The European Banking Authority has recently put out a news item reminding financial institutions on the need to prepare for the end of transition by 31 December 2020. This relates primarily to the end of the transition where the UK, a non-EU country, loses some benefits of a closer relationship with the EU as the transition ends. The EBA is reporting the current position: no agreement has been signed which affects cross-border financial services and therefore could be avoided if there were to be some agreement, or the transition period were extended.
From their note, the summary is:
- “The EBA reminds financial institutions that the transition period between the EU and UK will expire on 31 December 2020, which will end the possibility for the UK-based financial institutions to offer financial services to EU customers on a cross-border basis (passporting).
- Financial institutions wishing to operate in the EU and offer services to their EU customers should ensure they have obtained the necessary authorisations and effectively establish themselves before the end of the transition period.
- Financial institutions affected by the UK withdrawal from the EU, should provide adequate information to their EU customers regarding the availability of services after the end of the transition period.”
In short, if the position doesn’t change, the current arrangements are set to change significantly.
The common item between the EU and UK is Payment Services Directive 2 and the Regulatory Technical Standards which define, amongst other things, how payment service providers communicate securely and identify each other. In the UK PSD2 is implemented as the Payment Services Regulations 2017 and all PSPs which offer the ability to access an account online are obliged to provide programmatic access to those accounts via a dedicated or modified customer interface. This means that the account operator – the Account Servicing Payment Service Provider (ASPSP) – should make available an API or web interface to a third party providers – Account Information Service Provide (AISP) or Payment Initiation Service Providers (PISP) – which allows their joint customers to access data and/or make payments.
To do this relies upon trust and security and the Regulatory Technical Standard on Strong Customer Authentication and Common Secure and Open Standards for Communication (aka SCA-RTS) defines how this works. the UK’s Financial Conduct Authority specifically references the SCA-RTS and the EBA guidance on implementation. Originally the UK’s Open Banking project used a directory and specific certificates, but FCA guidance has been to move to the SCA-RTS as a basis for security and trust.
The FCA guidance is based in law: the Payment Services Regulations call out to the Regulatory Technical Standards and that is almost certainly foundation for any legal advice a UK-based PSP would receive.
eIDAS is another EU Regulation on electronic identity and trust services and is transposed into UK law. It provides a legal basis for how one entity can trust another based on cryptographic security tokens issued by trusted service providers. PSD2 relies on eIDAS to trust that a connecting party is who they claim to be.
The component in the guidance and RTS which covers the identities of the parties is the combination of a private, cryptographic key and a public certificate which contains a section defining the ASPSP’s or PSPP/AISP’s role as a payment service provider. in addition to their verified organisational identity.
The EBA makes a worrying statement related to these certificates:
“account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked.”
On first reading, this means that UK AISPs and PISPs will not be able to access accounts in EU payment service providers, This aligns with an earlier statement in the communiqué:
” UK-authorised payment and electronic money institutions wishing to continue to offer services to EU-based customers that it is illegal for them to provide payment or electronic money services in the EU after 31 December 2020, unless they have been adequately authorised beforehand by an EU competent authority“
But in addition it also has impacts on communications within the UK relying on eIDAS certificates, including all those firms who have followed the FCA guidance, which is directly related to UK law. Any AISP or PISP that wishes to connect to an ASPSP (bank or e-money institution) will have had their eIDAS certificate revoked, and checking that the certificate is not revoked is required by the guidance.
Some services go beyond this and actually check the records of the national competent authority but the he bare minimum is a valid eIDAS certificate containing PSD2 information. So by revoking these certificates, it should make attempted communications sessions fail.
Does the EBA have the power to revoke certificates? Not directly. But if the issuer was informed that a certificate was no longer valid the eIDAS regulation might oblige them to revoke it, or at the very least not re-issue a certificate when it expired. Given that PSPs in the EU are relying on these security measures, it seems unlikely that invalid certificates would be allowed to exist, especially in a third country outside the EU.
What could be done?
Some third-party providers may decide to apply for authorisation in the EU. Given the time for approvals it is unlikely that all of them could set up operations, gain the relevant authorisations and issue certificates before 1st January 2021. With authorisations typically taking 6-12 months in some of the more popular jurisdictions, any PISP or AISP joining the back of the queue now would be unlikely to get through the gate before the deadline at the end of the year.
The UK could develop its own set of certificates or go back to the Open Banking setup. This is possible but would require work in every ASPSP in the UK before 1 December – probably unachievable given the December development freeze and time to test. This would in theory need a change to the UK law to allow non-eIDAS certificates to be used, although it is unlikely that the FCA would enforce the existing law in such a circumstance.
The most practical options are both political: either ensure that any agreement signed before December 31 includes reciprocity for this part of financial services or, as an emergency measur, agree an extension to the transition so that this could be worked out.
Impacting Open Banking and FinTechs in the UK at the point in time where the industry is under pressure from COVID-19 measures and API-based banking is rising up the list of bank interests is more than unfortunate and could see the UK losing whatever lead it had. Let us hope it is not a perfect storm of politics, regulation and IT security.