Third Party Providers (TPP)
General
As part of the CMA regulations, fintech’s, new entrants and other online service that want to access FCMBUK’s Open Banking Standard API’s for product development are required to be registered and authorised by the Financial Conduct Authority (FCA).
Access to FCMBUK API.
The use of FCMBUK’s API by TPP for their product development requires the following steps.
ONBOARDING – As part of the onboarding process FCMBUK will need to verify that a Third-Party Provider is registered with UK FCA or European Equivalent and carry out additional checks including CDD.
ACCESS – Once a TPP has been verified by FCMBUK as part of the Onboarding Process, the TPP will be granted access to FCMBUK sandbox environment to develop and test their API’s as well as connectivity to the live API’s.
CONSENT – Access to customer financial data will be through explicit customer consent. Each customer must provide their consent to allow the TPP to access their accounts, the initiating step that starts the process is when the customer agrees with the TPP/application owner that the TPP’s is allowed to access the customer’s account.
Once consent is granted the TPP’s application then initiates the request to the account provider for access to the customer accounts.
The Account provider will then trigger a process in which the customer must provide explicit consent to either grant or deny the TPP access to their account.
The technological design of the API ensures that a customer’s credentials are never shared with the TPP, so that the customer can be re-assured that their credentials remain confidential at all times.
The process of a TPP gaining access to a customer’s data is a multi-step process, all of which must be completed by the TPP and is summarised below:
- TPP uses their certificate-based credentials to obtain an Access Token via the OAuth Client Credentials flow. This token will be used later to register Access Requests.
- TPP uses the Access Token to notify FCMBUK of the request type to access customer account data.
- The customer is then redirected by the TPP to the FCMBUK Consent portal where they can view the access request.
- The customer can then choose to either grant or deny the TPP’s access request to their account.
- The customer is then redirected back to the TPP’s website or application and the TPP will receive an authorisation code.
- The TPP will exchange the authorisation code for an Access Token specific to the access request.
- The TPP will use the Access Token to access the customer’s account data.
Links to Resources
TPP Registration with FCMBUK
If you would like to access FCMBUK API’s then please click to register.
Raise a Ticket
If you were not able to find the information on our website or to report any technical issues then please raise a ticket. For technical issues you can use the Open banking list of Reason Codes