Limits

Operational limitations

These are the operational limitations of this PSD2 API in the version 1.4.2 :

• Only apply to active payment accounts that are accessible online (cf. PSD2 Directive texts) => only current accounts will be returned

• Use the REDIRECT authentication  approach only (Strong Customer Authentication required and handled by the bank), which IS NOT an obstacle according to French national competent authority

Note : TPP are not allowed to send to ASPSP the PSU credentials, and only ASPSP SCA redirect screens can be used (no embeding process as clarified by European Banking Authority based on articles PSD2 #95.5 & RTS #31)

• Implement the mixed AISP consent mode, but not the full AISP consent mode :
  • By default, when no consent has been transmitted, all accounts are available
  • But the accounts balances and transactions detail either the cards outstandings and slips are available only for the accounts the consent was given

• The limit is up to 4 batch accesses per calendar day for every method of this API(see use cases of every method for more details), but there is no limit when the customer asks directly his accounts online

• Access to the list of trusted beneficiaries is NOT available (feature not implemented in Banques Populaires online banking service : a recorded beneficiary using SCA require also a SCA validation for payment as of the first euro for this beneficiary)

• "aisp extended_transaction_history" mode is NOT supported

• Only the GET /accounts, PUT /consents, GET /balances, GET /transactions and GET /endUserIdentity methods are available

• Return data only for active delayed cards which have been used at least once in the past two months.

Limitations related to customer segments:

• The individual (IND) is a natural person categorized as a "capable adult". The IND can also have activities within the framework of a sole proprietorship (SP) = a company managed by a single person, and which has no legal personality, although it is registered in the directory of trades or in the Register of Commerce and Companies (RCC). Examples: craftsman or liberal profession. In this case, the SP is considered a IND

• The categories "professional" (PRO) and "company" (COMP) cover legal persons

Limitations related to the types of accounts accessible:

• The accounts accessible via the AISP API are those available on remote banking, namely:
  • capable major
  • joint account Mr and Mrs
  • joint account Mrs and Mr
  • freelance
  • enrtreprise
  • attached minor
  • emancipated minor

• As the following account is not accessible on remote banking, it is not via the AISP API either
  • adult under guardianship

Limitations related to strong authentication means depending on the customer segment :

• Classic customer (CLA): equipment with SMS OTP and / or Sécur'pass. Secur'pass is triggered as a priority if necessary

• Professional customer (PRO): equipment with SMS OTP and / or Sécur'pass. Secur'pass is triggered as a priority if necessary

• Business customer (BUS): equipment with OTP SMS

The table below summarizes the limitations by method for this API (the field names are given in italics):

From test to live data :

According to PDS2 regulation, the data set available thru this dev portal, Try-it mode and sandbox are based on fictive data (or non-real ones).These data are described in the use case "Test our API".

In order to access to live data, you will need to request for a GO Live thru the 89C3 API portal after testing your app using Try-it and Sandbox environments as described below : 

Refer to Art. 30 (5). Account servicing payment service providers shall make available a testing facility, including support, for connection and functional testing to enable authorised payment initiation service providers, payment service providers issuing card-based payment instruments and account information service providers, or payment service providers that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users.

Only one TPP app can be declared so far per OID (= client_Id) knowing that it is possible to :

• apply white-labelled partnerships as well as third parties models
• declare many sets of certificats (and redirect URL)

Please note that a weekly slot is reserved for a programmed maintenance (all IT infrastructure incl'd backends and API gateways) Sunday morning from 02:00 to 06:00 am, and could generate some perturbations during this period. 

As in test mode, the institution code (see the list of accessible banking institutions below) will allow you to address the correct customer repository via an "endpoint" in the format : www.<bankcode>.live.api.89c3.com or

• www.<bankcode>.live.api.banquepopulaire.fr aligned on direct access domain name www.banquepopulaire.fr 

• www.10548.live.api.banque-de-savoie.fr aligned on direct access domain name www.banque-de-savoie.fr
  

• www.40978.live.api.palatine.fr aligned on direct access domain name www.palatine.fr 

Once chosen, this entry point shall also be used for all subsequent requests.