Using fallback

Principle

In accordance with the regulations, Groupe BPCE institutions have set up a dedicated interface for payment service providers: the published PSD2 REST APIs.

If the exposed PSD2 APIs fail, the payment service provider can use the “fallback” solution, which is based on the following principle:

Image

This solution meets the regulatory requirements of PSD2 (article 33 of the RTS). You can use it under the same conditions and prerequisites described in the “Eligibility” section.

Roadmap

Below are the elements of our forecast trajectory:

(*) Main features :

• Use by the TPP (Third Party Provider) of the same endpoint as the dedicated interface.
   
• A query parameter (header "fallback:1" present or absent) added by the TPP allows distinguishing a "Fallback" request from an API request via the dedicated interface, which must always be used systematically.
   
• TPP authentication via mutual TLS authentication using an eIDAS certificate (QWAC).
   
• Security measures identical to those for accessing the online banking of the PSU (Payment Service User) (the same interface used by the PSU for direct access, and the same customer authentication methods)
   
• In the context of the increased use of the dedicated interface (API), dynamic switching is not implemented: the fallback solution is always active.
   
• The fallback solution is a backup solution that should not be used as the primary means of access to provide PSD2 services. Its usage is monitored, and any abusive use by one or more TPPs will be automatically reported to the competent national authority.

Example

1. In the event that the DPS2 APIs are unexpectedly unavailable or the system fails (see criteria in RTS Art. 33), the TPP can send the request :

POST https://www.17515.live.api.89c3.com/stet/psd2/oauth/token

with :

• its eIDAS QWAC production certificate
• the header parameter (fallback: “1″)

Image

POST /stet/psd2/oauth/token HTTP/1.1

Content-Type: application/x-www-form-urlencoded

X-Request-ID: 1234

fallback: 1

User-Agent: PostmanRuntime/7.16.3

Accept: */*

Cache-Control: no-cache

Host: www.17515.live.api.caisse-epargne.fr

Accept-Encoding: gzip, deflate

Content-Length: 67

Connection: keep-alive

client_id=PSDFR-ACPR-12345&grant_type=client_credentials&scope=aisp
 

2. If the checks are positive, we will return a header url of the type to be used as part of the redirection to the online banking environment, and which contains a JWT token (“&fallback=” fields) which must also be used in this context:

HTTP/1.1 302 Found

Date: Tue, 25 May 2021 21:46:59 GMT

Location: https://www.caisse-epargne.fr/se-connecter/sso?service=dei&cdetab=17515&fallback=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImhF…

Content-Length: 870

Connection: close

Content-Type: text/html; charset=iso-8859-1

</head><body>

<h1>Found</h1>

<p>The document has moved <a >here</a>.</p>

</body></html>

3. Once redirected, the TPP must then use the PSU’s identifiers via its proprietary method

For more details on the POST request, see STET V1.6.2.0 / Part I / section 3.4.3

Limits

The constraints of this solution are as follows:

• No reuse of the context of the dedicated interface, nor of the access token (currently valid for 180 days).
   
• Only the PSD2 features available on online banking (reference: remote banking via fixed internet) are accessible via the fallback. For example, online banking services do not offer e-commerce payment (this PISP functionality is therefore not available in fallback mode).
   
• The client utilizing the services (PSU) must be connected to the TPP application (no possibility for AISP batch processing to retrieve the customer's consented data). PSD2 also mandates a systematic strengthening of strong authentication methods (AF/SCA) for access to remote/online banking; the authentication methods provided to PSU clients will be used (non-exhaustive list):
  • Soft token Sécur’Pass
  • OTP SMS
  • Physical key (for businesses)

Regulatory publications

How to retrieve your OAuth2 access token ?

1. You send a request directly to the authorization IT infrastructure of the account-holding bank; the details of the links and parameters are provided below  
  

Image

2. The account-holding bank (ASPSP) will perform checks related to your profile as a TPP (validity of certificates and your role in the marketplace registry, non-revocation of your profile, etc.). 
 

3. Once these checks are completed and if they are successful, the bank will respond with an HTTP 200 (OK) code and the following data:  

Image

The access token must be used in all requests in the "Authorization" header prefixed by the token type "Bearer." 

If the token has expired, the request will be rejected with an HTTP 400 code and data indicating "Invalid Token." 

This request can be resent once a new Client Credential type access token has been requested and obtained.

Please note that the maximum lifespan of an access token is currently 180 calendar days.

Obtain the list of a client's current accounts

Use case

This service allows listing all accounts eligible* for PSD2.

Note (*) : active payment accounts accessible online, namely sight accounts for professionals and businesses managed by this account holder.

Prerequisites 

This call retrieves the list of payment accounts of the PSU (payment service user) for which the AISP (account information service provider) is connected.

Each account is returned with links to consult the balances or outstanding amounts as well as the transactions associated with it.

Pagination of the returned list can be done if the number of accounts is high; in this case, navigation links providing access to the first page, previous, next, and last pages will facilitate the consultation of results.

A self-link will also be present to return to the page obtained just after executing the request.

Access to this method is limited to a maximum of 4 batch accesses per calendar day for a TPP without customer connection, excluding pagination.

Request 

GET /accounts

Parameter 

No specific parameter is required when calling this service (other than the OAuth2 token).

Example 

GET www.18919.sandbox.api.89c3.com/stet/psd2/v1.6.2/accounts

Obtain the list of a client's account balances

Prerequisites

This call retrieves the balance of a payment account of the PSU (payment service user) for which the AISP (account information service provider) is connected.

This service follows the retrieval of the customer's payment accounts list: a resource identifier corresponding to an account must be provided to obtain the list of balances.

One type of balance is returned for the specified account: the accounting balance (“CLBD” in the STET standard) as of the previous day (D-1).

A self-link will be present to return to the page obtained just after executing the request.

Access to this method is limited to a maximum of 4 batch accesses per calendar day for a client, for an account, or for a TPP.

Request

GET /accounts/{accountRessourceId}/balances

Parameters

Parameter “accountRessourceId”: payment account for which we want to consult the balances; this data corresponds to the “resourceId” section obtained in the results page of the request GET /accounts.

Example

Request

GET www.18919.sandbox.api.89c3.com/stet/psd2/v1.6.2/accounts/EURFR353000799999A40166510B

Obtain the list of a client's account transactions

Prerequisites

This call allows retrieving the list of transactions for a payment account of the PSU (payment service user) for which the AISP (account information service provider) is connected.

The transactions obtained are for a period not exceeding 90 days from the current date.

Pagination of the returned list can be done if there is a large amount of data to display; in this case, navigation links providing access to the first page, previous, next, and last pages will facilitate the consultation of results (see the “Limitations” section for the maximum number of results returned per page).

A self-link will also be present to return to the page obtained just after executing the request.

This service follows the retrieval of the customer's payment accounts list: a resource identifier corresponding to an account must be provided to obtain the list of transactions.

Access to this method is limited to a maximum of 4 batch accesses per calendar day for a client, for an account, or for a TPP, excluding pagination.

Request

GET /accounts/{accountRessourceId}/transactions

Parameters

Parameter accountRessourceId: payment account for which we want to consult the transactions; this data corresponds to the “resourceId” section obtained in the results page of the request GET /accounts.

Optional parameters:

• dateFrom (start date limit for the searched transactions)
• dateTo (end date limit for the searched transactions)
• afterEntryReference (minimum increment reference for the technical identifier)
   

Example

Request

GET www.18919.sandbox.api.89c3.com/stet/psd2/v1.6.2/accounts/EURFR353000799999A40166510BB25/transactions

Sandbox assembly

Sandbox

The Developer API Sandbox can be used directly via the AISP application by calling the APIs of the developer-API platform (sandbox assembly).

In the sandbox assembly, there are 2 calls:

• The first to retrieve the authorization token  
• The second to make the API call  

Image

Explanations  

The consumer application of the Sandbox APIs will need to retrieve an access token via its authentication key from the AS (Authentication Server).

This way, the application can consume the APIs using its access token.

API calls can be chained: first retrieving a list of sight accounts, and then executing a second request to obtain the balance of one of the accounts from the list by passing the "resourceId" obtained from the result of the first request as a parameter.

The data used for testing will come from personas, allowing the selection of specific profiles according to the tests in order to better understand the results obtained.

If necessary, pagination of results will be implemented to facilitate readability, and navigation links between different pages of results will be provided (see the examples in the use cases for obtaining accounts, balances, and transactions), which implies that the consuming application must be able to handle this pagination correctly.

Manage errors

Here is the list of error code descriptions for each method :

• Obtain the list of accounts: GET /accounts  
• Obtain the list of balances: GET /accounts/{accountRessourceId}/balances  
• Obtain the list of transactions: GET /accounts/{accountRessourceId}/transactions  

Roadmap

The account information API is subject to ongoing improvements and developments throughout the year. Below is our projected roadmap.

Functional limitations

The limitations of this API are as follows:

• It applies only to cash accounts in euros that are eligible (not blocked or under escrow) and accessible online (see the text of the PSD2 Directive).
   
• It does not allow retrieving the list of a client's trusted beneficiaries (this concept does not exist), nor the identity of the client using the payment service (first and last name).
   
• It uses only the redirection authentication method (Strong Customer Authentication required and managed through the client's account-holding bank).
   
• The transaction history depth is the same as that of the fixed internet online banking, with a maximum of 50 days.
   
• The mode "aisp extended_transaction_history" is not supported.
   
• Access to the account is only allowed via the IBAN of the payment account; however, the IBAN is not returned in the response.
   
• Limited to 4 batch accesses per day for each of the methods of this API (see the text of the PSD2 Directive).
   
• Transitioning to V1.6.2 will not allow for a coexisting period with the STET V1.4.0 version (v1 of the API).

Access to production data

In accordance with regulations, the data provided via the portal and sandbox assembly are only fictitious data.

These test data are described in the use cases "How to Test the API".

To access production data, using the PDS2 Registration API is a prerequisite.

The establishment code (see below) will allow addressing the correct backend via the endpoint www.<cdetab>.oba-bad-me-live.api.89c3.com (new url to be taken into account from now on)
(or www.<cdetab>.live.api.natixis.com aligned with the domain name of www.natixis.com direct access).
As a reminder, the existing URL www.<codetab>.live.api.89C3.com will no longer be available as of September 28, 2025.

Once chosen, this endpoint must be retained for all subsequent requests.

Eligibility

The resources of the "Account Information Services" API can only be consumed by PSPs with the aggregator role (AISP). This status is granted by the financial authorities of the country where the application is made; in France, this is the Prudential Control and Resolution Authority (ACPR), linked to the Bank of France.

Obtaining and retaining accreditation involves rigorous procedures to provide strong guarantees to users of payment services, with the forms available on the ACPR website: https://acpr.banque-france.fr/autoriser/procedures-secteur-banque/tous-les-formulaires.

Once the accreditation is granted, the format of this identifier (Organisation Identifier = OID) provided by the competent authority is:

PSDXX-YYYYYYYY-ZZZZZZZZ:

• XX => ISO 3166 country code of the competent authority hyphen-minus "–" (0x2D (ASCII), U+002D (UTF-8))
• YYYYYYYY => 2-8 characters from the competent authority's identifier (A-Z, no separator) hyphen-minus "–" (0x2D (ASCII), U+002D (UTF-8))
• ZZZZZZZZ => identifier of the PSP specified by the national competent authority (no restrictions on the number – or type – of characters used)

This OID identifier is important for two reasons:

• It will be used to identify you when making calls in the STET API requests (via the "client_id" parameter).
• It must be present in the eIDAS certificates you provide to the account holder (see below).

Additionally, you must have certificates issued by a recognized certification authority (Qualified Certification Service Providers – QTSP: https://webgate.ec.europa.eu/tl-browser/#/) compliant with the eIDAS regulation (electronic IDentification And trust Services: https://www.ssi.gouv.fr/entreprise/reglementation/confiance-numerique/le-reglement-eidas/) and adhering to the ETSI standard (https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.02.01_60/ts_119495v010201p.pdf).

To consume the PSD2 APIs offered on this portal, the TPP must enroll its app and send us via our PSD2 Registration API signed production certificates from an approved certification authority:

• A first set of QWAC certificates (for mutual TLS authentication) and QSEALC (to be uploaded to our gateway via the Register API) for the sandbox.
• Another set of QWAC certificates (for mutual TLS authentication) and QSEALC (to be uploaded to our gateway via the Register API) for production.
   

IMPORTANT NOTE: In the case of certificate renewal, if the certification authority (QTSP) is different (or if it is the same QTSP company but using different root keys), the TPP must notify the API support available via this site 2 months in advance to verify that the elements of the new certification authority are properly loaded onto our infrastructure.

A keyID identifier must also be provided in a format compliant with the STET specification, incorporating a SHA256 fingerprint after the "_" character, see example in the STET documentation Part 3 / Interaction Examples: keyId=https://path.to/myQsealCertificate_612b4c7d103074b29e4c1ece1ef40bc575c0a87e.

Only public keys in .pem format are required. Checks on the certificate data will be carried out based on French (REGAFI: https://www.regafi.fr) and European (ABE or EBA: https://euclid.eba.europa.eu/register/pir/disclaimer) registers.

Changes made since the first version