Back to CIC's Developer Portal Homepage

PSD2 Fallback Mechanism

PSD2 API Developer Portal PSD2 Fallback Mechanism

As part of its legal obligations under PSD2, CIC implements a Fallback Mechanism, to be used in cases where the Open Banking API is unavailable.

As implemented by CIC, the Fallback Mechanism fulfills two objectives:

  1. Secure and reliable authentication of the calling TPP, so that access to PSU data is granted only to authorized entities;
  2. Enabling TPP access to use the same internet banking interfaces as the PSU;

In order to use the fallback mechanism, the TPP will need to have in their possession a valid Qualified Website Authentication Certificate (QWAC), as described in Registration.

The URL on which to query the fallback mechanism is: Access to that URL requires usage of the qualified certificate to establish the TLS connection.

When queried with GET, that URL will show a HTML page that allows interactive form-filling by a human operator. Filling the form and sending it will send will result in the HTTP POST request described below, with the standard HTML Form mechanism implemented in every Web browser.

In order to use the fallback mechanism, the TPP must make a POST HTTP request to the fallback mechanism URL with the following parameters:

  • The Accept, User-Agent headers must be set and not empty;
  • The Content-Type header must be set to x-www-form-urlencoded, and the request body parameters must be encoded according to the rules for it;
  • For login/password authentication, the request body must set the following parameters:
    • flag must be set to value password;
    • _cm_user must be set to the PSU's user login;
    • _cm_pwd must be set to the PSU's password;
    • _charset_ should be set to the encoding used to percent-encode non-ASCII characters. Only values iso-8859-1 or utf-8 are supported. Generally, utf-8 should be used;

If valid PSU credentials are given to the fallback mechanism, then a HTTP response will be generated:

  • It will be a HTTP 302 or 303 Redirect response, to the PSU's banking homepage;
  • The response will set a number of cookies - these cookies are used to persist the user session;

Visiting the redirect destination with the created cookies will show the PSU's User Interface. For these subsequent requests, the PSD2 QWAC certificate is not necessary.