/regulation & compliance

News and resources on regulation, compliance, legal and governance issues for banks and fintechs.

FCA changes Open Banking ID requirements for life after Brexit

In a bid to limit the risk of disruption to open banking services after Brexit, fhe FCA is to permit UK-based third-party providers (TPPs) to use an alternative to eIDAS certificates to access customer account information from account providers, or initiate payments.

  16 3 comments

FCA changes Open Banking ID requirements for life after Brexit

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The FCA's intervention comes after the European Banking Authority (EBA) announced that eIDAS certificates of UK Third-Party Providers (TPPs) will be revoked when the transition period ends on 31 December 2020.

EIDAS certificates are required for TPPs to identify themselves to account providers and allow firms to interact and share customer account information online. Under the Strong Customer Authentication Regulatory Technical Standards (SCA-RTS), they are the only accepted identification standard permitted between providers of open banking services in the EU.

Under the FCA's proposals, UK-based banks will need to make technical changes to their systems to enable TPPs to continue accessing customer account information, by accepting an alternative certificate and informing TPPs "as soon as possible" which certificates they will accept

"Firms must review the changes immediately and implement any necessary changes as soon as possible,Q" states the FCA. "Acknowledging the challenges faced by the industry, the FCA will provide a transition period until the end of June 2021 for complying with our rules."

Sponsored [Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates

Comments: (3)

A Finextra member 

Account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked. So whole lot of pain for those accessing European accounts?

A Finextra member 

Another opportunity for AISP and PISP in the UK- we can provide regulatory solution via alternate infrastructure to this problem and favourably slope regulations!

Brendan Jones

Brendan Jones CCO - Co-Founder at Konsentus Ltd

The FCA amendments to the open banking identification requirements have very clear next steps for both ASPSPs and TPPs.

 ASPSPs must assess what changes they need to make to their systems so they can accept at least one alternative form of digital certificate (in addition to eIDAS Certificates).  Any changes that need to be made must be implemented as soon as possible ahead of IP Completion Day. They also need to tell TPPs which alternative certificates they will accept as early as possible.

The amendments also clearly state that ASPSPs, without causing an obstacle, must “verify that the payment service provider is authorised or registered to perform the payment services relevant to its activities”.

For TPPs, the guidance is much simpler.  If their eIDAS certificates are likely to be revoked, they must have an alternative certificate(s) as soon as possible ahead of IP Completion Day.

[On-Demand Webinar] AI in Banking: Building Compliant and Safe Enterprise AI at ScaleFinextra Promoted[On-Demand Webinar] AI in Banking: Building Compliant and Safe Enterprise AI at Scale