diff --git a/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/GetAuthorizationStatusService.java b/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/GetAuthorizationStatusService.java
index 089c2e1a4b..06b87636d0 100644
--- a/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/GetAuthorizationStatusService.java
+++ b/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/GetAuthorizationStatusService.java
@@ -15,6 +15,7 @@
 import java.time.ZoneOffset;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
@@ -52,7 +53,18 @@ protected void updateStatusFromDb(ServiceSession dbSvcSession, AuthSession dbAut
 detailedStatus.setLastRequestId(dbAuthSession.getLastRequestId());
 detailedStatus.setLastErrorRequestId(dbAuthSession.getLastErrorRequestId());
- statusBody.setDetailedStatus(Collections.singletonMap(dbAuthSession.getId(), detailedStatus));
+ if (null == statusBody.getDetailedStatus()) {
+ statusBody.setDetailedStatus(Collections.singletonMap(dbAuthSession.getId(), detailedStatus));
+ } else {
+ statusBody.setDetailedStatus(new HashMap<>(statusBody.getDetailedStatus()));
+ statusBody.getDetailedStatus().compute(dbAuthSession.getId(), (id, currStatus) -> {
+ if (null == currStatus) {
+ return detailedStatus;
+ }
+ detailedStatus.setExternalStatus(currStatus.getExternalStatus());
+ return detailedStatus;
+ });
+ }
 }
 }
 }
diff --git a/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/ais/GetAisAuthorizationStatusService.java b/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/ais/GetAisAuthorizationStatusService.java
index 76ea3bd66a..d0df313728 100644
--- a/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/ais/GetAisAuthorizationStatusService.java
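Review bot: The precedence rule in the new else branch is hidden inside the `compute` lambda, which returns `detailedStatus` on both paths and differs only by copying `externalStatus` from the entry already present; a reader cannot tell from here that every other field is taken from the DB while `externalStatus` is deliberately kept from the protocol-supplied entry, so put that in a comment above the `compute` call, e.g. `// DB is authoritative for all fields except externalStatus, which only the protocol result knows`. The same logic reads more directly as a lookup plus `put`: `var existing = statusBody.getDetailedStatus().get(dbAuthSession.getId());` / `if (null != existing) { detailedStatus.setExternalStatus(existing.getExternalStatus()); }` / `statusBody.getDetailedStatus().put(dbAuthSession.getId(), detailedStatus);`. A second comment on the `new HashMap<>(...)` copy would help too, since the reason is the immutable `Collections.singletonMap` installed by the first branch. `updateStatusFromDb` begins outside the hunk.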
+++ b/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/ais/GetAisAuthorizationStatusService.java
@@ -13,6 +13,7 @@
 import de.adorsys.opba.protocol.facade.services.ProtocolSelector;
 import de.adorsys.opba.protocol.facade.services.ProtocolWithCtx;
 import de.adorsys.opba.protocol.facade.services.context.ServiceContextProvider;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.support.TransactionTemplate;
@@ -26,6 +27,7 @@
 /**
 * Unlike other types of Facade services, this one does not require protocol implementation available.
 */
+@Slf4j
 @Service
 public class GetAisAuthorizationStatusService extends GetAuthorizationStatusService {
@@ -54,7 +56,11 @@ protected CompletableFuture> handleProt
 var dbSvcSession = svcSessions.findById(protocolWithCtx.getServiceContext().getServiceSessionId()).orElseThrow();
 var statusResult = result.thenApply(it -> {
 var dbAuthSession = sessions.findByParentId(protocolWithCtx.getServiceContext().getServiceSessionId()).orElse(null);
- var status = null == it ? new SuccessResult<>(new AisAuthorizationStatusBody()) : it;
+ var status = it;
+ if (!(it instanceof SuccessResult)) {
+ log.error("[{}] Unexpected result type from protocol", aisAuthorizationStatusRequest.getFacadeServiceable().getRequestId());
+ status = new SuccessResult<>(new AisAuthorizationStatusBody());
+ }
 updateStatusFromDb(dbSvcSession, dbAuthSession, status);
 return status;
 });
diff --git a/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/context/ServiceContextProviderForFintech.java b/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/context/ServiceContextProviderForFintech.java
index 13db1a3c89..9aad94d2b4 100644
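Review bot: The new `if` in the last hunk replaces every value of `it` that is not a `SuccessResult` — including whatever error result the protocol produced — with an empty `SuccessResult`, whereas the removed line only substituted for `null`; the caller then receives a success carrying only DB-derived status and the protocol's failure survives nowhere but the log. If that is intended (the status endpoint reports DB state regardless of the protocol outcome), state it in a comment on the `if`, e.g. `// Status is rebuilt from the DB below; a non-success protocol result is logged and discarded`; otherwise keep the protocol's result and substitute only when `it` is null. Either way the log line should say what was received, e.g. `log.error("[{}] Unexpected result type from protocol: {}", aisAuthorizationStatusRequest.getFacadeServiceable().getRequestId(), null == it ? "null" : it.getClass().getSimpleName());`. The enclosing `handleProt…` method (name truncated in the hunk header) begins and ends outside the hunk.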
--- a/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/context/ServiceContextProviderForFintech.java
+++ b/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/context/ServiceContextProviderForFintech.java
@@ -27,6 +27,7 @@
 import java.util.Objects;
 import java.util.UUID;
+import java.util.stream.Collectors;
 @Service(ServiceContextProviderForFintech.FINTECH_CONTEXT_PROVIDER)
 @RequiredArgsConstructor
@@ -59,6 +60,7 @@ public InternalContext RequestScoped fintechFacingSec
 BankProfile profile = session.getBankProfile();
 // FinTech requests should be signed, so creating Fintech entity if it does not exist.
- Fintech fintech = authenticator.authenticateOrCreateFintech(request.getFacadeServiceable());
+ Fintech fintech = authenticator.authenticateOrCreateFintech(request.getFacadeServiceable(), session);
 return provider.registerForFintechSession(
 fintech,
diff --git a/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/fintech/FintechAuthenticator.java b/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/fintech/FintechAuthenticator.java
index bf74a289ca..facf9578a9 100644
--- a/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/fintech/FintechAuthenticator.java
+++ b/opba-banking-protocol-facade/src/main/java/de/adorsys/opba/protocol/facade/services/fintech/FintechAuthenticator.java
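Review bot: Neither hunk of this file uses `Collectors`, which the first hunk imports; unless some part of the file outside this diff refers to it, the import is unused and should be dropped. Passing `session` into `authenticateOrCreateFintech` in the second hunk is safe as far as nullness goes, since `session.getBankProfile()` is already dereferenced two lines above. The enclosing `fintechFacingSec…` method (name truncated in the hunk header) begins and ends outside the hunk.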
@@ -1,16 +1,19 @@
 package de.adorsys.opba.protocol.facade.services.fintech;
 import de.adorsys.opba.db.domain.entity.fintech.Fintech;
+import de.adorsys.opba.db.domain.entity.sessions.ServiceSession;
 import de.adorsys.opba.db.repository.jpa.fintech.FintechRepository;
 import de.adorsys.opba.protocol.api.dto.request.FacadeServiceableRequest;
 import de.adorsys.opba.protocol.facade.config.encryption.impl.fintech.FintechSecureStorage;
 import de.adorsys.opba.protocol.facade.services.fintech.registrar.FintechRegistrar;
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import java.util.function.Supplier;
+@Slf4j
 @Service
 @RequiredArgsConstructor
 public class FintechAuthenticator {
@@ -20,8 +23,13 @@ public class FintechAuthenticator {
 private final FintechRepository fintechRepository;
 @Transactional
- public Fintech authenticateOrCreateFintech(FacadeServiceableRequest request) {
+ public Fintech authenticateOrCreateFintech(FacadeServiceableRequest request, ServiceSession session) {
 String fintechId = request.getAuthorization();
+ if (null != session.getAuthSession() && null != session.getAuthSession().getFintechUser() && !session.getAuthSession().getFintechUser().getFintech().getGlobalId().equals(fintechId)) {
+ log.error("[SECURITY] Fintech [{}] has requested data belonging to [{}] fintech", fintechId, session.getAuthSession().getFintechUser().getFintech().getGlobalId());
+ throw new IllegalStateException("Security violation");
+ }
+
 Supplier finTechPassword = () -> request.getSessionPassword().toCharArray();
 Fintech fintech = fintechRepository.findByGlobalId(fintechId)
 .orElseGet(() -> fintechRegistrar.registerFintech(fintechId, finTechPassword));
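Review bot: The ownership check in the second hunk evaluates `session.getAuthSession().getFintechUser().getFintech()` three times on one very long line (twice in the condition, once in the log call), which hides the actual rule — "the session's fintech must be the one named in the request" — and null-guards `getFintechUser()` but not `getFintech()`; extracting the owner id into a local makes the rule readable and gives one place to add a guard if a fintech user can exist without a fintech (not visible here). Note also that `fintechId` is still the caller's claim from `getAuthorization()` at this point, so the log records a claimed rather than an authenticated id; a short comment saying so keeps the `[SECURITY]` line from being over-read. Whether the facade maps `IllegalStateException` to a client error or to a 500 is not visible in the hunk; if it is the latter, a dedicated exception type would let the API answer correctly. The method's remaining lines run past the hunk.
```java
String fintechId = request.getAuthorization();
// fintechId is the caller's claim; the lookup/registration below is what backs it
var authSession = session.getAuthSession();
if (null != authSession && null != authSession.getFintechUser()) {
    String ownerId = authSession.getFintechUser().getFintech().getGlobalId();
    if (!ownerId.equals(fintechId)) {
        log.error("[SECURITY] Fintech [{}] has requested data belonging to [{}] fintech", fintechId, ownerId);
        throw new IllegalStateException("Security violation");
    }
}
// … unchanged: password supplier and lookup-or-register …
```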
diff --git a/opba-facade-protocol-api-shared/src/main/java/de/adorsys/opba/protocol/api/dto/context/Context.java b/opba-facade-protocol-api-shared/src/main/java/de/adorsys/opba/protocol/api/dto/context/Context.java
index 9f553c81da..c7f27da0b6 100644
--- a/opba-facade-protocol-api-shared/src/main/java/de/adorsys/opba/protocol/api/dto/context/Context.java
+++ b/opba-facade-protocol-api-shared/src/main/java/de/adorsys/opba/protocol/api/dto/context/Context.java
@@ -5,6 +5,7 @@
 import lombok.Getter;
 import lombok.NonNull;
+import java.util.Set;
 import java.util.UUID;
 @Getter
@@ -41,6 +42,11 @@ public class Context {
 */
 private final UUID authSessionId;
+ /**
+ * The IDs of all authorization session(s) associated with this request.
+ */
+ private final Set associatedAuthSessionIds;
+
 /**
 * Will be used as redirect code when coming back from ASPSP.
 * (it happens after we can act in protocol)
diff --git a/opba-protocols/opba-protocol-testing-helper/src/main/java/de/adorsys/opba/helpers/protocol/testing/controller/ProtocolTestingController.java b/opba-protocols/opba-protocol-testing-helper/src/main/java/de/adorsys/opba/helpers/protocol/testing/controller/ProtocolTestingController.java
index daf70453a9..d1a4a399b8 100644
--- a/opba-protocols/opba-protocol-testing-helper/src/main/java/de/adorsys/opba/helpers/protocol/testing/controller/ProtocolTestingController.java
+++ b/opba-protocols/opba-protocol-testing-helper/src/main/java/de/adorsys/opba/helpers/protocol/testing/controller/ProtocolTestingController.java
@@ -25,6 +25,7 @@
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RestController;
+import java.util.Collections;
 import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
@@ -84,6 +85,7 @@ private Context supplyContext(UUID bankProfileId, UUID sessionId, T reque
 bankProfileId,
 sessionId,
 sessionId,
+ Collections.emptySet(),
 UUID.randomUUID(),
 UUID.randomUUID(),
 UUID.randomUUID(),
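Review bot: `associatedAuthSessionIds` in the second Context hunk is added without a nullness annotation, although `lombok.NonNull` is imported in this file and the testing controller in the last section passes `Collections.emptySet()` rather than `null` for it, which suggests callers are expected to always supply a set; if that is the contract, annotate the field `@NonNull` so a missing value fails at construction rather than at the first iteration over the getter. Whether the neighbouring fields carry `@NonNull` is not visible in the hunk. The javadoc should also say how the set relates to `authSessionId` directly above it (whether that id is always a member), since that is the first question a reader of both fields will ask. The `Context` class body continues outside the hunk.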