Single Rulebook Q&A

Question ID: 2019_4609
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Other topics
Article: 98
Paragraph:
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : Articles 30 and 34
Name of institution / submitter: De Nederlandsche Bank
Country of incorporation / residence: the Netherlands
Type of submitter: Other
Subject matter : Identification and access for testing purposes of entities that are not authorised third party providers (TPPs)
Question:

How would account servicing payment service providers (ASPSPs) identify entities that have applied for authorisation as a TPP?

Should ASPSPs offer access to their testing facility to entities that are not (i) authorised payment service providers or (ii) entities that have applied for authorisation as a TPP (e.g. technical service providers)? If the answer is ‘yes’, should ASPSPs offer the same level of service to the referred entities?

 

 

Background on the question:

Article 30(5) of the Commission Delegated Regulation (EU) 2018/389 states that “account servicing payment service providers shall make available a testing facility, including support, for connection and functional testing to enable […] payment service providers that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users”.

In accordance with Article 34(1) of the Delegated Regulation, the identification of TPPs towards the ASPSPs is done through the use of qualified certificates for electronic seals and qualified certificates for website authentication (PSD2 eIDAS certificates). However, these certificates are issued only to authorised payment service providers. Therefore, it is not clear how ASPSPs will be able to identify entities that have applied for authorisation as a TPP in order to grant them access to the ASPSP’s testing facility since these applicants cannot obtain PSD2 eIDAS certificates. Market participants we interacted with suggested the EBA to establish a central register of all TPPs that have applied for authorisation as a TPP. This would also allow QTSPs to introduce a unique [organization] identifier for the entities that have applied for authorisation as a TPP. ASPSPs, in turn, will be able to perform the same checks in the sandbox and in the live environment.

Article 30(5) lists the industry participants to whom ASPSPs are required to provide access to their testing facility. However, said Article is silent whether or not ASPSP can provide access to other market participants that are not authorised PSPs or entities that have applied for authorisation as a TPP (e.g. technical service providers). This, in turn, would mean that it is for the ASPSP to make the decision whether to make its testing facility available to these market participants. This would also mean that ASPSPs should be able to choose the service level they will offer to them.

Date of submission: 12/03/2019
Published as Final Q&A: 29/03/2019
EBA answer:

Article 30(5) of the Commission Delegated Regulation (EU) 2018/389 states that “account servicing payment service providers (ASPSPs) shall make available a testing facility, including support, for connection and functional testing to enable authorised payment initiation service providers (PISPs), payment service providers issuing card-based payment instruments (CBPIIs) and account information service providers (AISPs), or payment service providers (PSPs) that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users”.

This means that ASPSPs shall provide access to the testing facility to all authorised PISPs, CBPIIs and AISPs, and also to entities that have applied for authorisation. With regard to the identification of the entities that have applied for authorisation as a Third Party Provider (TPP), national competent authorities (NCAs) should be in a position to provide a confirmation to the applicants that their application for authorisation has been received. NCAs are free to choose the form of the confirmation they will provide to the applicants. Applicants should consider using this confirmation from the NCAs when requesting access to the testing facilities of ASPSPs and, reversely, ASPSPs should consider using this information when making their testing facility available for applicants.

There are no legal requirements that would prevent ASPSPs from making the testing facilities accessible to market participants other than authorised PISPS, CBPIIs and AISPs (and entities that have applied for authorisation), such as technical service providers or entities that intend to apply for an authorisation but have not yet so done. In this case, the relationship between the parties in question is outside the scope of PSD2. Therefore, if ASPSPs were to do so, it would be permissible for them to provide a different level of service and support to these additional market participants or to introduce an enrolment process for them. Further, while ASPSPs are not prevented from providing this information to NCAs, ASPSPs are not required to include information about these additional market participants when providing the summary of the results of testing to the NCAs in accordance with Guideline 6.6 of the EBA Guidelines on the conditions to benefit from an exemption (EBA/GL/2018/07). If ASPSPs choose to provide this information to NCAs, NCAs are not required to take into account this information in their assessment of the application for an exemption. Also, there are no legal requirements that would prevent ASPSPs from blocking access to the testing facility to these additional market participants in case of security concerns.

The EBA has no legal remit over Qualified Trust Service Providers (QTSPs) and cannot impose specific attributes to be included in the certificates issued by them.

Finally, the EBA and NCAs have not developed nor operate registers for the identification of entities that have applied for authorisation as TPPs. In addition, there is no requirement or intention to so do.

 

 

Status: Final Q&A
Permanent link: link