This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Managing Account Access (200 wip)

With the consent of the respective customer (PSU), Account Information Service Providers (AISPs) are allowed to access the PSU's account and transaction data. The endpoints listed below allow the AISP to create an account access consent using the listed permissions.


Endpoints

Resource                | HTTP Operation | Endpoint                                    | Mandatory/Optional | Scope    | Grant Type
------------------------|----------------|---------------------------------------------|--------------------|----------|-------------------
account-access-consents | POST           | POST /account-access-consents               | Mandatory          | accounts | Client Credentials
account-access-consents | GET            | GET /account-access-consents/{ConsentId}    | Mandatory          | accounts | Client Credentials
account-access-consents | DELETE         | DELETE /account-access-consents/{ConsentId} | Mandatory          | accounts | Client Credentials

POST /account-access-consents 

The API allows the AISP to ask an ASPSP to create a new account-access-consent resource.

  • This API effectively allows the AISP to send a copy of the consent to the ASPSP to authorise access to account and transaction information.
  • An AISP is not able to pre-select a set of accounts for account-access-consent authorisation. This is because the behaviour of the pre-selected accounts, after authorisation, is not clear from a legal perspective.
  • An ASPSP creates the account-access-consent resource and responds with a unique ConsentId to refer to the resource.
  • Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.

GET /account-access-consents/{ConsentId}

An AISP may optionally retrieve an account-access-consent resource that it has created to check its status. Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant. Usage of this endpoint is subject to the ASPSP's fair usage policies.

Once the PSU authorises the account-access-consent resource, the status of the account-access-consent resource is updated with Authorised.

DELETE /account-access-consents/{ConsentId}

If the PSU revokes the consent to data access with the AISP, the AISP must delete the account-access-consent resource with the ASPSP before confirming consent revocation with the PSU.

  • This is done by making a call to DELETE the account-access-consent resource.
  • Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.

Account access consent status

The PSU must authenticate with the ASPSP and authorise the account-access-consent before it can be used. A newly created account-access-consent resource starts in the following status:

Status                | Status Description
----------------------|-------------------------------------------------------
AwaitingAuthorisation | The account access consent is awaiting authorisation.

After authorisation has taken place, the account-access-consent resource may have any of the following statuses:

Status     | Status Description
-----------|---------------------------------------------------------------------
Rejected   | The account access consent has been rejected.
Authorised | The account access consent has been successfully authorised.
Revoked    | The account access consent has been revoked via the ASPSP interface.
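The following is an added example, not WSO2 product code or Open Banking reference code, that walks through the three endpoints above and the status transitions from the tables against an in-memory stand-in for an ASPSP. Each handler returns an (HTTP status, body) pair instead of speaking HTTP, and an access token is modelled as a dict carrying client_id, grant_type and scope so the client-credentials requirement can be enforced. Assumptions made here: 201 on create and 204 on delete, 401 for a missing or non-client-credentials token, 404 for a ConsentId that does not exist or was created by a different AISP (so one AISP cannot probe another's consents), and the ConsentId format.

```python
"""Account-access-consent lifecycle against an in-memory stand-in for an ASPSP.

Added example, not WSO2 product code or Open Banking reference code. Token
modelling, HTTP status choices, the ConsentId format and the "only the creating
AISP may read or delete a consent" rule are assumptions made for this example.
"""
import secrets


class FakeASPSP:
    def __init__(self):
        self._consents = {}  # ConsentId -> consent record (keys starting with "_" are private)

    @staticmethod
    def _token_error(token):
        """Every endpoint above needs a client credentials token carrying the 'accounts' scope."""
        if (token is None
                or token.get("grant_type") != "client_credentials"
                or "accounts" not in token.get("scope", "").split()):
            return 401, {"error": "invalid_token"}
        return None

    @staticmethod
    def _public(consent):
        return {"Data": {k: v for k, v in consent.items() if not k.startswith("_")}}

    def _owned(self, token, consent_id):
        """Look up a consent only for the AISP that created it (assumption: others see 404,
        which also avoids confirming that the ConsentId exists)."""
        consent = self._consents.get(consent_id)
        if consent is None or consent["_client_id"] != token["client_id"]:
            return None
        return consent

    def post_consent(self, token, body):
        """POST /account-access-consents"""
        denied = self._token_error(token)
        if denied:
            return denied
        permissions = body.get("Data", {}).get("Permissions", [])
        if not permissions:
            return 400, {"error": "Permissions array must not be empty"}
        consent_id = "urn-aspsp-intent-" + secrets.token_hex(8)  # format is an assumption
        consent = {"ConsentId": consent_id, "Status": "AwaitingAuthorisation",
                   "Permissions": list(permissions), "_client_id": token["client_id"]}
        self._consents[consent_id] = consent
        return 201, self._public(consent)

    def get_consent(self, token, consent_id):
        """GET /account-access-consents/{ConsentId}"""
        denied = self._token_error(token)
        if denied:
            return denied
        consent = self._owned(token, consent_id)
        if consent is None:
            return 404, {"error": "consent not found"}
        return 200, self._public(consent)

    def delete_consent(self, token, consent_id):
        """DELETE /account-access-consents/{ConsentId}"""
        denied = self._token_error(token)
        if denied:
            return denied
        if self._owned(token, consent_id) is None:
            return 404, {"error": "consent not found"}
        del self._consents[consent_id]
        return 204, None

    # PSU actions that happen at the ASPSP, outside the AISP-facing API.
    def psu_decides(self, consent_id, authorised):
        """The PSU authenticates with the ASPSP and authorises or rejects the consent."""
        consent = self._consents[consent_id]
        if consent["Status"] != "AwaitingAuthorisation":
            raise ValueError("consent is not awaiting authorisation")
        consent["Status"] = "Authorised" if authorised else "Rejected"

    def psu_revokes(self, consent_id):
        """The PSU revokes the consent through the ASPSP's own interface."""
        self._consents[consent_id]["Status"] = "Revoked"


def run_lifecycle(aspsp, client_id="aisp-1"):
    """AISP side: create the consent, poll it, wait for PSU authorisation, then delete it
    once the PSU withdraws consent. Returns (http_status, consent_status) per step."""
    token = {"client_id": client_id, "grant_type": "client_credentials", "scope": "accounts"}
    body = {"Data": {"Permissions": ["ReadAccountsBasic", "ReadBalances"]}, "Risk": {}}
    trace = []
    code, resp = aspsp.post_consent(token, body)
    consent_id = resp["Data"]["ConsentId"]
    trace.append((code, resp["Data"]["Status"]))
    code, resp = aspsp.get_consent(token, consent_id)     # still AwaitingAuthorisation
    trace.append((code, resp["Data"]["Status"]))
    aspsp.psu_decides(consent_id, authorised=True)        # PSU completes authorisation
    code, resp = aspsp.get_consent(token, consent_id)
    trace.append((code, resp["Data"]["Status"]))
    code, _ = aspsp.delete_consent(token, consent_id)     # PSU revoked consent with the AISP
    trace.append((code, None))
    code, _ = aspsp.get_consent(token, consent_id)        # resource is gone
    trace.append((code, None))
    return trace


if __name__ == "__main__":
    for step in run_lifecycle(FakeASPSP()):
        print(step)
```

Two checks in this example are worth carrying into a real deployment: the token test rejects any token that did not come from the client credentials grant, so a PSU-bound access token cannot be used to mint consents, and the ConsentId lookup is scoped to the calling client so that a guessed or leaked ConsentId from another AISP reads as "not found".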

Permissions

Permission codes limit the data that is returned in response to a resource request.

When permission is granted for a Detail permission code (for example, ReadAccountsDetail), access is also implicitly granted to the corresponding Basic permission code (for example, ReadAccountsBasic).

The following combinations of permissions are not allowed, and the ASPSP must not allow such account-access-consent requests to be created:

  • Requests with an empty Permissions array
  • Requests with a Permissions array that contains ReadTransactionsBasic but does not contain at least one of ReadTransactionsCredits and ReadTransactionsDebits
  • Requests with a Permissions array that contains ReadTransactionsDetail but does not contain at least one of ReadTransactionsCredits and ReadTransactionsDebits
  • Requests with a Permissions array that contains ReadTransactionsCredits but does not contain at least one of ReadTransactionsBasic and ReadTransactionsDetail
  • Requests with a Permissions array that contains ReadTransactionsDebits but does not contain at least one of ReadTransactionsBasic and ReadTransactionsDetail
The table below lists, for each permission code, the endpoints it unlocks, any additional business logic, and a description.

Permission: ReadAccountsBasic
  Endpoints: /accounts, /accounts/{AccountId}
  Description: Ability to read basic account information

Permission: ReadAccountsDetail
  Endpoints: /accounts, /accounts/{AccountId}
  Business logic: Access to additional elements in the payload
  Description: Ability to read account identification details

Permission: ReadBalances
  Endpoints: /balances, /accounts/{AccountId}/balances
  Description: Ability to read all balance information

Permission: ReadBeneficiariesBasic
  Endpoints: /beneficiaries, /accounts/{AccountId}/beneficiaries
  Description: Ability to read basic beneficiary details

Permission: ReadBeneficiariesDetail
  Endpoints: /beneficiaries, /accounts/{AccountId}/beneficiaries
  Business logic: Access to additional elements in the payload
  Description: Ability to read account identification details for the beneficiary

Permission: ReadDirectDebits
  Endpoints: /direct-debits, /accounts/{AccountId}/direct-debits
  Description: Ability to read all direct debit information

Permission: ReadStandingOrdersBasic
  Endpoints: /standing-orders, /accounts/{AccountId}/standing-orders
  Description: Ability to read basic standing order information

Permission: ReadStandingOrdersDetail
  Endpoints: /standing-orders, /accounts/{AccountId}/standing-orders
  Business logic: Access to additional elements in the payload
  Description: Ability to read account identification details for the beneficiary of the standing order

Permission: ReadTransactionsBasic
  Endpoints: /transactions, /accounts/{AccountId}/transactions, /accounts/{AccountId}/statements/{StatementId}/transactions
  Business logic: Permissions must also include at least one of ReadTransactionsCredits and ReadTransactionsDebits
  Description: Ability to read basic transaction information

Permission: ReadTransactionsDetail
  Endpoints: /transactions, /accounts/{AccountId}/transactions, /accounts/{AccountId}/statements/{StatementId}/transactions
  Business logic: Access to additional elements in the payload. Permissions must also include at least one of ReadTransactionsCredits and ReadTransactionsDebits
  Description: Ability to read transaction data elements which may hold silent party details

Permission: ReadTransactionsCredits
  Endpoints: /transactions, /accounts/{AccountId}/transactions, /accounts/{AccountId}/statements/{StatementId}/transactions
  Business logic: Access to credit transactions. Permissions must also include one of ReadTransactionsBasic and ReadTransactionsDetail
  Description: Ability to read only credit transactions

Permission: ReadTransactionsDebits
  Endpoints: /transactions, /accounts/{AccountId}/transactions, /accounts/{AccountId}/statements/{StatementId}/transactions
  Business logic: Access to debit transactions. Permissions must also include one of ReadTransactionsBasic and ReadTransactionsDetail
  Description: Ability to read only debit transactions

Permission: ReadStatementsBasic
  Endpoints: /statements, /accounts/{AccountId}/statements
  Description: Ability to read basic statement details

Permission: ReadStatementsDetail
  Endpoints: /statements, /accounts/{AccountId}/statements, /accounts/{AccountId}/statements/{StatementId}/file
  Business logic: Access to additional elements in the payload. Access to download the statement file (if the ASPSP makes this available)
  Description: Ability to read statement data elements which may leak other information about the account

Permission: ReadProducts
  Endpoints: /products, /accounts/{AccountId}/product
  Description: Ability to read all product information relating to the account

Permission: ReadOffers
  Endpoints: /offers, /accounts/{AccountId}/offers
  Description: Ability to read all offer information

Permission: ReadParty
  Endpoints: /accounts/{AccountId}/party, /accounts/{AccountId}/parties
  Description: Ability to read party information related to the account

Permission: ReadPartyPSU
  Endpoints: /party
  Description: Ability to read party information on the PSU logged in

Permission: ReadScheduledPaymentsBasic
  Endpoints: /scheduled-payments, /accounts/{AccountId}/scheduled-payments
  Description: Ability to read basic scheduled payment details

Permission: ReadScheduledPaymentsDetail
  Endpoints: /scheduled-payments, /accounts/{AccountId}/scheduled-payments
  Business logic: Access to additional elements in the payload

Permission: ReadPAN
  Endpoints: All API endpoints where PAN is available as a structured field
  Business logic: Request to access PAN in the clear
  Description: Request to access PAN in the clear across the available endpoints. If this permission code is not in the account-access-consent, the AISP will receive a masked PAN.

While an AISP may request to access PAN in the clear, an ASPSP may still respond with a masked PAN if:

  • The ASPSP does not display PAN in the clear in existing online channels
  • The ASPSP takes a legal view to respond with only the masked PAN
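The following is an added example, not WSO2 product code or Open Banking reference code, that turns the rules in this section into checks an ASPSP would run: the disallowed-combination list for the Permissions array, the "Detail implies Basic" expansion, the mapping from granted codes to the endpoints in the table, the credit/debit filtering behind ReadTransactionsCredits and ReadTransactionsDebits, and PAN masking when ReadPAN is absent. The permission codes and endpoint paths are taken from the table; the error strings, the masking format (all but the last four digits) and the use of the CreditDebitIndicator transaction field with values Credit and Debit are assumptions made here.

```python
"""Permission checks for an account-access-consent request and the data it unlocks.

Added example, not WSO2 product code or Open Banking reference code. Permission
codes, endpoints and coupling rules follow the table above; the error strings,
the PAN masking format and the CreditDebitIndicator field are assumptions.
"""

TX_ENDPOINTS = ["/transactions", "/accounts/{AccountId}/transactions",
                "/accounts/{AccountId}/statements/{StatementId}/transactions"]

# Endpoint templates each permission code unlocks (from the table above).
ENDPOINTS = {
    "ReadAccountsBasic": ["/accounts", "/accounts/{AccountId}"],
    "ReadAccountsDetail": ["/accounts", "/accounts/{AccountId}"],
    "ReadBalances": ["/balances", "/accounts/{AccountId}/balances"],
    "ReadBeneficiariesBasic": ["/beneficiaries", "/accounts/{AccountId}/beneficiaries"],
    "ReadBeneficiariesDetail": ["/beneficiaries", "/accounts/{AccountId}/beneficiaries"],
    "ReadDirectDebits": ["/direct-debits", "/accounts/{AccountId}/direct-debits"],
    "ReadStandingOrdersBasic": ["/standing-orders", "/accounts/{AccountId}/standing-orders"],
    "ReadStandingOrdersDetail": ["/standing-orders", "/accounts/{AccountId}/standing-orders"],
    "ReadTransactionsBasic": TX_ENDPOINTS,
    "ReadTransactionsDetail": TX_ENDPOINTS,
    "ReadTransactionsCredits": TX_ENDPOINTS,
    "ReadTransactionsDebits": TX_ENDPOINTS,
    "ReadStatementsBasic": ["/statements", "/accounts/{AccountId}/statements"],
    "ReadStatementsDetail": ["/statements", "/accounts/{AccountId}/statements",
                             "/accounts/{AccountId}/statements/{StatementId}/file"],
    "ReadProducts": ["/products", "/accounts/{AccountId}/product"],
    "ReadOffers": ["/offers", "/accounts/{AccountId}/offers"],
    "ReadParty": ["/accounts/{AccountId}/party", "/accounts/{AccountId}/parties"],
    "ReadPartyPSU": ["/party"],
    "ReadScheduledPaymentsBasic": ["/scheduled-payments", "/accounts/{AccountId}/scheduled-payments"],
    "ReadScheduledPaymentsDetail": ["/scheduled-payments", "/accounts/{AccountId}/scheduled-payments"],
    "ReadPAN": [],  # changes what payloads contain; unlocks no endpoint of its own
}

TX_SCOPE = {"ReadTransactionsBasic", "ReadTransactionsDetail"}
TX_DIRECTION = {"ReadTransactionsCredits", "ReadTransactionsDebits"}


def validate_permissions(permissions):
    """Return the reasons the ASPSP must reject this Permissions array ([] means accept)."""
    perms = set(permissions)
    if not perms:
        return ["Permissions array is empty"]
    errors = []
    unknown = sorted(perms - set(ENDPOINTS))
    if unknown:
        errors.append("unknown permission codes: " + ", ".join(unknown))
    # Transactions Basic/Detail needs a direction, and a direction needs Basic/Detail.
    if perms & TX_SCOPE and not perms & TX_DIRECTION:
        errors.append("ReadTransactionsBasic/Detail requires ReadTransactionsCredits or ReadTransactionsDebits")
    if perms & TX_DIRECTION and not perms & TX_SCOPE:
        errors.append("ReadTransactionsCredits/Debits requires ReadTransactionsBasic or ReadTransactionsDetail")
    return errors


def expand_permissions(permissions):
    """A granted Detail code implies the matching Basic code."""
    granted = set(permissions)
    for code in list(granted):
        if code.endswith("Detail"):
            granted.add(code[:-len("Detail")] + "Basic")
    return granted


def endpoint_allowed(granted, path):
    """True if a granted code unlocks `path`; a {Placeholder} matches exactly one path segment."""
    want = path.strip("/").split("/")
    for code in granted:
        for template in ENDPOINTS.get(code, []):
            parts = template.strip("/").split("/")
            if len(parts) == len(want) and all(
                    p.startswith("{") or p == w for p, w in zip(parts, want)):
                return True
    return False


def visible_transactions(granted, transactions):
    """Keep only the transactions whose direction the consent covers."""
    allowed = set()
    if "ReadTransactionsCredits" in granted:
        allowed.add("Credit")
    if "ReadTransactionsDebits" in granted:
        allowed.add("Debit")
    return [t for t in transactions if t["CreditDebitIndicator"] in allowed]


def mask_pan(pan, granted):
    """PAN in the clear only with ReadPAN; otherwise mask all but the last four digits."""
    if "ReadPAN" in granted:
        return pan
    return "*" * (len(pan) - 4) + pan[-4:]
```

Validation runs against the Permissions array as submitted; expansion runs on the granted set afterwards, so a consent holding only ReadAccountsDetail still unlocks the Basic endpoints while the coupling rules are judged on what the AISP actually asked for. Note that mask_pan only models the ReadPAN absent case; an ASPSP that masks for the policy reasons listed above would mask regardless of the granted set.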