Buypass will continue to issue PSD2 certificates to the UK
An updated version of the ETSI standard now provides Buypass with the regulatory authority we need to continue issuing our PSD2 certificates to the UK. These certificates satisfy the requirements set by both the UK RTS and the regulations that we are subject to as a QTSP under eIDAS.
There has been some uncertainty surrounding the regulations on PSD2 certificates in the UK after Brexit. The UK left the EU on 31 December 2020 and are therefore no longer subject to the same EU/EEA regulations that they were before.
In the EU/EEA, payment services are regulated through the Payment Service Directive 2 (PSD2) and associated Regulatory Technical Standards (RTS), which set strict requirements for customer authentication and secure communication. In accordance with the PSD2, payment service providers are required to use eIDAS certificates when identifying themselves to banks via their APIs.
The regulatory body for the UK financial sector (the Financial Conduct Authority – FCA) has used the EU RTS as a basis for an equivalent set of regulations (UK RTS) for Open Banking in the UK after Brexit. These regulations also rely on using eIDAS certificates in the same way as the EU RTS.
However, following the European Banking Authority’s (EBA) recommendations in autumn 2020 that all eIDAS certificates issued to British payment service providers should be revoked at the turn of the year due to Brexit, the FCA chose to expand the UK RTS with an alternative form of identification to the eIDAS certificates.
Many certificate issuers (referred to by eIDAS as QTSPs), including Buypass, chose to not revoke the eIDAS certificates at the turn of the year, as it became apparent that there was nothing in the regulations that we are subject to as a QTSP that required the certificates to be revoked. Nonetheless, we chose not to issue new certificates to the UK in anticipation of an update of one of the important standards for PSD2 compliant certificates.
In the middle of April, an updated version of the ETSI standard that regulates these certificates, ETSI TS 119 495, was reissued, and now allows for the same type of certificates for Open Banking forms to be used outside the EU/EEA, such as in the UK. This provides us with the regulatory authority we need to continue issuing our PSD2 certificates to the UK.
From May 2021, Bypass continues to offer PSD2 certificates to payment service providers in the UK. These certificates satisfy the requirements set by both the UK RTS and the regulations that we are subject to as a QTSP under eIDAS.