used. The EBA has recommended that national regulators (competent authorities) encourage ASPSPs to use both in parallel.
  • An eIDAS certificate is needed for all access, whether through a dedicated interface or through an enhanced customer interface (screen-scraping+).
  • There is no obligation to request eIDAS certificates from end customers.
  • ASPSPs must accept certificates presented by agents or outsource providers as long as the principal is identifiable in the certificate. The EBA encourages PSPs to use multiple certificates where they use agents or outsource providers, as well as where they perform different roles.
  • Only TPPs have to identify themselves using eIDAS – an ASPSP is not required to, but, again, the EBA would like to see national regulators encouraging ASPSPs to use eIDAS certificates to enable mutual recognition.
  • The Qualified Trust Service Provider (QTSP) is responsible for checking the validity of the information included in the certificate when it is issued, and both the QTSP and the holder of the certificate are responsible for keeping the underlying information up to date, including revocation of the certificate. The EBA has suggested that national regulators consider establishing mechanisms for the certificate to be revoked if the authorisation or registration of the TPP is revoked. This should include directing the TPP to give notice of the revocation to the QTSP.

Although ASPSPs and TPPs will welcome the clarity provided by the Opinion, they still face practical difficulties in complying with Article 34 given the limited number of QTSPs – with the added complication of Brexit in the UK.
