Under the Revised Payment Services Directive [PSD2], Account Servicing Payment Service Providers (ASPSPs) are required to grant Third Party Payment Service Providers (TPPs), subject to the requirements of the PSD2 and the RTS, access to the bank accounts of their customers (Payment Service Users, PSUs).
For this purpose, ASPSPs implement dedicated interfaces through which TPPs access the ASPSP's administration system and, thereby, the PSU bank accounts.
The dedicated interface not only allows the ASPSP to identify the accessing TPP by its certificate, but also provides a secure access environment that protects PSU data.
With respect to the dedicated interface's performance and availability, the EBA asks ASPSPs to monitor both and to provide contingency (fallback) mechanisms in case the dedicated interface is unavailable.
Therefore, in agreement with the regulator, a fallback mechanism is temporarily made available by BankName until the dedicated APIs are in place.
The proposed fallback solution allows TPPs to use a new "secure" domain (Guestbook) provided by BankName.
This additional service carries out the regulatory controls required by the EBA before redirecting the TPP to BankName's Home Banking site.
These controls are:
- TLS 1.2 mutual authentication (MA) negotiated with the TPP on each exchange
- Check that the issuing CA is a qualified trust service provider (QTSP) listed on the EU Trusted List
- Check against the QTSP's Certificate Revocation List (CRL) that the certificate has not been revoked
Prior to each session it initiates, the TPP must call the fallback solution so that these controls can be performed. All such verification requests are stored and tracked by the dedicated service of this new sub-domain.
For auditing purposes, a unique identifier is generated for each request and associated with the caller's (TPP's) IP address and the caller's Common Name (CN). The role of the TPP is also collected and tracked in the audit trail.
Once all checks have been carried out and validated by the bank's verification service, the TPP is redirected to the Home Banking site (using an HTTP 30x redirect) and can perform "web scraping" on the HTML content as it does today.
It is the responsibility of the TPP to respect the fallback process. BankName will be able to identify fraudulent TPPs as those offering connections to the bank's service without appearing in the audit trail of the fallback solution.
The fallback session is represented by the unique identifier sent to the bank, which identifies the session; the TPP must therefore retain it.
Communication between the TPP and the fallback solution is always secured by a mutually authenticated TLS connection, using TLS version 1.2, initiated by the TPP.
The TLS connection must always be established with client (i.e. TPP) authentication.
For this authentication the TPP has to use a qualified certificate for website authentication (QWAC), which has to be issued by a qualified trust service provider in accordance with the eIDAS regulation and has to be issued from a production CA.
The content of the certificate has to comply with the requirements of the EBA RTS and follow the ETSI TS 119 495 V1.2.1 (2018-11) technical specification.
For security and auditing purposes, the bank requires the client certificate to be presented with each request.
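The following is an added example, not BankName's code, showing what the controls listed above (trusted-list issuer check, CRL check, per-request audit record) and the mutual TLS 1.2 requirement look like on the bank's side of the fallback service. It is written in Go against the standard library only. Assumptions of this example: the EU Trusted List has already been loaded out of band into an x509.CertPool; the QTSP's CRL is available as DER bytes; the TPP role is passed in as a string (a real QWAC carries it in the PSD2 QCStatement of ETSI TS 119 495, which is not parsed here); and NewDemoPKI builds a constructed QTSP with one valid and one revoked TPP certificate so the code runs offline. Names such as FallbackVerifier, AuditRecord and DemoPKI are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// AuditRecord is one audit-trail entry: unique request id, caller IP, certificate CN, TPP role.
type AuditRecord struct {
	ID, CallerIP, CN, Role string
	At                     time.Time
}
// FallbackVerifier: trust anchors from the EU Trusted List (assumed loaded out of band) plus the QTSP's CRL (DER).
type FallbackVerifier struct {
	TrustedList *x509.CertPool
	CRLDER      []byte
}
// TLSConfig is the listener side of the requirement: TLS 1.2 as the floor, and a client (TPP) certificate
// required on every connection and verified against the trusted list. (A real listener also sets Certificates.)
func (v *FallbackVerifier) TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: v.TrustedList}
}
// Verify applies the three controls to the presented QWAC and, on success, returns the audit record. The role
// is passed in (an assumption of this example); a real QWAC carries it in the PSD2 QCStatement of ETSI TS 119 495.
func (v *FallbackVerifier) Verify(leaf *x509.Certificate, callerIP, role string, now time.Time) (AuditRecord, error) {
	// Control: the issuing CA must chain to a trust anchor from the trusted list.
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: v.TrustedList, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil || len(chains[0]) < 2 {
		return AuditRecord{}, fmt.Errorf("issuer not on EU Trusted List: %v", err)
	}
	// Control: the certificate must not appear in the QTSP's CRL. The CRL is trusted only after its
	// signature by the issuing CA is checked and it is confirmed not to be past NextUpdate.
	crl, err := x509.ParseRevocationList(v.CRLDER)
	if err == nil {
		err = crl.CheckSignatureFrom(chains[0][1])
	}
	if err != nil {
		return AuditRecord{}, fmt.Errorf("CRL rejected: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return AuditRecord{}, fmt.Errorf("CRL is stale (NextUpdate %v): refuse rather than guess", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return AuditRecord{}, fmt.Errorf("certificate serial %v revoked by the QTSP", rc.SerialNumber)
		}
	}
	// Unique identifier for the audit trail, associated with the caller's IP, CN and role.
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil { return AuditRecord{}, err }
	return AuditRecord{ID: hex.EncodeToString(id), CallerIP: callerIP, CN: leaf.Subject.CommonName, Role: role, At: now}, nil
}
// DemoPKI is a constructed stand-in for a QTSP: a CA that is the only entry on the "trusted list",
// one valid and one revoked TPP certificate it issued, and the CRL it signed listing the latter.
type DemoPKI struct {
	TrustedList    *x509.CertPool
	Valid, Revoked *x509.Certificate
	CRLDER         []byte
}
func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
func NewDemoPKI() DemoPKI {
	now, year := time.Now(), 365*24*time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo QTSP CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(year), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	newLeaf := func(serial int64, cn string) *x509.Certificate {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(year), KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		return mustCert(t, ca, &k.PublicKey, caKey)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	revoked := newLeaf(1002, "tpp-revoked.example")
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), // after NextUpdate the CRL must not be relied on
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	if err != nil { panic(err) }
	return DemoPKI{TrustedList: pool, Valid: newLeaf(1001, "tpp-good.example"), Revoked: revoked, CRLDER: crlDER}
}
```

To exercise it, build the fixture with NewDemoPKI(), construct a FallbackVerifier from its TrustedList and CRLDER, and call Verify with pki.Valid (accepted, audit record returned), pki.Revoked (rejected by the CRL), a clock beyond the CRL's NextUpdate (rejected as stale) or an empty CertPool (rejected as not on the trusted list). Two points worth noting from the code: a CRL is only evidence after its own signature and freshness are checked, and a stale CRL is a refusal, not a pass; and the audit identifier is generated before the HTTP 30x redirect, so the record exists even if the TPP never completes the session.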
URL of the fallback solution exposed by BankName: fallBackUrl