Modified Customer Interface (MCI)

Summary Guide
Updated: 02/11/2020

PSD2 Regulation

Article 31 (PSD2 RTS) – Outlines the access interface options. ASPSPs can provide access:

1. via a dedicated interface (generally understood to refer to an API-based solution)
2. by allowing the use by [TPPs] of the interfaces used for authentication and communication with the [ASPSP’s] payment service users

Article 33 (PSD2 RTS) – Outlines the requirements for the contingency interface.

Modified Customer Interface (MCI)

The Modified Customer Interface (MCI) enables TPPs to access the designated payment accounts of PSUs for in-scope banking entities under PSD2.

MCI enables a TPP to access a PSU’s dedicated payment accounts via the browser-based internet banking channel that the PSU uses to access their accounts.

A TPP is able to screen-scrape all content of the ASPSP website when it logs in using customer credentials. Personal data are not supposed to be shared with the TPP during the screen-scraping process.

The MCI solution redacts personal data based on policies set by bank staff. This solution is based on the existing website design, layout and contents published by the bank.

In Scope Entities

The following entities are accessible via the MCI HTTP interface:

| Entity Id | Bank/Brand | Country | Line of Business |
|---|---|---|---|
| WSW-GBRTL | WeSwap | GB | Retail Banking |

TPP Requirements

To use the MCI solution, a TPP must have completed or be aware of the following:

– TPPs must be appropriately authorized or regulated by an EU National Competent Authority (NCA)
– TPPs will be required to present their eIDAS certificates in order to use the MCI solution

MCI Access Requirements

The following request headers must be passed when accessing the interface:

| Type | Value | Description |
|---|---|---|
| Request Header | x-mci-access-scope | TPP access scope – possible values are AIS, PIS, CBPII |
| Request Header | x-mci-access-country | Country code where the PSU account is based; 2 letters as per the ISO 3166 standard (e.g. GB, DE, FR) |
| Request Header | x-mci-aspsp-entid | The bank operates multiple brands or multiple divisions with this interface. This header specifies the entity that the TPP wants to access for a PSU. See the “In Scope Entities” section for details on entity ids |
| Request Header | x-mci-psu-ip-addr | If the PSU is present, this needs to be set to the IP address of the PSU’s device |
| Request Cert | Client Certificate | eIDAS Certificate of the TPP |

MCI Cookie Requirements

The MCI interface sets a cookie with the name MCISRV. Once this cookie is set, it must be passed along with subsequent requests so that sessions are maintained properly in the high-availability environment.

Access to Internet Banking resources

After the eIDAS validation and TPP authorisation check are complete, bank firewall policies redact personal information before the content is handed over to the TPP.

Access to Internet Banking resources is regulated based on the scope (PIS/AIS/CoF) of the TPP request. Some resources will not be accessible to the TPP where the bank decides to restrict them, for example “Profile Page” and “Messages”. Requests for such pages receive an “Unauthorised” response code with an appropriate error message.

MCI Response

If all requirements are met, the TPP will be able to access the redacted HTML page from the bank. Otherwise the TPP will receive one of the following error responses:

| HTTP Code | Error Code | Error Message |
|---|---|---|
| 403 | EIDAS_FAILED_NOT_TRUSTED | Not authorised. eIDAS certificate is not trusted |
| 403 | EIDAS_FAILED_NOT_VALID | Not authorised. eIDAS certificate is not valid |
| 403 | NCA_FAILED_URN_NOT_FOUND | NCA authorisation check failed |
| 403 | NCA_FAILED_NO_ROLE_FOUND | NCA authorisation check failed – No role found |
| 403 | NCA_FAILED_NO_COUNTRY_FOUND | NCA authorisation check failed – No Country found |
| 403 | NCA_FAILED_STATUS_NOT_AUTHORISED | Resource not authorised for the scope defined |
| 403 | MANDATORY_HEADER_MISSING | If any of the above access requirement headers is missing |
| 403 | MANDATORY_CERT_MISSING | If eIDAS certificate is missing |
| 50x | SYSTEM_ERROR | Please contact the bank and inform about the issue. |
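
The access, cookie and response requirements above, as a TPP-side pre-flight example added here (not code from the bank): it validates the documented headers before a request is sent, extracts the MCISRV cookie for replay, and groups the documented error codes. The function names and action labels are hypothetical, and this page does not specify how the error code is carried in the response, so it is passed in as a string.

```python
import ipaddress
import re
from http.cookies import SimpleCookie

# Assumption: helper names and action labels are illustrative, not part of MCI.
SCOPES = {"AIS", "PIS", "CBPII"}  # documented values of x-mci-access-scope

def build_mci_headers(scope, country, entity_id, psu_ip=None, mcisrv=None):
    """Validate inputs locally and return the MCI request headers."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}")
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be a 2-letter ISO 3166 code, e.g. GB")
    if not entity_id:
        raise ValueError("entity id is required (see In Scope Entities)")
    headers = {
        "x-mci-access-scope": scope,
        "x-mci-access-country": country,
        "x-mci-aspsp-entid": entity_id,
    }
    if psu_ip is not None:  # only sent when the PSU is present
        headers["x-mci-psu-ip-addr"] = str(ipaddress.ip_address(psu_ip))
    if mcisrv is not None:  # replay the session cookie on later requests
        headers["Cookie"] = f"MCISRV={mcisrv}"
    return headers

def extract_mcisrv(set_cookie_values):
    """Return the MCISRV value from Set-Cookie header values, or None."""
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        if "MCISRV" in jar:
            return jar["MCISRV"].value
    return None

def classify_error(http_code, error_code):
    """Group a documented error code by what the TPP has to do about it."""
    if http_code >= 500 or error_code == "SYSTEM_ERROR":
        return "contact-bank"
    if error_code.startswith("EIDAS_FAILED_") or error_code == "MANDATORY_CERT_MISSING":
        return "fix-certificate"
    if error_code == "NCA_FAILED_STATUS_NOT_AUTHORISED":
        return "scope-not-permitted"
    if error_code.startswith("NCA_FAILED_"):
        return "check-nca-registration"
    if error_code == "MANDATORY_HEADER_MISSING":
        return "fix-request-headers"
    return "unknown"
```

The eIDAS client certificate is presented at the TLS layer by the HTTP client and is therefore not part of the header set built here.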

Contact us

To ask a question about our open banking access provision for TPPs using the modified customer interface, please contact us at [email protected]

Glossary

| Term | Definition |
|---|---|
| AISP | Account Information Service Provider |
| ASPSP | Account Servicing Payment Service Provider |
| EBA | European Banking Authority |
| eIDAS | EU Regulation that sets out rules for electronic identification and trust services |
| FCA | Financial Conduct Authority |
| MCI | Modified Customer Interface |
| NCA | National Competent Authority |
| PISP | Payments Initiation Service Provider |
| OBE | Open Banking Europe – PRETA’s PSD2 directory project |
| PSD2 | Second/Revised Payment Services Directive (Directive (EU) 2015/2366) |
| PSU | Payment Services User |
| RTS | Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication |
| SS+ | Screen Scraping Plus |
| TPP | Third Party Provider |