TPP-Onboarding Guidelines

Initial situation and necessity

With OBP.ch, a PSD2-like ecosystem is being established in which independent financial service providers can access banks' account information on behalf of their customers.
In addition to an approval process, in which the account holder must agree to the access and which is regulated by OBP.ch, a process is required which enables third-party providers (TPP) to communicate with the bank and retrieve the relevant data.
In contrast to PSD2, each bank is responsible for this process itself.

The illustration shows the process of registering a TPP with a bank.

Onboarding Guidelines

Information

The TPP contacts the bank to obtain information about the onboarding process. For this purpose the bank provides a dedicated web page that contains at least the necessary contact details. The web page must be reachable at: https://<bank.ch>/OBP-Onboarding


Onboarding form


The TPP must provide the bank with the information it needs to decide whether to grant access. The scope of this information is a matter for the bank, as is the technical implementation. Instead of using web or PDF forms, the data can also be collected in a conversation and recorded in writing.


Due Diligence


The bank checks, in accordance with its internal guidelines, whether it wishes to cooperate with the TPP within the framework of OBP.ch and whether it wishes to grant the TPP permission to access bank customer data via the OBP.ch API.


Technical parameters


Even though the OBP.ch API is standardized, there are differences between banks, for example in the handling of SEPA payments: when is conformity checked, and what happens if a payment does not conform? If necessary, the bank and the TPP must agree on exactly how payments or account queries are treated and what the TPP can rely on, i.e. which options are available to it.


Create Certificate


OBP.ch stipulates that a TPP must identify itself with a certificate when accessing the API so that its identity and authorizations can be determined beyond doubt.
For compatibility with PSD2, so-called eIDAS certificates with the corresponding PSD2-specific attributes are required.
Since TPP onboarding is a bank-specific process, the responsibility for creating the certificate lies with the bank. The bank can outsource the technical part to a service provider.


Treatment of foreign, EU-certified TPPs


One of OBP.ch's goals is to stay close to the corresponding European standards and to simplify access for EU-certified TPPs. Therefore, Berlin Group's NextGenPSD2 was used as the basis for the OBP.ch API.
For the individual bank, the question arises of how an EU-certified TPP should be treated within the onboarding process:
Which data must be submitted? Is confirmation by foreign supervisory authorities of the authorisation as a PSD2 TPP sufficient?
Will the bank accept the TPP's PSD2 certificate for authentication, or does the TPP have to use a specific certificate to access the bank's OBP.ch API?
