The EBA register needs looking at closely. By 14 September 2019, over 9,000 European financial institutions must comply with ‘Open Banking’ under PSD2’s Regulatory Technical Standards (RTS).
This means a financial institution cannot deny access to a Third Party Provider (TPP) that is appropriately regulated. But how does the institution know this, and how does it know that a TPP is who it says it is?
For a system to utilise the information in the register, the register has to be downloaded regularly, and a full interrogation and data management system has to be built around it. It is not accessible on a real-time basis to check TPP transactions.
Organisations listed/omitted in the EBA register
The EBA register contains information on the following regulated organisations:
- ‘Payment institutions’ as legally defined in Article 4(4) of PSD2;
- ‘Exempted payment institutions’ under Article 32 of PSD2;
- ‘Account information service providers’ under Article 33 of PSD2;
- ‘Electronic money institutions’ as legally defined in Article 2(1) of EMD2;
- ‘Exempted electronic money institutions’ under Article 9 of EMD2;
- ‘Agents’ as legally defined in Article 4(38) of PSD2;
- ‘EEA branches’ as legally defined in Article 4(39) of PSD2;
- ‘Institutions entitled under national law to provide payment services’ under Article 2(5) of PSD2, and
- ‘Service providers excluded from the scope of PSD2’ under points (i) and (ii) of point (k) and point (l) of Article 3 of PSD2.
However, it does not contain information on Credit Institutions (banks), which are all allowed to act as TPPs without further registration with the relevant National Competent Authority, although some NCAs have asked their Credit Institutions to inform them if they intend to act as a TPP. There is a separate register published by the EBA containing information on Credit Institutions.
The EBA Credit Institution Register contains information on the following:
- Credit institutions;
- EEA Branches of credit institutions; and
- Non EEA Branches of credit institutions.
However, the EBA Credit Institution register only allows manual searches. There is no downloadable version, and it is updated, in the EBA’s words, only ‘regularly’. Thus there is no easy way to access this data and no guarantee it is up to date.
EBA register: validity of the data supplied
The EBA register of payment and electronic money institutions is not real-time. It publishes updates twice a day and it is only updated by National Competent Authorities (NCAs) once a day.
An NCA may supply information that a TPP has had its authorisation withdrawn just after the EBA register is published. It could be up to 12 hours or even longer before the EBA register is published containing details of the update.
The EBA register also has a disclaimer. This states that the information in it may be out of date.
Specifically, it says: ‘This file, which is available for download, reproduces the information contained on the EBA register of payment and electronic money institutions. It is updated on regular basis, with the update times being displayed on the register. For transparency reasons, public users of the register should be aware that there may be a discrepancy between the information contained on the file and the information contained on the actual register depending on the time of the update of the information on the file and the timing of its download.’
In addition, if an ASPSP uses the EBA registry as its sole source for data checking, the information supplied by the EBA is out of date and the transaction is found to be fraudulent, the EBA takes no liability. Account Servicing Payment Service Providers (ASPSPs) are therefore fully liable, not the EBA.
eIDAS stands for Electronic Identification (eID) and Trust Services (AS) and is a European Regulation. It establishes a framework to ensure that electronic interactions between businesses, citizens and public authorities are safer and more efficient, regardless of the European Union (EU) country they take place in.
Electronic identification or eID is a way for businesses and consumers to identify who they are (identification process) and to prove that they are who they say they are (authentication process), so they can gain access to services or carry out business transactions more easily.
Trust Services are electronic services that aim to increase the confidence of EU citizens and businesses when carrying out electronic transactions, particularly those that take place between business and customers located in another EU country.
Under PSD2, ASPSPs will rely on eIDAS certificates, namely Qualified Seal Certificates (QSealCs) and Qualified Web Authentication Certificates (QWACs), to provide proof of origin, identity and data integrity services for payment initiation and account access requests, and mutually authenticated Transport Layer Security (MTLS) and confidentiality for secure communications.
These Qualified Certificates will be issued by Qualified Trust Service Providers (QTSPs) in collaboration with NCAs. The NCAs will provide the QTSPs with a registration number for the TPP, the PSD2 roles for which the TPP is authorised/registered and the identity of the NCA.
The EBA register does not contain any information on eIDAS certificates or their status. This information is provided by EU member state approved Qualified Trust Service Providers (QTSPs). Eventually there may be 70+ QTSPs providing certificates to TPPs and publishing their status. Root public keys and certificate revocation details need to be known in order to validate the TPPs’ public key certificates.
Mismatching of data
The reference numbers on the EBA register are different to those on the NCA registers. The numbers are either mismatching, in a different format (e.g. with commas and full stops removed) or missing altogether. Currently there are:
- 18 countries with no numbers in the EBA register, e.g. Austria and Estonia, and
- 4 countries with mismatching numbers in the EBA register, e.g. France.
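A reconciliation pass over the two sources has to tell these three cases apart. The sketch below is an added example, not code from the EBA or any NCA; the record keys (`country`, `name`, `ref`) and all sample entries are constructed for illustration.

```python
import re
import unicodedata

def normalise_ref(ref):
    """Reduce a reference number to a comparison key (no punctuation, upper case)."""
    if not ref:
        return None
    text = unicodedata.normalize("NFKC", ref).upper()
    key = re.sub(r"[^0-9A-Z]", "", text)
    return key or None

def reconcile(nca_entries, eba_entries):
    """Classify each NCA entry against the EBA copy; returns {(country, ref): status}."""
    by_key, names_without_ref = {}, set()
    for e in eba_entries:
        key = normalise_ref(e.get("ref"))
        if key:
            by_key[(e["country"], key)] = e
        else:
            names_without_ref.add((e["country"], e["name"].casefold()))
    result = {}
    for n in nca_entries:
        ident = (n["country"], n["ref"])
        hit = by_key.get((n["country"], normalise_ref(n["ref"])))
        if hit and hit["ref"] == n["ref"]:
            result[ident] = "exact"
        elif hit:
            result[ident] = "format-only"      # same number, punctuation differs
        elif (n["country"], n["name"].casefold()) in names_without_ref:
            result[ident] = "eba-ref-missing"  # name match only, needs manual review
        else:
            result[ident] = "unmatched"
    return result

# Constructed sample data (hypothetical, not real register entries).
NCA = [
    {"country": "FR", "name": "Exemple Paiements SAS", "ref": "12.345"},
    {"country": "AT", "name": "Beispiel Zahlung GmbH", "ref": "FN 999999x"},
    {"country": "DE", "name": "Muster Pay AG", "ref": "100200"},
    {"country": "NL", "name": "Voorbeeld BV", "ref": "R1234"},
]
EBA = [
    {"country": "FR", "name": "EXEMPLE PAIEMENTS SAS", "ref": "12345"},
    {"country": "AT", "name": "Beispiel Zahlung GmbH", "ref": None},
    {"country": "DE", "name": "Muster Pay AG", "ref": "100200"},
]
```

Stripping punctuation can make two distinct numbers collide, so a `format-only` or `eba-ref-missing` result is a candidate match to confirm against the NCA record, not an authorisation decision.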
Currently the number of entries in the EBA register does not match the number of entries in the NCA registers. It may be early days, but there are still significant differences. Below are some of the discrepancies identified between the NCA registers and the EBA register.
EBA register: summary of limitations
The EBA’s central electronic register of payment and electronic money institutions does not contain a single place for checking the authorisation of a TPP. Even when combined with the Credit Institution register there are still issues.
These include data, delays and the NCA reference numbers on the EBA registry. There are also issues with missing identification numbers on the EBA registry.
Other issues include:
- The Credit Institution register has no download functionality and is only updated ‘regularly’;
- Neither register provides notification when there are changes, nor a version history, and
- The registers were built for transparency, not interoperability.
Finally, under the RTS for Strong Customer Authentication and Common Secure Communications, ASPSPs are required to provide traceability of all transactions, another aspect that needs to be built so it can be used in the case of disputes or fraudulent claims. The EBA registry does not provide any sort of tracking of when data is updated on it or when an ASPSP checks it; it is just a static registry. Therefore an ASPSP, as previously outlined, needs to build not just interrogation and management software around the EBA database but also a full immutable audit.
The EBA registry, whilst offering a reference point, is not the source data. The source data is held by the NCAs, so the EBA registry cannot be relied upon by ASPSPs to check the regulatory status of TPPs.
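One way to make such an audit trail tamper-evident is a hash chain in which every check commits to the register snapshot it used and to the previous record. This is an added example, not part of the original article; the class, field names, sample snapshot and the 12-hour staleness threshold are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

MAX_SNAPSHOT_AGE = timedelta(hours=12)  # assumption, based on twice-a-day publication
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditChain:
    """Append-only log; each record commits to the hash of the previous one."""
    def __init__(self):
        self.records = []

    def record_check(self, tpp_ref, decision, snapshot_bytes, snapshot_time, now):
        body = {
            "checked_at": now.isoformat(),
            "tpp_ref": tpp_ref,
            "decision": decision,
            "snapshot_sha256": hashlib.sha256(snapshot_bytes).hexdigest(),
            "snapshot_time": snapshot_time.isoformat(),
            "snapshot_stale": now - snapshot_time > MAX_SNAPSHOT_AGE,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        self.records.append({**body, "hash": _digest(body)})
        return self.records[-1]

    def verify(self):
        """Return the index of the first broken record, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None

def demo():
    """Two checks against a constructed snapshot, then an after-the-fact edit."""
    snap = b'[{"ref": "PLACEHOLDER-001", "status": "authorised"}]'  # constructed
    t0 = datetime(2019, 9, 14, 6, 0, tzinfo=timezone.utc)
    chain = AuditChain()
    chain.record_check("PLACEHOLDER-001", "allow", snap, t0, t0 + timedelta(hours=1))
    chain.record_check("PLACEHOLDER-001", "allow", snap, t0, t0 + timedelta(hours=13))
    intact = chain.verify()
    chain.records[0]["decision"] = "deny"  # simulated tampering
    return chain.records[1]["snapshot_stale"], intact, chain.verify()
```

A chain like this only detects edits; the latest hash still has to be stored somewhere the log's operator cannot rewrite for the trail to hold up in a dispute.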
The challenge of course is that there are 31 NCAs, which all publish in a variety of languages and formats and update at different times.
Furthermore, not all NCAs advise where TPPs regulated by them have been passported to. There is therefore no simple EU or State database solution provided to the market today. The PSD2 RTS has left that for third parties to provide.