# Global customer access controls

In order to use our Open Banking APIs, you need to be a [regulated Third Party Provider (TPP)](/docs/guides/build-banking-apps/introduction-to-the-open-banking-api/who-can-access-the-api#regulated-third-party-providers-under-psd2).
Depending on the region of the user, you will need to use either an [OBIE](#obie-certificates) or [eIDAS](#e-idas-certificates) certificate.
Please check the below coverage matrix for which certificate is needed in each region.

:::note
Revolut Ltd acts as a technical provider to all regional entities.
This means that API traffic is secured and signed (when required) with certificates issued to Revolut Ltd regardless of the local branch which is providing and maintaining the payment accounts for the [PSU](/docs/guides/build-banking-apps/glossary).
:::

<table>
    <thead>
        <tr>
            <th colspan="2">Regions</th>
            <th>Revolut Entity</th>
            <th>Certificate Type</th>
            <th>Scopes</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td rowspan="2" colspan="2">UK</td>
            <td>Revolut Ltd</td>
            <td rowspan="2"><a href="#obie-certificates">OBIE</a>, <a href="#e-idas-certificates">eIDAS</a>*</td>
            <td rowspan="13">Accounts, Payments</td>
        </tr>
        <tr>
            <td>Revolut Bank UK Ltd</td>
        </tr>
        <tr>
            <td rowspan="9">EEA</td>
            <td>DE</td>
            <td>Revolut Bank UAB Zweigniederlassung Deutschland (German Branch)</td>
            <td rowspan="9"><a href="#e-idas-certificates">eIDAS</a></td>
        </tr>
        <tr>
            <td>ES</td>
            <td>Revolut Bank UAB Sucursal En España (Spanish Branch)</td>
        </tr>
        <tr>
            <td>FR</td>
            <td>Revolut France Succursale De Revolut Bank UAB (French Branch)</td>
        </tr>
        <tr>
            <td>HU</td>
            <td>Revolut Bank UAB Magyarországi Fióktelepe (Hungarian Branch)</td>
        </tr>
        <tr>
            <td>IE</td>
            <td>Revolut Bank UAB (Irish Branch)</td>
        </tr>
        <tr>
            <td>IT</td>
            <td>Revolut Bank UAB (Italian Branch)</td>
        </tr>
        <tr>
            <td>NL</td>
            <td>Revolut Bank UAB (Netherlands Branch)</td>
        </tr>
        <tr>
            <td>RO</td>
            <td>Revolut Bank UAB Vilnius Sucursala Bucuresti (Romanian branch)</td>
        </tr>
        <tr>
            <td>Other</td>
            <td>Revolut Bank UAB</td>
        </tr>
        <tr>
            <td rowspan="2" colspan="2">CH**</td>
            <td>Revolut Ltd</td>
            <td><a href="#obie-certificates">OBIE</a>, <a href="#e-idas-certificates">eIDAS</a>*</td>
        </tr>
        <tr>
            <td>Revolut Bank UAB</td>
            <td><a href="#e-idas-certificates">eIDAS</a></td>
        </tr>
        <tr>
            <td colspan="2">SG</td>
            <td>Revolut Technologies Singapore Pte Ltd</td>
            <td rowspan="2"><a href="#obie-certificates">OBIE</a>, <a href="#e-idas-certificates">eIDAS</a></td>
            <td rowspan="2">Accounts</td>
        </tr>
        <tr>
            <td colspan="2">US</td>
            <td>Revolut Technologies Inc. US</td>
        </tr>
    </tbody>
</table>

_*Third-party providers who possess the eIDAS certificate under the authorisation of the FCA are granted access to customer data originating from Revolut Ltd users._

_**As of August 2024, Revolut users based in Switzerland are being gradually migrated from Revolut Ltd to the Revolut Bank UAB entity. This means that existing consents granted to TPPs with OBIE certificates will no longer be valid. New consents for those migrated users require the TPP to use eIDAS certificates._

## Certificate types

Depending on the provider of your certificates, you will be issued two types of signing and transport certificates: 

| Certificate type               | Certificate Authority (CA)    | Transport certificate   | Signing certificate   |
| ------------------------------ | ----------------------------- | ----------------------- | --------------------- |
| [OBIE](#obie-certificates)     | Open Banking Limited (OBIE)   | OBWAC                   | OBSeal                |
| [eIDAS](#e-idas-certificates)  | EU QTSPs                      | QWAC                    | QSeal                 |

### OBIE certificates

When using Open Banking Limited as your certificate issuer, you must obtain an OBWAC (transport) certificate and an OBSeal (signing) certificate.

Note that legacy OBTransport and OBSigning certificates are no longer supported.

To avoid integration issues, make sure that your certificate includes `organisationIdentifier` set to your Open Banking Participant ID.

### eIDAS certificates

If your certificate issuer is a Qualified Trust Service Provider (QTSP) from the EU, you must obtain a QWAC (transport) certificate and a QSeal (signing) certificate. Please check that the following criteria are met by your certificates to ensure they are accepted by our certificate validation process:

- The certificate issuer of your transport and signing certificates is listed in the [EU/EEA Trusted List](https://eidas.ec.europa.eu/efda/tl-browser/#/screen/home) as a QTSP for `QWAC` (Qualified Website Authentication Certificate) and `QCert for ESeal` (Qualified Certificate for Electronic Seal) respectively.
- Your roles ([AISP](/docs/guides/build-banking-apps/glossary) and/or [PISP](/docs/guides/build-banking-apps/glossary)) are correctly stated in the `qcStatements` section of both your QWAC and QSeal certificates.
- Your QWAC certificate contains the extended key usage for Client Authentication (OID 1.3.6.1.5.5.7.3.2).
- Both QWAC and QSeal certificates contain either CRL or OCSP values to allow for automated certificate revocation checks in compliance with clause 4.3.11 and 4.4.1 of the [ETSI EN 319 412-2](https://www.etsi.org/deliver/etsi_en/319400_319499/31941202/02.03.01_60/en_31941202v020301p.pdf) standard. 
- Intermediate issuer certificates contain either CRL or OCSP values to allow for automated certificate chain validation in compliance with clause 6.3.10-01 of the [ETSI EN 319 411-2](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.05.01_60/en_31941102v020501p.pdf) standard in reference to clause 6.3.10-05 of the [ETSI EN 319 411-1](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.04.01_60/en_31941101v010401p.pdf) standard.
- The signing algorithm used in every certificate within the certificate chain is SHA256 or higher.

You can check for potential issues with your eIDAS certificates using the [EU certificate validator tool](https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/certificate-validation).