PSD2 Access to Bank Accounts

 

 

The revised Payment Services Directive (EU 2015/2366, also known as PSD2) came into force on 12 January 2016 and for most of the provisions, Member States had until 13 January 2018 to implement them into national laws.
 

The most debated and impactful parts of PSD2 are the provisions on Strong Customer Authentication (SCA) for online payments and on the introduction of new 'payment initiation and account information services', operated by Third Party Providers (TPPs). The PSD2 security measures related to TPP account access and to SCA are specified in more detail in the EBA RTS (European Banking Authority Regulatory Technical Standards), which enter into force on 14 September 2019.

Based on the PSD2 and EBA RTS requirements, Berlin Group NextGenPSD2 has worked on a detailed 'Access to Account (XS2A) Framework' with a data model (at conceptual, logical and physical data levels) and associated messaging.

About the NextGenPSD2 Framework

Future Outlook


A Version 2.0 is being prepared for publication in 2020. It introduces extensions that allow building value-added services, which describe functionalities beyond the core compliance services and might require a contractual relationship between ASPSP and TPP.




Key Characteristics


The NextGenPSD2 Framework offers a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and, aligned with the goals of the Euro Retail Payments Board, enables European banking customers to benefit from innovative products and services (‘Banking as a Service’) by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data.

  • Modern “RESTful” API set using HTTP/1.1 with TLS 1.2 (or higher) as transport protocol

  • TPP identification by ETSI-defined eIDAS certificates: QWACs mandated (an easy measure to protect e.g. against DDoS attacks), QSEALs optional for banks (the TPP follows the bank's instruction)

  • Supporting all PSD2 required payment initiation, account information and confirmation of funds use cases, with future-dated, multiple/bulk, and recurring payments optional (depending on support in online banking or in national legislation)

  • Full multicurrency support of accounts

  • Four architecture models for Strong Customer Authentication (SCA): redirect, OAuth2, decoupled and embedded, with influence of the TPP on redirect preference

  • Multilevel SCA approach for corporates, e.g. to support a 4-eyes principle

  • Support of card transactions reconciliation accounts

  • Signing baskets as signing vehicles for grouped transactions (instead of multiple payments functions)

  • Transparent resource structures (allowing TPPs to keep an overview also in complex business processes)

  • Dedicated consent API separating consent handling from account access, obeying both PSD2 and GDPR requirements

  • Optional session support (set of consecutively executed transactions), subject to appropriate customer consent

  • Data structures either as

    • JSON with data model based on ISO 20022, or

    • XML with pain.001 for PISPs and camt.05x for AISPs

  • Integrated formal and transparent change management process and versioning

  • Extensible for (non-core PSD2) value-added services




Supported Services





Releases


Considering the stringent timelines needed for implementation, a fully detailed Version 1.0 of the NextGenPSD2 Framework was already published on 8 February 2018. This version integrated market requirements as expressed in the extensive feedback from the public market consultation of October/November 2017, for which a total of approximately 1,000 market comments from 59 organisations had been processed. Subsequent releases were published in 2018. The most recent release of the NextGenPSD2 Framework can be found here.





About the NextGenPSD2 Advisory Group & Board

Participants


The above participants of the NextGenPSD2 Advisory Group represent the market demand-side (i.e. Third Party Providers, FinTechs / IT Solution Providers, Merchants / Retailers / Corporates, Consumers, Consultancies and Industry Associations). The current NextGenPSD2 Advisory Board and Co-Chairs were elected and confirmed for a two-year term on 18 September 2019.

Elected Co-Chairs:

  • Bruno Cambounet (Sopra)
  • Ralf Ohlhausen (ETPPA, PPRO, Tink)

The NextGenPSD2 Advisory Board consists of a maximum of 17 members, including the Co-Chairs, representing the NextGenPSD2 Advisory Group stakeholder groups. The stakeholder groups and elected members are as follows:

  • Market demand-side:
    • Registered TPPs: 3 member representatives
      Deepak Monga (Reflow)
      Ralf Ohlhausen (ETPPA, PPRO, Tink)
      Sebastian Tiesler (Figo)
    • FinTechs/IT Solution Providers: 3 member representatives
      Bruno Cambounet (Sopra)
      Francis Pouatcha (Adorsys)
      Oliver Dlugosch (NDGIT)
    • Merchants/Retailers/Corporates: 1 member representative
      Steffen Weiss (DATEV)
    • Consumer organisations: 1 member representative
      1 vacant seat
    • Industry Associations/Consultancies: 3 member representatives
      Alain Martin (FIDO)
      Gavin Littlejohn (FDATA)
      Hakan Eroglu (Accenture)
  • Market supply-side Observers:
    • 3 members, designated by the NextGenPSD2 Taskforce
      Varying composition
    • Regulatory Observers: 3 (1 from the European Banking Authority, 1 from the European Central Bank, 1 from the European Commission), designated by their corresponding organisations
      3 vacant seats

Background & Context


NextGenPSD2 is interested in further engagement with market participants in order to involve broader market interests as well. To this end, a NextGenPSD2 Advisory Group and a NextGenPSD2 Board, both with a balanced multi-stakeholder representation from the market demand-side, have been established.

The NextGenPSD2 Advisory Group and the NextGenPSD2 Advisory Board offer participants the opportunity to liaise, interact and engage in a 2-way dialogue on strategic, business and technical topics related to the use and evolution of the NextGenPSD2 standards and beyond, ensuring up-to-date information on all NextGenPSD2 activities and future specification development from inception. They offer every opportunity to discuss and feed input into the NextGenPSD2 standards development process. As such, they offer a forum for debate and help to foster adoption of NextGenPSD2, remove barriers, find optimisation potential, ensure usability of NextGenPSD2 for implementers, and contribute to pan-European harmonisation with improved interoperability across the PSD2 XS2A value chain. The NextGenPSD2 Advisory Group & Board operate with a solution-oriented approach.

Download: Terms of Reference of the NextGenPSD2 Advisory Group & Board.




Meetings & Public Deliverables


Meetings

The following meetings have been organised so far:

  • 20180706 - Webinar Conference Call Meeting
  • 20181012 - Meeting hosted by KAL Ltd. in Edinburgh, United Kingdom
  • 20190206 - Meeting hosted by SDV / adorsys in Nürnberg, Germany
  • 20190515 - Meeting hosted by Finastra in Paris, France
  • 20190709 - Meeting hosted by Accenture in Zurich, Switzerland
  • 20190930 - Meeting hosted by adorsys in Eschborn (Frankfurt), Germany
  • 20200204 - Meeting hosted by Sopra Steria in Paris, France

Due to the 2020 Covid-19 situation, a follow-on meeting is scheduled to be organised as a remote web conference on 18 May 2020.

Public Deliverables

The following Public Deliverables specific to the NextGenPSD2 Advisory Group & Board have been published so far:





How to participate?

NextGenPSD2 Taskforce


Participants of the NextGenPSD2 Taskforce represent the market supply-side (i.e. banks, payment/banking associations, payment schemes and interbank processors operating in SEPA), which is mandated by PSD2 and EBA RTS to provide an XS2A interface and is also liable for any damages. If your organisation is operating on the market supply-side and is interested in participating in the NextGenPSD2 Taskforce, then please send a message to info@berlin-group.org.

Participation in the NextGenPSD2 Taskforce does not require Berlin Group membership: the NextGenPSD2 Taskforce is open to any interested and committed non-Berlin Group participant as well, because the scope of the NextGenPSD2 topic might also be interesting to work on for other market supply-side participants, not only for Berlin Group members. For participants in the NextGenPSD2 Taskforce, there are no further Terms of Reference restrictions or applicable fees. The only commitment asked from participants is to participate as actively as possible on a best effort basis, which allows them to influence the process and results and to be informed at first hand. Participants are engaged on a voluntary basis.

As transparency to the market is a key guiding principle for an open standardisation initiative such as the Berlin Group, the website always shows the organisations that have joined as participants in the NextGenPSD2 Taskforce: an updated participant list will be published each time a new participant joins. The participant list mentions the organisation name and logo of the participants. The application as a participant only becomes final once the organisation logo has been received in a web-ready version (.PNG or .JPG file, 72 dpi) and a print-ready version (.EPS, .AI or .PDF file, 300 dpi).




NextGenPSD2 Advisory Group


Participants of the NextGenPSD2 Advisory Group represent the market demand-side (i.e. as a Registered Third Party Provider, a FinTech/IT Solution Provider, a Merchant/Retailer/Corporate, a Consumer Organisation, or an Industry Association/Consultancy). If your organisation is operating on the market demand-side and is interested in participating in the NextGenPSD2 Advisory Group, then please send a message to advisory@berlin-group.org (please mark a permanent exception for ‘advisory@berlin-group.org’ in your SPAM-filters in order to ensure proper reception of messages).

The NextGenPSD2 Advisory Group is open to any interested and committed market demand-side participant. Composition of the NextGenPSD2 Advisory Group needs to be balanced amongst the different stakeholders, in order to ensure

  • balanced and fair market representation without exclusive domination or guidance in standards development
  • due decision-making in broad consensus with equity and fairness among participants

For participants in the NextGenPSD2 Advisory Group, there are no applicable fees. The only commitment asked from participants is to participate as actively as possible on a best effort basis, which allows them to influence the process and results and to be informed at first hand. Participants are engaged on a voluntary basis.

As transparency to the market is a key guiding principle for an open standardisation initiative such as the Berlin Group, the website always shows the organisations that have joined as participants in the NextGenPSD2 Advisory Group: an updated participant list will be published each time a new participant joins. The participant list mentions the organisation name and logo of the participants. The application as a participant only becomes final once the organisation logo has been received in a web-ready version (.PNG or .JPG file, 72 dpi) and a print-ready version (.EPS, .AI or .PDF file, 300 dpi).




