Regulation

Article 31 (PSD2 RTS) outlines the access interface options; ASPSPs can provide access:

  1. via a dedicated interface (generally understood to refer to an API-based solution)
  2. by allowing the use by [TPPs] of the interfaces used for authentication and communication with the [ASPSP's] payment service users

Article 33 (PSD2 RTS) outlines the requirements for the contingency interface.

Challenge

Banks have struggled with the complexity of the Dedicated Interface (API) and most banks have slipped the deadline. The fallback exemption criteria in the EBA guidelines have also been stringent. Considering the state of play, providing an MCI could be a tactical solution to meet PSD2 RTS compliance, either as the primary interface or as the fallback to the Dedicated Interface.

Modified Customer Interface (MCI)

Banfico can commission this interface solution, which conforms to PSD2 and GDPR regulations. We offer on-premise and cloud-based deployments. Our solution has been deployed at banks and is compliant with PSD2 RTS. We have demonstrated the solution at various webinars and have also compiled a comprehensive set of FAQs, which is available for download here.

Cost & Timeline

We can deliver in 3-5 days on our cloud platform. Contact us for pricing!

Components

  1. eIDAS and TPP Directory Service
  2. Personal Data Redaction

eIDAS & TPP Directory Service – tppWise Solution

Banfico provides a cloud-hosted SaaS service for eIDAS and TPP Directory Service. Our eIDAS solution is developed as an extension to the EU CEF eIDAS Digital Signature Service (DSS).

TPP Directory Service is powered by the PRETA / Open Banking Europe service, which is the most widely used by banks in the UK/EU. As a directory distributor, Banfico provides the same SLA as PRETA.

Key features are:

  1. Connects to all 31 member-state registers
  2. Checks for new updates every 2 hours
  3. Capable of receiving critical notifications of any change to a TPP

Personal Data Redaction

TPPs are able to screen-scrape all content of the ASPSP website when they log in using customer credentials. That content also includes personal data such as name, address, contact numbers, email address and others. This personal data is not supposed to be shared with the TPP during screen scraping. Banfico provides a Web Application Firewall (WAF) proxy which redacts personal data according to rules set by bank staff.

This solution is based on the bank's existing website design, layout and content. Should this content change, the firewall rules need to be retested before the new version of the website goes live.

Architecture

How it works

  • Payment Service Users (PSUs) share their credentials with Third Party Providers (TPPs)
  • The TPP connects to the MCI platform with its eIDAS certificate
  • The eIDAS certificate is validated and access is granted to the online banking platform
  • The TPP replays the credentials on the internet banking platform
  • Once the PSU's credentials are authenticated, the TPP can request pages
  • The response page is subject to the policies in the Web Application Firewall, and personal data is redacted
  • Non-PSD2 pages can be restricted as per the redaction policies
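The request flow above and the Personal Data Redaction section describe three checks the MCI proxy makes on every TPP request: who the TPP is (from the eIDAS certificate), whether the requested page is in PSD2 scope, and which personal data must be stripped from the response. The following Python model of that pipeline is an added example, not Banfico's code. It assumes the TLS terminator has already verified the certificate chain, so the TPP is identified only by the organizationIdentifier carried in the certificate; the directory entries, the `data-pii` template attribute, the page policy and the sample banking page are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# (1) TPP identification. The TLS terminator is assumed to have verified the
# QWAC chain and signature already; this cache stands in for the feed from
# the TPP Directory Service and maps the certificate's organizationIdentifier
# to the TPP's authorisation status and PSD2 roles. Entries are constructed.
TPP_DIRECTORY: Dict[str, dict] = {
    "PSDGB-FCA-000001": {"name": "Example AISP Ltd", "status": "active",
                         "roles": {"PSP_AI"}},
    "PSDGB-FCA-000002": {"name": "Revoked TPP Ltd", "status": "revoked",
                         "roles": {"PSP_AI", "PSP_PI"}},
}

# (2) Page policy: top-level paths in PSD2 scope and the role each needs.
# Any path not listed is a non-PSD2 page and is blocked outright.
PAGE_POLICY: Dict[str, str] = {
    "/accounts": "PSP_AI",
    "/transactions": "PSP_AI",
    "/payments": "PSP_PI",
}

# (3) Redaction rules set by bank staff: (name, pattern, replacement).
# The first rule relies on the bank tagging personal fields in its own page
# templates with a data-pii attribute (a constructed convention); this is
# why the rules must be retested whenever the website layout changes.
REDACTION_RULES: List[Tuple[str, re.Pattern, str]] = [
    ("labelled personal field",
     re.compile(r'(<[^>]*\bdata-pii="[^"]*"[^>]*>)(.*?)(</[a-z0-9]+>)', re.S),
     r"\1[REDACTED]\3"),
    ("email address",
     re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
     "[REDACTED]"),
    ("phone number",  # international format only, so IBANs are left intact
     re.compile(r"\+\d[\d\s]{8,}\d"),
     "[REDACTED]"),
]


@dataclass
class Decision:
    allowed: bool
    reason: str
    body: str = ""
    redactions: Dict[str, int] = field(default_factory=dict)


def identify_tpp(cert_org_id: str) -> Optional[dict]:
    """Map the certificate's organizationIdentifier to an active TPP record."""
    rec = TPP_DIRECTORY.get(cert_org_id)
    if rec is None or rec["status"] != "active":
        return None
    return rec


def authorise_page(rec: dict, path: str) -> Tuple[bool, str]:
    """Block non-PSD2 pages and pages the TPP's roles do not cover."""
    base = "/" + path.lstrip("/").split("/", 1)[0]
    role = PAGE_POLICY.get(base)
    if role is None:
        return False, f"{base} is outside PSD2 scope"
    if role not in rec["roles"]:
        return False, f"{base} requires role {role}"
    return True, "ok"


def redact(html: str) -> Tuple[str, Dict[str, int]]:
    """Apply every redaction rule in order and count the hits per rule."""
    counts: Dict[str, int] = {}
    for name, pattern, repl in REDACTION_RULES:
        html, n = pattern.subn(repl, html)
        if n:
            counts[name] = n
    return html, counts


def handle_request(cert_org_id: str, path: str,
                   upstream_fetch: Callable[[str], str]) -> Decision:
    """Full pipeline: identify the TPP, check page policy, fetch, redact."""
    rec = identify_tpp(cert_org_id)
    if rec is None:
        return Decision(False, "TPP not active in directory")
    ok, why = authorise_page(rec, path)
    if not ok:
        return Decision(False, why)
    body, counts = redact(upstream_fetch(path))
    return Decision(True, "ok", body, counts)


# Constructed internet-banking page standing in for the upstream response.
SAMPLE_PAGES: Dict[str, str] = {
    "/accounts": (
        '<html><body><h1>Welcome <span data-pii="name">Jane Doe</span></h1>'
        '<p>Address: <span data-pii="address">1 High Street, London</span></p>'
        "<p>Contact: jane.doe@example.com, +44 20 7946 0000</p>"
        "<table><tr><td>Current account</td><td>GB29 NWBK 6016 1331 9268 19</td>"
        "<td>1,024.50 GBP</td></tr></table></body></html>"
    ),
}

if __name__ == "__main__":
    d = handle_request("PSDGB-FCA-000001", "/accounts", SAMPLE_PAGES.__getitem__)
    print(d.reason, d.redactions)
    print(d.body)
```

The redaction counts returned with each decision are worth logging per request: a page version that ships with a renamed template field shows up as a drop in "labelled personal field" hits, which is the regression the retest before go-live is meant to catch. The template-attribute rule depends on the non-greedy match ending at the first closing tag, so fields that contain nested elements need a more specific rule.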

Different Interfaces - Background

  1. Customer Interface – the interface used by the PSU to access the banking channels electronically, namely Internet Banking, Mobile Banking or others. As per PSD2, TPPs are not allowed to access this interface through a screen-scraping mechanism.
  2. API (Dedicated) Interface – as per the PSD2 RTS mandate, provides API access to all banking facilities associated with payment accounts to TPPs, who consume them on behalf of the PSU with valid consent. Different APIs for Account Information Service Providers (AISP), Payment Initiation Service Providers (PISP) and Card Based Payment Instrument Issuers (CBPII) should be provided via this channel.
  3. Customer Interface with TPP Identification – the TPP uses the "Customer Interface" but must be eIDAS-authenticated and NCA-authorised during access. The ASPSP should also have safeguards so that only financial data is shared and not personal data, keeping the ASPSP GDPR compliant. This interface is commonly referred to as the Modified Customer Interface (MCI), but is also known as the "Fallback Interface", "Screen Scraping Plus" or "Contingency Mechanism". It can also be considered the fallback interface to the Dedicated Interface.