Global customer access controls
In order to use our Open Banking APIs, you need to be a regulated Third Party Provider (TPP). Depending on the region of the user, you will need to use either an OBIE or eIDAS certificate. Please check the below coverage matrix for which certificate is needed in each region.
Revolut Ltd acts as a technical provider to all regional entities. This means that API traffic is secured and signed (when required) with certificates issued to Revolut Ltd regardless of the local branch which is providing and maintaining the payment accounts for the PSU.
| Regions | Revolut Entity | Certificate Type | Scopes | |
|---|---|---|---|---|
| UK | Revolut Ltd | OBIE, eIDAS* | Accounts, Payments | |
| Revolut Newco UK Ltd (UK Bank) | ||||
| EEA | ES | Revolut Bank UAB Sucursal En España (Spanish Branch) | eIDAS | |
| FR | Revolut France Succursale De Revolut Bank UAB (French Branch) | |||
| IE | Revolut Bank UAB (Irish Branch) | |||
| IT | Revolut Bank UAB (Italian Branch) | |||
| NL | Revolut Bank UAB (Netherlands Branch) | |||
| RO | Revolut Bank UAB Vilnius Sucursala Bucuresti (Romanian branch) | |||
| Other | Revolut Bank UAB | |||
| CH** | Revolut Ltd | OBIE, eIDAS* | ||
| Revolut Bank UAB | eIDAS | |||
| SG | Revolut Technologies Singapore Pte Ltd | OBIE, eIDAS | Accounts | |
| US | Revolut Technologies Inc. US | |||
*Third-party providers who possess the eIDAS certificate under the authorisation of the FCA are granted access to customer data originating from Revolut Ltd users.
**As of August 2024, Revolut users based in Switzerland are being gradually migrated from Revolut Ltd to the Revolut Bank UAB entity. This means that existing consents granted to TPPs with OBIE certificates will no longer be valid. New consents for those migrated users require the TPP to use eIDAS certificates.
Certificate types
Depending on the provider of your certificates, you will be issued two types of signing and transport certificates:
| Certificate type | Certificate Authority (CA) | Transport certificate | Signing certificate |
|---|---|---|---|
| OBIE | Open Banking Limited (OBIE) | OBWAC | OBSeal |
| eIDAS | EU QTSPs | QWAC | QSeal |
OBIE certificates
When using Open Banking Limited as your certificate issuer, you must obtain an OBWAC (transport) certificate and an OBSeal (signing) certificate. Note that legacy OBTransport and OBSigning certificates are no longer supported.
eIDAS certificates
If your certificate issuer is a Qualified Trust Service Provider (QTSP) from the EU, you must obtain a QWAC (transport) certificate and a QSeal (signing) certificate. Please check that the following criteria are met by your certificates to ensure they are accepted by our certificate validation process:
- The certificate issuer of your transport and signing certificates is listed in the EU/EEA Trusted List as a QTSP for
QWAC(Qualified Website Authentication Certificate) andQCert for ESeal(Qualified Certificate for Electronic Seal) respectively. - Your roles (AISP and/or PISP) are correctly stated in the
qcStatementsection of your certificate. - Your QWAC certificate contains the extended key usage for Client Authentication (OID 1.3.6.1.5.5.7.3.2).
- Both QWAC and QSeal certificates contain either CRL or OCSP values to allow for automated certificate revocation checks in compliance with clause 4.3.11 and 4.4.1 of the ETSI EN 319 412-2 standard.
- Issuer certificates contain either CRL or OCSP values to allow for automated certificate chain validation in compliance with clause 6.3.10-01 of the ETSI EN 319 411-2 standard in reference to clause 6.3.10-05 of the ETSI EN 319 411-1 standard.
- The signing algorithm used in every certificate within the certificate chain is SHA256 or higher.
You can check for potential issues with your eIDAS certificates using the EU certificate validator tool.