Access data authorized by customers
A customer having different accounts in various banks is willing to agregate his data.
Using this API "Account information" setup by banks (ASPSP), you can ask for real-time data authorized by the customer without asking for online banking credentials.
Thanks to the "Account information" API provided by the Banque Populaire, your establishment can retrieve the customer current accounts in each of the Banque Populaire establishments where they are located. For these accounts, depending on the customer consents you will get and you will transmit, you can get their balances, their transactions, the linked delayed debit cards, the outstandings and slips of these delayed debit cards.
You can access this API in a batch way in order to prepare the restitution to our customer on your application (up to 4 times a day). On demand of the customer connected on his application, you can refresh this data (without limitation).
The API resources can only be consumed if you have obtained the Account Information Services Provider ("AISP") role status. This prerequisite is described in section "Eligibility".
Once done, the overall process is as follows :
1- The customer agreed to use your service. He needs to select his Banque Populaire bank establishment through your interface.
2- During the first set of data exchanges, you will request for an authorization token (and a refresh one). For this AISP role, you need these token BEFORE consuming API resources. Thes tokens are issued by the Banque Populaire AFTER an identification and authorization process of the bank account holder.
The Banque Populaire will :
- check your certificates and on-going agreement delivered by the Comptent Authority ;
- identify and authorize the customer using the "redirect" mode in order to issue the tokens.
3- If the above access is granted by the customer, you can then get these OAUTH2 tokens thru secure exchanges (see use case "Retrieve your access token").
4- Whenever you present this token to the 89C3 API gateway, you will be able to consume this API resources in order to :
- request for the list of eligible accounts (see use case "Get accounts list") ;
- forward customer's consent to the ASPSP (see use case "Forward customer's consent")
- securely access to granted customer's data (see use case "Get accounting balance", "Get transactions history", "Get trusted beneficiaries list" => this feature will not be available in 2020 and "Get PSU's identity" => this feature will be implemented with STET standard v22.214.171.124.)
If the regulated 90-day token validity period expires, this process needs to be started again (see use case "Refresh your access token")
NB : any ASPSP can refuse the access to customer's data for any justified reason (non compliant API call, blocked account, ...).