
XS2A Consent Models and Access Rights

General information

Consent is an agreement between PSU, TPP, and ASPSP on the access rights to the PSU's accounts at a given ASPSP that are granted to TPP.

Consent is authorized by PSU towards ASPSP and is shared with TPP for further usage.

To access account details, balances, and transactions, TPP must provide a valid ID of an active consent. ASPSP must give TPP access to the account information according to the access rights in the given consent.

Account owner's name is supported without special consent.

Access rights within a consent

 

Access right

TPP is allowed to get

TPP is not allowed to get

Combination with other access rights

1

Access to the list of available accounts of PSU.

Important: these will be only those accounts that are accessible through XS2A according to internal bank rules.

  • list of all available PSU accounts

of any of available accounts:

  • details,

  • transactions,

  • balances (if not in the consent)

 Not possible

2

Access to account details of given account

  • list of particular PSU accounts relative to granted consent,

  • details of each account from this list

  • list of particular PSU accounts relative to granted consent,

  • details of each account from this list

Possible: 3, 4

3

Access to balances of given account

  • balances

  • details

  • balances

  • details

Possible: 2, 4

4

Access to transactions of given account

  • transactions

  • details

  • transactions

  • details

Possible: 2, 3

 

Access rights 2 - 4 can be combined within one consent: PSU grants TPP access to account details, balances, and transactions.

Access right 1 can't be combined with any other access rights within one consent.

Consent models

XS2A supports 3 consent models defined by the Berlin Group standard: detailed consent, global consent, and available accounts consent.

The bank offered consent model might be supported in the future together with the redirect SCA approach. Learn more about available SCA approaches in Supported Authentication Methods.

 

Consent model 1: Available accounts consent

Description: With this consent, TPP gets a list of all available accounts of a PSU.

Important: these will be only those accounts that are accessible through XS2A according to internal bank rules.

In the request to XS2A no specific accounts are given, and the attribute "availableAccounts" is used to indicate the type of requested consent.

Access right: Only 1

Payload example (JSON):
{
  "access": {
    "availableAccounts": "allAccounts"
  },
  "recurringIndicator": false,
  "validUntil": "2019-12-31",
  "frequencyPerDay": "1"
}

Consent model 2: Detailed consent

Description: With this consent, TPP gets access to account details, balances, and transactions of particular accounts.

PSU must explicitly define the accounts where the access has to be granted and the type of access (balances and transactions, only balances, only transactions).

If the user grants access to balances or transactions of a given account, access to account details is given by default.

Access right: 2 - 4

Payload example (JSON):
{
  "access": {
    "balances": [
      {
        "iban": "DE89370400440532013000"
      },
      {
        "iban": "LU280019400644750000"
      }
    ],
    "transactions": [
      {
        "iban": "DE89370400440532013000"
      },
      {
        "iban": "DE89370400440532013001"
      }
    ]
  },
  "recurringIndicator": true,
  "validUntil": "2019-12-31",
  "frequencyPerDay": "4",
  "combinedServiceIndicator": false
}

Consent model 3: Global consent

Description: With this consent, TPP gets access to account details, balances, and transactions of all available PSU accounts.

Important: these will be only those accounts that are accessible through XS2A according to internal bank rules.

In the request to XS2A no specific accounts are given, and the attribute "allPsd2" is used to indicate the type of requested consent.

Access right: 2 - 4

Payload example (JSON):
{
  "access": {
    "allPsd2": "allAccounts"
  },
  "recurringIndicator": false,
  "validUntil": "2019-12-31",
  "frequencyPerDay": "4"
}
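
The combination rules and the "details by default" rule above can be enforced as a deny-by-default check on the "access" object. The following is an added example, not code from XS2A or from this documentation: the function names are hypothetical, and the "accounts" attribute comes from the Berlin Group specification rather than from the payloads shown on this page.

```python
import json

# Right numbers follow this page: 1 account list, 2 details, 3 balances, 4 transactions.
GLOBAL = {"availableAccounts": ("available accounts", {1}),
          "allPsd2": ("global", {2, 3, 4})}
# "accounts" is the Berlin Group attribute for details-only access; not shown on this page.
DETAILED = {"accounts": 2, "balances": 3, "transactions": 4}

def effective_rights(access):
    """Return (model, {iban or "*": set of right numbers}) or raise ValueError."""
    unknown = set(access) - GLOBAL.keys() - DETAILED.keys()
    if unknown or not access:
        raise ValueError(f"unsupported or empty access object: {sorted(unknown)}")
    wide = [k for k in access if k in GLOBAL]
    if wide:
        # Right 1 cannot be combined, and neither wide model names specific accounts.
        if len(access) != 1 or access[wide[0]] != "allAccounts":
            raise ValueError("availableAccounts/allPsd2 must be the only access attribute")
        model, rights = GLOBAL[wide[0]]
        return model, {"*": set(rights)}
    per_iban = {}
    for key, refs in access.items():
        if not isinstance(refs, list):
            raise ValueError(f"{key}: expected a list of account references")
        for ref in refs:
            if not isinstance(ref, dict) or "iban" not in ref:
                raise ValueError(f"{key}: every account reference needs an iban")
            # Granting balances or transactions implies account details (right 2).
            per_iban.setdefault(ref["iban"], {2}).add(DETAILED[key])
    return "detailed", per_iban

def is_allowed(access, right, iban=None):
    """Deny by default: True only if the consent grants `right` for `iban`."""
    _, rights = effective_rights(access)
    return right in (rights.get("*") or rights.get(iban, set()))

# The detailed-consent payload from this page, reduced to its "access" object.
SAMPLE = json.loads("""{"access": {
  "balances": [{"iban": "DE89370400440532013000"}, {"iban": "LU280019400644750000"}],
  "transactions": [{"iban": "DE89370400440532013000"}, {"iban": "DE89370400440532013001"}]}}""")

if __name__ == "__main__":
    model, rights = effective_rights(SAMPLE["access"])
    print(model)
    for iban, granted in sorted(rights.items()):
        print(iban, sorted(granted))
```

With the sample payload, the account that appears only under "balances" gets details and balances but no transactions, which is the per-account scoping an ASPSP-side check has to preserve.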

 
