If you are a TrueLayer client who is regulated by FCA to provide account information services
You should make sure you have sourced an eIDAS certificate (both a QWAC and a QSealC are advisable) by 14 March 2020. This applies even if you are currently connected to banks via Open Banking certificates.
Open Banking Europe provides a list of certificate issuers.
If you are a TrueLayer client who is an agent of TrueLayer
You do not need any certificates. TrueLayer will connect to banks using its own certificates.
If you are using the TrueLayer Payments API
What is an eIDAS certificate?
PSD2 technical standards (SCA-RTS) set out that banks must have an interface that enables a third-party provider (TPP) to identify itself and communicate securely to request and receive information or to initiate a payment order. For the identification part, TPPs and banks must rely on certificates issued by regulated bodies called Qualified Trust Service Providers (QTSPs):
- qualified certificates for electronic seals (QSealCs) - used to protect the integrity and origin of data or messages during or after the communication, but they do not provide confidentiality (i.e. there is no encryption of application data); or
- qualified certificates for website authentication (QWACs) - which enable a secure communication channel (TLS) to be established for the transmission of data between the TPP and the bank.
Why are they needed?
eIDAS certificates enable a bank to determine whether a TPP is a legitimate actor with the legal right to access a customer’s account. For this purpose, the certificate must include the TPP’s firm registration number (assigned when it becomes regulated); the name of the regulator; and the role(s) of the TPP (account information, payment initiation).
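The identification check described above, as an added example that is not TrueLayer's code and is not taken from the page: ETSI TS 119 495, the certificate profile QTSPs use for PSD2 (the page does not cite it), places the registration number in the subject's organizationIdentifier attribute as PSDcc-NCA-number and places the regulator name and the TPP roles in a PSD2 QcStatement (OID 0.4.0.19495.2, role OIDs under 0.4.0.19495.1) inside the qcStatements extension. The script below builds those two fields from constructed sample values, parses them back the way a bank's interface would, and decides whether the TPP may request account information. The firm number, the small DER helpers and the check_tpp function are all constructed for this example.

```python
# Added example (not TrueLayer's code): parse the PSD2 attributes of an eIDAS
# certificate as ETSI TS 119 495 encodes them and check the TPP's role.
# All sample values below are constructed; no real firm or certificate is used.

OID_PSD2_QCSTATEMENT = "0.4.0.19495.2"          # id-etsi-psd2-qcStatement
ROLE_OIDS = {                                    # id-etsi-psd2-roles arcs
    "0.4.0.19495.1.1": "PSP_AS",                 # account servicing
    "0.4.0.19495.1.2": "PSP_PI",                 # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",                 # account information
    "0.4.0.19495.1.4": "PSP_IC",                 # card issuing
}
SERVICE_TO_ROLE = {"account_information": "PSP_AI", "payment_initiation": "PSP_PI"}


# --- minimal DER encoding, used only to build the constructed sample -----------
def der_len(n):
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                         # base-128, high bit = continue
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def der_utf8(s):
    return der(0x0C, s.encode())

def der_seq(*items):
    return der(0x30, b"".join(items))


# --- minimal DER decoding, the part a verifier actually needs -------------------
def read_tlv(buf, pos):
    """Return (tag, content bytes, position after this TLV)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_psd2_qcstatement(qc_statements_der):
    """Return (roles, nCAName, nCAId) from a qcStatements extension value."""
    _, statements, _ = read_tlv(qc_statements_der, 0)   # SEQUENCE OF QCStatement
    pos = 0
    while pos < len(statements):
        _, stmt, pos = read_tlv(statements, pos)          # QCStatement
        _, oid_body, p = read_tlv(stmt, 0)
        if decode_oid(oid_body) != OID_PSD2_QCSTATEMENT:
            continue                                      # some other statement
        _, psd2, _ = read_tlv(stmt, p)                    # PSD2QcType
        _, roles_seq, p = read_tlv(psd2, 0)               # RolesOfPSP
        roles, rp = [], 0
        while rp < len(roles_seq):
            _, role, rp = read_tlv(roles_seq, rp)         # RoleOfPSP { oid, name }
            _, role_oid, _ = read_tlv(role, 0)
            roles.append(ROLE_OIDS.get(decode_oid(role_oid), decode_oid(role_oid)))
        _, nca_name, p = read_tlv(psd2, p)
        _, nca_id, _ = read_tlv(psd2, p)
        return roles, nca_name.decode(), nca_id.decode()
    raise ValueError("certificate carries no PSD2 QcStatement")

def parse_org_identifier(value):
    """'PSD' + ISO country + '-' + NCA id + '-' + authorisation number."""
    if not value.startswith("PSD") or value[5:6] != "-":
        raise ValueError("organizationIdentifier is not a PSD2 identifier")
    nca, number = value[6:].split("-", 1)
    return value[3:5], nca, number

def check_tpp(org_identifier, qc_statements_der, requested_service):
    """Bank-side decision: is this TPP authorised for the requested service?"""
    country, nca, reg_number = parse_org_identifier(org_identifier)
    roles, nca_name, nca_id = parse_psd2_qcstatement(qc_statements_der)
    needed = SERVICE_TO_ROLE[requested_service]
    consistent = nca_id == f"{country}-{nca}"   # both fields must name the same NCA
    return {"registration_number": reg_number, "regulator": nca_name,
            "regulator_id": nca_id, "roles": roles,
            "authorised": needed in roles and consistent}


# Constructed sample: a placeholder FCA number with the account-information role only.
SAMPLE_ORG_ID = "PSDGB-FCA-000000"
SAMPLE_QC_STATEMENTS = der_seq(der_seq(
    der_oid(OID_PSD2_QCSTATEMENT),
    der_seq(der_seq(der_seq(der_oid("0.4.0.19495.1.3"), der_utf8("PSP_AI"))),
            der_utf8("Financial Conduct Authority"), der_utf8("GB-FCA"))))

if __name__ == "__main__":
    print(check_tpp(SAMPLE_ORG_ID, SAMPLE_QC_STATEMENTS, "account_information"))
    print(check_tpp(SAMPLE_ORG_ID, SAMPLE_QC_STATEMENTS, "payment_initiation"))
```

The two fields are checked together on purpose: a certificate whose organizationIdentifier names one regulator and whose QcStatement names another should not pass, and a role missing from the QcStatement means the request for that service is refused even though the TLS handshake itself succeeded.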
When are they needed?
Using eIDAS certificates for identification became a legal requirement for TPPs on 14 September 2019, when the PSD2 technical standards (SCA-RTS) came into force.
However, the FCA has provided some flexibility for banks to allow the continued use of Open Banking (or eIDAS-equivalent) certificates, but only until 14 March 2020.
How does TrueLayer use my certificate?
Where you use TrueLayer to access accounts (i.e. as a technical service provider), you will need to securely provide your certificate to TrueLayer so that we can present the certificate when acting on your behalf to access accounts. This is in line with European Banking Authority Guidance.
Why do I need eIDAS certificates when I already have Open Banking Certificates?
It is a legal requirement for AISPs and PISPs to identify themselves to banks using eIDAS certificates. The FCA expects all TPPs to have eIDAS certificates by 14 March 2020.
Open Banking certificates were a temporary stop-gap in the UK. They do not meet the legal requirements of PSD2, because they are not issued by a Qualified Trust Service Provider.
If I am currently using Open Banking Certificates, will I be able to continue using them after 14 March 2020?
Leading up to 14 March 2020 we expect there will be a mixture of approaches taken by banks. Some banks may move to accepting eIDAS certificates only. Some banks may seek to continue using Open Banking certificates (see below).
In any case, most banks based outside the UK, and some UK banks, do not support Open Banking Certificates as a means of identification currently.
That means obtaining eIDAS certificates as soon as possible is the best approach if you are a regulated TPP. This will also better enable TrueLayer to ensure your connections are maintained beyond 14 March 2020.
UK banks that continue to support identification via Open Banking Certificates
Some UK banks may request that TPPs continue to use Open Banking certificates for identification after 14 March 2020. This is based on the idea that enrolling on the Open Banking Directory using an eIDAS certificate, and using Open Banking certificates from that point on, is sufficient to meet the legal requirements.
The Open Banking Directory has now been developed so that TPPs can auto-enrol regulated entities via an API through the use of eIDAS certificates. That means it should be relatively straightforward for a TPP to manage the certificates and software statements (in addition to eIDAS) that it may need to connect to account providers. But again, having eIDAS certificates is the key.
Why do I need both QSealC and QWAC?
The European Banking Authority (EBA) published an Opinion on the use of eIDAS certificates in December 2018. It set out three possible combinations that could be used to meet PSD2 requirements:
- Parallel use of QWACs and QSealCs (EBA recommends this approach above others)
- Use of QWACs only
- Use of QSealCs with an additional element that ensures secure communication
The EBA clarified that it should be the bank that decides on what type of certificate should be used for identification. The Opinion also clarified that while the use of eIDAS certificates is required for the purposes of identification, eIDAS certificates are not necessarily required for securing the communication session, although their use is encouraged for that purpose.
Since it is the bank that decides, it is advisable that a TPP obtains both a QWAC and a QSealC from a provider.
What is TrueLayer doing to help clients with certificates?
We are building self-service functionality into our developer console so that you can automatically register your certificates. In the meantime, one of our team will be able to assist you through the certification process.