INTERFACES AND SCA
PSD2 requires that consumers can access their payment accounts through ‘third parties’. These third parties must communicate securely with the Account Servicing PSP via a secure interface. The secure interface is often considered to be an API, that is provided by the ASPSP. There is concern that if every bank, or ASPSP provides its own API, then this will lead to fragmented landscape with no harmonisation about the main qualities of the API, i.e.:
- The security model
- The architecture of the API
- The content of the data fields
- The functionality provided by the API
Just as there is security provided between the TPP and the ASPSP, there must also be the security model that exists between the ASPSP, and the Customer (PSU) who owns the account, particularly when Strong Customer Authentication (SCA) is used.
The way that the API incorporates the customer SCA affects the liability model, the user experience at the TPP, the technical design of the API.
Open Banking Europe is supporting other organisations that are working on the API and SCA interactions, and have published guidance as to how banks could or should build their APIs. The following are those that have publicly announced standards or frameworks for building Bank APIs, although there are a few other organisations that are working on national solutions.
- Berlin Group: https://www.berlin-group.org/psd2-access-to-bank-accounts
- The French banking community through their clearing system Stet: https://www.stet.eu/en/psd2/
- UK Open Banking: https://www.openbanking.org.uk/