eIDAS does not work, especially for the UK, and it’s time to recognise it. Or: is eIDAS the worst i
We have discussed how there are three layers to open banking / open everything:
The compliance layer;
The walled garden / gated community whereby ASPSPs share data, but via private APIs and processes; and
The ecosystem, whereby ASPSPs take on the role of TPPs, and all parties need to agree via lite schemes how to operate in order to achieve the benefits for the consumer.
This analysis was derived to explain the apparent paradox that banks that aren’t immediately compelled, like the CMA9 banks, to adopt the compliant solutions are actually shying away from them. The key reasons being that the compliant solution is defined such that the banks cannot commercialise it, and it is being increasingly complexly regulated in a way that seems to make it increasingly possible to understand let alone implement.
“There are no scarier nine words in the English language than, ‘I’m from the government and I’m here to help'"
The cherry on the cake of this is the apparent insistence of the authorities that eIDAS certificates are all that a TPP under PSD2 needs to identify itself to an ASPSP is an eIDAS.
But such certificates do not work and are not fit for purpose.
Regulatory perimeter: The whole basis of eIDAS certificates-based approach is a brittle structure which only works if the only parties that are able to access accounts etc are entities licensed and regulated by being financial regulators. Once this assumption splinters, so does the whole solution.
Even for PSD2 this assumption doesn’t work. As has been pointed out since the legislation has been mooted, there are unregulated parties that everyone accepts should have access to payments accounts:
Government entities, such NSI in the UK;
‘Fourth parties’, such as Yodlee that wish to access accounts and then provide services to customer facing TPPs. Except the letter of PSD2 says these fourth parties don’t provide a payments service to a payments services user and so cannot be licensed;
Incidental PSPs: Many retailers want to realise the stated purpose of PSD2, i.e. to reduce the cost of payments processing by eliminating the need for the card-related merchant service charge. But the Kafkesque logic of the eIDAS model means that, because they are only processing incidentally as a PSP, rather than by way of business, they cannot be licensed, and therefore cannot get eIDAS certificates!
Further, once you starting thinking about ‘open everything’ (a name used by Fingleton’s Associates, an approach aligned with the Australian one that is driven by the fact that information sharing is gaining more rapid traction than payments initiation, the absurdity of eIDAS becomes more clearly visible. Again, this has been visible for some time. The Information Commissioner’s Office (ICO) has from the first indicated that it would be logical for data sharing under GDPR to be done using the same processes as UK open banking.
This is an issue, both because there is no clear ‘bright line’ between PSD2 access to account and GDPR data sharing. For example, arguably some data AISPs are wanting to access go beyond the coverage of PSD2: e.g:
Sharing data on non-payment accounts, like savings, mortgage, investment etc accounts; and
Sharing data which is not transaction data, like identity data, basket data from card-accounts etc.
Moreover, it is eminently logical for GDPR data sharing to move from screen scraping to an API based model like open banking, in order to provide better security and GDPR compliance.
But those parties that are undertaking GDPR based data sharing are not able to get PSD2 licensing and therefore eIDAS certificates. In theory, even activity undertaken by regulated parties outside of the PSD2 regulatory perimeter should not use its processes since it is not covered by PSD2’s protections.
But let’s just assume the regulatory perimeter could be made to work, eIDAS certificates would work then wouldn’t they?
Well, actually unfortunately they fail there also for a number of reasons.
eIDAS certificates do nothing to evidence the continuing regulatory status of the party (which may get revoked).
Moreover, they don’t give any details of the passporting status of the party (which also may get revoked or amended). Which, since their use for passporting was a major point for their use, does seem something of an omission.
There are no clear consistent liability rules for parties relying on the certificates. So the incentive for the paying party is to buy the cheapest certificates they can get.
Given all of these defects one might argue that a teleological analysis of European law could be used to infer that parties would be able to infer a solution that would actually work. That is, the basis for arguing the supremacy of European law that was never mentioned in the treaties. So, a pretty powerful principle. This was essentially the logic of the initial OBIE solution that additional certificates were needed over and above eIDAS certificates to make the project work. In the same way that you might use your passport to identify yourself to enter a building in another country, but they would then issue a fit for purpose pass-card to access the parts of the building you then needed to access.
Impact of Brexit on the UK
All of these issues become even more pronounced when the position of the UK after Brexit is considered.
It has been ruled that the UK cannot have a UK resident QTSP (Qualified Trust Service Provider). Rather than trying to establish something within the UK that that the EC will accept as equivalent, because we know this will never happen, the UK should establish its own functional processes and accept appropriately validated parties from overseas, not just from within Europe. So, for Europe, that can be for regulated entities, it can be eIDAS certificates as proof of identity. But these would need to be verified back to the regulatory register. Moreover this would work internationally for services provided from outside Europe that want to operate in the UK, like the Americas.
So what is the solution?
There are a number of potential solutions:
Do nothing. Because the situation is so unclear, what with the SCA RTS being an increasingly complex and unclear, especially in the UK with Brexit. While superficially attractive this is short-sighted, both in appearing to do nothing in response to the regulatory and commercial pressures. And in substance allowing others to gain the initiative.
Adopt eIDAS certificates as the one and only means of identification of the partiesin the ecosystem. As indicated above this doesn’t work even for regulatory compliance, and certainly not for any commercial solution.
Use the OBIE Directory. This in planning to have the capabilities for the ASPSPs to support eIDAS Certificates plus additional capabilities such as branding and QTSP checking. This solution also commits ASPSPs to adopt eIDAS, which as discussed has a significant risk of being completely irrelevant post Brexit in the UK. Moreover, it does not account for unregulated parties and is complained of as being difficult for parties to integrate to.
Create a single Directory solution that is fit for purpose, i.e. it on-boards and continually validates all participants back to source, including un-regulated parties. This is theoretically appealing, like the desire for a single API standard: and just as unrealistic in the planning horizon we are operating in today. It perpetually gets redefined by an ever-wider group of partners but without the market reality check required to avoid over-specification.
Multiple Directories. Coming back to the three-layer model, participants need a Directory that works for all three layers, especially the commercial layers two and three. That is, for participants in the ecosystem to confirm that the parties are actually who they say they are and that they are, and remain, appropriate parties to participate in the ecosystem. For example, if a party, even if regulated exhibited bad behaviours, or was connected to sanctioned individuals, the Directory should be able to suspend the party’s participation. And for unregulated parties there needs to be appropriate due diligence.
The compliance layer can be dealt with by permitting the use of eIDAS certificates to enter the ecosystem. In practice, the ‘one-size fits all’ Directories are dominated by the regulatory agenda and so are unfunctional for the reasons indicated above. So, while to the theoretical mindset multiple Directors may seem messy that is the way the market develops. And then the Directories will merge or become interoperable as time goes on. That’s how competition and innovation in a free market economy works. Perhaps the UK should use the Brexit break as an opportunity to acknowledge this reality in this key area.
If want to discuss the ideas in this paper and/or sign up for other thought pieces, please
e-mail firstname.lastname@example.org or email@example.com call +44(0)7986 680 283, or contact us via our website at www.triari.co.uk.