Table of Contents

maxLevel	1


style	none

1. Version Control

Version	Date	Description of Changes
Bahrain OBF v1.0.0	25th Aug 2020	Initial Release

2. Overview

The Account Access Consents API is used by an AISP to request an ASPSP to create a new account-access-consent consents resource, retrieve the status of account-access-consent consents resource and delete patch the account-access-consent consents resource.

This resource description should be read in conjunction with a compatible Account Information Services API Profile.

...

3.

...

Endpoints

S. No.	Resource	HTTP Operation	Endpoint	Mandatory	Scope	Grant Type	_{Message Signing}	Idempotency Key	Parameters	Request Object	Response Object
23.1	account-access-consents	POST	POST /account-access-consents	Mandatory	accounts	Client Credentials_{Signed Request Signed Response}	No	OBAccountAccessConsentRequest	OBAccountAccessConsentResponse
23.2	account-access-consents	GET	GET /account-access-consents/{ConsentId}	Mandatory	accounts	Client Credentials_{Signed Response}	No	NA	OBAccountAccessConsentResponse
23.3	account-access-consents	_DELETEPATCH	DELETE PATCH /account-access-consents/{ConsentId}	Mandatory	accounts	Client Credentials	_{Signed Response}	No	_NAOBPatchAccountAccessConsentRequest_NA	OBAccountAccessConsentResponse

...

3.1

...

POST /account-access-consents

The API allows the AISP to ask an ASPSP to create a new account-access-consent consents resource.

This API effectively allows the AISP to send a copy of the consent to the ASPSP to authorise access to account and transaction information.
An AISP is not able to pre-select a set of accounts for account-access-consent authorisation. This is because the behaviour of the pre-selected accounts, after authorisation, is not clear from a Legal perspective.
An ASPSP creates the account-access-consent consents resource and responds with a unique ConsentId to refer to the resource.
Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.

...

3.1.

...

1 Account Access Consent Status

The PSU user/customer must authenticate with the ASPSP and authorise the account-access-consent for the account-access-consent to be successfully setup. The account-access-consent consents resource that is created successfully must have the following Status code-list enumeration:

S. No.	Status	Status Description
1	AwaitingAuthorisation	The account access consent is awaiting authorisation.

After After authorisation has taken place the account-access-consent consents resource may have these following statuses:

S. No.	Status	Status Description
1	Rejected	The account access consent has been rejected.
2	Authorised	The account access consent has been successfully authorised.
3	Revoked	The account access consent has been revoked via the AISP/ASPSP interface.

...

3.1.

...

2 Status Flow

...

3.2 GET /account-access-consents/ {ConsentId}

An AISP may optionally retrieve an account-access-consent consents resource that they have created to check its status.

Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.

The usage of this API endpoint will be subject to an ASPSP's fair usage policies.

...

3.2.1 Account Access Consent Status

Once the PSU user/customer authorises the account-access-consent consents resource - the Status of the account-access-consent consents resource will be updated with "Authorised".

The available Status code-list enumerations for the account-access-consent consents resource are.:

S. No.	Status	Status Description
1	Rejected	The account access consent has been rejected.
2	AwaitingAuthorisation	The account access consent is awaiting authorisation
3	Authorised	The account access consent has been successfully authorised.
4	Revoked	The account access consent has been revoked via the ASPSP AISP interface.

...

3.3

...

PATCH /account-access-consents/{ConsentId}

If the PSU user/customer revokes consent to data access with the AISP, the AISP must delete patch the account-access-consent consents resource with the ASPSP as soon as is practically possible.

This is done by making a call to DELETE PATCH the account-access-consent consents resource.
Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.

TPP AISP should also clear the Account Access Consent consents resources, from ASPSP's ASPSP’s system, which are:

Expired, i.e. ExpirationDateTime is lapsed, or ExpirationDateTime is not lapsed, but PSU user/customer doesn't want to refresh/re-authenticate it, and
Consent Resource may never be referenced by the PSU in AISP or ASPSP domain.

3. Data Models

...

4. Data Models

4.1 Account Access Consents - Request

The OBAccountAccessConsentRequest object will be used for the call to:

POST /account-access-consents

...

4.1.

...

1 UML Diagram

...

4.1.1.

...

1 Notes

The

...

Account access consent request contains the following elements:

Permissions provided by the user/customer
Transaction from Date Time - A specified start date and time for the transaction query period
Transaction to Date Tome - A Specified end date and time for the transaction query period

4.1.2 Data Dictionary

Name	Occurrence	XPath	Enhanced Definition	Class/ Datatype	Codes
OBAccountAccessConsentRequest		OBAccountAccessConsentRequest		OBAccountAccessConsentRequest
Data	1..1	OBAccountAccessConsentRequest/Data		OBAccountAccessConsentRequest/Data
Permissions	1..n	OBAccountAccessConsentRequest/Data/Permissions	Specifies the Open Banking account access data types. This is a list of the data clusters being consented by the PSUUser/Customer, and requested for authorisation with the ASPSP	String	Enum: ReadAccountsBasic ReadAccountsDetail ReadBalances ReadBeneficiariesBasic ReadBeneficiariesDetail ReadDirectDebits ReadOffers ReadPAN ReadParty _ReadPartyPSReadSupplementaryAccountInfo _ReadProductsReadFutureDatedPaymentsBasic _{ReadScheduledPaymentsBasic}ReadFutureDatedPaymentsDetail _{ReadScheduledPaymentsDetail} ReadStandingOrdersBasic ReadStandingOrdersDetail ReadStatementsBasic ReadStatementsDetail ReadTransactionsBasic ReadTransactionsCredits ReadTransactionsDebits ReadTransactionsDetail	_{ExpirationDateTime}	_0..1	_{OBAccountAccessConsentRequest/Data/ExpirationDateTime}
_{Specified date and time the permissions will expire. If this is not populated, the permissions will be open ended}	_DateTime		TransactionFromDateTime	0..1	OBAccountAccessConsentRequest/Data/TransactionFromDateTime	Specified start date and time for the transaction query period. If this is not populated, the start date will be open ended, and data will be returned for upto the last 12 months from the earliest available transactiondate of customer providing consent	DateTime
TransactionToDateTime	0..1	OBAccountAccessConsentRequest/Data/TransactionToDateTime	Specified end date and time for the transaction query period. If this is not populated, the end date will be open ended, and data will be returned to the latest available transactiontill the date of customer providing consent	DateTime
_Risk	_1..1	_{OBAccountAccessConsentRequest/Risk}	_{The Risk section is sent by the initiating party to the ASPSP. It is used to specify additional details for risk scoring for Account Info}	_OBRisk

...

4.2 Access Account Consents - Response

The OBAccountAccessConsentResponse object will be used for the call to:

...

POST /account-access-consents

...

4.2.

...

1 UML Diagram

...

4.2.

...

2 Notes

The domestic-payment-consent request OBAccountAccessConsentResponse contains these objects:

The OBAccountAccessConsentResponse object contains the same information as the OBAccountAccessConsentRequest, but with additional fields:
- ConsentId - to uniquely identify the account-access-consent consents resource.
- Status.
- CreationDateTime.
- StatusUpdateDateTime.

...

4.2.

...

3 Data Dictionary

Name	Occurrence	XPath	Enhanced Definition	Class/ Datatype	Codes
OBAccountAccessConsentResponse		OBAccountAccessConsentResponse		OBAccountAccessConsentResponse
Data	1..1	OBAccountAccessConsentResponse/Data		OBAccountAccessConsentResponse/Data
ConsentId	1..1	OBAccountAccessConsentResponse/Data/ConsentId	Unique identification as assigned to identify the account access consent consents resource.	String
CreationDateTime	1..1	OBAccountAccessConsentResponse/Data/CreationDateTime	Date and time at which the resource was created.	DateTime
Status	1..1	OBAccountAccessConsentResponse/Data/Status	Specifies the status of consent consents resource in code form.	String	Enum: Authorised AwaitingAuthorisation Rejected Revoked
StatusUpdateDateTime	1..1	OBAccountAccessConsentResponse/Data/StatusUpdateDateTime	Date and time at which the resource status was updated.	DateTime
Permissions	1..n	OBAccountAccessConsentResponse/Data/Permissions	Specifies the Open Banking account access data types. This is a list of the data clusters being consented by the PSUUser/Customer, and requested for authorisation with the ASPSP	String	Enum: ReadAccountsBasic ReadAccountsDetail ReadBalances ReadBeneficiariesBasic ReadBeneficiariesDetail ReadDirectDebits ReadOffers ReadPAN ReadParty _ReadPartyPSReadSupplementaryAccountInfo _ReadProductsReadFutureDatedPaymentsBasic _{ReadScheduledPaymentsBasic} _{ReadScheduledPaymentsDetail}ReadFutureDatedPaymentsDetail ReadStandingOrdersBasic ReadStandingOrdersDetail ReadStatementsBasic ReadStatementsDetail ReadTransactionsBasic ReadTransactionsCredits ReadTransactionsDebits ReadTransactionsDetail	_{ExpirationDateTime}	_0..1
_{OBAccountAccessConsentResponse/Data/ExpirationDateTime}	_{Specified date and time the permissions will expire. If this is not populated, the permissions will be open ended}	_DateTime		TransactionFromDateTime	0..1	OBAccountAccessConsentResponse/Data/TransactionFromDateTime	Specified start date and time for the transaction query period. If this is not populated, the start date will be open ended, and data will be returned for upto the last 12 months from the earliest available transactiondate of customer providing consent	DateTime
TransactionToDateTime	0..1	OBAccountAccessConsentResponse/Data/TransactionToDateTime	Specified end date and time for the transaction query period. If this is not populated, the end date will be open ended, and data will be returned to the latest available transaction	_DateTime		_Risktill the date of customer providing consent	DateTime

4.3. Access Account Consents - Patch Consent – Request

The OBPatchAccountAccessConsentRequest object will be used for the call to:

PATCH /account-access-consents/{ConsentId}

4.3.1 UML Diagram

...

4.3.2 Data Dictionary

...

Name	Occurrence	XPath	Enhanced Definition	Class/ Datatype	Codes	Pattern
OBPatchAccountAccessConsentRequest		OBPatchAccountAccessConsentRequest		OBPatchAccountAccessConsentRequest
Data	1..1	OBPatchAccountAccessConsentRequest/Data		OBPatchAccountAccessConsentRequest/Data
Status	1..1	OBAccountAccessConsentResponseOBPatchAccountAccessConsentRequest/Data/Risk	_{The Risk section is sent by the initiating party to the ASPSP. It is used to specify additional details for risk scoring for Account Info}	_OBRisk
_Links	_0..1	_{OBAccountAccessConsentResponse/Links}	_{Links relevant to the payload}	_Links
_Meta	_0..1	_{OBAccountAccessConsentResponse/Meta}	_{Meta Data relevant to the payload}	_Meta	₌

4. Usage Example

Status

Specifies the status of consents resource in code form

String

Enum:

Revoked

5. Usage Example

5.1 Post Account Access Consents

5.1.1 Request

POST /account-access-consents

Authorisation: Bearer 2YotnFZFEjr1zCsicMWpAA

x-fapi-auth-date: Sun, 10 Sep 2020 19:43:31 GMT+03:00

x-fapi-customer-ip-address: 104.25.212.99

x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d

Content-Type: application/json

Accept: application/json

{

"Data": {

"Permissions": [

"ReadAccountsBasic"

],

"TransactionFromDateTime": "2020-03-17T07:05:34.327+03:00",

"TransactionToDateTime": "2020-05-17T07:05:34.327+03:00"

},

}

5.1.2 Response

201 Created

x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d

Content-Type: application/json

{

"Data": {

"ConsentId": "tbc-0083976",

"CreationDateTime": "2020-09-10T19:43:31.508+03:00",

"Status": "Authorised",

"StatusUpdateDateTime": "2020-09-10T19:44:31.508+03:00",

"Permissions": [

"ReadAccountsBasic"

],

"TransactionFromDateTime": "2020-03-17T07:05:34.508+03:00",

"TransactionToDateTime": "2020-05-17T07:05:34.508+03:00"

},

"Links": {

"Self": "www.tbc.com"

},

"Meta": {

"TotalPages": 1,

"FirstAvailableDateTime": "2020-03-17T07:05:34.508+03:00",

"LastAvailableDateTime": "2020-05-17T07:05:34.508+03:00"

}

5.2 GET /account-access-consents/{ConsentId}

5.2.1 Request

GET /account-access-consents/0083976

Authorisation: Bearer 2YotnFZFEjr1zCsicMWpAA

x-fapi-auth-date: Sun, 10 Sep 2020 19:43:31 GMT+03:00

x-fapi-customer-ip-address: 104.25.212.99

x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d

Accept: application/json

5.2.2 Response

200 OK

x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d

Content-Type: application/json

{

"Data": {

"ConsentId": “0083976",

"CreationDateTime": "2020-09-10T19:43:31.508+03:00",

"Status": "Authorised",

"StatusUpdateDateTime": "2020-09-10T19:44:31.508+03:00",

"Permissions": [

"ReadAccountsBasic"

],

"TransactionFromDateTime": "2020-03-17T07:05:34.508+03:00",

"TransactionToDateTime": "2020-05-17T07:05:34.508+03:00"

},

"Links": {

"Self": "www.tbc.com"

},

"Meta": {

"TotalPages": 1,

"FirstAvailableDateTime": "2020-03-17T07:05:34.508+03:00",

"LastAvailableDateTime": "2020-05-17T07:05:34.508+03:00"

}

5.3 PATCH /account-access-consents/{ConsentId}

5.3.1 Request

PATCH /account-access-consents/0083976

Authorisation: Bearer 2YotnFZFEjr1zCsicMWpAA

x-fapi-auth-date: Sun, 10 Sep 2020 19:43:31 GMT+03:00

x-fapi-customer-ip-address: 104.25.212.99

x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d

{

"Data": {

"Status": "Revoked"

}

5.3.2 Response

200 Account Access Consents Status Updated Successfully

x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d

Content-Type: application/json

{

"Data": {

"ConsentId": "0083976",

"CreationDateTime": "2020-09-10T19:43:31.508+03:00",

"Status": "Revoked",

"StatusUpdateDateTime": "2020-09-10T19:44:31.508+03:00",

"Permissions": [

"ReadAccountsBasic"

],

"TransactionFromDateTime": "2020-03-17T07:05:34.508+03:00",

"TransactionToDateTime": "2020-05-17T07:05:34.508+03:00"

},

"Links": {

"Self": "www.tbc.com"

},

"Meta": {

"TotalPages": 1,

"FirstAvailableDateTime": "2020-03-17T07:05:34.508+03:00",

"LastAvailableDateTime": "2020-05-17T07:05:34.508+03:00"

}

Version	Old Version 1	New Version Current
Changes made by	CBB Admin	CBB Admin
Saved on	Apr 03, 2020	Sept 18, 2020

Page Comparison

Versions Compared

Key

1. Version Control

2. Overview

3.

Endpoints

3.1

POST /account-access-consents

3.1.

1 Account Access Consent Status

3.1.

2 Status Flow

3.2 GET /account-access-consents/ {ConsentId}

3.2.1 Account Access Consent Status

3.3

PATCH /account-access-consents/{ConsentId}

3. Data Models

4. Data Models

4.1 Account Access Consents - Request

4.1.

1 UML Diagram

...

4.1.1.

1 Notes

4.1.2 Data Dictionary

4.2 Access Account Consents - Response

4.2.

1 UML Diagram

...

4.2.

2 Notes

4.2.

3 Data Dictionary

4.3. Access Account Consents - Patch Consent – Request

4.3.1 UML Diagram

4.3.2 Data Dictionary

4. Usage Example

5. Usage Example

5.1 Post Account Access Consents

5.1.1 Request

5.1.2 Response

5.2 GET /account-access-consents/{ConsentId}

5.2.1 Request

5.2.2 Response

5.3 PATCH /account-access-consents/{ConsentId}

5.3.1 Request

5.3.2 Response