11 December 2018
The European Banking Authority (EBA) published today an Opinion on the use of eIDAS certificates under the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication (SCA&CSC). In the Opinion, the EBA clarifies specific aspects of the use of qualified certificates for electronic seals (QSealCs) and qualified certificates for website authentication (QWACs) for the purpose of identifying payment service providers (PSPs) under the RTS, the content of these certificates, and the process for their revocation.
The Opinion aims at addressing questions and concerns raised by market participants related to the use of eIDAS certificates. More specifically, the Opinion clarifies that ASPSPs are the party that should choose whether to use a QSealC or a QWAC for identification purposes, because they are providing the interface and ensuring the security of the communication. In addition, in the Opinion, the EBA highlights three potential alternative approaches for the use of eIDAS certificates, but it recommends that QSealCs and QWACs should be used in parallel.
The Opinion also clarifies which payment services correspond to each of the roles specified in Article 34(3)(a) of the RTS and the roles that have to be assigned in the certificates to payment institutions, electronic money institutions and credit institutions, including when these institutions act in their capacity as a third party provider or an ASPSP.
Finally, in order for all payment service providers (PSPs) to be in a position to rely on the eIDAS certificates, the Opinion identifies a few measures that competent authorities may apply, including requesting the revocation of certificates issued to a PSP that has had its authorisation withdrawn. However, the EBA acknowledges that the validity of the information contained in the certificates is the responsibility of PSPs and of the qualified trust service providers that issue the certificates.
The Opinion is addressed to national competent authorities, but it is also useful for account servicing payment service providers (ASPSPs), account information service providers, payment initiation service providers, card-based payment instrument issuers, third party providers, and industry initiatives, including application programming interface (API) initiatives.
The EBA has drafted the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.
The Opinion is issued in support of the EBA's RTS on SCA&CSC, which was published in the Official Journal of the EU as Commission Delegated Regulation (EU) 2018/389.