Single Rulebook Q&A

Question ID: 2018_4138
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Strong customer authentication and common and secure communication (incl. access)
Article: art 67
Paragraph: 2
Subparagraph: c
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : Article 34 RTS SCA
Type of submitter: Credit institution
Subject matter : Testing eIDAS certificates before 14 September 2019
Question:

How can Third Party Providers (TPPs) and account servicing payment service providers (ASPSPs) test their interfaces using PSD2 eIDAS-certificates during the testing period prior to September 2019 as it is only mandatory to use PSD2 eIDAS certificates from September 2019 onwards?

Background on the question:

ASPSPs want to (1) meet the requirements of the testing period in order to qualify for the exemption to the fall-back and sees the importance of timely testing of all requirements imposed by the RTS SCA. Additionally ASPSPs want to (2) ensure that the testing period is used for testing the interfaces including certificates similar to those that are going to be used after September 2019. This way ASPSPs and TPPs can both optimise their customer journeys based on the actual to-be-state.

Date of submission: 18/07/2018
Published as Final Q&A: 07/06/2019
EBA answer:

In accordance with Article 33(6) of the Commission Delegated Regulation (EU) 2018/389, one of the conditions that account servicing payment service providers (ASPSPs), who have opted for a dedicated interface, must meet in order to be eligible for an exemption from the fall-back mechanism under Article 36(4) of the Delegated Regulation is that their dedicated interface “has been designed and tested in accordance with Article 30(5) to the satisfaction of the payment service providers referred to therein” (Article 33(6)(b) of the Delegated Regulation).

In accordance with Article 30(5) of the Delegated Regulation, ”Account servicing payment service providers shall make available a testing facility, including support, for connection and functional testing to enable authorised payment initiation service providers, payment service providers issuing card-based payment instruments and account information service providers, or payment service providers that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users. This testing facility should be made available no later than 6 months before the application date referred to in Article 38(2) or before the target date for the market launch of the access interface when the launch takes place after the date referred to in Article 38(2) […]”

Furthermore, Guideline 6.5(b) of the EBA Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (EBA/GL/2018/07), provides that “The testing facility should allow ASPSPs, authorised Payment Initiation Service Providers (PISPs), Account Information Service Providers (AISPs) and card-based payment instrument issuers (CBPIIs) or payment service providers (PSPs) that have applied to their competent authorities for the relevant authorisation to test the dedicated interface in a secure, dedicated testing environment with non-real Payment Services User (PSU) data, for the following: [...] b. the ability of ASPSPs and authorised PISPs, AISPs and CBPIIs to exchange the relevant certificates in accordance with Article 34 of the” Delegated Regulation.

As clarified in the Final report on the above mentioned Guidelines, for the purpose of the testing under Article 30(5) of the Delegated Regulation, the testing facility should allow the testing of the ability of authorised AISPs, PISPs and CBPIIs to exchange eIDAS certificates as referred to in Article 34 of the Delegated Regulation. Prior to 14 September 2019, when certificates must comply with Article 34 of the Delegated Regulation, authorised or registered AISPs, PISPs or CBPIIs that do not yet have the relevant qualified certificate under Article 34 of the Delegated Regulation, may also use test certificates for the purpose of testing in accordance with Article 30(5) of the Delegated Regulation.

PSPs that have applied to their competent authorities for the relevant authorisation/ registration as AISPs, PISPs or CBPIIs, but are not yet authorised, may identify themselves for the purpose of testing under Article 30(5) of the Delegated Regulation using test certificates, taking into account that said Article requires ASPSPs to also grant these providers access to the testing facility. This also applies to the period after the application date, 14 September 2019, of the Delegated Regulation.

 

Status: Final Q&A
Permanent link: link