* The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.
Nowadays, the payments market is characterised by the confluence of several key drivers for change, such as regulations – in particular, the revised Payment Services Directive (PSD2). For this reason, in June 2017 PRETA launched an initiative called Open Banking Europe (OBE) to respond to market needs for a centralised directory. Today we interviewed John Broxis, Managing Director of PRETA, to learn more about the initiative that is seeking to address regulatory concerns under PSD2.
Could you explain, in the context of the revised Payment Services Directive (PSD2), why the PRETA Open Banking Europe (OBE) Directory project is needed?
Since the transposition of PSD2 in national legislation, which was due by 13th January 2018, account-servicing payment service providers (AS-PSPs) have been required to allow access to payment accounts to regulated Payment Service Providers (PSPs) at the request of their customers. In order to avoid any authentication failure which could lead to a breach of the mandatory provisions of the PSD2 or the General Data Protection Regulation (GDPR) respectively caused by processing unauthorised transactions or the illegitimate sharing of personal data, AS-PSPs should as from 14 September 2019 accurately check the identity of the through the electronic IDentification, Authentication and trust Services (eIDAS) Certificate and its access rights through the National Registers published by National Competent Authorities. Assuming that the Certificate of a confirms the validity of its identity, the access check is more complicated. Firstly, because the 31 National Registers contain data in different formats and languages and are not necessarily easily machine readable. Secondly, because the national competent authority (NCA) and Qualified Trust Service Providers (QTSPs) are not obliged to inform each other about any changes or withdrawals. Therefore, a machine-readable and standardised repository was needed, as also stated by the Euro Retail Payments Board (ERPB) Working Group on Payment Initiation Services.
The OBE Directory has been developed to provide the industry with a single, standardised, trusted and machine readable repository of information about active Regulated Entities that can perform access to account.
Generally speaking, what is your assessment of implementation by payment service providers (PSPs) across Europe?
If we think that at the end of 2017, which is less than one year ago, there was no common understanding of , no standards, no repository consolidating the data of 31 national Registers, we can say that a lot of progress has been made since then. Nevertheless, there is still a lot to do to harmonise the processes across and turn regulatory requirements into operational reality. PRETA, through its OBE workstream, is all about harmonising processes and delivering tools to help build a Digital Europe.
From the tests we have already performed on Application Programming Interfaces (APIs) we see that a consensus is emerging, that security is still a weak point, but that are willing and able to learn and adapt.
How does PRETA support AS-PSPs and third-party providers (TPPs) in meeting the requirements of PSD2?
Following a market consultation in 2017, PRETA launched OBE to bring together the participants, currently more than 40 among the major AS-PSPs and Service Providers across Europe, in one single collaborative space.
Concretely we support them with:
• Harmonising the understanding of registers, certificates, and their relation to access to account.
• Providing the OBE Directory as a central repository of information relating to access to account.
• Working with the QTSP community to ensure that certificates are available.
• Working with the competent authorities to ensure that we all understand regulatory data - and any country specificities - in the same way.
• Harmonising the security model, and the way certificates are used to secure access to account.
• We have now started a Conformance program to deliver a standardised testing process which takes into account the Evaluation Group requirements, NCA exemption conditions Consultation Paper and the standardisation initiatives’ outputs.
Our participants have an active part in shaping a harmonised and digital Europe and cooperate through workshops, regular meetings, webinars and partnerships with other organisations like the latest MoU with ETSI.
How does the Directory work practically speaking?
Basically, the OBE Directory contains the regulatory and operational data of AS-PSPs and . With regard to the Regulatory Data, the directory extracts, standardises and formats the information of the National Registers and checks them for changes each hour.
We deliver this information to AS-PSPs via a secure, browser-based Graphical User Interface (GUI) or by downloading using the Directory’s Application Programming Interface (API). For every critical change, AS-PSPs are notified.
Concerning the Operational Data, the Directory contains the information about AS-PSPs that can be used by to identify the endpoints offered by AS-PSPs and information about that can be used by AS-PSPs to help interact with them. This data can be updated by the entities and retrieved when needed.
All of this places the Directory as a reference point to support AS-PSPs and in complying with .
What are the Directory’s main benefits?
The three main benefits of the Directory are:
1. The provision of information allowing verification of Regulatory Access Rights of by .
2. The view and retrieval of Operational Data by AS-PSPs that can find there the contact details they need by their application or brand, in order to notify them of changes, or to contact them in case of incidents.
3. The view and retrieval of ASPSP Operational Data by that can use the Directory to find the ASPSP end points they need to access accounts, as well as their contact details, not only for each bank but for each brand and service.
The amount of work it takes to correctly understand the data in one national register that is not from your own country should not be underestimated. The work required to understand 31 National Registers is very significant. This is why the value of a single trusted source of information is so valuable because without a common trust base, you have no basis to grant access.