<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><a href="https://www.law.ox.ac.uk/business-law-blog/blog/2019/10/welcome-vilnius-regulatory-competition-eu-market-e-money">https://www.law.ox.ac.uk/business-law-blog/blog/2019/10/welcome-vilnius-regulatory-competition-eu-market-e-money</a>
- Lithuania does come up a lot when discussing the regulations. For information, this isn’t just an issue when it comes to the NCA. Qualified Trust Service Providers, QTSP, are responsible for the issuance of the certificates that contain the regulatory roles
that TPPs must use when communicating with Banks. Again, this is an area of arbitrage, where some QTSPs are known for being faster, cheaper and ‘easier’ for TPPs to obtain their Certificates from. Given that QTSP issued certificates can also be used across
regulatory boundaries, questions have to be asked as too why there is the variance in process, speed and cost for obtaining these certs with some QTSP’s requiring TPP’s to utilise Hardware Devices to obtain keys and others not.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Post, Brexit the UK will be able to make its own rules and for a new market looking to develop and implement a national programme, consideration of the technical requirements to ensure the safe storage of Data by TPPs and ASPSPs should
be included.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hope this was useful.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">RB<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi@lists.openid.net><br>
<b>Reply to: </b>Financial API Working Group List <openid-specs-fapi@lists.openid.net><br>
<b>Date: </b>Tuesday, 7 July 2020 at 07:37<br>
<b>To: </b>Financial API Working Group List <openid-specs-fapi@lists.openid.net><br>
<b>Cc: </b>Ralph Bragg <ralph.bragg@raidiam.com>, Nat Sakimura <nat@digitalideas.tokyo><br>
<b>Subject: </b>Re: [Openid-specs-fapi] How are TTPs vetted under PSD2?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Nat,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">It’s one of the areas that is unfortunately not universally defined across Europe. Ultimately each National Competent Authority is responsible for accreditation of the regulatory permissions to be
a TPP. The ‘technical’ requirements vary by NCA which means that you do get some regulatory arbitrage taking place across Europe with some NCA’s applying stricter rules than others. The financial burden to become a regulated AISP/PISP can be quite high, there
is a particularly reasonable high capital requirement to become a PISP.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Ultimately all organisations and their officers can in some cases be held personally to account especially for negligent handling of personal data. All corporations are subject to the European Wide
GDPR however again depending on how and where a breach happens, where it is reported and the ICO / Data Protection Department for a country is given jurisdiction to investigate then again the impact, fines, censure can vary.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">We did ask at the OBIE what if any technical requirements the FCA/NCA or the ICO would like TPP’s to obtain in order to become accredited participants but unfortunately nothing was ultimately adopted.
Ideally I’d have liked TPP’s to have complete UK Cyber Essentials Plus as a minimum and have had their software certified as FAPI Relying Party compliant however there was no appetite to implement these requirements and as mentioned there is a potential competitive
hazard that will encourage TPP’s to register with whatever country has the lowest or cheapest route to accreditation.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">The OBIE for PSD2 participants can not apply any more rules or checks than those applied by the issuing NCA. For other authorization such as Confirmation of Payee or the other Pay.UK overlay services
the ‘NCA’ responsible, in this case Pay.UK, could enforce additional checks or place additional requirements on TPPs before those regulatory roles were granted.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">RB</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net><br>
<b>Reply to: </b>Financial API Working Group List <openid-specs-fapi@lists.openid.net><br>
<b>Date: </b>Tuesday, 7 July 2020 at 06:45<br>
<b>To: </b>Financial API Working Group List <openid-specs-fapi@lists.openid.net><br>
<b>Cc: </b>Nat Sakimura <nat@digitalideas.tokyo><br>
<b>Subject: </b>[Openid-specs-fapi] How are TTPs vetted under PSD2?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Hi<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">It is not really a technical spec issue but just out of curiosity: How are the appropriateness of data handling etc. of the TTPs (i.e., Fintechs) get verified under PSD2? Is there some kind of rules? Who is verifying that the TPP is trustworthy? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Best, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>