Summary Guide
Last modified: March 28, 2022
Article 31 (PSD2 RTS) – Outlines the access interface options, thus ASPSPs can provide access:
Article 33 (PSD2 RTS) – Outlines the requirements for the contingency interface.
The Modified Customer Interface (MCI) enables TPPs to access the designated payment accounts of PSUs for in-scope banking entities under PSD2.
MCI enables a TPP to access a PSU’s dedicated payment accounts via the browser-based internet banking channel that the PSU uses to access their accounts.
A TPP that logs in with customer credentials is able to screen-scrape all content of the ASPSP website. Personal data is not supposed to be shared with the TPP during the screen-scraping process.
The MCI solution redacts personal data based on policies set by bank staff. This solution is based on existing website design, layout and contents published by the bank.
The following entities are accessible via the MCI HTTP interface:
Entity Id | Bank/Brand | Country | Line of Business |
---|---|---|---|
CMB-GBRTL | China Merchants Bank | GB | Retail Banking |
In order to use the MCI solution, TPP will be required to have either completed or be aware of the following:
The following request headers must be passed when accessing the interface:
Type | Value | Description |
---|---|---|
Request Header | x-mci-access-scope | TPP access scope – possible values are AIS, PIS, CBPII |
Request Header | x-mci-access-country | Country Code where PSU Account is based; 2 letter as per ISO 3166 Standard (eg. GB, DE, FR) |
Request Header | x-mci-aspsp-entid | The bank operates multiple brands or multiple divisions with this interface. This header specifies the entity that the TPP wants to access for a PSU. Check the “in scope” section for details on entity ids |
Request Header | x-mci-psu-ip-addr | If the PSU is present, this needs to be set to the IP address of the PSU’s device |
Request Cert | Client Certificate | eIDAS/OBIE Certificate of the TPP |
The MCI interface sets a cookie with the name MCISRV. Once this cookie is set, it needs to be passed along with subsequent requests so that sessions are maintained properly in the high-availability environment.
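A TPP-side pre-flight check for the headers and session cookie described above, as an added example that is not the bank's own code. The function names, the `KNOWN_ENTITIES` mapping (built from the in-scope table), the sample cookie value and the choice to omit `x-mci-psu-ip-addr` when no PSU is present are assumptions; the client certificate is presented at the TLS layer by the HTTP client and is not shown.

```python
import ipaddress
import re
from http.cookies import SimpleCookie

SCOPES = {"AIS", "PIS", "CBPII"}      # values listed for x-mci-access-scope
KNOWN_ENTITIES = {"CMB-GBRTL": "GB"}  # entity id -> country, from the in-scope table


def build_mci_headers(scope, country, entity_id, psu_ip=None):
    """Validate the inputs locally and return the x-mci-* request headers."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}")
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be a 2-letter ISO 3166 code, e.g. GB")
    if KNOWN_ENTITIES.get(entity_id) != country:
        raise ValueError("entity id is not in scope for this country")
    headers = {
        "x-mci-access-scope": scope,
        "x-mci-access-country": country,
        "x-mci-aspsp-entid": entity_id,
    }
    if psu_ip is not None:  # PSU present: send the PSU device address
        # ip_address() raises ValueError on malformed IPv4/IPv6 input.
        headers["x-mci-psu-ip-addr"] = str(ipaddress.ip_address(psu_ip))
    # Assumption: the header is omitted when no PSU is present; the page
    # does not say what to send in that case.
    return headers


def with_session_cookie(headers, set_cookie_values):
    """Return a copy of headers carrying MCISRV from earlier Set-Cookie values."""
    jar = SimpleCookie()
    for value in set_cookie_values:
        jar.load(value)
    out = dict(headers)
    if "MCISRV" in jar:
        pair = f"MCISRV={jar['MCISRV'].value}"
        existing = out.get("Cookie")  # keep cookies the caller already set
        out["Cookie"] = f"{existing}; {pair}" if existing else pair
    return out
```

Rejecting malformed values before sending avoids a round trip that would end in a 403 such as MANDATORY_HEADER_MISSING, and returning MCISRV on every later request is what the interface requires to maintain the session.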
After the eIDAS/OBIE validation and TPP authorisation check is complete, the bank's firewall policies will redact personal information before the response is handed over to the TPP.
Access to Internet Banking resources is regulated according to the scope (PIS/AIS/CBPII) of the TPP request. Some resources will also be inaccessible to the TPP where the bank decides to restrict them. Requests for such resources receive an “Unauthorised” code with an appropriate error message.
If all requirements are met, the TPP will be able to access the redacted HTML page from the bank. Otherwise, the TPP will receive one of the following error responses:
HTTP Code | Error Code | Error Message |
---|---|---|
403 | EIDAS_FAILED_NOT_TRUSTED | Not authorised. eIDAS certificate is not trusted |
403 | EIDAS_FAILED_NOT_VALID | Not authorised. eIDAS certificate is not valid |
403 | OBIE_FAILED_NOT_TRUSTED | Not authorised. OBIE certificate is not trusted |
403 | OBIE_FAILED_NOT_VALID | Not authorised. OBIE certificate is not valid |
403 | NCA_FAILED_URN_NOT_FOUND | NCA authorisation check failed |
403 | NCA_FAILED_NO_ROLE_FOUND | NCA authorisation check failed - No role found |
403 | NCA_FAILED_NO_COUNTRY_FOUND | NCA authorisation check failed - No Country found |
403 | NCA_FAILED_STATUS_NOT_AUTHORISED | Resource not authorised for the scope defined |
403 | MANDATORY_HEADER_MISSING | If any of above access requirement header is missing |
403 | MANDATORY_CERT_MISSING | If eIDAS/OBWAC/OBSeal certificate is missing |
50x | SYSTEM_ERROR | Please contact the bank and inform about the issue. |
To ask a question about our open banking access provision for TPPs using modified customer interface, please contact us at dept_it@uk.cmbchina.com
AISP | Account Information Service Provider |
ASPSP | Account Servicing Payment Service Provider |
EBA | European Banking Authority |
eIDAS | EU Regulation that sets out rules for electronic identification and trust services |
FCA | Financial Conduct Authority |
MCI | Modified Customer Interface |
NCA | National Competent Authority |
PISP | Payments Initiation Service Provider |
OBE | Open Banking Europe - PRETA's PSD2 directory project |
OBIE | Open Banking Implementation Entity / Open Banking UK Limited |
PSD2 | Second/Revised Payment Services Directive (Directive (EU) 2015/2366) |
PSU | Payment Services User |
RTS | Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication |
SS+ | Screen Scraping Plus |
TPP | Third Party Provider |