2025-01-10

Requirements for network channels used between payment service providers for providing payment initiation and account information services

The Central Bank of the Republic of Azerbaijan issued Resolution No. 49/3 to standardize secure network channels and API gateway operations for payment initiation and account information services. The regulation requires account servicing providers to maintain authorized interfaces that enable third-party providers to retrieve payment data, execute transactions, and access open financial information using strong customer authentication. It further establishes operational protocols, including a structured user consent mechanism with a maximum ninety-day validity period and mandatory connection agreements for all participating entities.


Azerbaijan

Central Bank of Azerbaijan


“Approved”
Central Bank of the Republic of Azerbaijan
Resolution № 49/3
10 December 2024

REQUIREMENTS for network channels used between payment service providers for providing payment initiation and account information services

1. General provisions

These requirements have been developed in accordance with Article 62.7 of the Law of the Republic of Azerbaijan ‘on Payment services and payment systems’ (hereinafter – the Law) and establish the requirements for the organization of standardized, secure and reliable operation of network channels used between payment service providers when providing payment initiation and account information services.

2. Main definitions

2.1. The definitions used in these Requirements bear the following meanings:

2.1.1. open information – the open information regarding the financial sector specified in Item 5.2 of these requirements.

2.1.2. authorization – the process of confirming the payment service provider's right to access the required information.

2.1.3. strong customer authentication – authentication designed to protect the confidentiality of authentication information, that does not exclude reliability of others if one is violated, is based on the use of only two or more of elements known (password, PIN, set of questions, etc.) only to, belonging to (face recognition, voice recognition, fingerprint, etc.) and owned (mobile phone, OTP, TOTP, electronic signature, etc.) by the user.

2.1.4. account information service – online service to provide information on payment accounts held by the payment service user with one or several payment service providers.

2.1.5. account information service provider – a payment service provider that renders payment account information service.

2.1.6. supervised entities – persons designated as the entities supervised by the Central Bank of the Republic of Azerbaijan (hereinafter – the Central Bank) by the laws regulating financial markets.

2.1.7. account servicing payment service provider – a payment service provider providing and maintaining a payment account for a payment service user.

2.1.8. payment initiation service – a service of issuing a payment order on the payment account opened with another payment service provider at payment service user’s request.

2.1.9. intermediary – a payment service provider that offers intermediary services to the payment service user for carrying out a payment transaction.

2.1.10. payment account access interface (hereinafter – the Interface) – an interface provided by the payment service provider that services the account, enabling third-party providers to access the payment service user's payment account.

2.1.11. payment service user – person using payment services as a payer and/or payee.

2.1.12. third party provider – an account information service provider and/or intermediary.

2.1.13. Application Programming Interface (hereinafter – API) – a set of procedures, protocols, and tools used for the development of software that defines the mechanisms for establishing interactions between information systems.

2.1.14. API Gateway – intermediary software that ensures data exchange between payment service providers under these Requirements.

2.2. Other definitions used in these Requirements bear the meanings defined in the Law, as well as in other normative legal and regulatory acts.

3. Interface services

3.1. The interface supports the following payment services:

3.1.1. payment initiation service.

3.1.2. account information service.

3.2. Operations can be performed for the use cases specified in Item 5.1 of these Requirements regarding the services supported in the interface, and the information specified in Item 5.2 can be accessed.

3.3. The interaction and unified data exchange between a third-party provider and the account servicing payment service provider in the interface are conducted through the API gateway provided by the Central Bank.

4. Activities of interface participants

4.1. The interface participants consist of the account servicing payment service provider, the third-party provider, and the Central Bank.

4.2. The account servicing payment service provider:

4.2.1. establishes at least one interface in accordance with the technical requirements set by the Central Bank and ensures its uninterrupted operation.

4.2.2. ensures the authorization of and Interface access for the third-party provider.

4.2.3. accepts request messages from any third-party provider in the interface and sends the corresponding response messages to the third-party provider.

4.3. The third-party provider:

4.3.1. performs services on behalf of the payment service user for the use cases specified in Items 5.1 and 5.2 of these Requirements.

4.3.2. uses the interface by being authorized through an advanced certificate-based enhanced electronic signature.

4.3.3. sends and receives request messages to/from the account servicing payment service provider in the interface.

4.4. Technical configurations related to data exchange in the API and the interface, as determined by the Central Bank, are published on the official website of the Central Bank.

4.5. The Central Bank ensures the third-party provider’s connection to the API gateway and relevant service tests through the electronic cabinet created on its official website.

4.6. A payment service provider that has not implemented binding instructions of the Central Bank regarding information security violations may not connect to the API gateway.

4.7. Participants connected to the API gateway sign the connection protocol specified in Annex 1 of these Requirements. The Central Bank sends information about the newly connected participant to other participants in hard or soft copy.

4.8. Considering Articles 23.3 and 24.3 of the Law, the account servicing payment service provider should enable the third-party provider to provide the services specified in Item 3.1 of these Requirements.

4.9. When the third-party provider’s license or registration is revoked, its advanced certificate-based enhanced electronic signature is revoked by the Central Bank.

4.10. If the third-party provider is not authorized in the interface, the account servicing payment service provider should refuse to execute the operation.

5. Use cases of the interface

5.1. The interface supports the following use cases for payment services:

5.1.1. make a payment using the payment initiation service.

5.1.2. on payment account information service:

5.1.2.1. obtain consent to retrieve information on the payment account.

5.1.2.2. obtain a list of payment accounts.

5.1.2.3. obtain the payment account details.

5.1.2.4. retrieve information about the balance of the payment account.

5.1.2.5. retrieve transaction information for the payment account.

5.2. The interface may support the following use cases for open information:

5.2.1. retrieve information on financial products and services (hereinafter – financial products).

5.2.2. retrieve information on supervised entities (branches and departments, ATMs, and other data).

5.2.3. retrieve information about the official exchange rate set by the Central Bank for the Azerbaijani manat against foreign currencies and the exchange rate set by banks.

6. Execution of payments

6.1. In the use case of payment execution, payments are made from the payment service user's payment account through a third-party provider.

6.2. The operation is initiated by the payment service user in the third-party provider's interface and is then carried out by the third-party provider in the interface.

6.3. During payment execution, the account servicing payment service provider applies enhanced customer authentication in accordance with Article 35 of the Law.

7. Obtaining consent for the retrieval of information on the payment account

7.1. For the third-party provider to provide the payment account information service the account servicing payment service provider should obtain the payment service user's consent.

7.2. The consent is obtained by redirecting the payment service user to the interface of the account servicing payment service provider by the third-party provider, the user's consent is obtained with enhanced customer authentication and then is communicated to the third-party provider.

7.3. The payment service user's consent is structured as per Annex 2 herein.

7.4. The payment service user's consent serves as the basis for executing operations in all use cases of the payment account information service.

7.5. If access to payment account data is granted to the third-party provider, the duration and frequency of this access are determined by the payment service user in the consent. The duration of this access may not exceed 90 (ninety) days.

7.6. When giving consent, payment service users should specify the payment accounts they wish to access the service for.

7.7. The third-party provider should clearly inform the payment service user in advance about the terms of consent and the procedure for giving consent.

8. Obtaining a list of payment accounts

8.1. In the use case of obtaining the list of payment accounts, the payment service user obtains the list of payment accounts which grants full access to all payment accounts through a third-party provider.

8.2. The operation is initiated by the third-party provider in the Interface. This operation does not require the direct participation of the payment service user. The operation is conducted based on the prior consent given by the payment service user.

9. Obtaining the payment account details

9.1. In the use case of obtaining payment account details, the payment service user obtains detailed information about the selected payment account's details through the third-party provider's interface.

9.2. The operation is initiated by the third-party provider in the Interface. This operation does not require the direct participation of the payment service user. The operation is conducted based on the prior consent given by the payment service user.

10. Obtaining information about the balance of the payment account

10.1. In the use case of obtaining balance information for a payment account, the third-party provider retrieves the account balance information for the payment account specified in the operation request made for this purpose.

10.2. The operation is initiated by the third-party provider in the Interface. This operation does not require the direct participation of the payment service user. The operation is conducted based on the prior consent given by the payment service user.

11. Obtaining transaction information for the payment account

11.1. In the use case of obtaining transaction information for a payment account, the third-party provider retrieves information about the payment transactions carried out on the relevant payment account during the specified period in the operation request.

11.2. The operation is initiated by the third-party provider in the Interface. This operation does not require the direct participation of the payment service user. The operation is conducted based on the prior consent given by the payment service user.

12. Obtaining financial product information

In the use case of obtaining information about financial products, the third-party provider can obtain information about the financial products offered by the account servicing payment service provider due to this operation request. In this case, the third-party provider authorization is not required.

13. Obtaining information about supervised entities

In the use case of obtaining information about supervised entities, the third-party provider can obtain information about supervised entities and the account servicing payment service provider, from the Central Bank and the account servicing payment service provider, due to this operation request. In this case, the third-party provider authorization is not required.

14. Obtaining exchange rate information

In the use case of obtaining information about the official exchange rate of the manat against foreign currencies set by the Central Bank and the exchange rate set by banks, the third-party provider can obtain information about the exchange rates provided by the Central Bank and the account servicing payment service provider due to this operation request. In this case, the third-party provider authorization is not required.

Annex 1 to the ‘Requirements for network channels used between payment service providers for providing payment initiation and account information services’

Protocol on Connecting to the API Gateway

Date: ____________________ (Day, month, year)

To establish mutual interaction and unified data exchange between the account servicing payment service provider and the third-party provider, with the purpose of connecting to the API gateway provided by the Central Bank of the Republic of Azerbaijan, the undersigned protocol is signed by ____________________________________________ (organization's name) which is considered as a written commitment that the organization will act in accordance with the ‘Requirements for network channels used between payment service providers for providing payment initiation and account information services’, as well as the technical configurations for the API gateway.

Authorized representative of the organization:

____________________ (Last, first names)

____________________ (position)

Stamp

Annex 2 to the ‘Requirements for network channels used between payment service providers for providing payment initiation and account information services’

Consent Form for the Transfer of Payment Account Information

Account servicing payment service provider: _________________________________________

Payment service user’s first, last, middle names: ______________________________________

Payment service user’s PIN code: ___________________________________________________

Hereby, I give my consent to _______________________________________________________ (Name of the account servicing payment service provider) to provide account information service for the period from _____________ (d/m/y) to _____________ (d/m/y) including the following list of payment account(s), account details, account balances, and transaction information of the payment account(s) to __________________________________ (third-party provider’s name):

• {ACCOUNT_1}
• {ACCOUNT_2}
• ...
• {ACCOUNT_N}

Note: You can withdraw this consent at any time. To withdraw consent, you can contact ____________________ (Name of the account servicing payment service provider and/or third-party provider) through its mobile application and/or website or by submitting a written application. The information obtained under this consent will be destroyed and archived in accordance with the procedures established by law.

Date: __________________ (d/m/y)