Navigating the world of open banking – identifying which third-party providers (TPPs) are authorised for which services – is complicated enough. For each transaction, a bank must determine the current regulatory status of the TPP and the countries in which it is authorised to operate. This involves connecting to the European Banking Authority (EBA) registers, over 70 Qualified Trust Service Providers (QTSPs) who issue the digital credentials (eIDAS certificates), and hundreds of National Competent Authority (NCA) registers. Under the rules of the Payment Services Directive (PSD2), a TPP must be given instant access unless the request is believed to be fraudulent or unauthorised.

The looming risk of giving unauthorised access to a customer’s data or funds is further compounded by Article 19 of PSD2, which enables the use of agents and outsourcing. Agents are unregulated organisations that rely on the PSD2 licence of a regulated TPP. They add a further layer of ambiguity when a bank tries to identify who is actually behind a transaction.


What is an Agent
Open banking is a three-party model, connecting banks to TPPs who in turn offer services to consumers. However, in practice this often becomes a four, five, or six party model. Agents are non-regulated middlemen who sit between the consumer and the TPP. They offer services to consumers, then use the licences from regulated TPPs to access consumer bank data.

There are certain requirements laid out in PSD2 around agents and outsourcing:

  • The TPP must provide information about the agent(s) it is contracting with to its National Competent Authority (NCA). After which, the agent must be registered with the NCA.
  • The TPP is responsible for all acts and services provided by the agent. As outsourcing increases, the TPP must increase its professional indemnity insurance.
  • The TPP must still receive consent from the consumer to access the account. 
  • The agent must make it clear to the consumer that they are contracting a TPP. They cannot suggest that they are a TPP in their own right.
  • TPPs should use multiple certificates simultaneously: one per agent.

Although the TPP is responsible for ensuring the validity and behaviour of the agent, liability for misuse of a customer’s data ultimately lies with the bank.


Identifying the Agent
In practice, the agent often does not make clear that it is using a TPP, or if it does, the disclosure is buried in small print. If a customer believes they are dealing with organisation X, but their bank statement shows that the bank handed out data to organisation Y, trust is eroded and disputes follow. A consumer will often not remember the brand of the third party, will not have read the terms and conditions, and may well challenge the transaction.

Furthermore, if the TPP has had its authorisation withdrawn, the agent could still attempt to use its certificate. From an identification perspective alone the agent’s certificate would still look valid: it chains to a trusted QTSP and is within its validity period, and nothing in the certificate itself records the change in regulatory status. For this reason, it is important for banks to understand a TPP’s legitimacy, its current regulatory status and whether it is authorised to perform the task being requested in the relevant jurisdiction. Tools like Konsentus Verify are essential for this traceability, as they check both the identity of the TPP and its regulatory status in real time.
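As an added illustration, not code from this article or from Konsentus, the Python below does what the paragraph above asks of a bank. It reads the PSD2 QCStatement (ETSI TS 119 495, OID 0.4.0.19495.2) that an eIDAS certificate carries, extracts the PSP authorisation number from the subject organizationIdentifier (the "PSDGB-FCA-123456" form), and then refuses the request unless an NCA register snapshot also shows the TPP currently authorised for the requested role in the relevant country. The certificate fields, the register snapshot and every helper and function name are constructed for this example; the small DER encoder exists only to build the sample statement, and the "revoked" flag stands in for a real chain and CRL/OCSP check. Only the standard library is used.

```python
"""Gate a PSD2 request on the NCA register, not on certificate validity alone.
Added example for this article, not Konsentus code; standard library only.  Certificate
fields, register snapshot and helper names are constructed; OIDs and formats follow ETSI TS 119 495."""
import re
from datetime import date

OID_PSD2 = "0.4.0.19495.2"                 # id-etsi-psd2-qcStatement
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS",  # account servicing
             "0.4.0.19495.1.2": "PSP_PI",  # payment initiation
             "0.4.0.19495.1.3": "PSP_AI",  # account information
             "0.4.0.19495.1.4": "PSP_IC"}  # card-based payment instrument issuing
# Subject organizationIdentifier (2.5.4.97): "PSD" + country + "-" + NCA id + "-" + PSP id
ORG_ID_RE = re.compile(r"^PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z0-9]{2,8})-(?P<psp>\S+)$")

def _tlv(tag, body):                       # DER TLV; short-form length suffices for the sample
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def _oid(dotted):
    first, second, *rest = (int(p) for p in dotted.split("."))
    out = bytearray([40 * first + second])
    for p in rest:                         # base 128, continuation bit on all but the last byte
        chunk = bytearray([p & 0x7F])
        while p >> 7:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))
def _utf8(s):
    return _tlv(0x0C, s.encode())
def encode_psd2_qcstatements(role_oids, nca_name, nca_id):
    """qcStatements value holding one PSD2QcType; used only to build the sample certificate."""
    roles = b"".join(_tlv(0x30, _oid(o) + _utf8(ROLE_OIDS[o])) for o in role_oids)
    psd2 = _tlv(0x30, _tlv(0x30, roles) + _utf8(nca_name) + _utf8(nca_id))
    return _tlv(0x30, _tlv(0x30, _oid(OID_PSD2) + psd2))
def _children(body):
    """Split a DER constructed body into (tag, value) pairs; handles long-form lengths."""
    pos, out = 0, []
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out
def _decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, value = parts + [value], 0
    return ".".join(map(str, parts))
def parse_psd2_qcstatements(der):
    """Return (roles, nca_name, nca_id) from a qcStatements extension value, or None."""
    for _, statement in _children(_children(der)[0][1]):
        fields = _children(statement)
        if len(fields) == 2 and _decode_oid(fields[0][1]) == OID_PSD2:
            (_, roles_seq), (_, name), (_, nca_id) = _children(fields[1][1])
            roles = [ROLE_OIDS.get(_decode_oid(r[0][1]), r[1][1].decode())
                     for r in (_children(role) for _, role in _children(roles_seq))]
            return roles, name.decode(), nca_id.decode()
    return None

def authorise_access(cert, register, role, account_country, today=date(2025, 6, 1)):
    """Allow only if the certificate identifies the TPP and the register currently authorises it."""
    reasons = []
    if not cert["not_before"] <= today <= cert["not_after"] or cert["revoked"]:
        reasons.append("certificate expired or revoked")   # in production: chain + CRL/OCSP
    m = ORG_ID_RE.match(cert["organization_identifier"])
    parsed = parse_psd2_qcstatements(cert["qc_statements"])
    if m is None or parsed is None:
        return False, reasons + ["not a PSD2 eIDAS certificate"]
    ident, (roles, _, nca_id) = m.groupdict(), parsed
    if nca_id != f"{ident['country']}-{ident['nca']}":
        reasons.append("NCAId in QCStatement disagrees with organizationIdentifier")
    if role not in roles:
        reasons.append(f"certificate does not carry {role}")
    # Everything above is identity; none of it proves *current* authorisation.
    entry = register.get((ident["country"], ident["nca"], ident["psp"]))
    if entry is None:
        reasons.append("TPP not in NCA register")
    elif entry["status"] != "authorised":
        reasons.append(f"register status is {entry['status']}")
    elif role not in entry["services"]:
        reasons.append(f"register does not authorise {role}")
    elif account_country != ident["country"] and account_country not in entry["passported_to"]:
        reasons.append(f"not passported to {account_country}")
    return not reasons, reasons                            # (ok, reasons)

def sample_certificate():                  # constructed eIDAS-style fields, fictitious UK AISP/PISP
    return {"organization_identifier": "PSDGB-FCA-123456", "revoked": False,
            "not_before": date(2024, 1, 1), "not_after": date(2026, 12, 31),
            "qc_statements": encode_psd2_qcstatements(["0.4.0.19495.1.2", "0.4.0.19495.1.3"],
                                                      "Financial Conduct Authority", "GB-FCA")}
def sample_register(status):               # constructed NCA register snapshot: (country, NCA, PSP id)
    return {("GB", "FCA", "123456"): {"status": status, "services": {"PSP_AI", "PSP_PI"},
                                     "passported_to": {"IE", "FR"}}}
```

Calling authorise_access(sample_certificate(), sample_register("withdrawn"), "PSP_AI", "FR") returns (False, ['register status is withdrawn']) even though the certificate passes every identity check, which is exactly the gap described above; with status "authorised" the same call returns (True, []). In production the validity and revocation checks belong to a proper X.509 library verifying the QTSP chain, and the register lookup would be live rather than a snapshot. What does not change is that the second step cannot be replaced by the first.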


Multiple Certificates
In Article 20 of the Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA & CSC, the EBA clarifies that the NCA should encourage the third party to use more than one certificate when contracting an agent:

“This should ensure business continuity and better risk management of these PSPs because the legitimacy of one certificate would not be affected by the revocation of any other. PSPs remain fully responsible and liable for the acts of their agents and outsource providers as well as for the revocation and updating of the eIDAS certificates used by them.”

However, third parties often neglect to keep eIDAS certificates up to date, both their own and those of their agents. This means that the bank must be extra cautious when sharing data, always consulting the relevant NCA for up-to-date information.

The bank is caught between complexity and invisibility. The TPP is under no obligation to present a separate certificate for the agent, so a single transaction may involve several certificates, one per agent, creating confusion, or no certificate for the agent at all.


National Discrepancies
If this wasn’t complicated enough, there are regional differences depending on where the agent is operating. The NCA in France (ACPR) published a document, De nouveaux acteurs régulés dans les paiements, outlining different outsourcing models which are acceptable, and requiring the agent to be regulated under law. There are similar requirements in the UK and other European markets.


Protecting the Future
The phenomenon of outsourcing raises the question: how do you identify entities which are unregulated? This question will become more pressing as open finance is implemented and more independent companies enter the ecosystem.

With such complexity and divergence, Konsentus Verify can cut through the noise and pinpoint the nature of every transaction. Konsentus ascertains whether a TPP is authorised in real time, thus preventing a TPP or agent from transacting on an eIDAS certificate whose underlying authorisation has lapsed or been withdrawn. This is a crucial method of mitigating risk, avoiding fraud, and protecting customers’ data.

[The author of this article, Mike Woods, is CEO and Co-founder at Konsentus]