PSD2 compliance for banks
FinTP-Connect is a solution designed for ensuring PSD2 compliance for banks or public administration. It achieves centralized management of requests initiated by PISP/AISP on behalf of the final customer. FinTP-Connect retrieves and processes these requests; they are then transferred to the Core Banking system, returning the responses back to the PISP/AISP.
FinTP-Connect receives requests from the PISP/AISP in JSON/XML – ISO 20022 elements format, and transmits them to the Core Banking system in its native format. FinTP-Connect also retrieves responses from the Core Banking system in its native format and sends them to the PISP/AISP as JSON/XML – ISO 20022 elements format.
Features:
- API management
- TPP identification
- TPP validation for access to services
- Rules management for applying Strong Customer Authentication (SCA)
- User activity tracking: TPP Management and Fraud Risk Management
- Log of services run by users: TPP Management
- Native format configuration: requests from the TPP, responses from Core Banking systems
API Management – components:
- API Gateway receives API requests (from PISP/AISP) in compliance with the security policies in place (authentication, authorization, audit and regulatory compliance), passes the requests to the API Integration & Services component, retrieves the response and sends it back to the initiator (PISP/AISP). It secures, protects and scales API calls. It is a basic proxy component that forwards API requests and applies policies, verifying access limits and security checks. After a policy or rule has been validated, it forwards the request via web services towards the backend that can return the response. The API Gateway also identifies and authenticates the TPP and the customer by accessing the Identity Server and checking credentials, tokens or the registry. The API Gateway also collects analytics data and provides it to the Reporting & Monitoring Interface.
- API Integration & Services ensures the management of requests received from the API Gateway, passes the requests to core banking systems in their native formats, retrieves responses from the core banking systems and then sends them back to the API Gateway.
- Reporting & Monitoring Interface enables activity monitoring, based on the data received from API Gateway, provides reports for fraud risk identification and management, as well as statistical reports containing data about the services accessed by the Services Providers (PISP/AISP).
- API Publisher allows API providers to develop and publish custom APIs, specific documentation, public keys and to collect information about the impact of functionalities, quality and usability. The API Publisher manages a set of APIs for an organization or a business unit and controls the lifecycle of an API and any related monetization issues.
- API Store is a collaboration interface for API publishers, allowing them to host and promote their APIs. Consumers can register, discover, evaluate and subscribe to APIs in a secure, protected and authenticated way.
- RESTful API Microservices. The API service is the functionality that runs in the backend. It ensures compliance with requirements for user account information request flows and for payment initiation flows on behalf of the final user, offering a single endpoint in the bank. This component ensures communication with internal bank systems and conversion of TPP requests and responses to the standard format developed by the Berlin Group (or a customer-preferred format). The component also supports the monitoring feature that analyzes and reports user activity via the TPP.
Architecture:
- The API Gateway (a FinTP-Connect component hosted by the bank) retrieves the request initiated by the User via the Client Application hosted by the TPP and sends it to the Identity Server (hosted by the bank) to authenticate the User. FinTP-Connect also implements the Strong Customer Authentication (SCA) specific flows.
- The Identity Server returns an Access Token to the User through the Client Application, via the API Gateway. A series of subsequent actions is then allowed: Return Access Token, Refresh Token.
- Based on the Access Token already received, the TPP sends the User's request to the Resource Server through FinTP-Connect (API Gateway and API Integration & Services components).
- The Resource Server delivers the data requested by the User to the Client Application hosted by the TPP, via FinTP-Connect (API Gateway and API Integration & Services components).
- The API Gateway component sends analytics data to the Reporting & Monitoring Interface.
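As an added illustration (not FinTP-Connect code), the following Python models the API Gateway's access decision for one TPP request along the flow above: TPP identification against a registry, validation of the TPP's PSD2 role for the requested service, access token checks standing in for the Identity Server, and an SCA rule. The registry, token store, service names and the 90-day consent rule are constructed placeholders.

```python
import time
from dataclasses import dataclass

# Constructed TPP registry: known third-party providers and the PSD2 roles
# each holds (AISP = account information, PISP = payment initiation).
TPP_REGISTRY = {"TPP-A": {"AISP", "PISP"}, "TPP-B": {"AISP"}}
# Role each backend service requires (constructed service names).
SERVICE_ROLE = {"accounts": "AISP", "payments": "PISP"}
# Constructed stand-in for Identity Server token introspection:
# token -> (TPP the token was issued to, expiry as epoch seconds, scopes)
ACCESS_TOKENS = {
    "tok-aisp": ("TPP-B", 2_000_000_000, {"accounts"}),
    "tok-full": ("TPP-A", 2_000_000_000, {"accounts", "payments"}),
    "tok-old": ("TPP-A", 1_000_000_000, {"accounts", "payments"}),
}
# SCA rule (constructed): payment initiation always needs SCA; account
# information needs it again once the consent is older than 90 days.
SCA_CONSENT_MAX_AGE_S = 90 * 24 * 3600

@dataclass
class Decision:
    allowed: bool
    reason: str
    sca_required: bool = False

def gateway_decision(tpp_id, token, service, consent_age_s, now=None):
    """Decide whether one TPP request may be forwarded to the backend."""
    now = time.time() if now is None else now
    roles = TPP_REGISTRY.get(tpp_id)
    if roles is None:
        return Decision(False, "unknown TPP")
    required_role = SERVICE_ROLE.get(service)
    if required_role is None:
        return Decision(False, "unknown service")
    if required_role not in roles:
        return Decision(False, f"TPP lacks the {required_role} role")
    entry = ACCESS_TOKENS.get(token)
    if entry is None:
        return Decision(False, "unknown token")
    issued_to, expiry, scopes = entry
    if issued_to != tpp_id:
        return Decision(False, "token not issued to this TPP")
    if now >= expiry:
        return Decision(False, "token expired")
    if service not in scopes:
        return Decision(False, "token scope does not cover service")
    # Every check passed; decide whether SCA must be applied before forwarding.
    sca = service == "payments" or consent_age_s > SCA_CONSENT_MAX_AGE_S
    return Decision(True, "forward to backend", sca_required=sca)
```

Each refusal reason is what the gateway would write to its audit trail and hand to the Reporting & Monitoring Interface.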