Eligibility

The API resources can only be used by Payment Service Providers (PSP) having an Account Information Service Provider (AISP) role.

In order to provide a service to users of payment information services under the PSD2 directive, you must be a licensed PSP such as a credit institution, electronic money institution, and payment institution. This status is delivered by the financial authorities of the country where the request is made; in France it is the Autorité de Contrôle Prudentiel et de Résolution (ACPR), under the supervision of the Banque de France regulatory body:

https://acpr.banque-france.fr/sites/default/files/medias/documents/jch_20180403_conference_securite_des_paiements.pdf

Obtaining and maintaining such an agreement requires rigorous procedures in order to give strong guarantees to the users of account information services. The forms are provided on the ACPR website: https://acpr.banque-france.fr/en/authorisation/banking-industry-procedures/all-forms

Once the agreement is granted, the Organisation Identifier (OID) given by the national authority has the following format (UPPER case):

PSDXX-YYYYYYYY-ZZZZZZZZ

  • "PSD" as 3 character legal person identity type reference;
  • 2 character ISO 3166 country code representing the NCA country;
  • hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
  • 2-8 character NCA identifier (A-Z uppercase only, no separator);
  • hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
  • PSP identifier (authorization number as specified by NCA).
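A TPP can check an OID against this layout before putting it in a request. The parser below is an added example, not code from the portal or from STET; the names `PsdOid`, `parse_oid` and `is_valid_oid` are hypothetical, the sample values are constructed, and restricting the PSP identifier to A-Z and 0-9 is an assumption, since the page leaves that part to the NCA.

```python
import re
from typing import NamedTuple


class PsdOid(NamedTuple):
    country: str   # ISO 3166 country code of the NCA
    nca_id: str    # 2-8 character NCA identifier
    psp_id: str    # authorization number assigned by the NCA


def parse_oid(value: str) -> PsdOid:
    """Split an OID into its parts, raising ValueError naming the bad part."""
    # Only hyphen-minus (U+002D) separates the parts; an en dash pasted from a
    # document leaves the string in one piece and is rejected here.
    parts = value.split("-", 2)
    if len(parts) != 3:
        raise ValueError("expected three parts separated by '-' (U+002D)")
    prefix, nca_id, psp_id = parts
    # fullmatch, not match/$, so a trailing newline or extra text never passes.
    if not re.fullmatch(r"PSD[A-Z]{2}", prefix):
        raise ValueError("prefix must be 'PSD' plus a 2-letter country code")
    if not re.fullmatch(r"[A-Z]{2,8}", nca_id):
        raise ValueError("NCA identifier must be 2-8 letters A-Z")
    # Assumption: uppercase letters and digits only; the page leaves the
    # PSP identifier's alphabet to the NCA.
    if not re.fullmatch(r"[A-Z0-9]+", psp_id):
        raise ValueError("PSP identifier must be non-empty, A-Z and 0-9")
    return PsdOid(prefix[3:], nca_id, psp_id)


def is_valid_oid(value: str) -> bool:
    try:
        parse_oid(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not real authorization numbers.
    for sample in ("PSDFR-ACPR-12345", "psdfr-acpr-12345", "PSDFR\u2013ACPR\u201312345"):
        print(repr(sample), is_valid_oid(sample))
```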

 

This OID is very important to identify yourself as a TPP:

  • using STET API requests as OID is included in the parameter "client_ID" 
  • using mutual authentication (TLS) as OID is included in eIDAS certificates to be delivered to the bank (see below)

  

Please note that if you are using our API "Register", an internal OID will be generated & shall be used for subsequent API requests.

 

You also need eIDAS (electronic IDentification And trust Services) compliant certificates delivered by a Qualified Certification Service Provider (QTSP, see list available on https://webgate.ec.europa.eu/tl-browser/#/).

In order to be able to consume the PSD2 APIs published on our 89C3 Portal, the TPP has to enroll its app and use live certificates signed by a QTSP when sending API Register requests:

  • a set of QWAC (for securing the TLS) and QSEALC (to be stored in our gateway) certificates for the sandbox
  • another set of QWAC (for securing the TLS) and QSEALC (to be stored in our gateway) certificates for the live environment

A keyID shall also be provided in the correct STET format, integrating the SHA256 certificate fingerprint after the "_" character; see the example in STET V1.4.2 / Documentation Part 3: Interaction Examples / section 6. AISP Use cases / Signature: keyId=https://path.to/myQsealCertificate_612b4c7d103074b29e4c1ece1ef40bc575c0a87e.

 

Please embed only public keys. Controls on other data will be based on the European Banking Association TPP register (https://euclid.eba.europa.eu/register/pir/disclaimer).

You can also refer to the FAQ section or our virtual assistant for any further questions.