General purpose

Under the Revised Payment Services Directive (PSD2), Account Servicing Payment Service Providers (ASPSPs) are required to grant Third Party Payment Service Providers (TPPs), subject to the requirements of the PSD2 and the RTS, access to the bank accounts of their customers (Payment Service Users, PSUs).
For this purpose, Axa bank implements dedicated interfaces through which TPPs access the ASPSP's administration system and, thus, the PSU bank accounts.
The dedicated interface not only allows Axa bank to identify the TPP by its certificate, but also provides a secure access environment that protects PSU data.
With respect to the dedicated interface's performance and availability, the EBA asks ASPSPs to monitor both and to provide contingency (fallback) mechanisms in case the dedicated interface is unavailable.
Therefore, in agreement with the regulator, Axa bank temporarily makes a fallback mechanism available until the dedicated APIs are in place.

Description

The proposed fallback solution consists of a secured proxy service that carries out the regulatory controls required by the EBA before redirecting the TPP to the Axa bank Home Banking site. These controls are:

  • TLS 1.2 mutual authentication (MA) with the TPP during each exchange
  • Verification that the certificate's CA is an official QTSP on the EU Trusted List
  • Verification that the certificate has not been revoked by the QTSP, via its Certificate Revocation List (CRL)
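The three controls above, written out as the proxy side would apply them. This is an added example, not Axa bank's code: the TLS context enforces mutual authentication with TLS 1.2 as a floor and CRL checking of the client certificate, and `check_tpp_certificate` applies the Trusted List and revocation policy to the certificate dictionary that Python's `ssl` module returns after a successful handshake. The trusted-list entries, the CRL extract, the sample certificate and its issuer names are constructed placeholders; a real proxy loads them from the official EU Trusted List and from the QTSP's published CRL.

```python
"""Proxy-side regulatory controls for the PSD2 fallback: TLS 1.2 mutual
authentication, issuer on the EU Trusted List, certificate not revoked.
Added example, not Axa bank's code; the trusted list and CRL extract below
are constructed stand-ins for data a real proxy would load from the official
EU Trusted List and from the QTSP's published CRL."""
import ssl
from datetime import datetime, timezone

# Constructed stand-in for the EU Trusted List, keyed by issuer name in the
# order ssl.SSLSocket.getpeercert() reports it (see rdn_to_string).
TRUSTED_QTSP_ISSUERS = {
    "countryName=FR,organizationName=Example QTSP,commonName=Example QTSP Production CA",
}

# Constructed CRL extract: issuer name -> revoked serial numbers (upper-case hex).
REVOKED_SERIALS = {
    "countryName=FR,organizationName=Example QTSP,commonName=Example QTSP Production CA": {"0A1B2C"},
}

# Constructed client certificate in getpeercert() dict form (placeholder names).
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "FR"),), (("organizationName", "Example TPP"),),
                (("commonName", "tpp.example"),)),
    "issuer": ((("countryName", "FR"),), (("organizationName", "Example QTSP"),),
               (("commonName", "Example QTSP Production CA"),)),
    "serialNumber": "1F2E3D",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def build_proxy_tls_context(ca_bundle=None, crl_file=None, server_cert=None, server_key=None):
    """Server-side TLS context: TLS 1.2 or higher, client certificate required
    (control 1), and the leaf certificate checked against loaded CRLs (control 3).
    File arguments are optional so the policy can be inspected without
    certificate material on disk; a live proxy must load all of them, because
    VERIFY_CRL_CHECK_LEAF makes the handshake fail when no CRL is loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # QTSP issuing CAs only
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)    # CRLs are loaded the same way
    if server_cert:
        ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    return ctx


def rdn_to_string(name):
    """Flatten the nested tuples getpeercert() uses for subject/issuer names."""
    return ",".join(f"{key}={value}" for rdn in name for key, value in rdn)


def check_tpp_certificate(peercert, now=None):
    """Apply the policy checks to a client certificate that already passed the
    TLS handshake (peercert is what SSLSocket.getpeercert() returns; it is only
    populated when verify_mode is CERT_REQUIRED or CERT_OPTIONAL).
    Returns (accepted, reason); the reason is what the audit trail records."""
    now = now or datetime.now(timezone.utc)
    if not peercert:
        return False, "no client certificate presented"
    issuer = rdn_to_string(peercert["issuer"])
    if issuer not in TRUSTED_QTSP_ISSUERS:                     # control 2
        return False, f"issuer not on EU Trusted List: {issuer}"
    serial = peercert.get("serialNumber", "").upper()
    if serial in REVOKED_SERIALS.get(issuer, set()):           # control 3, policy layer
        return False, f"certificate {serial} revoked by its QTSP"
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(peercert["notBefore"]):
        return False, "certificate not yet valid"
    if ts > ssl.cert_time_to_seconds(peercert["notAfter"]):
        return False, "certificate expired"
    return True, "ok"
```

The revocation check appears twice on purpose: the TLS layer rejects a revoked leaf during the handshake when a current CRL is loaded, and the policy layer repeats the check against its own CRL extract so that a stale or missing CRL file cannot silently turn the control off.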

TPPs are required to register with the secured proxy service prior to each session (each AIS and PIS request initiation) so that these regulatory controls can be performed.
A fallback session is represented by a unique identifier (called REQUEST_ID), provided by the secured proxy service, which identifies the session. The REQUEST_ID is valid for 10 minutes; the TPP must persist it on its side and provide it in the scraping request. A session is defined as follows:

  • AIS: account consultation initialization transaction; a session is a scraping period of at most 10 minutes
  • PIS: payment initiation workflow; a session is defined for each payment transaction

For auditing purposes, Axa bank tracks the unique REQUEST_ID linked to the TPP.
All these verification requests are stored and tracked by the secured proxy service. Once all checks have been carried out and validated by the bank's verification service, the TPP is redirected to the Home Banking site (using an HTTP 30X redirect) and can perform web scraping on the HTML content as it does today.
It is the responsibility of the TPP to:

  • Respect the fallback process and the RTS (including the limit of 4 AIS workflows without PSU involvement in any 24-hour period).
  • Scrape only the payment accounts for which the PSU has given consent. The TPP is not allowed to scrape the PSU's other accounts.
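The two obligations the page places on the TPP side, persisting the REQUEST_ID for at most 10 minutes and staying within 4 unattended AIS sessions per 24 hours, as a small bookkeeping module. This is an added example, not Axa bank's code nor any TPP's: the page does not specify the REQUEST_ID format, so `issue_request_id_stub` stands in for the identifier the proxy returns, and `psu_ref` is an assumed TPP-internal reference to the customer.

```python
"""TPP-side bookkeeping for fallback sessions: persist the REQUEST_ID the
proxy issued, refuse to reuse it after its 10-minute validity, and refuse to
start a fifth AIS session without the PSU within 24 hours.
Added example, not Axa bank's or any TPP's code; issue_request_id_stub stands
in for the identifier the real proxy returns, whose format the page does not
specify."""
import secrets
from datetime import datetime, timedelta, timezone

REQUEST_ID_TTL = timedelta(minutes=10)   # validity stated for REQUEST_ID
MAX_UNATTENDED_AIS_PER_WINDOW = 4        # RTS limit quoted on the page
UNATTENDED_WINDOW = timedelta(hours=24)


def issue_request_id_stub():
    """Stand-in for the proxy's REQUEST_ID (assumption: an opaque, unguessable token)."""
    return secrets.token_urlsafe(24)


class TppFallbackSessionStore:
    def __init__(self):
        self._sessions = {}        # REQUEST_ID -> session record
        self._unattended_ais = {}  # psu_ref -> start times of AIS sessions without the PSU

    def may_start_unattended_ais(self, psu_ref, now):
        """True while fewer than 4 unattended AIS sessions began in the last 24 h."""
        recent = [t for t in self._unattended_ais.get(psu_ref, []) if now - t < UNATTENDED_WINDOW]
        self._unattended_ais[psu_ref] = recent   # drop entries older than the window
        return len(recent) < MAX_UNATTENDED_AIS_PER_WINDOW

    def record_session(self, request_id, kind, psu_ref, psu_present, now=None):
        """Persist a REQUEST_ID obtained from the proxy. Raises PermissionError
        when starting the session would exceed the unattended-AIS limit, so the
        TPP never registers a session it is not allowed to run."""
        now = now or datetime.now(timezone.utc)
        if kind not in ("AIS", "PIS"):
            raise ValueError(f"unknown session kind {kind!r}")
        if kind == "AIS" and not psu_present:
            if not self.may_start_unattended_ais(psu_ref, now):
                raise PermissionError(f"4 unattended AIS sessions for {psu_ref} in the last 24 h")
            self._unattended_ais.setdefault(psu_ref, []).append(now)
        self._sessions[request_id] = {"kind": kind, "psu_ref": psu_ref,
                                      "psu_present": psu_present, "issued_at": now}

    def check_request_id(self, request_id, now=None):
        """Decide whether a stored REQUEST_ID may still accompany a scraping
        request. Returns (usable, reason)."""
        now = now or datetime.now(timezone.utc)
        record = self._sessions.get(request_id)
        if record is None:
            return False, "unknown REQUEST_ID"
        age = now - record["issued_at"]
        if age > REQUEST_ID_TTL:
            return False, f"REQUEST_ID expired {age - REQUEST_ID_TTL} ago; register a new session"
        return True, "ok"
```

The unattended-AIS counter is keyed per PSU and counts session starts, so an AIS session in which the PSU is present and a PIS session never consume the allowance; an expired REQUEST_ID is reported with how far past its validity it is, which is the detail worth logging when a scraping request is refused.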

Axa bank will be able to identify fraudulent TPPs, i.e. TPPs offering connections to the bank's service without appearing in the audit trail of the fallback solution.

Strong Customer Authentication mechanism on fallback interface

Customers who own a valid mobile phone number and who last completed strong authentication more than 90 days ago, or who are connecting for the first time, must complete strong authentication to access their client web space.

Customers’ connection link: https://connect.axa.fr/

Customers enter their ID and password.

C1. Customer experience 1: first connection or SCA > 90 days, with a mobile number registered

The customer is invited to enter the 6-digit OTP code received on their mobile phone.

If the code is correct, they can connect to their client web space.

If the code is incorrect, an error message is displayed.

Customers can get more information on the PSD2 Directive and SCA by clicking the CTA « Plus d'informations sur l'authentification renforcée ».

Customer experience 2: customer has no mobile phone registered

A pop-up message informs the customer that a mobile phone number is needed to receive the OTP code by SMS and access their accounts.

C2. Customer experience 2: first connection or SCA > 90 days, with no mobile number registered

The customer cannot connect to the bank web site. To update their mobile phone number, the customer clicks « Mettre à jour mon n° de mobile » and is sent to the « j'envoie un email » menu to follow the mobile phone number update process.

C3. Customer experience 3: connection with SCA < 90 days

How to connect to the fallback solution

The URL of the secured proxy service exposed by Axa bank is: https://psd2-fallback.axabanque.fr/

Communication between the TPP and the secured proxy service is always secured with a mutually authenticated TLS connection, using TLS version 1.2, initiated by the TPP.
The TLS connection must always be established with client (i.e. TPP) authentication.
For this authentication the TPP must use a qualified certificate for website authentication (QWAC), issued by a qualified trust service provider in accordance with the eIDAS regulation and issued from a production CA (Certificate Authority).
The content of the certificate must comply with the requirements of the EBA RTS and follow the ETSI TS 119 495 V1.2.1 (2018-11) technical specification.
For security and auditing purposes, the bank requires the client certificate to be presented with each request.

Example of request / response:
The TPP has to call the fallback URL with a valid QWAC certificate.

# Client QWAC presented with --cert/--key; server certificate verification is left enabled (no -k)
curl -vvv --cert PUBLIC_QWAC_KEY.cer --key PRIVATE_QWAC_KEY.key https://psd2-fallback.axabanque.fr/
* Rebuilt URL to: https://psd2-fallback.axabanque.fr/
* …
* Server certificate: Axa bank certificate (QWAC)
* …
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: psd2-fallback.axabanque.fr
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< …
< Location: Here URL of Axa bank home banking website
< …
<html>
<head><title>302 Found</title></head>
<body>

</body>
</html>
* Connection #0 to host psd2-fallback.axabanque.fr left intact
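The same exchange from the TPP side in Python, as an added example that is not Axa bank's code: the client context presents the QWAC, keeps server certificate and hostname verification on (the equivalent of not passing `-k` to curl), and the 30X answer is validated before it is followed rather than being followed blindly. The proxy host is the one given on the page; the redirect allow-list (built from the customer connection host on the page), the certificate file names and `register_fallback_session` are assumptions.

```python
"""TPP-side call to the fallback proxy: present the QWAC as client certificate,
verify the proxy's own certificate, and validate the 30X redirect before
following it. Added example, not Axa bank's code. psd2-fallback.axabanque.fr
is the proxy URL given on the page; the redirect allow-list, the file names
and register_fallback_session are assumptions."""
import http.client
import ssl
from urllib.parse import urlsplit

FALLBACK_HOST = "psd2-fallback.axabanque.fr"
# Assumption: the proxy only ever redirects to the customer connection host
# named on the page. A TPP should keep this list explicit rather than follow
# any Location header it receives.
ALLOWED_REDIRECT_HOSTS = {"connect.axa.fr"}


def build_tpp_client_context(qwac_cert=None, qwac_key=None, qtsp_ca_bundle=None):
    """Client-side TLS context: TLS 1.2 minimum, server certificate and hostname
    verified, QWAC presented for mutual authentication. Paths are placeholders;
    they are optional only so the policy can be inspected without key material."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if qtsp_ca_bundle:
        # Trust anchor for the proxy's QWAC when its QTSP is not in the system store.
        ctx.load_verify_locations(cafile=qtsp_ca_bundle)
    if qwac_cert:
        ctx.load_cert_chain(certfile=qwac_cert, keyfile=qwac_key)
    return ctx


def redirect_target(status, headers, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Validate the proxy's answer: it must be a 30X with an https Location on
    an allowed host. headers is a list of (name, value) pairs as returned by
    HTTPResponse.getheaders(). Returns the URL to follow or raises ValueError."""
    if not 300 <= status < 400:
        raise ValueError(f"expected a 30X redirect from the proxy, got {status}")
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if not location:
        raise ValueError("redirect without Location header")
    parts = urlsplit(location)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https redirect target {location}")
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"refusing redirect to unexpected host {parts.hostname}")
    return location


def register_fallback_session(ctx, host=FALLBACK_HOST):
    """Perform the GET shown in the curl example and return the validated
    redirect target. Needs a real QWAC and network access, so it is not part
    of the offline checks."""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=15)
    try:
        conn.request("GET", "/", headers={"Accept": "*/*"})
        resp = conn.getresponse()
        return redirect_target(resp.status, resp.getheaders())
    finally:
        conn.close()
```

A rejected redirect (wrong status, missing Location, plain http, or an unexpected host) is raised as a ValueError so that it surfaces in the TPP's logs instead of being followed; the TPP's REQUEST_ID bookkeeping happens around this call once the proxy has issued the identifier.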