Getting Started for TPPs

This guide will walk you through the complete onboarding process to get your TPP services connected to ASPSPs across Europe. As a regulated TPP, you'll be using Enable Banking as your Technical Service Provider (TSP) to access ASPSP APIs while maintaining your direct relationship with Payment Service Users (PSUs). Enable Banking provides the technical infrastructure while you remain the regulated entity responsible for compliance and customer relationships.

# Prerequisites

Before starting the onboarding process, ensure you have:

  • Regulatory Authorisation: Valid TPP registration or license (AISP, PISP or Credit Institution);
  • Authorisation Passporting: European Banking Authority (EBA) register displaying your TPP status for the market(s) you're targeting;
  • eIDAS certificates: Both QWAC (Qualified Website Authentication Certificate) and QSealC (Qualified Electronic Seal Certificate) containing correct roles and TPP identifier;
  • Terms of Service and Privacy Notice: Your own legal texts that you'll present to PSUs.

# Onboarding Process

# Step 1: Complete TPP Onboarding Form

Enable Banking will provide you with a form to fill out detailing your TPP information. You'll need to provide comprehensive information about your TPP, including:

  • Company details and regulatory information
  • Links to your Terms of Service and Privacy Notice
  • Primary email address for ASPSP communications
  • Contact details of technical and business personnel responsible for TPP operations
  • Web domains, which will be used for PSU redirection in the live and sandbox environments
  • Logos

The information provided in the form will be used to configure your dedicated environment within our platform and while onboarding you to ASPSPs' APIs. Once completed, this information will be reviewed by Enable Banking and your environment will be provisioned accordingly.

# Step 2: Technical Setup

# Domain Configuration

You'll need to add DNS records for the web domains that will be used for PSU redirection in the live and sandbox environments, pointing them to the IP addresses provided by Enable Banking.

Please note that these are "technical" domains, not those associated with the TPP's services. They will be used exclusively for PSU auth flow handling, i.e. redirection between the TPP's services and ASPSPs' authentication and consent interfaces. They are registered with ASPSPs while Enable Banking onboards you to ASPSPs' APIs, so the TPP's services can use any other domains and easily change addresses if needed.

# Cryptography Offload Setup

In order to connect to ASPSP APIs, Enable Banking needs to use the TPP's eIDAS certificates. However, for security and compliance reasons Enable Banking should not access the private keys of the TPP's certificates. Therefore Enable Banking performs cryptography offload, so it only gets the results of the cryptographic operations performed by the TPP. The cryptography offload can be done either:

  • Via an eIDAS Broker, an open source solution provided by Enable Banking and hosted by the TPP with access to the private keys of the TPP's certificates; or
  • Using an alternative cryptography offload mechanism, such as a Hardware Security Module (HSM).

Most TPPs using Enable Banking's TPP Infrastructure-as-a-Service platform use the eIDAS Broker, as it's a cost-efficient and easy-to-configure solution. You can find a high-level overview of how the eIDAS Broker works and how to set it up in the GitHub repository: https://github.com/enablebanking/open_banking_eidas_broker/blob/master/README.md. We also provide sample instructions for setting up production-ready configurations for different cloud providers here: https://github.com/enablebanking/open_banking_eidas_broker/wiki#eidas-broker-configuration-guides
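The offload boundary described in this section, as an added sketch that is not Enable Banking's or the eIDAS Broker's own code: a TPP-side handler holds the private key and returns only signatures, while the platform side holds the public key and verifies every result before using it. The function names, the plain-HTTP transport and the generated RSA key are assumptions for illustration; the real broker's interface is documented in its README.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// brokerHandler is the TPP-hosted side, the only place the private key exists.
func brokerHandler(key crypto.Signer) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		digest := sha256.Sum256(body)
		sig, err := key.Sign(rand.Reader, digest[:], crypto.SHA256)
		if err != nil {
			w.WriteHeader(http.StatusInternalServerError)
		}
		w.Write(sig) // only the signature leaves the TPP environment
	})
}

// signViaBroker is the platform side: public key only, and it verifies the result.
func signViaBroker(url string, pub *rsa.PublicKey, payload []byte) ([]byte, error) {
	resp, err := http.Post(url, "application/octet-stream", bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	sig, _ := io.ReadAll(resp.Body)
	digest := sha256.Sum256(payload)
	if resp.StatusCode != http.StatusOK || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("broker returned no valid signature (HTTP %d)", resp.StatusCode)
	}
	return sig, nil
}

// demo runs both sides in-process with a constructed key (not a real QSealC key).
func demo(payload []byte) ([]byte, *rsa.PublicKey, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := httptest.NewServer(brokerHandler(key))
	defer srv.Close()
	sig, err := signViaBroker(srv.URL, &key.PublicKey, payload)
	return sig, &key.PublicKey, err
}
func main() { _, _, err := demo([]byte("constructed payload")); fmt.Println("error:", err) }
```

Because `brokerHandler` accepts any `crypto.Signer`, the same boundary holds whether the key sits in a file on the broker host or behind an HSM-backed signer.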

# Email Forwarding

Set up email forwarding from your primary contact address for ASPSP communications to the email address provided by Enable Banking. This is necessary because Enable Banking will manage all communications related to your TPP registration and onboarding progress with ASPSPs.

NB

Please make sure this email is only used for communication with ASPSPs. Do not use this email for any other purpose, e.g. support requests from PSUs or your customers using your Open Banking services.

# Step 3: Onboarding to ASPSPs

Enable Banking will handle onboarding to each ASPSP on behalf of your TPP. We'll take care of the manual and automated processes involved in connecting to each ASPSP's APIs, using the information provided during the first step. Onboarding is done only to the ASPSPs selected by the TPP. The TPP is able to track the onboarding progress through the Enable Banking Control Panel.

NB

If you have already onboarded to some ASPSPs, please let us know before Enable Banking starts onboarding to make sure existing integrations are not affected.

# Step 4: Go-Live Preparation

Before going live:

  • Ensure all regulatory requirements are met, e.g., finalise terms of service and privacy notice content;
  • Test your TPP services and their interactions with Enable Banking API thoroughly;
  • Verify PSU authentication flows end-to-end in the live environment with a few ASPSPs;
  • Confirm monitoring and alerting setup for your TPP services and make sure your personnel has been trained on how Enable Banking monitoring works;
  • Coordinate with Enable Banking regarding go-live date and time to make sure we allocate enough resources for the go-live day.

# Timeline

Onboarding typically takes around 3-5 weeks from the kick-off meeting, depending on how many ASPSPs your TPP wants to connect to. We'll schedule the kick-off meeting (mainly focused on technical aspects) once contractual arrangements for the use of Enable Banking's TPP Infrastructure-as-a-Service are finalised. During the onboarding period, we'll work closely with you to ensure everything is ready for go-live. Please make sure you have allocated sufficient resources and personnel for the duration of the onboarding process.