Brexit will create new complications for PSD2
The post-Brexit era brings a broad array of economical and geopolitical issues, one being digital payments between the European Union and the U.K. and how they will be handled moving forward. One of the interesting areas is the validity of digital certificates issued to financial entities located in the U.K. in the context of compliance to the Payment Service Directive 2 (PSD2).
The PSD2 is a European regulation that will usher in the next phase of anti-fraud measures for the payments industry. It is expected to increase security for online transactions and encourage more competition through open banking. PSD2 mandates the use of Qualified Certificates for Electronic Seals and Qualified Website Authentication Certificates, issued under the EU regulation 910/2014 Electronic Identification and Authentication Services (eIDAS).
With the end of the year approaching, many are asking whether the requirements related to certificate management under PD2 will be subject to U.K. domestic law under the EU Withdrawal Act of 2018. One train of thought from certain authorities is that all PSD2 certificates issued to UK entities should be revoked, and no new certificates should be issued to entities authorized by the FCA (Financial Conduct Authority - the UK National Competent Authority (NCA).
The reasoning is that the FCA will no longer be a recognized NCA by the European Banking Authority (EBA) when a no-deal Brexit happens. On the other hand, the FCA has indicated its continued acceptance of PSD2 certificates, while also recognizing that alternative methods may be required for UK entities. Both solutions are currently included in the draft version of the FCA's Regulatory Technical Standards on strong customer authentication and secure communication.
The continued acceptance of the PSD2 certificates is supported regardless of where a Qualified Trust Service Provider (QTSP) is registered, or which NCA has authorized the payment service provider. The standards and the accreditation framework are clear, and currently used. The alternative methods are not prescribed in the hope of minimizing the potential for disruption to existing market practices, and maximizing the options available. Recommendations for possible solutions exist.
However, because these methods are not prescribed (and currently are still undergoing discussion), there is a big risk of disruption, as payment service providers will be forced to make technical changes which have not yet been specified, and may need to obtain new certificates.
Extensive dialogue is currently ongoing between the authorities, QTSPs and financial institutions seeking a solution for this tension in the positions of the EBA and the FCA. With time running out, industry actors are looking to provide solutions that guarantee the integrity of the infrastructure, while also recognizing the reality of a new banking framework following a no-deal Brexit.