Does the same principle apply for Basic Account Scope?
If the Accredited Data Recipient (ADR) has consent only for the Scheduled Payments Scope, should a Data Holder (DH) provide accountId for scheduled payments between internal accounts, where accountId would apply?
The DH should respond with the accountId in accordance with the standards. The description of accountId in the BankingScheduledPaymentTo schema states that the accountId should be shared if the payment is to another account that is accessible under the current consent. If the account is not accessible under the current consent, the domestic uType and BankingDomesticPayee response must be set.
accountId does not compromise the security of account information. The accountId is an opaque, non-guessable identifier field created only for the CDR, so it can be shared. The accountId does not provide access to account information without consent.
accountId, in this case, does not prevent an ADR obtaining an accountId by other means. For example, an ADR can use the bulk scheduled payments endpoint to get a list of accountId values and then call the account-specific version of the scheduled payments APIs.
accountId does not necessarily provide access to account information. With the introduction of amending consent in the v2 Rules, an ADR could have previously obtained an account list and now no longer have access to it if consent is amended to remove the account scopes.
If the ADR does not have the consumer's consent to access the account data (for example, the bank:accounts.basic:read privilege), then the DH returns an error if the Get Accounts API is called and does not return the account-specific information.
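The decision described above, sketched from the DH side as an added example (not code from the standards or from any Data Holder). The toUType, domestic, payeeAccountUType and account field names follow the published Banking schema as understood here; the HMAC-based derivation of the opaque accountId, the function names, the key and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed key for the example; a real DH would hold this in an HSM or secrets manager.
ID_KEY = b"constructed-demo-key-not-for-production"


def opaque_account_id(internal_account_no, recipient_id, customer_id):
    """Derive a stable, non-guessable accountId (assumed scheme: keyed HMAC-SHA256)."""
    msg = "|".join((recipient_id, customer_id, internal_account_no)).encode()
    return hmac.new(ID_KEY, msg, hashlib.sha256).hexdigest()


def build_payment_to(dest, consented_accounts, recipient_id, customer_id):
    """Build the BankingScheduledPaymentTo object for a payment between internal accounts.

    dest: dict with the destination account's internal number, bsb and name.
    consented_accounts: internal account numbers accessible under the current consent.
    """
    if dest["number"] in consented_accounts:
        # Destination is accessible under the current consent: share the opaque id only.
        return {
            "toUType": "accountId",
            "accountId": opaque_account_id(dest["number"], recipient_id, customer_id),
        }
    # Destination is not accessible under the consent: describe it as a domestic payee.
    return {
        "toUType": "domestic",
        "domestic": {
            "payeeAccountUType": "account",
            "account": {
                "accountName": dest["name"],
                "bsb": dest["bsb"],
                "accountNumber": dest["number"],
            },
        },
    }
```

Whether the ADR also holds bank:accounts.basic:read plays no part in this branch; only the accessibility of the destination account under the current consent does.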