Eligibility

The API resources can only be used by Payment Service Providers (PSPs) that have an Account Information Service Provider (AISP) role.

To provide a service to users of payment information services under the PSD2 directive, you must be a licensed PSP, such as a credit institution, electronic money institution, or payment institution. This status is granted by the national authorities of the country where the request is made. In France, it is the "Autorité de Contrôle Prudentiel et de Résolution" (ACPR), under the supervision of the Banque de France regulatory body; see https://acpr.banque-france.fr/sites/default/files/medias/documents/jch_20180403_conference_securite_des_paiements.pdf.

Obtaining and maintaining this authorisation requires rigorous procedures, in order to give strong guarantees to the users of account information services. The forms are provided on the ACPR website: https://acpr.banque-france.fr/en/authorisation/banking-industry-procedures/all-forms.

Once the authorisation is granted, the Organisation Identifier (OID) given by the national authority has the following format (upper case): PSDXX-YYYYYYYY-ZZZZZZZZ

  • "PSD" as 3 character legal person identity type reference
  • 2 character ISO 3166 country code representing the NCA country
  • hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)) and
  • 2-8 character NCA identifier (A-Z uppercase only, no separator)
  • hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)) and PSP identifier (authorization number as specified by NCA)

 

This OID is very important, because it is how you identify yourself as a TPP:

  • in STET API requests, where the OID is included in the "client_ID" parameter
  • in mutual authentication (TLS), where the OID is included in the eIDAS certificates to be delivered to the bank (see below)
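The OID layout and its two uses described above can be checked with a strict parser. This is an added example, not code from the portal or the STET API: the names parse_psd2_oid and same_tpp are hypothetical, the sample identifiers are constructed, and the character set allowed for the PSP identifier is an assumption.

```python
import re
from dataclasses import dataclass

# "PSD" + 2-letter country + "-" + 2-8 letter NCA id + "-" + PSP identifier.
# Assumption: the PSP identifier is limited to A-Z, 0-9 and "-"; the page only
# says it is the authorization number as specified by the NCA.
_OID_RE = re.compile(
    r"PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<psp>[0-9A-Z-]+)"
)


@dataclass(frozen=True)
class Psd2Oid:
    country: str  # ISO 3166 code of the NCA country
    nca: str      # NCA identifier, 2-8 uppercase letters
    psp: str      # authorization number assigned by the NCA


def parse_psd2_oid(value: str) -> Psd2Oid:
    """Parse an OID strictly; raise ValueError on any deviation from the layout."""
    # fullmatch, not match() with "$": "$" would also accept a trailing newline.
    m = _OID_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"not a PSD2 organisation identifier: {value!r}")
    return Psd2Oid(m["country"], m["nca"], m["psp"])


def same_tpp(client_id: str, cert_org_id: str) -> bool:
    """True only if the request's client_ID and the certificate's OID are both
    well-formed and designate the same PSP; malformed input never matches."""
    try:
        return parse_psd2_oid(client_id) == parse_psd2_oid(cert_org_id)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    samples = [
        ("PSDFR-ACPR-12345", "PSDFR-ACPR-12345"),    # same PSP
        ("PSDFR-ACPR-12345", "PSDFR-ACPR-12346"),    # different PSP
        ("psdfr-acpr-12345", "PSDFR-ACPR-12345"),    # lowercase is rejected
        ("PSDFR-ACPR-12345\n", "PSDFR-ACPR-12345"),  # trailing newline is rejected
    ]
    for client_id, cert_org_id in samples:
        print(repr(client_id), repr(cert_org_id), same_tpp(client_id, cert_org_id))
```

Comparing parsed values rather than raw strings means a malformed client_ID is rejected before it is ever compared with the certificate.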

 

You also need eIDAS (electronic IDentification And trust Services) compliant certificates delivered by a valid Qualified Certification Service Provider (QTSP; see the list available at https://webgate.ec.europa.eu/tl-browser/#/).

To consume the PSD2 APIs published on our 89C3 Portal, you have to use valid eIDAS certificates signed by a QTSP with production "live" keys:

  • a set of QWAC and QSEALC certificates for the sandbox environment
  • another set of QWAC and QSEALC certificates for the live production environment

 

In case of access problems due to certificates, we will check whether your QWAC certificates are signed by a new Certification Authority (CA) or by a new root (from an existing CA). In both cases, an additional delay (estimated at 2 weeks) is to be expected for loading it onto our infrastructure.

 

Please embed only public keys in .pem format. Controls on the data included in the certificates will be based on the European Banking Association TPP register (https://euclid.eba.europa.eu/register/pir/disclaimer).

You can also refer to the FAQ section or our virtual assistant for any further questions.