[Openid-specs-fapi] How are TTPs vetted under PSD2?

Ralph Bragg ralph.bragg at raidiam.com
Tue Jul 7 06:50:05 UTC 2020


Hi,

https://www.law.ox.ac.uk/business-law-blog/blog/2019/10/welcome-vilnius-regulatory-competition-eu-market-e-money - Lithuania does come up a lot when discussing the regulations. For information, this isn’t just an issue when it comes to the NCA. Qualified Trust Service Providers (QTSPs) are responsible for the issuance of the certificates that contain the regulatory roles that TPPs must use when communicating with Banks. Again, this is an area of arbitrage, where some QTSPs are known for being faster, cheaper and ‘easier’ for TPPs to obtain their Certificates from. Given that QTSP-issued certificates can also be used across regulatory boundaries, questions have to be asked as to why there is the variance in process, speed and cost for obtaining these certs, with some QTSPs requiring TPPs to utilise Hardware Devices to obtain keys and others not.

Post-Brexit, the UK will be able to make its own rules, and for a new market looking to develop and implement a national programme, consideration of the technical requirements to ensure the safe storage of Data by TPPs and ASPSPs should be included.

Hope this was useful.

RB

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Reply to: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Date: Tuesday, 7 July 2020 at 07:37
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Cc: Ralph Bragg <ralph.bragg at raidiam.com>, Nat Sakimura <nat at digitalideas.tokyo>
Subject: Re: [Openid-specs-fapi] How are TTPs vetted under PSD2?

Hi Nat,

It’s one of the areas that is unfortunately not universally defined across Europe. Ultimately each National Competent Authority is responsible for accreditation of the regulatory permissions to be a TPP. The ‘technical’ requirements vary by NCA, which means that you do get some regulatory arbitrage taking place across Europe, with some NCAs applying stricter rules than others. The financial burden to become a regulated AISP/PISP can be quite high; there is a particularly (reasonably) high capital requirement to become a PISP.

Ultimately all organisations and their officers can in some cases be held personally to account, especially for negligent handling of personal data. All corporations are subject to the Europe-wide GDPR; however, again depending on how and where a breach happens, where it is reported, and which ICO / Data Protection Department for a country is given jurisdiction to investigate, the impact, fines and censure can vary.

We did ask at the OBIE what, if any, technical requirements the FCA/NCA or the ICO would like TPPs to obtain in order to become accredited participants, but unfortunately nothing was ultimately adopted. Ideally I’d have liked TPPs to have completed UK Cyber Essentials Plus as a minimum and to have had their software certified as FAPI Relying Party compliant; however, there was no appetite to implement these requirements and, as mentioned, there is a potential competitive hazard that will encourage TPPs to register with whatever country has the lowest or cheapest route to accreditation.

The OBIE for PSD2 participants cannot apply any more rules or checks than those applied by the issuing NCA. For other authorisations, such as Confirmation of Payee or the other Pay.UK overlay services, the ‘NCA’ responsible, in this case Pay.UK, could enforce additional checks or place additional requirements on TPPs before those regulatory roles were granted.

RB

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Nat Sakimura via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Reply to: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Date: Tuesday, 7 July 2020 at 06:45
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Cc: Nat Sakimura <nat at digitalideas.tokyo>
Subject: [Openid-specs-fapi] How are TTPs vetted under PSD2?

Hi

It is not really a technical spec issue, but just out of curiosity: how is the appropriateness of data handling etc. of the TPPs (i.e., Fintechs) verified under PSD2? Are there some kind of rules? Who is verifying that the TPP is trustworthy?

Best,

Nat Sakimura