eIDAS and PSD2 – A perfect symphony in the digital marketplace?

The European Union is leading the way in the move towards the creation of a single digital market. There are many advantages a digital business has over its more traditional counterparts that are only amplified when such businesses are allowed to operate seamlessly across multiple markets. 

The harmonization and standardization of regulations regarding digital signatures, electronic verification, and digital payments can create wonderful opportunities for FinTech companies and technological innovators. It essentially creates a large pan-European single digital market that opens to these companies for innovation. 

Made for each other - eIDAS and PSD2 

The PSD2 aims to revolutionize the digital payments market by allowing for unfettered innovation by third-party FinTech companies. Account Information Service Providers (AISP) can retrieve and present bank account information by plugging into banks through open APIs. Payment Initiation Service Providers (PISP) can even go so far as to allow users to initiate transactions through their platforms rather than through their bank accounts. 

The eIDAS regulation complements the additional functionality brought in by the PSD2. AISPs and PISPs must interface with existing core banking systems to access relevant customer data and provide their services. eIDAS provides the tools necessary to meet security, authentication, and document verification obligations. Member notified eIDs which provide a “high” level of assurance, can be used across the EU to open a bank digitally in any member country. The eIDAS regulation provides standardization for this process across the entire bloc.

Ongoing efforts on the regulatory front

The European Banking Association is also actively considering using eIDAS to provide secure communication and positive authentication by PSD2 service providers. A discussion paper was floated to seek industry opinion on this, and feedback would be used to draft the Regulatory Technical Standards in January 2017.

As per the EBA discussion paper, “the qualified trust services provided by qualified trust service providers under eIDAS can also be of relevance for the identification between the AIS or PIS providers with the Account Servicing Payment Service Providers (ASPSPs), as well as for ensuring the integrity and correctness of the origin of the data transmitted between AIS or PIS providers and the ASPSPs.” The qualified electronic signature will have the same legal relevance as a wet signature. A similar treatment is provided for electronic seals, which can help establish the integrity and verify the origin of the data. 

Further, a green paper on retail financial services was also issued, outlining how eIDAS could be used to enable digital payments, KYC processes, and the services envisioned under the PSD2. 

Harmonization across the bloc

This intends to use eIDAS to provide the security framework enabling service providers to offer end-to-end digital banking and payment services. This was possible under certain circumstances, but the process was not standardized, leading to low adoption rates. With the harmonization that will be brought in with the formal adoption of these directives, a single digital market for FinTech companies would materialize. The potential business opportunities created by this massive new marketplace would be available to anyone; if done correctly, everyone wins.

References and Further Reading

• Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget and Dawn M. Turner
  
• Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig 
  
• REGULATION (EU) No 910/2014  on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
• Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
• Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
• NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
• Security Controls Related to Internet Banking Services (2016), Hong Kong Monetary Authority

 Image: "Londres à Pied 24", courtesy of Alain Rouiller, (CC BY-SA 2.0)