Following the revised Payment Service Directive (PSD2), banks in the EEA are required to enable their customers (users) to grant third party providers (TPPs) access to:
- the customer's account information
- payment initiation on behalf of the customer
Before a bank can allow a TPP access to information about the user's account, two conditions must be met:
- The PSP (here, the TPP) must authenticate itself to the bank using an eIDAS PSD2 certificate, and
- The user owning the account must have given consent for the PSP to access the account information; such consent must be based on Strong Customer Authentication (SCA).
This article briefly describes a solution for an Identity Provider (IdP) that can be used to manage such access to privileged user resources and leverage existing authentication methods provided by one or several authentication / eID schemes. Typically, such an IdP solution is managed by the bank.
The general goal is to enable end-users to grant TPPs access to privileged information and transactions provisioned by a resource owner. The user is required to provide explicit consent and be duly authenticated by an eID scheme before such information can be passed on to a trusted TPP.
High-level Overview
To make this possible and allow for seamless communication with multiple eID Schemes and TPPs, we introduce an Identity Provider (IdP). An IdP is a server that handles registration, authentication, signing and token requests.
In this ecosystem, the IdP server receives an authorization request from a TPP that needs access to services from the Resource Owner. The service displays the resources to the end user, who chooses which of them the TPP may access. Following the user's selection, the eID Scheme signing dialog is used by the user to provide non-repudiable consent for the TPP to access the user's resources at the Resource Owner.
The eID Scheme should be certified according to the eIDAS standards for trust services (e.g. providing qualified certificates and signatures).
Application in a PSD2 context (Embracing Open Banking PSD2)
This architecture applies particularly well in the banking industry. In a PSD2 scheme, the bank is the Resource Owner. PSD2 allows third parties such as Payment Initiation Service Providers (PISPs) to access customer accounts by connecting through a standard API, and further opens the path to what is known as Open Banking APIs.
Role of the IdP
The purpose of the IdP is to authenticate and authorize the TPP to act on behalf of the end user towards the Resource Owner such as a bank.
The server receives an authorization request from an organization (the TPP) that needs access to services provided by the Resource Owner. The service displays the resources to the end user, who chooses which of them the organization may access. Following the user's selection, the eID scheme dialog allows the user to provide non-repudiable consent for the organization to access the user's resources at the bank.
This involves two steps.
- Firstly, the end user must agree to grant the particular TPP access to the services and information in question. Based on such consent the IdP may authorize the TPP with these permissions.
- Secondly, in order to actually access the services, the TPP must be authenticated to the bank to ensure that only authorized TPPs get access.
An additional important feature is to provide evidence that both of these steps have been executed properly. To this end, a signed PDF document is produced to record the fact that the user gave the TPP access to a specific set of resources.
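As an added illustration (not code from the article or from any vendor's product), the following Python sketch shows how a bank-side IdP could combine the two conditions above before releasing a resource to a TPP: the TPP must present a valid PSD2 certificate carrying the needed role, and the request must be covered by a consent the user signed after SCA. The certificate record, the role names, the HMAC used as a stand-in for the eID scheme's qualified signature, and every identifier and date are constructed assumptions; a real deployment would validate an actual eIDAS certificate chain and verify a real signature.

```python
"""Added example: an IdP authorization decision combining PSD2's two conditions.
Stand-alone illustration; certificate records and consent signatures are
constructed stand-ins (HMAC) for eIDAS PSD2 certificates and eID signatures."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed: key of the eID scheme, standing in for the qualified signature
# the user produces in the eID signing dialog (assumption, not a real scheme).
EID_SCHEME_KEY = b"constructed-eid-scheme-key"


@dataclass
class TppCertificate:
    """Constructed stand-in for an already chain-validated eIDAS PSD2 certificate."""
    subject: str            # TPP identifier taken from the certificate subject
    roles: frozenset        # PSD2 roles granted to the TPP (assumed role names)
    not_after: datetime     # certificate expiry
    valid_chain: bool       # outcome of chain validation against the trust list


@dataclass
class Consent:
    tpp: str                # TPP the consent was given to
    user: str               # account owner who gave the consent
    resources: frozenset    # account identifiers selected in the IdP dialog
    expires: datetime       # consent validity end
    sca_method: str         # how the user was authenticated, kept for evidence
    signature: str = ""     # stand-in for the eID signature over the consent


def canonical(consent):
    """Deterministic byte encoding of the consent, so signing and checking agree."""
    payload = {
        "tpp": consent.tpp, "user": consent.user,
        "resources": sorted(consent.resources),
        "expires": consent.expires.isoformat(), "sca": consent.sca_method,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_consent(consent):
    """Stand-in for the eID scheme signing the user's consent (non-repudiation)."""
    consent.signature = hmac.new(EID_SCHEME_KEY, canonical(consent), hashlib.sha256).hexdigest()
    return consent


def consent_signature_valid(consent):
    expected = hmac.new(EID_SCHEME_KEY, canonical(consent), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, consent.signature)


def tpp_authenticated(cert, now, required_role):
    """Condition 1: a valid, unexpired PSD2 certificate carrying the required role."""
    return cert.valid_chain and cert.not_after > now and required_role in cert.roles


def authorize(cert, consent, resource, now, required_role="account_information"):
    """Condition 1 and 2 together. Returns (allowed, reason); reason is what the IdP logs."""
    if not tpp_authenticated(cert, now, required_role):
        return False, "tpp_not_authenticated"
    if consent.tpp != cert.subject:
        return False, "consent_for_different_tpp"   # consent is bound to one TPP identity
    if not consent_signature_valid(consent):
        return False, "consent_signature_invalid"    # tampered after signing, or never signed
    if consent.expires <= now:
        return False, "consent_expired"
    if resource not in consent.resources:
        return False, "resource_not_in_consent"      # the user never selected this account
    return True, "ok"


def sample_scenario():
    """Constructed sample data: one account-information TPP and one signed consent."""
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    cert = TppCertificate(subject="PSD-EXAMPLE-TPP-0001",   # constructed identifier
                          roles=frozenset({"account_information"}),
                          not_after=now + timedelta(days=365), valid_chain=True)
    consent = sign_consent(Consent(tpp=cert.subject, user="user-42",
                                   resources=frozenset({"acct-1001", "acct-1002"}),
                                   expires=now + timedelta(days=90),
                                   sca_method="eid-app-biometric"))
    return cert, consent, now


def demo():
    """Exercise the decision on the happy path and on the failure modes that matter."""
    cert, consent, now = sample_scenario()
    results = {"granted": authorize(cert, consent, "acct-1001", now)}
    results["unlisted_account"] = authorize(cert, consent, "acct-9999", now)
    # Widening the resource set after the user signed invalidates the signature.
    tampered = replace(consent, resources=consent.resources | {"acct-9999"})
    results["tampered"] = authorize(cert, tampered, "acct-9999", now)
    # A payment-initiation-only certificate must not read account information.
    pi_only = TppCertificate(cert.subject, frozenset({"payment_initiation"}), cert.not_after, True)
    results["wrong_role"] = authorize(pi_only, consent, "acct-1001", now)
    results["expired_consent"] = authorize(cert, consent, "acct-1001", now + timedelta(days=91))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of binding the consent to the certificate subject and signing the canonical form is that neither side can widen a grant unilaterally: the bank only honours what the user actually selected, and the reason strings give the evidence trail the article's signed PDF is meant to support.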
Furthermore, the solution allows the end-user to sign a transaction (or document) through the IdP, in compliance with eIDAS.
Conclusion
The IdP method described above is designed to help banks provide value-added services in compliance with PSD2. By leveraging existing eID schemes and their eIDAS trust services, it is possible to deliver a compelling user experience in a highly cost-effective manner. To anchor the bank's position as a strategic trust partner in financial transactions, particular attention was paid to security and non-repudiation as well as scalability and interoperability.
The described solution can be a strong enabler to allow banks to lead the PSD2 revolution.
For more information on the technology described above, please feel free to contact us.
References and Further Reading
- COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
- Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
- Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission
- REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council
- Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Parliament and the European Council
- Revised Directive 2015/2366 on Payment Services (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission
- DIRECTIVE 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013), by the European Parliament and the Council
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority
Image: Bridge, courtesy of Victor Camilo, Flickr (CC BY-ND 2.0)