Is it required for an Account Servicing Payment Service Provider (ASPSP) to use qualified certificates under eIDAS to identify itself to a Third Party Provider (TPP)?
Article 34 (1) refers to Article 30 (1) in Regulation (EU No 910/2014 relating to qualified certificates. This is called eIDAS within our submission. Under (a) to (c) are mentioned AISP, PISP and CBPII without ASPSP. So too in Table 1 in "Opinion of the European Banking Authority on the implementation of the RTS on SCA and CSC". Nevertheless article 34 (2) and (3) mention ASPSP in conjunction with qualified certificates under eIDAS describing the necessary attributes to be used inside certificates. So it seems to be, that there is no unique definition whether ASPSP needs qualified certificates or not.
Article 30(1)(a) of the Commission Delegated Regulation (EU) 2018/389 specifies that ‘account servicing payment service providers that offer to a payer a payment account that is accessible online shall have in place at least one interface which meets each of the following requirements: (a) account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments are able to identify themselves towards the account servicing payment service provider’.
Article 34(1) of the Delegated Regulation, provides that ‘for the purpose of identification, as referred to in Article 30(1)(a), payment service providers shall rely on qualified certificates for electronic seals (QSealCs) as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication (QWACs) as referred to in Article 3(39) of that Regulation.’
In relation to the above, in paragraph 28 of the EBA Opinion on the use of eIDAS certificates under the RTS on strong customer authentication and secure communication it states that in the scenario where the payment service provider acts in its capacity as an account servicing payment service provider and offers to payment service users accounts that are accessible online, said payment service providers should be assigned the role ‘account servicing’. Also, the Delegated Regulation and PSD2 do not require account servicing payment service providers to identify themselves towards the account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments. Nevertheless, competent authorities could encourage account servicing payment service providers also to obtain an eIDAS certificate for the purpose of mutual identification.