Modified Customer Interface (MCI)

Summary Guide

Date: 13/01/2019


Contents

  1. PSD2 Regulation

  2. Modified Customer Interface (MCI)

  3. In Scope Entities

  4. TPP Requirements

  5. Contact us

  6. Glossary


PSD2 Regulation

Article 31 (PSD2 RTS) – Outlines the access interface options. ASPSPs can provide access:

  1. via a dedicated interface (generally understood to refer to an API-based solution)
  2. by allowing the use by [TPPs] of the interfaces used for authentication and communication with the [ASPSP’s] payment service users

Article 33 (PSD2 RTS) – Outlines the requirements of the contingency interface.

Modified Customer Interface (MCI)

The Modified Customer Interface (MCI) enables TPPs to access the designated payment accounts of PSUs for in-scope banking entities under PSD2.

MCI enables a TPP to access a PSU’s dedicated payment accounts via the browser-based internet banking channel that the PSU uses to access their accounts.

A TPP is able to screen-scrape all content of the ASPSP website when it logs in using customer credentials. Personal data is not supposed to be shared with the TPP during the screen-scraping process.

The MCI solution redacts personal data based on policies set by bank staff. This solution is based on the existing website design, layout and contents published by the bank.

In Scope Entities

The entities below are accessible via the MCI HTTP interface:

Entity Id    Bank/Brand     Country    Line of Business
ZEN-GBBUS    Zenith Bank    GB         Core Banking services

TPP Requirements

In order to use the MCI solution, a TPP will be required to have either completed or be aware of the following:

MCI Access Requirements

The request headers below must be passed when accessing the interface:

Type            Value                 Description
Request Header  x-mci-access-scope    TPP access scope. Possible values are AIS, PIS, CBPII
Request Header  x-mci-access-country  Country code where the PSU account is based; 2 letters as per the ISO 3166 standard (e.g. GB, DE, FR)
Request Header  x-mci-aspsp-entid     The bank operates multiple brands or multiple divisions with this interface. This header can be used to specify the entity that the TPP wants to access for a PSU. Check the “In Scope Entities” section for details on entity ids
Request Header  x-mci-psu-ip-addr     If the PSU is present, this needs to be updated with the IP address of the PSU’s device
Request Cert    Client Certificate    eIDAS certificate of the TPP

MCI Cookie Requirements

The MCI interface sets a cookie with the name MCISRV. Once this cookie is set, it needs to be passed along with subsequent requests so that sessions are maintained properly in a high-availability environment.

Access to Internet Banking resources

After the eIDAS validation and TPP authorisation check are complete, bank firewall policies will redact personal information before the page is handed over to the TPP.

Access to Internet Banking resources is regulated based on the scope (PIS/AIS/CoF) of the TPP request. There will also be some resources that are not accessible to the TPP when the bank decides to restrict them, for example “Profile Page” and “Messages”. Requests for such pages will receive an “Unauthorised” code with an appropriate error message.

MCI Response

If all requirements are met, the TPP will be able to access the redacted HTML page from the bank. Otherwise, the TPP will receive one of the error responses below:

HTTP Code  Error Code                        Error Message
403        EIDAS_FAILED_NOT_TRUSTED          Not authorised. eIDAS certificate is not trusted
403        EIDAS_FAILED_NOT_VALID            Not authorised. eIDAS certificate is not valid
403        NCA_FAILED_URN_NOT_FOUND          NCA authorisation check failed
403        NCA_FAILED_NO_ROLE_FOUND          NCA authorisation check failed - No role found
403        NCA_FAILED_NO_COUNTRY_FOUND       NCA authorisation check failed - No Country found
403        NCA_FAILED_STATUS_NOT_AUTHORISED  Resource not authorised for the scope defined
403        MANDATORY_HEADER_MISSING          If any of the above access requirement headers is missing
403        MANDATORY_CERT_MISSING            If eIDAS certificate is missing
50x        SYSTEM_ERROR                      Please contact the bank and inform about the issue.
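
An added example (not the bank's or the MCI provider's code): a client-side pre-flight check a TPP could run before sending a request, using the header names, scope values and the MANDATORY_HEADER_MISSING and MANDATORY_CERT_MISSING codes from the tables above, plus a helper that carries the MCISRV cookie into later requests. The function names, the LOCAL_BAD_VALUE code and the sample cookie value are assumptions made for illustration; the page does not say how the interface reports malformed header values.

```python
import ipaddress
import re
from http.cookies import SimpleCookie

# Header names, scope values and the MANDATORY_* codes are taken from the page.
SCOPES = {"AIS", "PIS", "CBPII"}
MANDATORY = ("x-mci-access-scope", "x-mci-access-country", "x-mci-aspsp-entid")
PSU_IP = "x-mci-psu-ip-addr"

def preflight(headers, has_client_cert, psu_present=False):
    """Return (code, detail) problems; LOCAL_BAD_VALUE is a hypothetical local code."""
    # HTTP header names are case-insensitive, so normalise before checking.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    if not has_client_cert:
        problems.append(("MANDATORY_CERT_MISSING", "eIDAS client certificate"))
    # Assumption: the PSU IP header is only required when the PSU is present.
    required = MANDATORY + ((PSU_IP,) if psu_present else ())
    for name in required:
        if not h.get(name):
            problems.append(("MANDATORY_HEADER_MISSING", name))
    scope = h.get("x-mci-access-scope")
    if scope and scope not in SCOPES:
        problems.append(("LOCAL_BAD_VALUE", "x-mci-access-scope"))
    country = h.get("x-mci-access-country")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append(("LOCAL_BAD_VALUE", "x-mci-access-country"))
    if h.get(PSU_IP):
        try:
            ipaddress.ip_address(h[PSU_IP])  # accepts IPv4 and IPv6 literals
        except ValueError:
            problems.append(("LOCAL_BAD_VALUE", PSU_IP))
    return problems

def session_cookie_header(set_cookie_value):
    """Return the Cookie header value that resends MCISRV, or None if absent."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if "MCISRV" not in jar:
        return None
    return "MCISRV=" + jar["MCISRV"].value

if __name__ == "__main__":
    # Constructed sample request and Set-Cookie value, for illustration only.
    sample = {"X-MCI-Access-Scope": "AIS", "x-mci-access-country": "GB",
              "x-mci-aspsp-entid": "ZEN-GBBUS"}
    print(preflight(sample, has_client_cert=True, psu_present=True))
    print(session_cookie_header("MCISRV=node-2a; Path=/; Secure; HttpOnly"))
```

Running the check before each request catches a missing header or certificate locally instead of through a 403 from the interface.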

Contact us

To ask a question about our open banking access provision for TPPs using the modified customer interface, please contact us at mci@banfico.com

Glossary

AISP    Account Information Service Provider
ASPSP   Account Servicing Payment Service Provider
EBA     European Banking Authority
eIDAS   EU Regulation that sets out rules for electronic identification and trust services
FCA     Financial Conduct Authority
MCI     Modified Customer Interface
NCA     National Competent Authority
PISP    Payments Initiation Service Provider
OBE     Open Banking Europe - PRETA's PSD2 directory project
PSD2    Second/Revised Payment Services Directive (Directive (EU) 2015/2366)
PSU     Payment Services User
RTS     Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication
SS+     Screen Scraping Plus
TPP     Third Party Provider