Article 31 (PSD2 RTS) outlines the access interface options. An ASPSP can provide access either:
1. via a dedicated interface (generally understood to mean an API-based solution), or
2. by allowing the use by [TPPs] of the interfaces used for authentication and communication with the [ASPSP's] payment service users.
Article 33 (PSD2 RTS) sets out the contingency measures (fallback interface) required where a dedicated interface is offered.
The Modified Customer Interface (MCI) enables TPPs to access the designated payment accounts of PSUs at in-scope banking entities under PSD2.
MCI gives the TPP access to a PSU's designated payment accounts via the same browser-based internet banking channel that the PSU uses to reach their accounts.
The TPP logs in with the PSU's credentials and screen-scrapes the content of the ASPSP website. Personal data must not be shared with the TPP during the screen-scraping process.
The MCI solution redacts personal data according to policies set by bank staff. It is built on the existing website design, layout and content published by the bank.
The following entities are accessible via the MCI HTTP interface:
| Entity Id | Bank/Brand | Country | Line of Business |
|---|---|---|---|
To use the MCI solution, a TPP must meet the following requirements:
– TPPs must be appropriately authorised or regulated by an EU National Competent Authority (NCA).
– TPPs must present their eIDAS certificate in order to use the MCI solution.
MCI Access Requirements
The following request headers must be passed on every request to the interface:
| Type | Name | Description |
|---|---|---|
| Request header | x-mci-access-scope | TPP access scope; possible values are AIS, PIS, CBPII |
| Request header | x-mci-access-country | Country in which the PSU's account is held; two-letter code as per ISO 3166 (e.g. GB, DE, FR) |
| Request header | x-mci-aspsp-entid | The bank operates multiple brands or divisions behind this interface; this header specifies the entity the TPP wants to access for the PSU. See the "in scope" section for the entity IDs |
| Request header | x-mci-psu-ip-addr | If the PSU is present, set to the IP address of the PSU's device |
| Request certificate | Client Certificate | eIDAS certificate of the TPP, presented as the TLS client certificate |
MCI Cookie Requirements
The MCI interface sets a cookie named MCISRV. Once set, this cookie must be passed with all subsequent requests so that the session is maintained correctly across the highly available (load-balanced) environment.
Access to Internet Banking resources
After the eIDAS validation and TPP authorisation check are complete, the bank's firewall policies redact personal information before the page is handed over to the TPP.
Access to Internet Banking resources is regulated by the scope (PIS/AIS/CoF) of the TPP request. Some resources are not accessible to the TPP where the bank has decided to restrict them, for example the "Profile Page" and "Messages". Such page requests are answered with an "Unauthorised" code and an appropriate error message.
If all requirements are met, the TPP receives the redacted HTML page from the bank. Otherwise, the TPP receives one of the following error responses:
| HTTP Code | Error Code | Error Message |
|---|---|---|
| 403 | EIDAS_FAILED_NOT_TRUSTED | Not authorised. eIDAS certificate is not trusted |
| 403 | EIDAS_FAILED_NOT_VALID | Not authorised. eIDAS certificate is not valid |
| 403 | NCA_FAILED_URN_NOT_FOUND | NCA authorisation check failed |
| 403 | NCA_FAILED_NO_ROLE_FOUND | NCA authorisation check failed – No role found |
| 403 | NCA_FAILED_NO_COUNTRY_FOUND | NCA authorisation check failed – No Country found |
| 403 | NCA_FAILED_STATUS_NOT_AUTHORISED | Resource not authorised for the scope defined |
| 403 | MANDATORY_HEADER_MISSING | One of the mandatory request headers listed above is missing |
| 403 | MANDATORY_CERT_MISSING | eIDAS certificate is missing |
| 50x | SYSTEM_ERROR | Please contact the bank and report the issue |
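The access requirements above (mandatory x-mci-* headers, the eIDAS client certificate, the MCISRV affinity cookie and the documented error codes) fit together into one client flow. The following Python client is an added example for this page, not the bank's code: it validates the headers locally before sending (so a malformed value is caught before the bank answers 403 MANDATORY_HEADER_MISSING), presents the TPP's eIDAS certificate as the TLS client certificate, replays every cookie the bank sets, and maps failures to the documented error codes. The host name, URL path, entity id and certificate file names are placeholders, and because the page does not specify an error body format, errors are classified by searching the body for the documented error-code tokens; both are assumptions.

```python
# Constructed example MCI client (added here; not the bank's code).
# Assumptions not stated on the page: host, path, entity id and certificate
# file names are placeholders; error bodies are classified by searching for
# the documented error-code tokens, since no body format is specified.
import http.client
import ipaddress
import ssl
from http.cookies import SimpleCookie

VALID_SCOPES = {"AIS", "PIS", "CBPII"}   # documented x-mci-access-scope values
SESSION_COOKIE = "MCISRV"                 # affinity cookie that must be replayed

# Error codes documented for HTTP 403; any 50x is SYSTEM_ERROR.
KNOWN_403_CODES = (
    "EIDAS_FAILED_NOT_TRUSTED", "EIDAS_FAILED_NOT_VALID",
    "NCA_FAILED_URN_NOT_FOUND", "NCA_FAILED_NO_ROLE_FOUND",
    "NCA_FAILED_NO_COUNTRY_FOUND", "NCA_FAILED_STATUS_NOT_AUTHORISED",
    "MANDATORY_HEADER_MISSING", "MANDATORY_CERT_MISSING",
)


class MciError(Exception):
    """Raised for any non-200 response; carries HTTP status and error code."""
    def __init__(self, status, code, body):
        super().__init__(f"{status} {code}: {body[:120]}")
        self.status, self.code, self.body = status, code, body


def build_headers(scope, country, entity_id, psu_ip=None):
    """Validate and assemble the mandatory x-mci-* headers before sending."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {sorted(VALID_SCOPES)}")
    # Format check only (two upper-case letters); not a full ISO 3166 lookup.
    if not (len(country) == 2 and country.isalpha() and country.isupper()):
        raise ValueError("country must be a two-letter ISO 3166 code, e.g. GB")
    if not entity_id:
        raise ValueError("entity_id is required; see the in-scope entity table")
    headers = {
        "x-mci-access-scope": scope,
        "x-mci-access-country": country,
        "x-mci-aspsp-entid": str(entity_id),
    }
    if psu_ip is not None:  # only when the PSU is present; rejects bad IPs
        headers["x-mci-psu-ip-addr"] = str(ipaddress.ip_address(psu_ip))
    return headers


def classify_error(status, body):
    """Map a failed response to one of the documented error codes."""
    if status == 403:
        for code in KNOWN_403_CODES:
            if code in body:
                return code
        return "UNKNOWN_403"
    if 500 <= status <= 599:
        return "SYSTEM_ERROR"
    return f"HTTP_{status}"


def update_cookie_jar(jar, set_cookie_headers):
    """Record cookies from Set-Cookie headers (MCISRV keeps session affinity)."""
    for raw in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(raw)
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar


def cookie_header(jar):
    """Serialise the jar for the Cookie request header (None if empty)."""
    return "; ".join(f"{k}={v}" for k, v in jar.items()) or None


class MciSession:
    """HTTPS session presenting the TPP's eIDAS certificate as the TLS client
    certificate and replaying cookies set by the bank."""
    def __init__(self, host, certfile, keyfile, port=443):
        self.host, self.port, self.jar = host, port, {}
        self.ctx = ssl.create_default_context()
        self.ctx.load_cert_chain(certfile, keyfile)  # eIDAS cert + private key

    def get(self, path, headers):
        hdrs = dict(headers)
        cookie = cookie_header(self.jar)
        if cookie:
            hdrs["Cookie"] = cookie
        conn = http.client.HTTPSConnection(self.host, self.port, context=self.ctx)
        conn.request("GET", path, headers=hdrs)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        update_cookie_jar(self.jar, [v for k, v in resp.getheaders()
                                     if k.lower() == "set-cookie"])
        conn.close()
        if resp.status != 200:
            raise MciError(resp.status, classify_error(resp.status, body), body)
        return body  # the redacted HTML page


if __name__ == "__main__":
    # Placeholder host, path, entity id and certificate files (assumptions).
    session = MciSession("mci.example-bank.test", "tpp-eidas.pem", "tpp-eidas-key.pem")
    hdrs = build_headers("AIS", "GB", "1001", psu_ip="203.0.113.7")
    try:
        print(session.get("/online-banking/accounts", hdrs)[:200])
    except MciError as err:
        print("MCI rejected the request:", err.status, err.code)
```

Only the header, error and cookie helpers run offline; the network call needs a real MCI endpoint and the TPP's certificate. Note that the pre-send check in `build_headers` rejects `CoF` as a scope value, because the header table documents `CBPII` for the confirmation-of-funds role.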
To ask a question about our open banking access provision for TPPs using the modified customer interface, please contact us at [email protected]
| Term | Definition |
|---|---|
| AISP | Account Information Service Provider |
| ASPSP | Account Servicing Payment Service Provider |
| EBA | European Banking Authority |
| eIDAS | EU Regulation (No 910/2014) that sets out rules for electronic identification and trust services |
| FCA | Financial Conduct Authority |
| MCI | Modified Customer Interface |
| NCA | National Competent Authority |
| PISP | Payment Initiation Service Provider |
| OBE | Open Banking Europe – PRETA's PSD2 directory project |
| PSD2 | Second/Revised Payment Services Directive (Directive (EU) 2015/2366) |
| PSU | Payment Services User |
| RTS | Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Open Standards of Communication |
| SS+ | Screen Scraping Plus |
| TPP | Third Party Provider |