Single Rulebook Q&A

Question ID: 2019_4630
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: d
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : Article 34
Name of institution / submitter: Bundesanstalt für Finanzdienstleistungsaufsicht
Country of incorporation / residence: Germany
Type of submitter: Competent authority
Subject matter : Applicability of Article 34 (eIDAS certificates) prior to application date of Regulation (EU) 2018/389
Question:

Is the use of eIDAS certificates mandatory for accessing payment accounts via dedicated interfaces (APIs) already prior to the application date of the Commission Delegated Regulation (EU) 2018/389, i.e. 14 September 2019?

Background on the question:

Article 34 of the Commission Delegated Regulation (EU) 2018/389, which becomes applicable from 14 September 2019, requires TPPs for the purpose of identification when accessing payment accounts via access interfaces in accordance with Article 30(1)(a) to rely on qualified certificates for electronic seals or qualified website certificates as referred to in Article 3 (30) and Article 3(39) of Regulation (EU) No 910/2014 (eIDAS Regulation).

Article 33(6) of the Delegated Regulation prescribes the general conditions under which ASPSPs may be exempted from the obligation to set up the contingency mechanism in accordance with Article 33(4) of the Delegated Regulation in case of dedicated interfaces. Amongst others, the dedicated interface has to have been widely used for at least 3 months. For an ASPSP to be granted an exemption until 14 September 2019, its dedicated interface therewith needs to be used even before 14 September 2019 in a production environment.

The corresponding dedicated interface, which is provided for the 3 month “wide usage” period, is the same interface that would be provided as of 14 September 2019 as access interface in accordance with Article 30 of the Delegated Regulation. Hence, Article 34 of the Delegated Regulation needs to be regarded prior to the application date of the Delegated Regulation. Nonetheless, access to payment accounts via this dedicated interface will not become mandatory before 14 September 2019.

Date of submission: 27/03/2019
Published as Final Q&A: 26/04/2019
EBA answer:

Article 38 of the Commission Delegated Regulation (EU) 2018/389 specifies that the Delegated Regulation applies from 14 September 2019, with the exception of paragraphs 3 and 5 of Article 30, as stated in paragraph 3 of Article 38, which apply from 14 March 2019.

Article 34 of the Delegated Regulation requires payment service providers (PSPs) for the purpose of identification, as referred to in Article 30(1)(a), to rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication as referred to in Article 3(39) of that Regulation. Article 34 of the Delegated Regulation is not referred to in Article 38(3) of the Delegated Regulation, meaning that it shall apply from 14 September 2019. This means that Account Servicing Payment Service Providers (ASPSPs) should rely on eIDAS certificates for the purpose of identification from the date of application of the Delegated Regulation (i.e. 14 September 2019).

In the same way as for the use of testing facility, any dedicated interface should offer the use of eIDAS certificates prior to 14 September 2019. It may in particular contribute to meeting the conditions to get an exemption from the obligation to have to build a fallback as defined in Article 33(6) of the Delegated Regulation, and specifically the condition of the interface being widely used under item ‘c’. To fulfill this condition, the dedicated interface, which shall be widely used, needs to be technically the same as the one that is provided from 14 September 2019 onwards. This means that it should include eIDAS certificates for the purpose of identification.

Furthermore, and in order to ensure a smooth application of the Delegated Regulation on 14 September 2019, ASPSPs, Account Information Service Providers (AISPs), Payment Initiation Service Providers (PISPs) and Card-based payment instrument issuers (CBPIIs) would benefit from the early use of eIDAS certificates.

 

Status: Final Q&A
Permanent link: link