Andbank

Andbank XS2A (Berlin Group)

Version:  1.13220190215.037.005
State:  Prototyped
Environment: Sandbox
Base URI: https://bacalull-psd2api-sbx.luxhub.com/bg/v1
Authorization Endpoint: https://bacalull-cb-sbx.luxhub.com/api/oauth/authorize
Token Endpoint: https://bacalull-psd2api-sbx.luxhub.com/api/oauth/token
Categories: PSD2
Passport :

Funds Confirmation Services (CBPII)

All APIs are protected by OAuth2 authorization. To receive authorization and access tokens, the PSU has to give consent for the application to access his resources; in the case of funds confirmation services, this means confirmation of funds on accounts. The TPPs that are allowed to provide funds confirmation services according to PSD are called Card Based Payment Instrument Issuers (CBPII). This particular flow is normally, but not only, used for card accounts, to confirm funds before payment.

Consent

According to the PSD2 directive, the PSU has to give his consent for a TPP to be able to access the funds confirmation services API. However, it is not exactly specified how this should be done. It is further assumed, based on current industry practices, that a valid way of giving consent might be out of band, i.e. based on an agreement between TPP, PSU and bank outside of the scope of the API.

STET specification

Taking into account the generic consideration above regarding consent, the STET specification allows funds confirmation consent to be given in two distinct ways:

  • via an out-of-band agreement between TPP, PSU and bank, where the bank has a record of the PSU consent for the respective TPP and, based on this, a Client Credentials OAuth2 flow is allowed. It is entirely up to the bank to verify that such an out-of-band consent exists and that it is authorized by the respective PSU for the respective TPP. If this option is used, LUXHUB will allow funds confirmation endpoint access for ALL registered TPPs via the Client Credentials Grant, and it is up to the ASPSP to restrict access according to the existing authorized consent.
  • via a dedicated API authorization scope, i.e. a dedicated OAuth2 authorize request has to be made by the TPP, as part of the Authorization Code grant. The scope requested should be "cbpii". In this approach the PSU will be able to authorize the consent for funds confirmation using SCA, in a flow similar to the one for account information services consent. Please note that the CBPII consent is not to be mixed with AISP consent, neither business-wise nor technically, as in OAuth2 scopes.

LUXHUB supports both approaches described above; please refer to the diagram below for details.

Berlin Group specification

The Berlin Group specification considers, in its current (1.3) implementation, the consent for funds confirmation services as out of scope for the XS2A API. Therefore, the only approach supported is the one based on the Client Credentials flow, and this is not part of the Berlin Group specifications.

However, recognizing the market's need, LUXHUB also supports an approach similar to the one supported by the STET specification, based on a dedicated scope for funds confirmation services consent and the Authorization Code grant. The scope requested should be "PIIS". In this approach, the PSU will be able to authorize the consent for funds confirmation using SCA, within a flow similar to the one for account information services consent. Please note that the CBPII consent is not to be mixed with AISP consent, neither business-wise nor technically, as in OAuth2 scopes.

Please refer to the diagram above for details; it is of note that the technical scope used is named "PIIS" in the case of the Berlin Group implementation, as opposed to "cbpii" in the case of STET.

Furthermore, please note that with this type of flow only consent for funds confirmation for ALL eligible accounts is possible, not consent for a specific account. The same is valid for the STET standard as described above.
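The access decision an ASPSP has to make for the two consent options described in the STET and Berlin Group sections above can be sketched as follows. This is an added example, not LUXHUB or Andbank code: the `Token` model, the function name, the shape of the consent record and the exact-match scope policy are assumptions; only the scope names "cbpii" and "PIIS" come from this page.

```python
from dataclasses import dataclass
from typing import Optional

# Scope names are taken from the page; everything else is a hypothetical model.
CBPII_SCOPES = {"stet": "cbpii", "berlin-group": "PIIS"}

@dataclass(frozen=True)
class Token:
    tpp_id: str
    grant: str                    # "client_credentials" or "authorization_code"
    scopes: frozenset
    psu_id: Optional[str] = None  # set only when a PSU authorized with SCA

def authorize_funds_check(token, standard, account_owner, oob_consents):
    """Return (allowed, reason) for a funds confirmation call on an account
    owned by `account_owner`. `oob_consents` is the bank's own record of
    out-of-band consents, modelled as a set of (tpp_id, psu_id) pairs."""
    if token.grant == "client_credentials":
        # Every registered TPP is admitted on this grant, so the ASPSP
        # must find an out-of-band consent for this TPP and this PSU.
        if (token.tpp_id, account_owner) in oob_consents:
            return True, "out-of-band consent on record"
        return False, "no out-of-band consent for this TPP and PSU"
    if token.grant == "authorization_code":
        required = CBPII_SCOPES[standard]
        # Assumed policy: the token carries the funds confirmation scope
        # and nothing else, so CBPII consent is never mixed with AISP.
        if token.scopes != {required}:
            return False, f"token scope must be exactly {required!r}"
        if token.psu_id != account_owner:
            return False, "account does not belong to the consenting PSU"
        # Consent covers ALL eligible accounts of the PSU, not a chosen one.
        return True, "PSU consent given with SCA"
    return False, "unsupported grant type"

if __name__ == "__main__":
    # Constructed sample data.
    consents = {("tpp-1", "psu-A")}
    cc = Token("tpp-2", "client_credentials", frozenset())
    ac = Token("tpp-1", "authorization_code", frozenset({"PIIS"}), "psu-A")
    print(authorize_funds_check(cc, "berlin-group", "psu-A", consents))
    print(authorize_funds_check(ac, "berlin-group", "psu-A", consents))
```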

Berlin Group v2 API

Recently Berlin Group published the so-called "Extended value-added services" documentation, which includes a proposal for handling consent for funds confirmation via a dedicated API. However, the API specification for this is still under review and no reliable version has been published.

As such, very few LUXHUB API providers have implemented this version 2 API from Berlin Group. Please refer to the documentation above for details of the functionality. In a nutshell, the flow is very similar to the one for Accounts Information Services consent, but with a consent request data structure closer to payment initiation, i.e. the actual account for which the funds confirmation consent request is received is included in the request body. There is, of course, a dedicated OAuth2 scope for this purpose, i.e. PIS for the Client Credentials Grant to obtain a consent and, respectively, PIIS: for the Authorization Code grant for consent authorization, where the consent identifier is obtained as a result of the preceding POST /consents/funds-confirmation request.

 
