On 16 January 2020, the FCA updated its webpage on strong customer authentication (SCA) under the revised Payment Services Directive by adding a section on the use of eIDAS certificates.
The new section notes that:
- during the adjustment period (the period in which, in certain circumstances, firms have until 14 March 2020 to implement SCA for online banking), account servicing payment service providers (ASPSPs) are encouraged to allow third-party providers (TPPs) that do not yet have an electronic identification, authentication and trust services (eIDAS) certificate, and that are accessing accounts via application programming interface standards (APIs), to use equivalent certificates enabling secure identification;
- ASPSPs should tell TPPs which certificates they will accept during the adjustment period. The FCA encourages the use of the Open Banking Implementation Entity’s transparency calendar for this purpose;
- following the adjustment period, the FCA expects all ASPSPs and TPPs to rely on eIDAS certificates for the purpose of identification. This means that an ASPSP must ensure that its interface is capable of enabling a TPP to identify itself using only its eIDAS certificate; and
- if TPPs voluntarily agree to it, ASPSPs can also enable TPPs to use a certificate obtained from a provider of an API programme, so long as that provider only issues the alternative identification certificate to a TPP that has enrolled with the API programme using its eIDAS certificate to identify itself. The provider of the API programme should continue checking, on behalf of the ASPSP, the status of the TPP’s eIDAS certificate with the Qualified Trust Service Provider.