Strong authentication for individuals on access to accounts online
After the PSD2 APIs in 2019, BNP Paribas starts strong authentication for individuals on access to accounts online
Strong Customer Authentication every 90 days
Starting June 8, 2020, strong authentication will be required every 90 days for individuals, professionals and private banking customers of the BNP Paribas and Hellobank brands in France who access their online banking.
The same will apply to access to accounts through PSD2 APIs by Payment Services Providers.
The deployment will be gradual over 4 weeks. At the end of this period, all customers will be subject to strong authentication.
PSD2 APIs
In the context of the 2nd European Payment Services Directive, the PSD2 APIs for the following scope:
- Hellobank in France
- BNP Paribas Retail in France
- BNP Paribas Corporate Investment Banking in Europe
- BNP Paribas Corporate in France
have been available in production since mid-2019 and are ready to be used by authorized Payment Services Providers with an eIDAS certificate.
Until the exemption is granted, a fallback mechanism is available on the Corporate and Retail scopes (BNP Paribas and Hellobank) in France, as well as on CIB Europe, to allow Payment Services Providers to access PSD2 data without a break in service. The corresponding documentation is available on the API Store.
Access to these APIs is reserved for Payment Services Providers that received authorization from their national competent authority in an EU Member State.
The APIs can be accessed on the BNP Paribas API Store Portal at https://apistore.bnpparibas
The publicly accessible online portal sets out the content and documentation of the APIs and enables you to contact BNP Paribas to get access to the APIs or ask questions.
The API Store shows all the PSD2 APIs for France (Retail and Corporate), Belgium, CIB Europe (Corporate), Over-Seas and Poland. APIs offered by other Group entities are already available locally and will in time be listed in the API Store as well.
For the PSD2 APIs of BNP Paribas (mabanque.bnpparibas), no obstacle has been identified in the scope of the ABE Opinion Paper of 4 June 2020 concerning the requirements expected for 31/12/2020. They are therefore the main interface for secure communication with third party providers and are already used by many of them. The “fallback” method, also called “authenticated screen scraping”, must be used only in case of API failure.
For Hello bank! (hellobank.fr), the PSD2 APIs are live, working properly and already widely used by many third party providers. However, if exhaustiveness of the transaction status is a must-have, then access through “authenticated screen scraping” (as specified on the API Store since 2019) is the main interface. This is the only obstacle identified in the scope of the ABE Opinion Paper of 4 June 2020 concerning the requirements expected on 31/12/2020. This obstacle will no longer exist from the end of March 2021, the delivery date of an evolution of the transaction status (in order to display the same status as the online banking).
On the corporate scope (mabanqueentreprise.bnpparibas), the PSD2 APIs are live, working properly and also used by third party providers. However, if they need to be used by the 5% of our customers who use the strong customer authentication method based on an electronic certificate for credit transfer validation, then “authenticated screen scraping” is to be considered the main interface. This obstacle will no longer exist at the end of the second quarter of 2021, when this strong authentication method becomes available through the PSD2 APIs for credit transfer validation.