General information
A consent is an agreement between the PSU, the TPP and the ASPSP on the access rights to the PSU's accounts at a given ASPSP that are granted to the TPP.
The consent is authorized by the PSU towards the ASPSP and is shared with the TPP for further use.
To access account details, balances and transactions, the TPP must provide a valid ID of an active consent. The ASPSP must give the TPP access to account information according to the access rights in the given consent.
Note: The account owner name is supported without a special consent.
Access rights within a consent
No. | Access right | TPP is allowed to get | TPP is not allowed to get | Combination with other access rights
1 | Access to the list of available accounts of PSU. Important: these will be only those accounts that are accessible through XS2A according to internal bank rules. | | of any of available accounts: | Not possible
2 | Access to account details of given account | | | Possible: 3, 4
3 | Access to balances of given account | | | Possible: 2, 4
4 | Access to transactions of given account | | | Possible: 2, 3
Access rights 2 - 4 can be combined within one consent: PSU grants TPP access to account details, balances and transactions.
Access right 1 can't be combined with any other access rights within one consent.
Consent models
XS2A supports 3 consent models defined by the Berlin Group standard: detailed consent, global consent, and consent on available accounts.
The bank-offered consent model might be supported in the future together with the redirect SCA approach. Learn more about available SCA approaches in 02. Supported Authentication Methods.
No. | Consent model | Description | Access right | Payload example
1 | Available accounts consent | With this consent, the TPP gets a list of all available accounts of a PSU. Important: these will be only those accounts that are accessible through XS2A according to internal bank rules. In the request to XS2A no specific accounts are given, and the attribute "availableAccounts" is used to indicate the type of requested consent. | Only 1 | { "access": {"availableAccounts": "allAccounts"},
2 | Detailed consent | With this consent, the TPP gets access to account details, balances and transactions of particular accounts. The PSU must explicitly define the accounts for which access is granted and the type of access (balances and transactions, only balances, only transactions). If the PSU grants access to balances or transactions of a given account, access to account details is given by default. | 2 - 4 | { "access": { "balances": [ { "iban": "DE89370400440532013000" }, { "iban": "LU280019400644750000" } ], "transactions": [ { "iban": "DE89370400440532013000" }, { "iban": "DE89370400440532013001" } ] }, "recurringIndicator": true, "validUntil": "2019-12-31", "frequencyPerDay": "4", "combinedServiceIndicator": false }
3 | Global consent | With this consent, the TPP gets access to account details, balances and transactions of all available PSU accounts. Important: these will be only those accounts that are accessible through XS2A according to internal bank rules. In the request to XS2A no specific accounts are given, and the attribute "allPsd2" is used to indicate the type of requested consent. | 2 - 4 | { "access": {"allPsd2": "allAccounts"},
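The combination rules and the three consent models above can be enforced as a deny-by-default check on the "access" object. The following is an added example, not code from XS2A or the bank: the function names are hypothetical, accounts are assumed to be referenced by IBAN, the "accounts" attribute comes from the Berlin Group specification rather than this page, and "*" stands for whatever accounts the bank already exposes through XS2A.

```python
import json

# Access-right numbers from the page's table.
LIST, DETAILS, BALANCES, TRANSACTIONS = 1, 2, 3, 4
# "accounts" is the Berlin Group attribute for account details; the page's
# own payload only shows "balances" and "transactions".
DETAILED_KEYS = {"accounts": DETAILS, "balances": BALANCES, "transactions": TRANSACTIONS}


def effective_rights(access):
    """Return (model, rights); rights maps an IBAN, or "*" for all accounts,
    to the set of access-right numbers the consent grants."""
    keys = set(access)
    if not keys:
        raise ValueError("empty access object")
    for flag, model, granted in (
        ("availableAccounts", "available-accounts", {LIST}),
        ("allPsd2", "global", {DETAILS, BALANCES, TRANSACTIONS}),
    ):
        if flag in keys:
            # Neither model names specific accounts, and right 1 cannot be
            # combined with rights 2-4 in one consent.
            if keys != {flag} or access[flag] != "allAccounts":
                raise ValueError(f"{flag} must be the only attribute, set to allAccounts")
            return model, {"*": granted}
    unknown = keys - set(DETAILED_KEYS)
    if unknown:
        raise ValueError(f"unsupported access attributes: {sorted(unknown)}")
    rights = {}
    for key, right in DETAILED_KEYS.items():
        for ref in access.get(key, []):
            # Balances or transactions access implies account details.
            rights.setdefault(ref["iban"], set()).update({DETAILS, right})
    return "detailed", rights


def is_allowed(access, right, iban):
    """Deny by default: allow only what the consent explicitly grants."""
    _, rights = effective_rights(access)
    return right in rights.get("*", rights.get(iban, set()))


# Constructed sample: the "access" object of the page's detailed-consent payload.
SAMPLE = json.loads("""{"balances": [{"iban": "DE89370400440532013000"},
  {"iban": "LU280019400644750000"}],
 "transactions": [{"iban": "DE89370400440532013000"},
  {"iban": "DE89370400440532013001"}]}""")

if __name__ == "__main__":
    model, rights = effective_rights(SAMPLE)
    print(model, {iban: sorted(r) for iban, r in rights.items()})
```

With the page's detailed payload, the LU account gets balances and account details but no transactions, and an IBAN that is not named in the consent gets nothing.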