Audience

This section applies to TPPs that are fully licensed by their national supervisory authority as AISP and/or PISP and thus must use their own Certificates and Client Credentials to access the ASPSP APIs.

Purpose

This section describes how fully licensed TPPs can use finAPI Access PSD2 to access ASPSP APIs using their own eIDAS TPP Certificates and Client Credentials, which are required by ASPSPs.

For the description of how eIDAS TPP Certificates can be obtained, please refer to the requirements of EBA-RTS, ETSI TS 119 495 V1.2.1 (2018-11) technical specification and the list of qualified trust service providers according to the eIDAS regulation.

Summary

In order to use finAPI Access services, a client who is a fully licensed TPP must have at least one global QWAC and/or QSeal certificate. These certificates are required in order to access PSD2 APIs of ASPSPs (XS2A). Each Certificate (QWAC or QSeal) consists of a Private key, Certificate itself, a passphrase (optional) and validity from/until dates.

Some banks may also require a set of Bank API specific Client Credentials to authenticate a TPP. Each set of Client Credentials includes at least one of the following attributes: –°lient Id, –°lient Secret, API key. Additionally, validity from/until dates can be provided.

Licensed TPPs can store their own TPP Certificates/Client Credentials in finAPI Access in order to have quick and secure access to XS2A of ASPSPs. finAPI Access allows clients to easily manage their TPP certificates/client credentials for multiple ASPSPs: edit, delete, view existing and upload new TPP Certificates/Client Credentials.

On the other hand, Unlicensed Clients can use the built-in finAPI TPP Certificates / Client Credentials.

Note:

  • bank-specific certificates are not supported.

  • Audit logs can be requested by the standard support channel. There is no Web service for this purpose.

Security

From a security perspective, such data as QWAC and QSeal Certificates and Bank Credentials is sensible and must be protected.

HTTPS is used to ensure data is encrypted in transit from client to finAPI.

Within the finAPI realm, this data is treated with the highest level of security. Certificates and credentials are kept in the highly secure finAPI database and secured with double encryption. Any access to the certificates and/or credentials is logged in audit logs.

Services

finAPI Access supports TPP Certificates and TPP Credentials services which allow TPPs to upload and manage their certificate and client credentials.

All services require the authentication of an admin/mandator client in finAPI.