Regulation

Article 31 (PSD2 RTS) – Sets out the access interface options: an ASPSP can provide access

  1. via a dedicated interface (generally understood to mean an API-based solution), or
  2. by allowing [TPPs] to use the interfaces used for authentication and communication with the [ASPSP's] payment service users

Article 33 (PSD2 RTS) – Sets out the requirements for the contingency mechanism (fallback interface) that must accompany a dedicated interface.

Different Interfaces

  1. Customer Interface – the interface a PSU uses to access the bank's electronic channels, namely internet banking, mobile banking or others.
  2. API (Dedicated) Interface – as mandated by the PSD2 RTS, API access to all banking facilities associated with payment accounts, provided to TPPs that consume it on behalf of the PSU under a valid consent.
  3. Customer Interface with TPP Identification – the TPP uses the "Customer Interface", but must identify itself with an eIDAS certificate and be authorised by its NCA for the access. The ASPSP should also have safeguards so that only financial data is shared and not personal data, keeping the ASPSP GDPR compliant. This interface is referred to as the Modified Customer Interface (MCI) throughout this guide. It can also serve as the fallback interface, or contingency mechanism, for the Dedicated Interface.

Modified Customer Interface (MCI)

Banfico can commission this interface solution, which conforms to the PSD2 and GDPR regulations.

Components

  1. eIDAS and TPP Directory Service
  2. Personal Data Redaction

eIDAS & TPP Directory Service – tppWise Solution

Banfico provides a cloud-hosted SaaS service for eIDAS certificate validation and the TPP Directory Service. Our eIDAS solution is developed as an extension to the EU CEF eIDAS Digital Signature Service (DSS).

The TPP Directory Service is powered by the PRETA / Open Banking Europe directory, the most widely used directory among banks in the UK and EU. As a directory distributor, Banfico provides the same SLA as PRETA.

Key features are:
  1. Connects to all 31 member-state NCA registers
  2. Checks for new updates every 2 hours
  3. Receives critical notifications of any change to a TPP's status
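As an added example, not Banfico's tppWise code nor PRETA's: the check a bank's MCI has to make when a TPP presents its eIDAS certificate, which the text describes as being eIDAS-authenticated and NCA-authorised. The block decodes the PSD2 QcStatement (ETSI TS 119 495) that a QWAC or QSealC carries in its QCStatements extension, reads the PSP roles and NCA identifier, and compares them with the certificate's organizationIdentifier and with a register snapshot of the kind the directory service supplies. The extension bytes, the organizationIdentifier values and the register entries are constructed for the illustration; signature-chain validation against the EU trusted lists, which the eIDAS DSS extension performs, is not shown.

```python
import re

OID_PSD2_QCSTATEMENT = "0.4.0.19495.2"   # id-etsi-psd2-qcStatement (ETSI TS 119 495)
PSD2_ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
                  "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}

# ---- minimal DER encoder, used only to build the constructed sample (values < 128 bytes) ----
def der(tag, body):
    assert len(body) < 0x80, "short-form length only in this sample encoder"
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128 groups, high bit set on all but the last
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(group))
    return der(0x06, bytes(out))

def build_qcstatements(role_oids, nca_name, nca_id):
    """QCStatements ::= SEQUENCE OF QCStatement; QcCompliance first, then the PSD2 statement."""
    roles = der(0x30, b"".join(der(0x30, der_oid(o) + der(0x0C, PSD2_ROLE_OIDS[o].encode()))
                               for o in role_oids))
    psd2 = der(0x30, roles + der(0x0C, nca_name.encode()) + der(0x0C, nca_id.encode()))
    return der(0x30, der(0x30, der_oid("0.4.0.1862.1.1"))
                     + der(0x30, der_oid(OID_PSD2_QCSTATEMENT) + psd2))

# ---- minimal DER decoder (handles long-form lengths, as real certificates need) ----
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        yield tag, value

def oid_to_str(b):
    arcs, v = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(str(v))
            v = 0
    return ".".join(arcs)

def parse_psd2_qcstatement(qcstatements_der):
    """Return (roles, nCAName, nCAId) from the PSD2 QcStatement, or raise ValueError."""
    tag, body, _ = der_read(qcstatements_der)
    if tag != 0x30:
        raise ValueError("QCStatements is not a SEQUENCE")
    for _, stmt in der_children(body):
        parts = list(der_children(stmt))          # [statementId OID, statementInfo]
        if oid_to_str(parts[0][1]) != OID_PSD2_QCSTATEMENT:
            continue                              # e.g. QcCompliance, QcType, ...
        roles_seq, nca_name, nca_id = der_children(parts[1][1])
        roles = [PSD2_ROLE_OIDS.get(oid_to_str(oid), name.decode())
                 for (_, oid), (_, name) in (der_children(r) for _, r in der_children(roles_seq[1]))]
        return roles, nca_name[1].decode(), nca_id[1].decode()
    raise ValueError("certificate carries no PSD2 QcStatement")

# ---- authorisation against a constructed register snapshot ----
# organizationIdentifier per ETSI TS 119 495: "PSD" + country + "-" + NCA id + "-" + number
ORG_ID_RE = re.compile(r"^PSD([A-Z]{2})-([A-Z0-9]{2,8})-(.+)$")
TPP_REGISTER = {                         # constructed; a live one comes from the directory feed
    "PSDGB-FCA-123456": {"status": "authorised", "roles": {"PSP_AI", "PSP_PI"}},
    "PSDGB-FCA-654321": {"status": "withdrawn", "roles": {"PSP_AI"}},
}

def authorise_tpp(org_id, qcstatements_der, requested_role):
    """Decide whether the presenting TPP may act in requested_role: returns (ok, reason)."""
    m = ORG_ID_RE.match(org_id)
    if not m:
        return False, "malformed organizationIdentifier"
    country, nca, _number = m.groups()
    try:
        cert_roles, _nca_name, nca_id = parse_psd2_qcstatement(qcstatements_der)
    except ValueError as e:
        return False, str(e)
    if nca_id != f"{country}-{nca}":      # the certificate must agree with itself
        return False, "nCAId does not match organizationIdentifier"
    entry = TPP_REGISTER.get(org_id)
    if entry is None:
        return False, "TPP not found in register"
    if entry["status"] != "authorised":   # a withdrawn TPP may still hold an unexpired certificate
        return False, f"TPP status is {entry['status']}"
    if requested_role not in cert_roles:
        return False, "certificate does not assert the requested role"
    if requested_role not in entry["roles"]:
        return False, "register does not grant the requested role"
    return True, "ok"
```

Two of the refusals matter most in practice: a TPP whose authorisation has been withdrawn can still hold an unexpired certificate, which is why the 2-hourly register refresh and the change notifications listed above are part of the check, and a certificate asserting a role the register does not grant is refused even though the certificate itself is valid.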

Personal Data Redaction

When a TPP logs in with the customer's credentials it can screen-scrape the entire content of the ASPSP website, including personal data such as name, address, contact numbers and email address. This personal data must not be shared with the TPP during screen-scraping. Banfico provides a Web Application Firewall (WAF) proxy that redacts personal data according to rules set by bank staff.

The redaction rules are built against the website design, layout and content the bank currently publishes. Should that content change, the firewall rules must be retested before the new version of the website goes live; a rule bound to markup that no longer exists stops redacting without any error.

Architecture

How it works

  • The Payment Service User (PSU) shares their credentials with the Third Party Provider (TPP)
  • The TPP connects to the MCI platform with its eIDAS certificate
  • The eIDAS certificate is validated, the TPP's authorisation is checked against the TPP directory, and access is granted to the online banking platform
  • The TPP replays the credentials on the internet banking platform
  • Once the PSU credentials are authenticated, the TPP can request pages
  • Each response page is subject to the Web Application Firewall policies, and personal data is redacted
  • Non-PSD2 pages can be restricted by the same policies
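As an added example, not Banfico's WAF: a minimal version of the policy the last two steps above describe, with a path allowlist for PSD2 resources and redaction rules applied to a constructed internet-banking page. The paths, the rules and the page markup are assumptions for the illustration. The report of rules that fired zero times is the check for the caveat in the Personal Data Redaction section: a rule bound to markup the bank has since changed stops matching, and that has to show up somewhere rather than leak quietly.

```python
import re

# Paths a TPP may reach through the MCI (assumed layout); anything else is a
# non-PSD2 page and is denied by default.
PSD2_PATHS = (
    re.compile(r"^/accounts/?$"),
    re.compile(r"^/accounts/\d+/(balances|transactions)$"),
    re.compile(r"^/payments(/\d+)?$"),
)

# Redaction rules as bank staff would express them: (name, pattern, replacement).
# The first two are bound to the bank's current markup; the last two are
# content-based and survive a layout change. The phone pattern is kept to a
# UK 11-digit shape so it cannot swallow IBANs or account numbers.
REDACTION_RULES = [
    ("customer-name", re.compile(r'(<span class="customer-name">)(.*?)(</span>)', re.S),
     r"\1[redacted]\3"),
    ("postal-address", re.compile(r"(<address[^>]*>)(.*?)(</address>)", re.S),
     r"\1[redacted]\3"),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[redacted-email]"),
    ("phone", re.compile(r"(?<!\d)(?:\+44\s?|0)\d{4}\s?\d{6}(?!\d)"), "[redacted-phone]"),
]

def is_psd2_path(path):
    """True if the requested path is one the MCI policy exposes to TPPs."""
    return any(p.match(path) for p in PSD2_PATHS)

def apply_redaction(body):
    """Run every rule over the response body; return (new_body, hits per rule)."""
    hits = {}
    for name, pattern, replacement in REDACTION_RULES:
        body, count = pattern.subn(replacement, body)
        hits[name] = count
    return body, hits

def filter_response(path, status, body):
    """Policy decision for one upstream response: deny non-PSD2 paths, redact
    personal data on allowed ones, and list rules that fired zero times so a
    changed page layout shows up in the audit trail instead of leaking."""
    if not is_psd2_path(path):
        return 403, "Forbidden: not a PSD2 resource", {"blocked": True, "hits": {}, "unmatched": []}
    redacted, hits = apply_redaction(body)
    report = {"blocked": False, "hits": hits,
              "unmatched": [name for name, count in hits.items() if count == 0]}
    return status, redacted, report

# Constructed internet-banking page standing in for an upstream response.
SAMPLE_PAGE = """<html><body>
<h1>Welcome <span class="customer-name">Jane Doe</span></h1>
<address>1 High Street, Anytown, AB1 2CD</address>
<p>Contact: <a href="mailto:jane.doe@example.com">jane.doe@example.com</a>, tel 07700 900123</p>
<table id="accounts">
<tr><td>Current account</td><td>GB29NWBK60161331926819</td><td>1,234.56 GBP</td></tr>
</table>
</body></html>"""

if __name__ == "__main__":
    status, body, report = filter_response("/accounts", 200, SAMPLE_PAGE)
    print(status, report)
    print(body)
```

Run stand-alone, the page comes back with the name, address, email and phone replaced while the IBAN and balance in the accounts table are untouched, and the report shows every rule firing at least once. Renaming the `customer-name` class in the page, as a bank redesign might, leaves the name in the output and puts that rule in `unmatched`, which is the signal that the rules need the retest the section above calls for.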