
Bridging a link between PSD2 and eIDAS

Following the revised Payment Services Directive (PSD2), banks in the EEA are required to enable their customers (users) to grant third party providers (TPPs) access to

  • the customer's account information, and
  • the ability to initiate payments on behalf of the customer.

Before a bank can allow a TPP access to information about the user's account, two conditions must be met:

  1. The PSP (the TPP, acting as a payment service provider) must authenticate to the bank using an eIDAS PSD2 certificate, and
  2. the user owning the account must have given consent for the PSP to access the account information; such consent must be based on Strong Customer Authentication (SCA).

This article briefly describes a solution for an Identity Provider (IdP) that can be used to manage such access to privileged user resources and leverage existing authentication methods provided by one or several authentication / eID schemes. Typically, such an IdP solution is managed by the bank.

The general goal is to enable end users to grant TPPs access to privileged information and transactions provisioned by a resource owner. The user is required to give explicit consent and to be duly authenticated by an eID scheme before such information can be passed on to the trusted TPP.

High level Overview

To make this possible and allow for seamless communication with multiple eID Schemes and TPPs, we introduce an Identity Provider (IdP). An IdP is a server that handles registration, authentication, signing and token requests.

[Figure: PSD2 eIDAS relationship]

In this ecosystem, the IdP server receives an authorization request from a TPP that needs access to services at the Resource Owner. The IdP displays to the end user the resources that he or she can choose to grant the TPP access to. Following the user's selection, the eID Scheme's signing dialog is used by the user to give non-repudiable consent for the TPP to access the user's resources at the Resource Owner.

The eID Scheme should be certified according to the eIDAS standards for trust services (e.g. providing qualified certificates and signatures).

Application in a PSD2 context (Embracing Open Banking PSD2)

This architecture applies particularly well in the banking industry. In a PSD2 scheme, the bank is the Resource Owner. This allows third parties such as Payment Initiation Service Providers (PISPs) to access customer accounts directly through a standard API. PSD2 further opens the path to what is known as Open Banking APIs.

Role of the IdP

The purpose of the IdP is to authenticate and authorize the TPP to act on behalf of the end user towards the Resource Owner such as a bank.

The server receives an authorization request from an organization (the TPP) that needs access to services provided by the Resource Owner. The IdP displays to the end user the resources that he or she can choose to grant the organization access to. Following the user's selection, the eID scheme dialog allows the user to give non-repudiable consent for the organization to access the user's resources at the bank.

This involves two steps.

  1. Firstly, the end user must agree to grant the particular TPP access to the services and information in question. Based on such consent the IdP may authorize the TPP with these permissions.
  2. Secondly, in order to actually access the services, the TPP must be authenticated to the bank to ensure that only authorized TPPs get access.

An additional important feature is to provide evidence that both of these steps have been executed properly. To this end, a signed PDF document is produced to record the fact that the user gave the TPP access to a specific set of resources.
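The two-step gate and the evidence record can be made concrete in a small model. The following is an added example written for this article, not code from the described product or from any bank; it assumes an HMAC over a canonical consent payload as a stand-in for the eID scheme's signature, a made-up mapping from bank resources to the PSD2 certificate roles (ETSI TS 119 495 role names, constructed mapping), illustrative organisation identifiers, and a 90-day consent lifetime. Every access request must pass both the TPP-authentication checks (certificate identity registered, matching the consent, carrying the required role) and the consent checks (record authentic, unexpired, covering the resource), and a digest of the exact consented payload serves as the evidence record.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Role labels as asserted in eIDAS PSD2 certificates (ETSI TS 119 495 naming); which
# role a given bank resource demands is an assumption made for this example.
ROLE_FOR_RESOURCE = {"accounts:read": "PSP_AI", "payments:init": "PSP_PI"}

# TPPs the bank has onboarded, keyed by the organisation identifier in their
# certificate (constructed sample data; the identifier format is illustrative).
REGISTERED_TPPS = {"PSDXX-NCA-000001": "AISP Example", "PSDXX-NCA-000002": "PISP Example"}

@dataclass(frozen=True)
class TppIdentity:
    """What the bank extracts from a TPP's certificate after TLS chain/revocation checks."""
    org_id: str
    roles: frozenset

@dataclass(frozen=True)
class Consent:
    tpp_org_id: str
    user_id: str
    resources: frozenset
    issued_at: int
    expires_at: int
    signature: str = ""

class IdP:
    def __init__(self, signing_key: bytes, ttl_seconds: int = 90 * 24 * 3600):
        self._key = signing_key  # HMAC key standing in for the eID scheme's signature
        self._ttl = ttl_seconds  # consent lifetime; 90 days is an assumption here

    @staticmethod
    def _payload(c: Consent) -> bytes:
        # Canonical JSON over every field except the signature itself.
        body = {"tpp": c.tpp_org_id, "user": c.user_id, "resources": sorted(c.resources),
                "iat": c.issued_at, "exp": c.expires_at}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _sign(self, c: Consent) -> str:
        return hmac.new(self._key, self._payload(c), hashlib.sha256).hexdigest()

    def grant_consent(self, user_id, tpp, requested, selected, now: int) -> Consent:
        """Step 1: the user (SCA assumed complete) grants a subset of what the TPP asked for."""
        selected = frozenset(selected)
        if not selected <= frozenset(requested):
            raise ValueError("cannot grant resources the TPP did not request")
        if tpp.org_id not in REGISTERED_TPPS:
            raise ValueError("unknown TPP")
        draft = Consent(tpp.org_id, user_id, selected, now, now + self._ttl)
        return replace(draft, signature=self._sign(draft))

    def authorize_access(self, presented, consent, resource, now: int):
        """Step 2 gate on every access: TPP authenticated AND consent covers the resource."""
        # TPP authentication: known certificate identity, matching the consent, with the right role
        if presented.org_id not in REGISTERED_TPPS:
            return False, "tpp not registered"
        if presented.org_id != consent.tpp_org_id:
            return False, "certificate identity does not match consent"
        role = ROLE_FOR_RESOURCE.get(resource)
        if role is None or role not in presented.roles:
            return False, f"certificate lacks the role required for {resource}"
        # User consent: authentic, unexpired, and actually covering this resource
        if not hmac.compare_digest(self._sign(consent), consent.signature):
            return False, "consent record tampered or not issued by this IdP"
        if now >= consent.expires_at:
            return False, "consent expired"
        if resource not in consent.resources:
            return False, "resource not consented"
        return True, "ok"

    def evidence_record(self, consent: Consent) -> dict:
        """Evidence of step 1 (the article's signed PDF): digest of the consented payload."""
        return {"sha256": hashlib.sha256(self._payload(consent)).hexdigest(),
                "signature": consent.signature, "tpp": consent.tpp_org_id, "user": consent.user_id}

def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the gate with constructed identities; returns each decision."""
    idp = IdP(b"demo-key-not-for-production")
    aisp = TppIdentity("PSDXX-NCA-000001", frozenset({"PSP_AI"}))
    pisp = TppIdentity("PSDXX-NCA-000002", frozenset({"PSP_AI", "PSP_PI"}))
    consent = idp.grant_consent("user-42", pisp, {"accounts:read", "payments:init"},
                                {"accounts:read"}, now)
    forged = replace(consent, resources=consent.resources | {"payments:init"})
    aisp_pay = idp.grant_consent("user-42", aisp, {"payments:init"}, {"payments:init"}, now)
    later = now + 60
    return {
        "granted": sorted(consent.resources),
        "read": idp.authorize_access(pisp, consent, "accounts:read", later),
        "not_consented": idp.authorize_access(pisp, consent, "payments:init", later),
        "forged": idp.authorize_access(pisp, forged, "payments:init", later),
        "wrong_cert": idp.authorize_access(aisp, consent, "accounts:read", later),
        "no_role": idp.authorize_access(aisp, aisp_pay, "payments:init", later),
        "expired": idp.authorize_access(pisp, consent, "accounts:read", consent.expires_at),
        "evidence": idp.evidence_record(consent),
    }
```

Running `demo()` shows the user granting only account access out of what the TPP requested, a later payment-initiation request being refused because it was never consented to, a consent record with an added resource being refused because its signature no longer verifies, and a different TPP being refused even with a valid certificate because the consent names another organisation. The order of checks matters: the TPP is authenticated before the consent record is even examined, so an unauthenticated caller learns nothing about which consents exist.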

Furthermore, the solution allows the end-user to sign a transaction (or document) through the IdP, in compliance with eIDAS.

Conclusion

The IdP method described above is designed to help banks provide value-added services in compliance with PSD2. By leveraging existing eID schemes and their eIDAS trust services, it is possible to deliver a compelling user experience in a highly cost-effective manner. To anchor the bank's position as a strategic trust partner in financial transactions, particular attention was paid to security and non-repudiation as well as scalability and interoperability.

The described solution can be a strong enabler to allow banks to lead the PSD2 revolution.

For more information on the technology described above, please feel free to contact us.



Image: Bridge, courtesy of Victor Camilo, Flickr (CC BY-ND 2.0)