The EBA Register was launched in March of this year.
Now that it has been live for a few months, we can take stock and consider how effective it is.
It appears to fulfil all the technical criteria set by the European Commission, but does it actually add real value?
Let’s find out.
What’s its purpose?
Article 15 of PSD2 states that the EBA will develop and maintain a central register listing the following organisations:
· Authorised payment institutions
· E-money institutions
· AISPs (account information service providers)
· PISPs (payment initiation service providers).
Correspondingly, according to the EBA themselves, the aim of the register is to ‘increase transparency and ensure a high level of consumer protection.’
Consumers are protected – really?
The aim of protecting consumers is, of course, a worthy one. However, we can’t ignore the (in)famous disclaimer that the register has no legal significance.
In fact, the EBA’s responsibility is limited to what it calls the ‘accurate reproduction’ of information supplied by the national competent authorities.
How accurate is the register?
Another cause for concern is the register’s accuracy.
The EBA warns users who download the data that there may be ‘a discrepancy between the information contained on the download and the information contained on the actual register’, depending on when the download file was last refreshed and when it was fetched.
In practice, this means that for complete accuracy, reference should also be made to the register held by the relevant national authority.
That rather calls into question the purpose of the register and how it actually protects consumers.
Purpose vs market expectations
As we mentioned above, if you consider the legal responsibilities and regulatory technical standards of the EBA, the electronic central register has fulfilled its purpose.
However, the register does seem to miss the mark when it comes to market expectations, specifically when it comes to using it as a source for TPP (Third Party Provider) verification.
During the consultation on the regulatory technical standards (RTS) for the register, the EBA received requests to include a technological solution that would allow ASPSPs (Account Servicing Payment Service Providers) to check the registration status of TPPs automatically.
In its final report on the draft RTS and the register, the EBA said that this request falls outside the purpose of the register as envisaged by PSD2.
In principle it is right, but that does not help the industry.
It would have been better for everyone if the European Commission had considered a broader scope for the register, rather than merely centralising the national authorities’ records.
Are market expectations meeting regulatory requirements?
In the few months since the launch, it has become clear that the register is, in effect, nothing more than a register.
That is out of line with market expectations, especially as there is clear demand from banks for a broader scope.
But where do these expectations originate? Do banks really need to verify whether TPPs are authorised?
Are banks required to verify TPP registration?
A bank’s technical processes should be robust enough to tell when it is being contacted by a TPP rather than directly by a customer.
According to article 66, paragraph 3(d), a PISP must ‘identify itself towards the ASPSP’. In addition, under paragraphs 2 and 4 of that article, once the payer has given explicit consent the ASPSP must perform certain actions to ensure the payer’s right to use the payment initiation service.
Those actions are: communicating securely with the PISP, making information on the payment transaction available to the PISP, and treating payment orders transmitted through the PISP without discrimination.
None of this requires the bank to verify the PISP’s registration or authorisation, and the same applies to AISPs under article 67.
Or is this just implied?
This might sound like good news, but other articles seem to imply otherwise.
Article 68, paragraph 5, for example, gives the ASPSP the right to deny a TPP access to a payment account for ‘objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account’.
That could cover a case where consent was not given, but also one where the TPP was not authorised by the regulator.
The problem is that no further context is given, so it is left open to interpretation.
Can we, for example, assume that banks are required to verify a TPP’s authority? Perhaps, but the PSD2 text contains no explicit statement either way.
This feels like another shortfall.
Also, does the RTS go into any more detail?
The EBA has drafted regulatory technical standards (RTS) specifying, amongst other issues, the requirements for common and secure open standards of communication for the purpose of identification and information exchange between ASPSPs and TPPs, as laid down in article 98 of PSD2.
Let’s look at those standards in more detail.
Chapter 5 of the RTS covers the common and secure open standards of communication.
Under article 27 (article 30 in the text as adopted by the Commission), the bank’s communication interface must enable TPPs to identify themselves towards the bank. Again, this is a technical matter and says nothing about verifying a TPP’s authority.
Article 29 of the RTS (article 34 as adopted) then has banks rely on qualified certificates for electronic seals, or for website authentication, under eIDAS for that identification. Once such a certificate is presented, there is no further legal obligation on the bank to verify anything.
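What ‘verifying further’ could look like in practice, as an added example that is not part of the original article: a PSD2 qualified certificate carries an ETSI TS 119 495 QcStatement naming the TPP’s roles (PSP_AS, PSP_PI, PSP_AI, PSP_IC) and its competent authority, and the subject’s organizationIdentifier carries the authorisation number. The code below decodes that statement from the raw DER of the qcStatements extension using only the Python standard library, builds a constructed sample rather than reading a real certificate, and then checks the certificate’s claims against a register snapshot. The register layout (REGISTER_SNAPSHOT), the sample authorisation numbers and the decision rules in check_tpp are assumptions for illustration, not the EBA’s download format or any bank’s policy.

```python
# Added example, not from the article: decode the ETSI TS 119 495 PSD2 QcStatement
# carried in a qualified certificate's qcStatements extension (OID 1.3.6.1.5.5.7.1.3)
# and cross-check it against a register snapshot.  Standard library only.
ETSI_PSD2_QC_STATEMENT = "0.4.0.19495.2"   # id-etsi-psd2-qcStatement
ETSI_QC_COMPLIANCE = "0.4.0.1862.1.1"      # id-etsi-qcs-QcCompliance (EN 319 412-5)
PSD2_ROLE_OIDS = {                         # id-psd2-role-* from TS 119 495
    "0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
    "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC",
}

# Minimal DER helpers: enough for SEQUENCE (0x30), OID (0x06) and UTF8String (0x0C).
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")      # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                                      # base-128, high bit = more
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, body)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; rejects truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out

def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def build_sample_qc_statements(roles, nca_name, nca_id):
    """Constructed qcStatements value: a QcCompliance statement, then the
    PSD2QcType SEQUENCE { rolesOfPSP, nCAName, nCAId } of TS 119 495."""
    roles_seq = _der(0x30, b"".join(
        _der(0x30, _encode_oid(oid) + _der(0x0C, name.encode())) for oid, name in roles))
    psd2 = _der(0x30, roles_seq + _der(0x0C, nca_name.encode()) + _der(0x0C, nca_id.encode()))
    return _der(0x30, _der(0x30, _encode_oid(ETSI_QC_COMPLIANCE))
                + _der(0x30, _encode_oid(ETSI_PSD2_QC_STATEMENT) + psd2))

def parse_psd2_statement(qc_statements_der):
    """Walk SEQUENCE OF QCStatement { statementId OID, statementInfo ANY OPTIONAL };
    return {"roles": [...], "nca_name": str, "nca_id": str}, or None if absent."""
    _, seq, _ = _read_tlv(qc_statements_der, 0)
    for _, stmt in _children(seq):
        parts = _children(stmt)
        if len(parts) < 2 or _decode_oid(parts[0][1]) != ETSI_PSD2_QC_STATEMENT:
            continue                                        # e.g. QcCompliance: skip
        roles_tlv, name_tlv, id_tlv = _children(parts[1][1])
        roles = []
        for _, role in _children(roles_tlv[1]):             # RoleOfPSP { oid, name }
            oid = _decode_oid(_children(role)[0][1])
            roles.append(PSD2_ROLE_OIDS.get(oid, "UNKNOWN:" + oid))
        return {"roles": roles, "nca_name": name_tlv[1].decode(), "nca_id": id_tlv[1].decode()}
    return None

# Constructed register keyed by the subject organizationIdentifier (PSD<cc>-<NCA>-<number>).
REGISTER_SNAPSHOT = {
    "PSDNL-DNB-R000001": {"status": "authorised", "nca_id": "NL-DNB", "services": {"PSP_PI", "PSP_AI"}},
    "PSDNL-DNB-R000002": {"status": "withdrawn", "nca_id": "NL-DNB", "services": {"PSP_AI"}},
}

def check_tpp(org_id, stmt, requested_role, register=REGISTER_SNAPSHOT):
    """Certificate = what the QTSP saw at issuance; register = whether it still holds.
    Returns (allow, reason) so that a refusal can be logged and evidenced."""
    if stmt is None:
        return False, "no PSD2 QcStatement in certificate"
    if requested_role not in stmt["roles"]:
        return False, f"certificate does not carry role {requested_role}"
    entry = register.get(org_id)
    if entry is None:
        return False, f"{org_id} not in register"
    if entry["nca_id"] != stmt["nca_id"]:
        return False, "certificate NCA differs from register NCA"
    if entry["status"] != "authorised":
        return False, f"register status is {entry['status']}"
    if requested_role not in entry["services"]:
        return False, f"register does not list {requested_role} for {org_id}"
    return True, "certificate and register agree"
```

Extracting the extension bytes from a real certificate is left to whatever X.509 library the bank already uses; the point here is the second step. The certificate only proves that the issuing QTSP saw an authorisation at issuance, so the withdrawn entry in the snapshot is exactly the case the article worries about: the certificate still looks fine, and only the register (or a revocation the competent authority has triggered in the meantime) says otherwise. Returning the reason string rather than a bare boolean matters too, because a refusal under article 68 has to be ‘duly evidenced’.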
Fraud or data misuse – who’s responsible?
The whole point of banks is that they are, and must be, trusted by the public.
Their entire reputation is built on security.
Why, therefore, would any bank put itself in the awkward (or even legally liable) position of granting access without any verification of the counterparty’s authorisation, relying on the qualified certificate alone?
Consider how a court case would play out if a consumer gave consent to an unauthorised party without checking the EBA register, the bank relied on the qualified certificate alone, and the TPP’s authorisation had in the meantime been revoked for fraudulent activity, resulting in the consumer’s data being misused.
It would certainly be one to watch!
Article 68 could be read as saying that mere reliance on the qualified certificate is not enough.
Then again, that article does not impose an obligation; it simply gives the bank a right (‘may deny’).
So, in the situation above, who would be held responsible?
The consumer? I doubt it. The authorities? Not likely. The TPP? Yes, but what if it has disappeared?
At the end of the day, that leaves the bank.
The buck stops with the bank
In conclusion, even though there is no explicit obligation under PSD2 or the RTS for banks to verify the authorisation of a TPP, if something does go wrong…
…it’s highly likely that it will be the bank, that ends up paying for it.