Guides • Build Banking Apps
Global customer access controls

Global customer access controls

From 1st January 2021, we made changes to which third-parties are able to access Revolut customer data across the globe. This depends on the type of certificate held, the regulator of the third-party and the type of endpoints used.

For those that are in possession of both OBIE and eIDAS certificates, please read the below carefully before deciding which certificate to use for your integration.

For Revolut Partners, all functionality is available. Please reach out for further details.

RegionsRevolut EntityCertificate TypeScopes
UK, CHRevolut LTDOBIE, eIDAS*Accounts, Payments
EEARevolut Bank UAB (EEA customers)eIDAS
Revolut Bank UAB (Irish Branch)
Revolut France Succursale De Revolut Bank UAB (French Branch)
Revolut Bank UAB Sucursal En España (Spanish Branch)
Revolut Bank UAB (Netherlands Branch)
OtherRevolut Technologies Singapore Pte LtdOBIE, eIDASAccounts
Revolut Technologies Inc. US

*Third-party providers who possess the eIDAS certificate under the authorisation of the FCA are granted access to customer data originating from the UK.

Certificate types

Depending on the provider of your certificates, you will be issued two types of signing and transport certificates:

Certificate typeCertificate Authority (CA)Transport certificateSigning certificate
OBIEOpen Banking Limited (OBIE)OBWACOBSeal

OBIE certificates

When using Open Banking Limited as your certificate issuer, you must obtain an OBWAC (transport) certificate and an OBSeal (signing) certificate. Note that legacy OBTransport and OBSigning certificates are no longer supported.

eIDAS certificates

If your certificate issuer is a Qualified Trust Service Provider (QTSP) from the EU, you must obtain a QWAC (transport) certificate and a QSeal (signing) certificate. Please check that the following criteria are met by your certificates to ensure they are accepted by our certificate validation process:

  • The certificate issuer of your transport and signing certificates is listed in the EU/EEA Trusted List as a QTSP for QWAC (Qualified Website Authentication Certificate) and QCert for ESeal (Qualified Certificate for Electronic Seal) respectively.
  • Your roles (AISP and/or PISP) are correctly stated in the qcStatement section of your certificate.
  • Every certificate in the certificate chain contains either CRL or OCSP values to allow for automated certificate revocation checks in compliance with paragraphs 4.3.11 and 4.4.1 of the ETSI EN 319 412-2.
  • The signing algorithm used in every certificate within the certificate chain is SHA256 or higher.

You can check for potential issues with your eIDAS certificates using the EU certificate validator tool.

Was this page helpful?