Third-Party Payment Services
Introduction
In accordance with the provisions of the Revised Payment Services Directive (PSD2), Eurobank Private Bank Luxembourg S.A. (hereafter referred to as “Eurobank) will grant access to Third Party Providers (hereafter referred to as TPPs) to client accounts if they have received the client consent. In that context, Eurobank has implemented LUXHUB’s API solution. To find the technical specifications of the API solution please use the following link : LUXHUB’s developer portal
Timeline
TPPs can access Eurobank’s testing environment (Sandbox) in order to test the interface with basic data. As of June 14 2019 TPPs will be able to access Eurobank’s dedicated production interface.
API standard used
Eurobank has implemented the Berlin Group standard version 1.13220190215.
For further information, please use the following link : https://www.berlin-group.org/psd2-access-to-bank-accounts
Authentication procedure
The authentication procedure applied is the redirection approach, where the individual steps of the authentication are not executed at LUXHUB’s Access to Account interface, but directly between the PSU and Eurobank. The PSU is redirected to the Bank’s web interface for authentication and thereby temporarily leaves the TPP interface for authentication. Once the PSU has been redirected to the Bank’s authentication service, the authentication of the PSU is executed step by step directly between the Bank and the PSU. After completion of the authentication, the PSU is redirected back to the TPP interface without sharing any authentication elements with the TPP. LUXHUB verifies the integrity of this identification by validating Eurobank’s signature of the PSU.
Functionalities offered
Eurobank offers the following via its API:
- Account Information Services (AIS), which allows AISPs to access information on customer’s accounts, such as a list of all available accounts, balances of given accounts and additional details as well as transaction reports;
- Payment Initiation Services (PIS), which enables PISPs to initiate payment orders, to adjust those if necessary and to access information on the status of these payments.
Consent management
Eurobank has implemented the “Detailed Consent” model as per the Berlin Group standard version 1.13220190215.
Eurobank has updated its Consent management policy in order to comply with the Commission Delegated Regulation (EU) 2022/2360 amendment of the Regulatory Technical Standards (RTS) laid down in Delegated Regulation (EU) 2018/389 on 90-day exemption for account access. From 25th July 2023 onward, the period of exemption of PSU’s SCA has increased from 90 to 180 days under AIS conditions on the TPP-dedicated interface. Prior accesses remain under the original RTS prescriptions.
Interface usage statistics
As per regulation, Eurobank publishes on a quarterly basis the daily usage statistics onto its Corporate Website for the scope of both interfaces:
- the API Dedicated Interface (date, uptime rate, downtime rate, AISP response time, PISP response time, CBPII response time, error response rate);
- the e-Banking Dedicated Interface (date, uptime rate, downtime rate, Consultation functions response time, Payment functions response time, error response rate).
Rates are given as percentages, Response times in milliseconds.
Link to the ZIP file:Interface_Usage_Statistics_20241220 (per quarter and per interface).
Note: statistics are computed in the light of EBA's methodology clarifications referenced as 2019_4661.
For any further information, visitors may contact the Bank through the Contact Form section of the website.
Additional information
- In regards to the EBA opinion June 2020, the Eurobank Luxembourg Private Bank App2App flow and specificities are documented below:
- General Remarks related to the Bank App2App implementation
- Additional Information Regarding the Bank Implementation and Supported Flows
Protocols used and communication
- Access Network: Internet
- Transport Protocol: HTTP version 1.1, TLS version 1.2 or higher
- Applicative Protocol: REST with HAL support
- Authorization Protocol: OAuth2 Authorization Code Grant (AISP, CBPII, PISP) or Client credentials Grant (PISP, CBPII) (See :https://tools.ietf.org/html/rfc6749 and https://tools.ietf.org/html/rfc7009)
- Data formats: JSON/UTF8 & XML
- Data model origin: ISO 20022
- Non-repudiation: HTTP Signature (https://datatracker.ietf.org/doc/draft-cavage-http-signatures/)
- Technical Documentation: Swagger 2.0 (https://swagger.io/specification/)
Legal references and background
PSD2
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L2366&from=EN
EBA Report on RTS
Directive 2018/389 on RTS on SCA & CSC
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R0389&from=EN
Definitions
AIS / AISP |
Account Information Service / Account Information Service Provider |
API |
Application Programming Interface |
Berlin Group Standard |
This Standard has been developed by Berlin Group NextGenPSD2 over a period of 21 months in collaboration with representatives of the market supply-side, i.e. banks, banking associations, payment associations, payment schemes and interbank processors operating in SEPA |
CBPII |
Payment Service Provider issuing card-based payment instruments |
PIS / PISP |
Payment Initiation Service / Payment Initiation Service Provider |
PSP |
Payment Service Provider |
PSU |
Payment Service User
|
SCA |
Strong Customer Authenticating |
TPP |
Third Party Provider – namely, AISPs, PISPs and CBPIIs |