Digital identity is a challenging and often controversial topic. But it is also an issue that should be of concern to every player in the Open Banking and Finance space. 

PSD2 states that every organisation operating in the Open Banking ecosystem in Europe must have certificates issued by a qualified trust service provider (QTSP). AISPs and PISPs first go to a National Competent Authority and then on to a QTSP, where they undergo a process of identification and the checking of credentials.

Once these checks are completed, organisations are issued with digital credentials that AISPs and PISPs then use to identify themselves to a bank when accessing an account or executing a payment transaction on Open Banking rails. Certificates are cryptographic documents, allowing banks to go to the issuer of the certificate, check its validity and ensure third parties are who they say they are. 

 
Identity Issues

However, there are a number of issues around the use of these certificates, which are issued under the electronic identification and trust services (eIDAS) regulation. Firstly, they are only issued for a short period of time, which requires organisations to update them regularly. 

The information contained in certificates is also not as comprehensive as one would expect. For example, a certificate is simply a reflection of the regulatory status of an organisation at the time when the credential was issued. Authorisation status can change overnight, and because an eIDAS certificate is a snapshot in time, it can quickly become inaccurate. National competent authorities also structure and present their authorisation data differently across the EEA, driving yet more complexity into the ecosystem.

Certificates may not accurately confirm if a third party is regulated to operate in its home jurisdiction, meaning that banks need to reference additional information. Furthermore, certificates hold no information on passporting, in which an entity that is regulated by a national competent authority can apply to operate in other legal jurisdictions across the EEA (European Economic Area). 

The situation as it stands raises genuinely frightening possibilities. Banks often believe that checking identity means they are not liable for fraudulent transactions and/or unauthorised access to data. That is factually incorrect, according to regulations and the law, which make it clear that ASPSPs do have liability. We always have to remember that identity authentication is different from authorisation; this is where European regulation is very blurred.


Identifying The Problem

The complexity of the situation around digital identity should now be starting to become clear. So what went wrong? At the beginning of the Open Banking journey in Europe, there were very few transactions taking place. Access to Account (XS2A) mechanisms were built in order to ensure compliance with regulators, rather than to enable smooth, safe transactions. Now Open Banking players are facing difficulties due to a rise in transaction volume. 

If the challenge of digital identity had been properly addressed at the start, Open Banking would have rolled out in a much more seamless way. The EU should have built robust standards to enable interoperability on a regional and national scale, as well as a general register. This would have been a better solution than relying on the different register formats used by national competent authorities. 


Beyond eIDAS

The EU has issued a new identity framework paper, which will supersede eIDAS, after admitting that eIDAS has faults. This is to be welcomed. It appears to suggest the EU recognises that differences in the interpretation of regulations have led to disparity in implementation. But issues will still remain around digital identity.

Today, the EU has the opportunity to build robust standards. We must also address the challenge on a global scale, because identity schemes are highly fragmented. Open Banking started as a European initiative and has gone global. As we see more and more countries leverage the benefits of Open Banking and Finance, standards are required for digital identity to allow interoperability across multiple jurisdictions. There is a very good argument for the development of an international identity-based standard that can support global adoption.

In the meantime, outsourcing the risk around digital identity is the best way to gain the trust needed to succeed in the Open Banking ecosystem. Specialised players like Konsentus enable Open Banking and Finance entities to check both the identity and authorisation status of TPPs in real time. When the problem of digital identity is solved, Open Banking and Open Finance adoption can accelerate around the world.

[The author of this article, Brendan Jones, is CCO at Konsentus]

Helen Child, Founder & CEO, Open Banking Excellence

To learn more about Digital Identity in the world of Open Banking, you can watch our 17th March 2022 Campfire.