XS2A Consent Models and Access Rights

General information

Consent is an agreement between PSU, TPP, and ASPSP on access rights to accounts of PSU in given APSPS that are granted to TPP.

Consent is authorized by PSU towards ASPSP and is shared with TPP for further usage.

To access account details, balances, and transactions, TPP must provide a valid ID of an active consent. ASPSP must give TPP access to the account information according to the access rights from given consent.

Account owner's name is supported without special consent.

Access rights within a consent

	Access right	TPP is allowed to get	TPP is not allowed to get	Combination with other access rights
1	Access to the list of available accounts of PSU. Important: these will be only those accounts that are accessible through XS2A according to internal bank rules.	list of all available PSU accounts	of any of available accounts: details, transactions, balances (if not in the consent)	Not possible
2	Access to account details of given account	list of particular PSU accounts relative to granted consent, details of each account from this list	list of particular PSU accounts relative to granted consent, details of each account from this list	Possible: 3, 4
3	Access to balances of given account	balances details	balances details	Possible: 2, 4
4	Access to transactions of given account	transactions details	transactions details	Possible: 2, 3

Access rights 2 - 4 can be combined within one consent: PSU grants TPP access to account details, balances, and transactions.

Access right 1 can't be combined with any other access rights within one consent.

Consent models

XS2A supports 3 consent models defined by the Berlin Group standard: detailed consent, global consent, consent on the available account.

Bank offered consent model might be supported in the future together with the redirect SCA approach. Learn more about available SCA approaches Supported Authentication Methods .

	Consent model	Description	Access right	Payload example
1	Available accounts consent	With this consent TPP gets a list of all available accounts of a PSU. Important: these will be only those accounts that are accessible through XS2A according to internal bank rules. In the request to XS2A no specific accounts are given, and the attribute "availableAccounts" is used to indicate the type of requested consent.	Only 1	JSON `{ "access": { "availableAccounts": "allAccounts" }, "recurringIndicator": false, "validUntil": "2019-12-31", "frequencyPerDay": "1" }`
2	Detailed consent	With this consent TPP gets the access to account details, balances, transactions of particular accounts. PSU must explicitly define the accounts where the access has to be granted and the type of access (balances and transactions, only balances, only transactions). If user grants access to balances or transactions of given account, the access to account details is given on default.	2 - 4	JSON `{ "access": { "balances": [ { "iban": "DE89370400440532013000" }, { "iban": "LU280019400644750000" } ], "transactions": [ { "iban": "DE89370400440532013000" }, { "iban": "DE89370400440532013001" } ] }, "recurringIndicator": true, "validUntil": "2019-12-31", "frequencyPerDay": "4", "combinedServiceIndicator": false }`
3	Global consent	With this consent TPP gets the access to account details, balances, transactions of all available PSU accounts. Important: these will be only those accounts that are accessible through XS2A according to internal bank rules. In the request to XS2A no specific accounts are given, and the attribute "allPsd2" is used to indicate the type of requested consent.	2 - 4	JSON `{ "access": { "allPsd2": "allAccounts" }, "recurringIndicator": false, "validUntil": "2019-12-31", "frequencyPerDay": "4" }`