- Question ID: 2018_4413
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 98
- Paragraph: 1
- Subparagraph: d
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 34
- Type of submitter: Credit institution
- Subject matter: Qualified certificate under eIDAS for ASPSP
- Question
Is it required for an Account Servicing Payment Service Provider (ASPSP) to use qualified certificates under eIDAS to identify itself to a Third Party Provider (TPP)?
- Background on the question
Article 34 (1) refers to Article 30 (1) in Regulation (EU) No 910/2014 relating to qualified certificates. This is called eIDAS within our submission. Under (a) to (c), AISP, PISP and CBPII are mentioned without ASPSP. So too in Table 1 in "Opinion of the European Banking Authority on the implementation of the RTS on SCA and CSC". Nevertheless, Article 34 (2) and (3) mention ASPSP in conjunction with qualified certificates under eIDAS, describing the necessary attributes to be used inside certificates. So it seems that there is no unique definition of whether ASPSP needs qualified certificates or not.
- Submission date
- Final publishing date
-
- Final answer
Article 30(1)(a) of the Commission Delegated Regulation (EU) 2018/389 specifies that ‘account servicing payment service providers that offer to a payer a payment account that is accessible online shall have in place at least one interface which meets each of the following requirements: (a) account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments are able to identify themselves towards the account servicing payment service provider’.
Article 34(1) of the Delegated Regulation provides that ‘for the purpose of identification, as referred to in Article 30(1)(a), payment service providers shall rely on qualified certificates for electronic seals (QSealCs) as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication (QWACs) as referred to in Article 3(39) of that Regulation.’
In relation to the above, paragraph 28 of the EBA Opinion on the use of eIDAS certificates under the RTS on strong customer authentication and secure communication states that, in the scenario where the payment service provider acts in its capacity as an account servicing payment service provider and offers to payment service users accounts that are accessible online, said payment service providers should be assigned the role ‘account servicing’. Also, the Delegated Regulation and PSD2 do not require account servicing payment service providers to identify themselves towards the account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments. Nevertheless, competent authorities could encourage account servicing payment service providers also to obtain an eIDAS certificate for the purpose of mutual identification.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.