Use Case Example 


You, as a Third Party Provider (TPP), delivered to a customer a private labeled payment card linked to his bank account. The customer (PSU) is performing a transaction on an e-commerce site with it. The customer has previously given a consent to your entity as well as to his bank account holder.

Using API "Funds availability" setup by banks (ASPSP), you can request for real-time transaction amount coverage data authorized by the customer without asking for online banking credentials. You can then reduce your risk for overdue payments.

The bank will respond yes or no without any funds blockage corresponding to the transaction amount, neither any validation of this transaction.

The API resources can only be consumed if you have obtained the Card Based Payment Instrument Issuer ("CBPII") role status. This prerequisite is described in section "Eligibility".

Once done, the overall process is as follows : 

cinématique AISP UK v3 



The customer agreed to use your service. He needs to select his ASPSP through your interface.  



During the first set of data exchanges, you will request for an authorization token (and a refresh one). For this CBPII role, you need these tokens BEFORE consuming API resources. These tokens are issued by the ASPSP AFTER an identification and authorization process of the bank accound holder.  

The ASPSP will :

  • check your certificates and on-going agreement delivered by the Comptent Authority ;
  • identify and authorize the customer using the "redirect" mode in order to issue the tokens.



If the above access is granted by the customer, you can then get these OAUTH2 tokens thru secure exchanges (see use case "Get your token").



Whenever you present this token to the 89C3 API gateway, you will be able to consume this API resources (see use case "Check funds availability"). 

If the regulated 90-day token validity period expires, this process needs to be started again (see use case "Refresh your token").

NB : any ASPSP can refuse the access to customer's data fo rany justified reason (non compliant API call, blocked account, ...).