Single Rulebook Q&A

Question ID: 2018_4432
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Passporting
Article: 28
Paragraph: 5
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : 34
Name of institution / submitter: Bundesdruckerei GmbH
Country of incorporation / residence: Germany
Type of submitter: Other
Subject matter : Passporting and eIDAS certificates

Do Account servicing payment service providers (ASPSPs) have to check that third party providers (TPPs) are authorised to operate in their Member State via freedom to deliver services passporting? If so, how shall this be done?

Background on the question:

eIDAS certificates do not contain any information on passporting. Thus ASPSPs in the host member state cannot check passporting status based on the certificate. If they were requested to check the status they would have to retrieve this from other sources, e.g. the EBA register. Such an additional step would cause delays in the ‘customer journey’ as rightly pointed out (in a slightly different context)  in EBA-Op-2018-7 item 30.

Date of submission: 21/12/2018
Published as Final Q&A: 26/04/2019
EBA answer:

Article 34(1) of the Commission Delegated Regulation (EU) 2018/389 states that for the purpose of identification, payment service providers shall rely on eIDAS certificates. The Delegated Regulation does not require account servicing payment service providers (ASPSPs) to carry out additional checks for the purpose of identification. Given eIDAS certificates do not contain information on passporting, ASPSPs are not legally required to check any passporting information related to the third party provider (TPP) requesting access to online payment accounts.

In addition, Article 68(5) of PSD2 states that an ASPSP ‘may deny an account information service provider or a payment initiation service provider access to a payment account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or that payment initiation service provider’. Given eIDAS certificates do not contain passporting information (as stated above) and that ASPSPs do not therefore have to check passporting rights for the purpose of identification, ASPSPs should not block access to an account on the basis of the absence of information on whether or not a TPP is allowed to provide services in the host Member State.


Status: Final Q&A
Permanent link: link