FCA announces changes to open banking identification requirements

The FCA has announced changes to limit the risk of disruption to open banking services after Brexit.

The FCA’s changes will permit UK-based third-party providers (TPPs) to use an alternative to eIDAS certificates to access customer account information from account providers, or initiate payments, after Brexit. Firms must act to ensure they can continue to provide open banking services. 

eIDAS certificates are required for TPPs to identify themselves to account providers and allow firms to interact and share customer account information online in a trusted and secure way. Under the Strong Customer Authentication Regulatory Technical Standards (SCA-RTS), they are the only accepted identification standard permitted between providers of open banking services in the EU. 

However, in July 2020 the European Banking Authority (EBA) announced that eIDAS certificates of UK TPPs would be revoked when the transition period ends on 31 December 2020. The near final instrument, published by the FCA, allows TPPs to rely on an alternative certificate.

The changes will mean:

  • UK-based TPPs will likely need to obtain a new certificate to be able to continue to provide open banking services in the UK, post-Brexit
  • Account providers (e.g. banks) will likely need to make technical changes to their systems to enable TPPs to continue accessing customer account information, by accepting an alternative certificate and informing TPPs as soon as possible which certificate(s) they will accept

Firms must review the changes immediately and implement any necessary changes as soon as possible.

Acknowledging the challenges faced by the industry, the FCA will provide a transition period until the end of June 2021 for complying with our rules.