This means one QWAC PSD2 certificate (and one NAN) would be shared within a community of VOP scheme participants, and be used to identify, authenticate and authorise all VOP scheme participants of the same community, when acting as VOP Requesting PSP.
EU law provides the following definitions for group/parent/subsidiary and branch, taking into account the EMIR Regulation (Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on over-the-counter derivatives, central counterparties and trade repositories), which in turn refers to other regulatory acts:
- ‘Group’ means the group of undertakings consisting of:
  - ‘Parent undertaking’ = an undertaking which controls one or more subsidiary undertakings, and any undertaking which effectively exercises a dominant influence over another undertaking; and
  - ‘Subsidiary’ = an undertaking controlled by a parent undertaking, including any subsidiary undertaking of an ultimate parent undertaking; and any undertaking over which a parent undertaking effectively exercises a dominant influence. Subsidiaries of subsidiaries shall also be considered to be subsidiaries of the undertaking that is their original parent undertaking.
- ‘Branch’ means a place of business which forms a legally dependent part of an institution, and which carries out directly all or some of the transactions inherent in the business of institutions.
The EPC’s definition of Grouping is based on the above definition (which follows the EMIR Regulation).
As defined in the VOP API Specifications and in the API Security Framework:
- QWAC PSD2 certificates must be used to identify the Requesting PSP.
- The possible presence of a RVM on the Requesting side is expected to be transparent, i.e. the QWAC PSD2 certificate of the Requesting PSP (VOP scheme participant) must be used.
- The authorisation of the Requesting PSP is performed by the Responding PSP based on the BIC and the National Authorisation Number (NAN) of the Requesting PSP.
- When a VOP scheme participant wants to use several different identifiers (e.g., BIC codes), it MUST present a certificate for each of its identifiers, which may be the same certificate.
The VOP Working Group strongly recommends using (at least) one QWAC PSD2 certificate per VOP scheme participant, in line with guidelines and Q&As (namely, Opinion EBA-Op-2018-7 of December 2018, paragraphs 19, 20 and 21, and the EBA Q&A 2018_4375) provided by the European Banking Authority (EBA) in the frame of PSD2 Open Banking Access-to-Account, whose security framework constituted the design baseline for the VOP API specifications and the API Security Framework (ASF).
However, for the time being, the option to use one QWAC PSD2 certificate per group (as defined in the EMIR Regulation) is also allowed, as the EPC is mindful of the limited timeframe and operational burden for PSPs in complying with the VOP Rulebook and API specifications. If this option is chosen, the VOP Scheme participants need to record in the EDS the NAN included in this QWAC PSD2 certificate. If a VOP Scheme participant wishes to make use of another PSD2 QWAC certificate for some VOP requests, the NAN of this certificate should also be added in the EDS.
VOP Scheme participants, however, should be mindful that the EPC may reconsider this option in the future, based on new observations and updated risk evaluations.
For further clarity on this subject: any “sharing” of the same QWAC PSD2 certificate beyond a Group as defined in the EMIR Regulation is not allowed.
Furthermore, in case of discrepancies between the requesting BIC (AT-D002) and the QWAC PSD2 certificate (i.e. the NAN) of the VOP Responding PSP, liability should be attributed on the basis of the AT-D002. See the following example:
- PSP A (parent undertaking) and PSP B (subsidiary) are members of the same EMIR group
- The EMIR Group is sharing the same QWAC PSD2 certificate of PSP A
- PSP B issues a VOP Request using its own BIC as AT-D002 (BIC of Requesting PSP), and the QWAC PSD2 certificate (hence the NAN) of PSP A
- In case of claims on a VOP Request, the liable entity is the one indicated by the AT-D002 element
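
The BIC-plus-NAN authorisation and the liability rule above can be sketched as a Responding-side check. This is an added example, not part of the VOP API Specifications or the ASF: the EDS is modelled as an in-memory mapping, the NAN is assumed to be already extracted from the presented certificate, and all function names, BICs and NANs are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed stand-in for the EDS: requesting BIC -> NANs recorded for it.
# All BICs and NANs here are made-up sample values.
SAMPLE_EDS: Dict[str, Set[str]] = {
    "AAAAFRPPXXX": {"NAN-A-0001"},                 # PSP A (parent), own certificate
    "BBBBFRPPXXX": {"NAN-A-0001", "NAN-B-0002"},   # PSP B (subsidiary): group cert + its own
    "CCCCDEFFXXX": {"NAN-C-0003"},                 # PSP C, outside the group
}


@dataclass(frozen=True)
class Decision:
    authorised: bool
    reason: str
    liable_bic: Optional[str]  # set only when authorised; taken from AT-D002


def authorise_vop_request(at_d002_bic: str, cert_nan: str,
                          eds: Dict[str, Set[str]]) -> Decision:
    """Responding-side check: is cert_nan recorded in the EDS for this BIC?"""
    recorded = eds.get(at_d002_bic)
    if recorded is None:
        return Decision(False, "requesting BIC not found in EDS", None)
    if cert_nan not in recorded:
        # Covers a certificate used by a BIC that never recorded its NAN.
        return Decision(False, "certificate NAN not recorded for this BIC", None)
    # Liability follows AT-D002, not the holder of the shared certificate.
    return Decision(True, "BIC and NAN match an EDS record", at_d002_bic)


def bics_sharing_nan(cert_nan: str, eds: Dict[str, Set[str]]) -> List[str]:
    """Audit helper: every BIC that has recorded this NAN (the sharing footprint)."""
    return sorted(bic for bic, nans in eds.items() if cert_nan in nans)


if __name__ == "__main__":
    # PSP B sends a request with its own BIC and PSP A's group certificate.
    print(authorise_vop_request("BBBBFRPPXXX", "NAN-A-0001", SAMPLE_EDS))
    # PSP C presents the group certificate without having recorded its NAN.
    print(authorise_vop_request("CCCCDEFFXXX", "NAN-A-0001", SAMPLE_EDS))
    print(bics_sharing_nan("NAN-A-0001", SAMPLE_EDS))
```

The audit helper gives the set of BICs that rely on one certificate, which is the list to review when a shared certificate is revoked or reissued.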