Global menu

Our global pages

Close

Wrapping up for the year - 12 days of payments

Wrapping up for the year - 12 days of payments
  • United Kingdom
  • Payment systems and digital commerce
  • Financial institutions

12-12-2019

Our Payments team are celebrating the festive season by bringing you 12 days of payments with key developments on the agenda for the payments industry in the New Year.

Day 1 - S.C.A. No, not the Santa Claus Association but Strong Customer Authentication (SCA)!

Day 2 - What’s the best way to spread Christmas cheer? A shake up of FCA regulation over the coming year!

Day 3 - What do we bring to you on our 3rd day? Three French hens crossing the payments border!

Day 4 - The calling birds are making a lot of noise for the latest Christmas release “taking payments with WeChat”

Day 5 - The Contingent Reimbursement Model and confirmation of payee set to ‘sleigh’ authorised push payment fraud but who’s paying?

Day 6 - The Sixth Money Laundering Directive (6MLD) is on the agenda for our 6th day

Day 7 - Ideas to achieve the European 2020 retail payments strategy are ‘swanning’ around on our 7th day!

Day 8 - The PSR continues ‘milking it’ as the Card-Acquiring Review is pushed back into Q1 2020

Day 9 - It's our 9th day but you won't see the New Payments Architecture (NPA) dancing around

Day 10 - A-Leaping into hot water?

Day 11 - 11 Pipers piping for FCA Cryptoasset Supervision!

Day 12 - What better way to end our payments advent than visiting the three ghosts of Open Banking!

Day 13 -  Bonus Article - Unwrapping eIDAS


1. S.C.A. No, not the Santa Claus Association but Strong Customer Authentication (SCA)!

2020 will be a year when the payments industry across the EEA will attempt to finally develop and deliver additional customer identification requirements for numerous types of payments. Whereas regulators should have enforced SCA by 14 September 2019, the industry wasn’t ready (particularly in the e-commerce space) and so regulators have delayed SCA and opted to impose a gradual rollout of the regime. In the UK, the Financial Conduct Authority (FCA) has opted for a six month delay for online banking payments and an 18 month delay for e-commerce payments. The 18 months period in the UK is despite the European Banking Authority (EBA) wanting a 15 month period across all EEA countries.

What this means for you in the New Year

A balance needs to be found between improving security and delivering a reasonable customer payments journey.

More prescriptive EBA requirements in July 2019 sent many payment service providers (PSPs) back to the drawing board. They must now work on delivering alternative ecommerce and online banking SCA factors now that card details cannot be used as a possession factor and one time passcodes cannot be used as a knowledge factor. This will change the ecommerce journey which had been expected to apply from September.

As merchants were not regulated by the new regime, the impact of e-commerce payments was not communicated and/or sufficiently understood leaving merchants unprepared for the original September deadline. Merchants are now seeking advice and working to ensure that they have implemented technical solutions (such as updated versions of 3DS) to lessen the chances of payments being rejected (in particular in relation to when payments are recorded/classified in certain ways (e.g. mail order and telephone orders (MOTO) or merchant initiation transactions (MITs)) and when SCA needs to be done/repeated for payments in a series or when amounts may change after an initial identification of the customer.


2. What’s the best way to spread Christmas cheer? A shake up of FCA regulation over the coming year!

Over the coming year, we may see an overhaul in the way that the Financial Conduct Authority (FCA) regulates firms, including payment service providers (PSPs). In October this year, Christopher Woolard (the Executive Director of Strategy and Competition at the FCA) delivered a speech about the future of FCA regulation, citing innovation and changes in consumer need as some of the reasons that the FCA's approach to regulation needs to change. Woolard questioned whether the current model of regulation is the right one and opened up the door to a public conversation to decide what changes are needed. Woolard was clear that a key focus for the future will be a change from the FCA considering compliance with rules to considering whether outcomes have been achieved. A practical example of what we may see is a change to the Handbook from a requirement to be ‘fair, clear and not misleading’ to an outcomes based approach where firms need to ensure that customers understand their options.

What this means for you in the New Year

Firstly, there will be an opportunity to join the conversation regarding FCA regulation over the coming months when the FCA issues an invitation for thoughts and ideas. It is important not to be a “cotton-headed ninny muggins” and instead engage in the conversation and take the opportunity to shape the future of regulation so that the new approach and the new rules are suitable for PSPs.

Once that work has been done, we may see greater clarity in the Handbook and other rules coming out of the FCA. We are also likely to see the FCA working more closely with other regulators, which would be greatly welcomed after seeing the challenges with conflicting regimes during the implementation of the revised payment services directive (PSD2) (e.g. the conflict between certain aspects of GDPR and PSD2). “There’s room for everyone on the nice list” if they consider outcomes properly, but an outcomes based approach is likely to be challenging for PSPs. Taking the potential change to the Handbook above, where do you set the bar and how can a PSP ensure that customers truly understand something? These will be important considerations when the new regime is under discussion.


3. What do we bring to you on our 3rd day? Three French hens crossing the payments border!

The 15th December marks the date when payment service providers (PSPs) must ensure charges for cross-border payments within the EEA are equivalent to charges for domestic payments in sterling. To keep off “Santa’s naughty list”, PSPs should have already benchmarked charges against equivalent payments and notified customers in advance of any changes to the greatest extent possible, but it’s not over there. 2020 and 2021 will also see new rules come into force in relation to the transparency of currency conversion charges for both PSPs and parties offering currency conversion services at ATMs and/or at the point of sale.

What this means for you in the New Year

In the context of card-based payments, the New Year will see the industry grapple with how to display the total currency conversion charges as a percentage mark-up over the European Central Bank rate. This presents a challenge for firms initiating payments using the fluctuating card scheme rates as they cannot guarantee fixed rates throughout the day. We know an estimated mark-up is not sufficient and so achieving practical compliance by including an actual mark-up in the terms or tariff remains an outstanding item on the agenda for most institutions in 2020.

PSPs will also be considering how to display the estimated currency conversion charges for credit transfers (examples include displaying percentage mark-ups or flat fees) and whether the estimated charges should be included in the live payment journey, in addition to the terms or tariff. There is also the question of how issuers will provide details of the charges via an electronic message by 2021. This is in addition to the application of the corporate opt-out to the information requirements for displaying charges in a uniformed way which has derived from the revised payment services directive

Finally, the issue of Brexit and where this will leave the newly amended regulation in the UK remains unclear. Initial feedback from the government suggested that the regulation would be inoperable in the UK post-Brexit but we understand the view of the regulator is changing and the cross border payment regulation may be here to stay.

Watch this space!


4. The calling birds are making a lot of noise for the latest Christmas release “taking payments with WeChat”

Messaging apps are ubiquitous, with WhatsApp being used by most people in the UK, it is perhaps unsurprising that Facebook intends to leverage its ownership of WhatsApp to introduce the ability to make payments through the app. Such solutions have already been taken to market by other institutions. These allow you to request or push a payment to someone that also has an account with that provider via their phone number. WhatsApp does not operate its own accounts so it is possible that such a restriction will not exist on WhatsApp allowing it to be account provider agnostic.

These innovations are very much playing catch-up to the Chinese market, and in particular WeChat, which has allowed users for quite some time to send money to their contacts, make payments and much more in app. It is additional features such as price comparison and ticket booking that have made WeChat the ‘go to’ app and have allowed it to ‘monopolise’ user transactions. It remains to be seen whether such an app will emerge in other countries.

What does this mean for you in the New Year

The ability to request and make payments through a messaging app is likely to be a popular feature on any messaging app. Whether WhatsApp will integrate the ability to also make payments to merchants remains unclear, as will the authorisation steps that will be taken to do so. Firms may wish to consider whether it is possible to integrate their payments through messaging apps to leverage this convenient feature.


5. The Contingent Reimbursement Model and confirmation of payee set to ‘sleigh’ authorised push payment fraud but who’s paying? 

At least seven direct participants in the Faster Payments Service (FPS) will each be receiving a lump of coal in their payments Christmas stockings following Pay.UK’s decision not to allow a fee to be levied on FPS transactions. This was to be a means of contributing to a central fund to reimburse victims of authorised push payment (APP) fraud.

APP fraud occurs when a customer is duped into authorising a payment to another account which is controlled by a criminal. In the first half of 2019, a total of £208 million was lost to APP fraud, split between personal (£147 million) and business (£61 million) accounts. It’s “snow laughing matter!”

Pay.UK, which manages the UK’s payment schemes including FPS, received a change request from Barclays, HSBC, Lloyds Banking Group, Metro Bank, Nationwide, RBS and Santander to introduce a change to the FPS Participant Rules to allow for the levying of a Contingent Reimbursement Model (CRM) fee. The central fund would be used to reimburse customers who had lost money from ‘no blame’ APP fraud, where a customer has not negligently contributed to the fraud. In responding to the change request a substantially larger number of participants supported a self-funding model instead.

What this means for you in the New Year

The cost of APP fraud is significant and criminals are continually and rigorously testing the security systems of payment service providers (PSPs). PSPs will now need to factor into their own budgets their likely exposure to customer reimbursements whilst at the same time seeking to continuously update their fraud prevention systems. This will necessarily include an analysis of the vulnerability of their customers and their potential susceptibility to APP fraud.


6. The Sixth Money Laundering Directive (6MLD) is on the agenda for our 6th day

All EU Member States must put laws and administrative provisions needed to comply with the Sixth Money Laundering Directive (6MLD) in place by 03 December 2020. Firms must then implement the new regulations by 3 June 2021.

The 6MLD aims to make getting access to financial resources more difficult for criminals and introduces new criminal law provisions to do so. Some of the main changes made are:

(a) The introduction of EU-wide definitions of money laundering-related crimes. There is now a list of 22 wide-reaching predicate offences which must be criminalised by all EU Member States, including new crimes such as environmental offences, cybercrime and tax crime.

(b) There are now EU-wide minimum penalties, such as a minimum imprisonment term of four years for money laundering maximum sentences.

(c) Additional sanctions are introduced. These ban individuals convicted of money laundering from running for public office, holding a public servant position and having access to public funds.

(d) There are also new rules in relation to cash flow. For example, the definition of “cash” now includes gold and anonymous pre-paid electronic cash cards; and authorities can now ask for information in relation to cash movements which are below the €10,000 threshold, as well as temporarily seize cash if criminal activity is suspected.

What does this mean for you in the New Year

For regulated firms, such as banks, it means some key changes must be added to their 2020 New Year’s resolutions in preparation:

1. Staff should be trained and systems monitored to ensure that predicate offences and suspicious activity can be detected. Adequate training and monitoring of systems will lead to a better ability to pick up signs of such activity.

2. The 6MLD extends the scope of criminal liability to include corporates where the money laundering offence is committed by a “bad elf” who holds a leading position or where there is a lack of supervision or control that allows such an individual to commit these offences. Firms must therefore protect themselves by ensuring that proper supervision and controls are in place to decrease this risk. We all want to be on the “good list!”

3. Firms should have plans, processes and systems in place to help them stay on top of the new requirements introduced by the 6MLD. This may prove to be challenging as it comes at a time where many firms are still trying to meet the requirements of the Fourth and Fifth Money Laundering Directives. Brexit cannot be used as an excuse from holding back on planning. These rules have to be complied with by any UK business that wants to operate within the EU regardless. “Snow” get planning!

4. It is important for firms to be flexible and take a broad view in terms of the changes that are being made by the 6MLD. Rules with regards to money laundering are constantly evolving (as seen by the fact that the 6MLD rules were published only 6 months after the Fifth Money Laundering Directive).


7. Ideas to achieve the European 2020 retail payments strategy are ‘swanning’ around on our 7th day!

The European Central Bank’s (ECB) Governing Council has relaunched its retail payments strategy for 2020. The aim of the new strategy is to encourage and support a pan-European market initiative for retail payments to improve the customer journey at the location of the purchase. In particular, the vision of the European Central Bank is based on five key objectives:

• Customers should be able to make payments throughout the European Union as efficiently and safely as in their home country, requiring wide merchant acceptance and efficient governance to drive consumer adoption and trust.

• Customer journeys should be adaptive to meet the needs of consumers and merchants alike. This will require the use of different tools and instruments to ensure easy and secure payment experiences.

• The pan-European payments solution must be secure and provide the highest levels of fraud prevention and offer consumer protection with robust complaints and refunds procedures.

• A common brand and logo should be adopted to foster a strong European identity, encouraging uptake and trust in the new easy and secure solution.

• The solution must be accessible to merchants based outside of the European Union to ensure global acceptance.

What this means for you in the New Year

It is likely that we will begin to see consultations and roadmaps for delivery of the new solution in the New Year (potentially including legislative obligations to ensure payment service providers adopt the new solution within a certain period). However, Blitzen Brexit, Santa’s new reindeer, is wondering how this will impact the UK! Our view is that “yule” be sorry if you don’t get involved! The ECB is encouraging the industry to spread festive cheer and work together to develop a strategic initiative to meet these objectives. Admittedly we may not be in the EU by the time any new solution becomes live but the objective is to create a pan-European payments solution whish is accessible beyond the EU. We, therefore, recommend you believe in your “elf” and begin to collate ideas on how such a solution could work and improve business for you. For more information, please see Benoît Cœuré’s speech here.


8. The PSR continues ‘milking it’ as the Card-Acquiring Review is pushed back into Q1 2020

It’s the eighth day of Christmas. Traditionally, maids would exclusively tend to milking activities. This year, however, the Payment Systems Regulator (PSR) has joined in. A ninth milk-maid if you will. The PSR’s interim report in respect of their card-acquiring review has been pushed back until Q1 2020, almost a year since the review began – absolutely milking it!

In January 2019, the PSR commenced a market review into the supply of card-acquiring services following concerns that the supply of these services may not be working well for merchants.

The PSR confirmed its analysis has been based on the evidence available to it, including any trends and developments arising from PSD2 and any technological changes. The PSR has also taken into account the European Commission’s review of the Interchange Fee Regulation and possible implications of Brexit.

In July 2019, the PSR confirmed that they planned to publish its interim report for consultation in Q1 2020, rather than by the end of 2019 as originally set out in the final Terms of Reference.

What this means for you in the New Year

For all card-acquirers, please see the full updated plan of work below. The first interim report will be published Q1 2020.

Updated plan of work

Phase Activity Timing
Information gathering and analysis Collect evidence and information from market participants Until end October 2019
Conduct merchant survey August and September 2019
Analysis of evidence and information gathered Until end December 2019
Interim report Publish interim report Q1 2020
Final report Conduct hearings Q2 2020
Publish final report Q3 2020

Acquirers should continue to engage with the PSR. Your “presents” is required to assist its understanding of the compliance issues under review before its interim period in early 2020. Its decision to drop any approach to assessing profitability on the basis of Return of Capital Employed was considered an early Christmas present by some and there are still a ‘sack’ full of challenges that remain. It’s “snow” joke!


9. It’s our 9th day but you won’t see the New Payments Architecture (NPA) dancing around

The NPA model aims to combine Bacs, Faster Payments and Cheque and Credit Clearing to become the UK’s shared retail payment infrastructure. Its core clearing and settlement layer is set to be implemented after 2021 to process £6.7 trillion worth of payments every year. In a report: ‘A Payments Strategy for the 21st Century: Putting the needs of users first’ the forum deemed that the UK payment systems are some of the best in the world but they are no longer fit for purpose. Legacy systems are only able to transfer limited data and, as a result, a new Simplified Payments Platform (SPP) is being proposed.

The SPP would standardise, simplify and make the way payments are made more secure. It would also allow changes in the system to be more easily made and for it to be able to respond to emerging threats more readily. The ISO 20022 file format would replace the Bacs Standard 18 format and the ISO 8583 format used by Faster Payments Service.

On 18 October 2018, Pay.UK published a ‘Strategic Partner Procurement Prospectus’ which initiated the beginning of the process to appoint a strategic partner to plan and build the NPA. This partner will be selected in Q2 2020.

The PSR has indicated that it will have to step in if there are potential competition issues such as the winner providing overlay services as well. The PSR is also keen to avoid the winner gaining unfair advantages or monopolising access to the NPA through high fees or other anti-competitive measures.

What this means for you in the New Year

It goes without saying that the NPA is an ambitious project and the proof of its success will be in the (Christmas) pudding. It is still in the early stages, however, one can imagine the complexities in transferring legacy systems to the NPA and the potential for this to be a “turkey” if not correctly managed. Once the NPA is in place, other than to welcome faster payments across the board, the standardisation is likely to help innovation and to encourage systems that can benefit from the new capabilities of NPA, such as more data being transferred.


10. A-Leaping into hot water?

Many organisations at all levels of the payments industry are waking up to the value of the data (whether about Lords or otherwise!) that they hold. But, from a European perspective, it is worth remembering that an individual's transactional data isn't just accounting information - it's personal data about that individual, and its use is governed by data protection laws across Europe, including the General Data Protection Regulation.

This personal data can in some cases be very personal indeed, giving information about travel options, and potentially locations, purchasing habits, and even data which would be special category data under the GDPR, such as trade union membership dues, or health or medical transactions.

In order to use this personal data, any organisation will need to have in place a lawful basis (from one of the specified few in the GDPR) for that processing.

Some have looked to “legitimate interests” as being the shining light for delving further into transactional data for additional purposes; however, this isn’t a simple solution. In order to rely on legitimate interests as a lawful basis, organisations must carry out a “balancing test” or legitimate interests assessment to consider whether its use of the data is appropriate and proportionate to the impact that it will have on the individual whose data it is. In addition, even if it is considered that it is appropriate, you would need to offer an opportunity to object.

However, even if you are satisfied that you can meet that benchmark, the Dutch Data Protection authority recently took an alternative view as to how this could be applied to the specific scenario of a bank using transactional data for direct marketing.

Opining in a letter to the Dutch Banking Association, it considered that that Banks were primarily processing personal data on the basis of the contract they had in place with their customers, and this related only to the specific purposes of processing in order to provide a payment account. Any further processing (such as the use of transactional data for direct marketing) would need to be compatible with those purposes, or alternatively require the consent of the individual. It should be noted that the same authority, in a different context, has also recently opined that “merely serving purely commercial interests”, including following the (buying) behaviour of (potential) customers, would not qualify as a legitimate interest in any event,.

If you are looking at maximising the value of the transaction data flowing through your systems, it will be vital to analyse exactly what the lawful basis under GDPR is for any processing that you might undertake of that transaction data, and what consents or opt-outs you may need to obtain from individuals in order to legitimise it. Don’t leap in without looking first.


11. 11 pipers piping for FCA Cryptoasset Supervision!

Almost there! The EU’s Fifth Money Laundering Directive (5MLD) comes into force on 10 January 2020 and this has really got the eleven pipers piping! In anticipation of the changes this will bring, the Treasury has charged the Financial Conduct Authority (FCA) with AML supervision of cryptoassets firms’ anti-money laundering policies and procedures.

It should be noted that the FCA’s Anti-Money Laundering and Counter Terrorism Finance (AML/CTF) responsibilities in relation to UK cryptoasset businesses will be limited to AML/CTF registration and supervision. Its remit covers supervising and taking any necessary enforcement action against UK cryptoassets businesses, whether or not they are FCA registered.

What this means for you in the New Year

If you are involved with cryptoassets then it is important to understand how this is likely to affect you. You ‘snow’ the drill!

Registration

Cryptoassets firms will have to apply to be registered for AML/CTF purposes before 10 January 2020 (this specifically includes those already registered or authorised for other activities). Any new business that intends to carry on cryptoassets-related activities after the 10th of January 2020 must obtain FCA registration before doing so. Any business that has previously been carrying on cryptoassets-related activities may only continue to do so (in compliance with the MLRs) if it has registered by the 10th of January 2021.

Process

To register with the FCA for cryptoassets supervision, you must:

• Complete the online application form (which you can find on Connect);

• Provide the FCA with the information they request; and

• Pay the registration fee.

Regardless of the FCA’s registration timeline, you will need to comply with your obligations under MLR from 10th of January 2020.

When applying for registration:

• Bear in mind that the FCA may request further information after receiving your application;

• To avoid your application being delayed or rejected, you should notify the FCA immediately of any changes;

• Remember that your application only becomes complete once the registration fee has been paid (no decision will be issued unless and until that happens); and

• Note that the FCA is encouraging businesses to send their applications early to ensure they meet the registration deadline.

Fees

• A one-off registration fee of £5,000, paid both by businesses already authorised and by new registrants; plus

• Annual periodic fees, based on income.


12. What better way to end our payments advent than visiting the three ghosts of Open Banking!

The Ghost of Open Banking Past

In the UK, the concept of Open Banking has been brought to life through both PSD2 and the work of the Open Banking Implementation Entity (OBIE), as a result of the mandate given to it by the Competition & Markets Authority. Open Banking was introduced in order to increase competition and innovation in the financial services sector, the intention being that existing TPPs could deliver their services through Open Banking (rather than screenscraping) and many new TPPs would enter the market and provide innovative services to consumers and businesses.

The Ghost of Open Banking Present

So, where are we now? More than 230 TPPs are listed on the OBIE register of providers in the UK. Banks have been working on their account access solutions so that TPPs can deliver their services through Open Banking, but there is still work to do.

If we take a stroll with the Ghost of Open Banking Present, we see:

- Banks continuing work to improve their API access solutions so that they can ensure parity with their direct channels, sufficient breadth and appropriate performance and availability.

- Banks continuing to discuss their account access solutions with regulators, industry bodies and API implementation entities (such as the OBIE in the UK). It hasn’t been an easy (sleigh) ride to understand what is required to achieve compliance and many banks are still discussing the exact nature of what they need to

build with regulators (e.g. such as the ability for customers to revoke TPP access in their domain). One issue which has caused particular uncertainty relates to offering direct eIDAS identification. Given that we don’t want to be seen as Scrooge, we have a special treat for you with a guest article focused on eIDAS from Jack Wilson, Head of Policy & Regulatory Affairs at TrueLayer below!

- Retailers considering offering payment services in their own right, working with new TPPs or taking additional types of non-card based payment services from their acquirer.

- Screenscraping continuing in the UK and other jurisdictions whilst further readiness work is done on API access solutions. The FCA in the UK has suggested that screenscraping should continue for certain providers until March 2020.

- Some TPPs ‘reverse engineering’ to ensure connectivity. This is where a TPP uses the API connecting a bank to its own mobile app.

The Ghost of Open Banking Yet To Come

So what will the Ghost of Open Banking Yet to Come show us?

We expect to see new entrants into the market and existing TPPs expanding their services.

Open Banking will continue to challenge banks to rethink their current operating models and to analyse their customers' expectations. Customer consent and the protection of customer data will continue to play a key role in the implementation of Open Banking standards. In the UK, we expect the OBIE to continue to push to increase the scope and functionality to be delivered by the CMA9.

With an increasing number of fintechs accessing payment services infrastructures and banks looking to reform their current operating models, the scope of banking supervision at both the retail and prudential levels may need to be re-assessed. Safeguarding prudential soundness is not always synonymous with welcoming new

market entrants and promoting innovation. Accordingly, whether regulators have asked Santa for a draft of PSD3 or a magical RTGS system for 2020 remains to be seen. What we do know is that the regulators believe so strongly in Open Banking that talks about creating the concept of Open Finance (where the principles of Open Banking are extended to a wider range of products) have already begun. Indeed, in the past few days the FCA has issued a Call for Input on the opportunities presented by Open Finance with feedback requested by 17 March 2020.

Overall, 2020 is likely to show us new propositions, greater use of new services and potentially an Open Banking ecosystem in the UK which is ‘best in snow’ by Christmas next year.


13. Unwrapping eIDAS

As Santa makes his epic journey from house to house this Christmas, one thing’s for sure. He doesn’t need to present a (QSealC) to get down the chimney. We all trust Santa implicitly to deliver his presents, without stating his credentials.

Not so for third party providers (TPPs) - the innovators that PSD2 empowers to offer exciting new financial services for customers.

As part of the trust framework created by PSD2, and incorporating eIDAS (the EU regulation on Electronic Identification, Authentication and Trust Services) - all TPPs must identify themselves to banks using eIDAS certificates. Piece of (Christmas) cake.

Not so fast Rudolf. The previous year has shown eIDAS compliance to be anything but straightforward.

In December 2018 the EBA Opinion on eIDAS attempted to clarify the requirements. This included specifying that banks should choose which type of eIDAS certificates TPPs should use (e.g. combinations of QWACs and QSealCs - no this isn't a game of Christmas scrabble).

In June 2019, the FCA emailed trade associations to clarify its expectations for TPPs, and banks using ‘Open Banking certificates’ - a kind of trust framework developed by the Open Banking Implementation Entity. In sum, Open Banking certificates could continue to be used, as long as it was the choice of the TPP to exchange their eIDAS certificate for an Open Banking certificate. However, banks still had to cater for the TPPs not enrolled in Open Banking and only using eIDAS certificates.

In September 2019, the FCA offered some flexibility to those TPPs struggling to obtain eIDAS certificates. Banks were encouraged to allow TPPs to use ‘an equivalent certificate enabling secure identification (for instance an Open Banking certificate)’, but eIDAS certificates would need to be obtained by 14th March 2020 at the latest.

What this means for you in the New Year

At the very least TPPs should make sure they have sourced an eIDAS certificate (both QWAC and QSealC is advisable) by the 14th March 2020. Open Banking Europe provide a handy list certificate issuers. This applies even if TPPs are currently connected via open banking certificates. It is also worth checking the OBIE transparency calendar which banks have been encouraged to use to document their certificate stance.

As a connectivity specialist, TrueLayer can guide TPPs through this process - and help the nightmare before Christmas become a happy new year.

Jack Wilson is Head of Policy & Regulatory Affairs at TrueLayer. TrueLayer builds technology that allows third party applications to access their users' financial data and initiate payments securely. Jack is a former policy adviser at the UK banking regulator, the FCA. There he led work to create the FCA’s approach to regulating firms under the new Payment Services Directive (PSD2). Before joining TrueLayer, Jack led the FCA’s team assessing banks’ readiness for open banking, focusing on their open banking interfaces (APIs) and customer journeys.