WSO2 Open Banking enabling Berlin Group extended service, multiple consents.

Hashan Amaratunga
Aug 18, 2021

When using any open banking platform, the TPP (Third Party Provider) must always obtain the consent of the PSU (Payment Service User) before accessing account information. A TPP is allowed to access account information only with an authorized consent. The Berlin Group open banking specification defines two types of consent, depending on usage: one-off consents and recurring consents. As the name suggests, a one-off consent can be used only once, so the PSU has to authorize a consent each and every time one is created. Where the PSU will keep using a certain service over a longer period, the TPP can instead obtain a recurring consent from the PSU; once authorized, that consent can be used to access the account information until the PSU revokes it or until it reaches the expiry stated at consent initiation.

As per the current Berlin Group Specification 1.3.6, a TPP is only allowed to obtain a single recurring consent for a given PSU. Hence, every time a PSU authorizes a recurring consent to his/her account information resources, any existing recurring consent for that specific PSU will expire. These regulations aid better security, but in certain use cases where a TPP offers AIS services to different subsystems or to organizations bound by civil law, this has been understood as a challenge for TPPs as well as a pain point for PSUs.

Having recognized this practical problem, the Berlin Group has mandated an extension of the existing AIS service. The extended specification allows an ASPSP (Account Servicing Payment Service Provider) to let a TPP obtain multiple recurring consents (mrc) for a single PSU. Hence the validity period of an existing recurring consent is not affected by a newly created recurring consent. The specification also states that the decision to support mrc can be taken by the ASPSP.

WSO2 Open Bank Berlin has made the multiple consent service available in Open Banking 2.0.0 running NextGenPSD2 1.3.6.

To enable the feature, open <OBIAM_HOME>/repository/conf/deployment.toml, set [open_banking.berlin.multiple_recurring_consent] to true, and restart the OBIAM server.

If an ASPSP supports mrc, the TPP will receive the header ASPSP-Multiple-Consent-Support: true in the consent creation response. If the header value is false, the ASPSP does not support mrc. When mrc is supported, once the PSU authorizes the newly created consent, the TPP obtains a new recurring consent for the PSU without invalidating existing recurring consents.
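An added example (not from the original post or WSO2's code base): a TPP-side helper that reads the ASPSP-Multiple-Consent-Support header from the consent creation response and decides which locally stored recurring consents to stop using once the new consent is authorized. The Consent record, its field names, the function names and the sample values are assumptions made for illustration; a missing or malformed header is treated as "not supported".

```python
from dataclasses import dataclass

MRC_HEADER = "ASPSP-Multiple-Consent-Support"  # header name as given in the post


@dataclass
class Consent:  # hypothetical TPP-side record, not a WSO2 type
    consent_id: str
    psu_id: str
    recurring: bool  # recurringIndicator sent at consent initiation
    status: str      # consentStatus, e.g. "valid" or "expired"


def aspsp_supports_mrc(response_headers: dict) -> bool:
    """True only when the response explicitly carries the value 'true'.

    HTTP header names are case-insensitive. A missing or malformed value
    counts as 'not supported', so the TPP never keeps relying on consents
    the ASPSP may already have expired.
    """
    for name, value in response_headers.items():
        if name.strip().lower() == MRC_HEADER.lower():
            return str(value).strip().lower() == "true"
    return False


def consents_to_expire(store, new_consent, response_headers):
    """IDs of stored consents to stop using once the PSU authorizes new_consent."""
    if not new_consent.recurring or aspsp_supports_mrc(response_headers):
        return []  # one-off consent, or mrc keeps earlier consents valid
    return [c.consent_id for c in store
            if c.psu_id == new_consent.psu_id
            and c.recurring
            and c.status == "valid"
            and c.consent_id != new_consent.consent_id]


# Constructed sample data (not taken from a real ASPSP).
STORE = [
    Consent("c-001", "psu-alice", True, "valid"),
    Consent("c-002", "psu-alice", False, "valid"),
    Consent("c-003", "psu-bob", True, "valid"),
    Consent("c-004", "psu-alice", True, "expired"),
]
NEW = Consent("c-005", "psu-alice", True, "valid")

if __name__ == "__main__":
    print(consents_to_expire(STORE, NEW, {"aspsp-multiple-consent-support": "false"}))
    print(consents_to_expire(STORE, NEW, {"ASPSP-Multiple-Consent-Support": " true "}))
```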

For more information, see the WSO2 Open Banking documentation: Quick Start Guide, Try WSO2 Open Banking.
