Account Access Permission Policy

In UK Open Banking API technical documents, data elements are logically grouped into “permissions”. A permission groups the data elements of Account Information Services (AIS). When an Account Information Service Provider (referred to here as a TPP) requests access to a specific permission, it gains access to all the data elements included in that permission. This grouping gives a better user experience: TPPs can be selective, and the consent process is easier for PSUs to understand. ApiGo lets API providers specialize endpoints on the Management Portal with account access permissions.

To let TPPs be selective while keeping the consent process at a level of granularity that is acceptable for the PSU, ApiGo provides two main clusters that make the permissions clear: the Account Access Permission Policy and the Account Transaction Permission Policy. The detailed permission contains all the data elements that can be provided to TPPs.

_images/draw1.png

To get access to Account Information Services (AIS), the TPP presents to the PSU a description of the data it requires to support its service proposition. When the TPP sends a request for consent to reach AIS, ApiGo directs the PSU to authenticate and to select the account(s) they want to give access to. Once the PSU has been authenticated, ApiGo can respond to the TPP’s request by providing the account information that was requested.

When an environment has been created with the UK Open Banking Standard, the permissions for the related endpoints are configured automatically.

_images/AccountAccessPicture1.PNG

The endpoints that are autogenerated depend on the Open Banking Standard of the environment and can be managed on the Endpoints page. The Account Access Permission Policy can also be configured for any other endpoint from the policy list.

Management Portal -> Endpoints -> The Related Endpoint -> Account Access Permission Policy

_images/AccountAccessPicture2.PNG

Account Details

ReadAccountsDetail permission

If the request asks for all accounts without an AccountId in the query, the detailed permission applies to the accounts in bulk. If an AccountId is given in the query to retrieve account resource details, the detailed account information response covers only that account.

The ReadAccountsDetail permission provides all the account details, including the currency of the account, the account nickname (e.g. ‘Jakes Household account’), account name, sort code, account number, IBAN and roll number (used for building societies).

_images/AccountAccessPicture3.PNG

The selected permission can be customized on the Account Access Permission wrapper. The Forbidden Message can be rewritten to inform TPPs why a request has been rejected. The message is used as the response body when the ApiGo server understood the request but refuses to authorize it for lack of valid consent.

_images/AccountAccessPicture4.PNG

To reach account details, consent must first be obtained, as mentioned above. The consent needs to include the permissions that the TPP’s business needs require. The response includes an authorization URL, which gives the TPP a path to reach account information services.

ApiGo informs the PSU that the application is requesting permission. The PSU can select and confirm the accounts to be shared with the TPP. If the PSU does not give permission to the TPP, the process may be ended and the TPP cannot reach the related services.

_images/AccountAccessPicture5.PNG

After the consent has been confirmed, the TPP can call an account information service to reach account details. AIS must be called with the token obtained with the authorization code. To reach account details, the TPP can be authorized for all of the PSU’s accounts or only for specific ones; the selection can be tailored to the TPP’s business needs and services. ApiGo provides both kinds of endpoints described in the UK Open Banking Standards.

_images/AccountAccessPicture6.PNG

The request sent by the TPP is answered with a body containing the account basics and details. If there is no consent available to reach account details, the gateway responds with the forbidden message, which can be defined in the policy details on the Management Portal.

_images/AccountAccessPicture7.PNG _images/AccountAccessPicture8.PNG

In the following instance, a sample consent body without account-detail permission is sent to the gateway. When the TPP sends a request under a consent that does not allow reading account details, the gateway responds with a message stating that the consent does not contain the relevant permission for this account. So, if the consent was obtained without the relevant permission, the response looks like the following body.

_images/AccountAccessPicture9.PNG _images/AccountAccessPicture10.PNG

ReadBalances permission

The balance endpoint configured with the Account Access Permission Policy (ReadBalances permission) represents the net increases and decreases (in bulk or for a specific account) at a specific point in time. The ReadBalances permission can be customized on the Account Access Permission wrapper, and the Forbidden Message can be rewritten to inform TPPs why the request has been rejected.

With ApiGo, an ASPSP can implement both the bulk and the specific retrieval endpoints, and a TPP may optionally reach the account information services in bulk or only for one account. For bulk, the resources are retrieved for all authorized accounts linked to the account request. By giving the related AccountId in the query of the request, a TPP can send a request and be successfully answered for a specific account.
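The following Python module is an added example, not ApiGo code, showing how an Account Access Permission Policy check of the kind described above can be evaluated: each AIS resource is mapped to the permission it requires, the consent must have been confirmed by the PSU, bulk calls are scoped to every account the PSU selected while AccountId-specific calls are scoped to that one account, and a request the consent does not cover is answered with the policy's configurable forbidden message. It generalizes over all the permissions named on this page (ReadAccountsDetail, ReadBalances, ReadBeneficiariesDetail, ReadStandingOrdersDetail, ReadDirectDebits). The consent id, account ids, function names and the shape of the error body are constructed assumptions; only the `Data.Permissions` consent request shape and the endpoint paths come from the UK Open Banking standard.

```python
"""Added example (not ApiGo's code): evaluating an Account Access Permission
Policy for UK Open Banking AIS endpoints. Consent ids, account ids and the
error body shape below are constructed for illustration."""
import re
from dataclasses import dataclass

# AIS resource -> permission the endpoint is policed with (permissions named on the page).
ENDPOINT_PERMISSIONS = {
    "accounts": "ReadAccountsDetail",
    "balances": "ReadBalances",
    "beneficiaries": "ReadBeneficiariesDetail",
    "standing-orders": "ReadStandingOrdersDetail",
    "direct-debits": "ReadDirectDebits",
}

# Default text of the policy's Forbidden Message (constructed; editable per endpoint).
DEFAULT_FORBIDDEN = "Consent does not contain the permission required for this resource."


@dataclass(frozen=True)
class Consent:
    consent_id: str
    status: str               # "AwaitingAuthorisation", "Authorised" or "Rejected"
    permissions: frozenset    # Data.Permissions from the TPP's consent request
    account_ids: frozenset    # accounts the PSU selected on the consent screen


def consent_from_request(consent_id, body):
    """Build a pending consent from an account-access-consent request body
    ({"Data": {"Permissions": [...]}, "Risk": {}}). Permission names the policy
    does not know are rejected instead of being silently stored."""
    perms = body.get("Data", {}).get("Permissions", [])
    unknown = set(perms) - set(ENDPOINT_PERMISSIONS.values())
    if not perms or unknown:
        raise ValueError(f"unsupported permissions: {sorted(unknown) or 'none'}")
    return Consent(consent_id, "AwaitingAuthorisation", frozenset(perms), frozenset())


def authorise(consent, selected_account_ids):
    """PSU confirms the consent and picks which accounts to share; no accounts = rejected."""
    if not selected_account_ids:
        return Consent(consent.consent_id, "Rejected", consent.permissions, frozenset())
    return Consent(consent.consent_id, "Authorised", consent.permissions,
                   frozenset(selected_account_ids))


def parse_path(path):
    """Return (resource, account_id) for the two endpoint shapes on the page:
    bulk (/balances, /accounts) and account-specific (/accounts/{AccountId}/balances)."""
    m = re.fullmatch(r"/accounts(?:/(?P<acct>[^/]+)(?:/(?P<sub>[a-z-]+))?)?", path)
    if m:
        return (m.group("sub") or "accounts"), m.group("acct")
    m = re.fullmatch(r"/(?P<res>[a-z-]+)", path)
    return (m.group("res"), None) if m else (None, None)


def forbidden(message):
    # Error body shape is constructed; ApiGo's own forbidden body is not reproduced here.
    return {"status": 403, "body": {"Code": "403 Forbidden", "Message": message}}


def evaluate(consent, path, forbidden_message=DEFAULT_FORBIDDEN):
    """Policy decision for a GET on `path` under `consent`. Returns
    {"status": 200, "account_ids": [...]} naming the accounts the handler may
    read, or a 403 carrying the policy's forbidden message."""
    resource, account_id = parse_path(path)
    required = ENDPOINT_PERMISSIONS.get(resource)
    if required is None:
        return {"status": 404, "body": {"Code": "404 Not Found", "Message": "unknown resource"}}
    if consent.status != "Authorised":          # PSU never confirmed, or rejected
        return forbidden(forbidden_message)
    if required not in consent.permissions:     # consent lacks the endpoint's permission
        return forbidden(forbidden_message)
    if account_id is None:                      # bulk: all accounts the PSU authorised
        return {"status": 200, "account_ids": sorted(consent.account_ids)}
    # Specific AccountId: treating an account the PSU did not select as forbidden
    # is this example's choice, not something the page prescribes.
    if account_id not in consent.account_ids:
        return forbidden(forbidden_message)
    return {"status": 200, "account_ids": [account_id]}


# Constructed walk-through: the TPP asks only for ReadBalances and the PSU shares two accounts.
CONSENT_REQUEST = {"Data": {"Permissions": ["ReadBalances"]}, "Risk": {}}
PENDING = consent_from_request("aac-0001", CONSENT_REQUEST)
AUTHORISED = authorise(PENDING, ["22289", "31820"])

if __name__ == "__main__":
    for p in ["/balances", "/accounts/22289/balances", "/accounts/99999/balances", "/accounts"]:
        print(p, evaluate(AUTHORISED, p))
```

Run as a script, the walk-through shows the bulk balances call returning both selected accounts, the specific call returning only the named account, the unselected account and the `/accounts` call (which needs ReadAccountsDetail, not granted) both receiving the forbidden message.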

_images/AccountAccessPicture11.PNG

After a consent with the ReadBalances permission has been approved, the TPP can call an account information service to reach balances. AIS must be called with the token obtained with the authorization code. The request is answered with a body that includes balance basics and details.

_images/AccountAccessPicture12.PNG

Regular Payments

ReadBeneficiariesDetail permission

A TPP may retrieve the account beneficiaries information resource for a specific AccountId (GET /accounts/{AccountId}/beneficiaries) or in bulk (GET /beneficiaries). For bulk, the endpoint retrieves the beneficiaries resources for all authorized accounts. ApiGo supports the ReadBeneficiariesDetail permission, but do not overlook that an ASPSP may not provide beneficiaries for an account (AccountId).

_images/AccountAccessPicture13.PNG

After the consent has been approved, the TPP can call an account information service to reach beneficiaries’ details. As mentioned before, account information services must be called with the token obtained with the authorization code. The TPP’s request is answered with a body that includes account basics and details.

_images/AccountAccessPicture14.PNG

ReadStandingOrdersDetail permission

With ApiGo, an ASPSP can serve the standing-order resource for a specific AccountId (/accounts/{AccountId}/standing-orders) or in bulk (/standing-orders). A TPP may optionally retrieve the standing-order resources in bulk or for one account.

_images/AccountAccessPicture15.PNG

The Standing Order endpoint provides details of creditor account information (name, sort code, account, SO info, frequency, creditor reference info, first/next/final payment info).

_images/AccountAccessPicture16.PNG

ReadDirectDebits permission

ApiGo users can provide an endpoint for TPPs to retrieve the direct debits for a specific account identified by AccountId (/accounts/{AccountId}/direct-debits). With ApiGo, an ASPSP may also provide an endpoint for TPPs to retrieve direct debits for all accounts that the PSU has consented to; the TPP is answered with the direct-debit resources for all authorized accounts.

_images/AccountAccessPicture17.PNG

Below is a sample request and response body for a direct-debit endpoint that provides details of the PSU’s direct debits, including mandate info, status, name and previous payment information.

_images/AccountAccessPicture18.PNG