As part of its legal obligations under PSD2, CIC implements a Fallback Mechanism, to be used in cases where the Open Banking API is unavailable.
As implemented by CIC, the Fallback Mechanism fulfills two objectives:
- Secure and reliable authentication of the calling TPP, so that access to PSU data is granted only to authorized entities;
- Enabling the TPP to use the same internet banking interfaces as the PSU.
In order to use the fallback mechanism, the TPP will need to have in their possession a valid Qualified Website Authentication Certificate (QWAC), as described in Registration.
The URL on which to query the fallback mechanism is:
Access to that URL requires the qualified certificate to be presented when establishing the TLS connection.
When queried with GET, that URL returns an HTML page that allows interactive form-filling by a human operator. Filling in and submitting the form results in the HTTP POST request described below, using the standard HTML form mechanism implemented in every web browser.
In order to use the fallback mechanism, the TPP must make a POST request to the fallback mechanism URL with the following parameters:
- The `User-Agent` header must be set and not empty;
- The `Content-Type` header must be set to `x-www-form-urlencoded`, and the request body parameters must be encoded according to the rules for that content type;
- For login/password authentication, the request body must set the following parameters:
  - `flag` must be set to value;
  - `_cm_user` must be set to the PSU's user login;
  - `_cm_pwd` must be set to the PSU's password;
  - `_charset_` should be set to the encoding used to percent-encode non-ASCII characters. Only values `utf-8` are supported; generally, `utf-8` should be used.
If valid PSU credentials are given to the fallback mechanism, an HTTP response will be generated:
- It will be an HTTP 302 or 303 redirect response to the PSU's banking homepage;
- The response will set a number of cookies; these cookies are used to persist the user session.
Visiting the redirect destination with the created cookies will show the PSU's user interface. For these subsequent requests, the PSD2 QWAC certificate is not necessary.
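The exchange described above (mutual-TLS POST of the form fields, then a 302/303 redirect carrying session cookies), as an added example that is not CIC's own code. It assumes placeholder values for everything the page does not give: the fallback host and path (`FALLBACK_HOST`, `FALLBACK_PATH`), the required value of the `flag` parameter (`FLAG_VALUE`), and PEM files holding the QWAC and its private key. The full MIME type written into `Content-Type` is `application/x-www-form-urlencoded`, which the page abbreviates. The encoding and response-parsing steps are kept in separate functions so they can be checked without a network connection.

```python
"""Client helpers for the PSD2 fallback login described above.

Added example, not CIC's code. Placeholders (not on the page):
FALLBACK_HOST / FALLBACK_PATH, FLAG_VALUE, and the PEM file paths.
"""
import http.client
import ssl
from http.cookies import SimpleCookie
from urllib.parse import urlencode

FALLBACK_HOST = "fallback.example.invalid"  # placeholder: real host is in CIC's documentation
FALLBACK_PATH = "/fallback-login"           # placeholder: real path is in CIC's documentation
FLAG_VALUE = "FLAG_VALUE_FROM_DOCS"         # placeholder: the page elides the required value
USER_AGENT = "example-tpp-client/1.0"       # any non-empty value satisfies the User-Agent rule


def build_login_body(user: str, password: str, charset: str = "utf-8") -> str:
    """Encode the form fields as application/x-www-form-urlencoded.

    Non-ASCII characters are percent-encoded in the charset announced via
    `_charset_`; the page only documents utf-8, so anything else is refused.
    """
    if charset.lower() != "utf-8":
        raise ValueError("only utf-8 is documented for _charset_")
    fields = [
        ("flag", FLAG_VALUE),
        ("_cm_user", user),
        ("_cm_pwd", password),
        ("_charset_", charset),
    ]
    return urlencode(fields, encoding=charset)


def login_headers(body: str) -> dict:
    """Headers the fallback endpoint requires: a non-empty User-Agent and the form Content-Type."""
    return {
        "User-Agent": USER_AGENT,
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }


def parse_login_response(status: int, headers: list) -> tuple:
    """Interpret the login response.

    `headers` is a list of (name, value) pairs as returned by
    HTTPResponse.getheaders(). A successful login is a 302/303 redirect to the
    PSU's homepage plus one or more Set-Cookie headers holding the session.
    Returns (redirect_location, {cookie_name: value}); raises otherwise.
    """
    if status not in (302, 303):
        raise RuntimeError(f"login not accepted: HTTP {status}")
    location = None
    cookies = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            location = value
        elif lname == "set-cookie":
            # Each Set-Cookie header is parsed on its own; only the cookie
            # value is kept, since that is what later requests must send back.
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                cookies[key] = morsel.value
    if location is None or not cookies:
        raise RuntimeError("redirect without Location or session cookies")
    return location, cookies


def login_via_fallback(user: str, password: str, qwac_cert_pem: str, qwac_key_pem: str) -> tuple:
    """Perform the login over mutual TLS, presenting the QWAC as client certificate.

    The redirect is deliberately not followed: the cookies are captured from
    the 302/303 itself, and only they are needed for the subsequent requests.
    """
    ctx = ssl.create_default_context()  # verifies the server certificate
    ctx.load_cert_chain(certfile=qwac_cert_pem, keyfile=qwac_key_pem)
    body = build_login_body(user, password)
    conn = http.client.HTTPSConnection(FALLBACK_HOST, context=ctx)
    try:
        conn.request("POST", FALLBACK_PATH, body=body.encode("ascii"), headers=login_headers(body))
        resp = conn.getresponse()
        return parse_login_response(resp.status, resp.getheaders())
    finally:
        conn.close()
```

Because the page states that the QWAC is not needed once the cookies exist, the returned cookie values are the only thing authenticating the later requests; in a real client they should be held in memory for the duration of the session and never logged or persisted alongside the PSU credentials.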