Introduction
The revised Payment Services Directive (PSD2) is a data and technology-driven directive which aims to drive increased competition, innovation and transparency across the European payments market, while enhancing the security of Internet payments and account access.
Among other things, [PSD2] regulates new services operated by so-called Third Party Payment Service Providers (TPPs) on behalf of a Payment Service User (PSU).
These new services are:
- Payment Initiation Service (PIS), regulated by article 66 of [PSD2]
- Account Information Service (AIS), regulated by article 67 of [PSD2]
- Confirmation on the availability of funds for a payment instrument issuer (PIISP), regulated by article 65 of [PSD2]
To implement these new services (subject to PSU consent), a TPP needs to access the account of the PSU. The account is usually managed by another PSP, the Account Servicing Payment Service Provider (ASPSP). To support TPPs in accessing the accounts it manages, each ASPSP has to provide an "access to account interface" (XS2A interface).
Responsibilities and rights of TPP and ASPSP concerning the interaction at the XS2A interface are defined and regulated by [PSD2]. In addition, more detailed requirements for the implementation and operation of the XS2A interface are defined by [EBA-RTS].
Key objectives:
The regulatory requirements are based on the following documents:
Berlin Group NextGenPSD2
The NextGenPSD2 Initiative is a dedicated Task Force of the Berlin Group with the goal of creating an open, common and harmonised European API (Application Programming Interface) standard that enables Third Party Providers (TPPs) to access bank accounts under the revised Payment Services Directive (PSD2). In a unique partnership, participants in NextGenPSD2 are working together with the common vision that open and harmonised PSD2 XS2A interface standards for processes, data and infrastructures are the necessary building blocks of an open, interoperable market. True interoperability is an essential component of competitive pan-European PSD2 XS2A services and will contribute to further progress towards the European Single Market, benefiting the payments industry in general and European consumers and businesses in particular.
While a harmonised XS2A interface is essential for XS2A services to mature at scale and at relatively low cost, the full PSD2 XS2A ecosystem also covers other technical, functional, operational and governance domains, with (sometimes optional) complementary services, as displayed in the following picture:
Key characteristics of the NextGenPSD2 Framework:
For further details, see the NextGenPSD2 overview here.
CBA PSD2 API Documentation
The Croatian Banking Association joined the Berlin Group in September 2017. Even though NextGenPSD2 was at an early stage at that time, it was seen as an initiative that could deliver the missing common API standard among credit institutions. Today, the Berlin Group API standard is seen as the dominant PSD2 API standard initiative, backed by credit institutions throughout the entire EU.
The latest version of the CBA PSD2 API documentation is 1.0 and can be found here. Version 1.0 is based on the NextGenPSD2 Implementation Guidelines 1.3. Archived versions are located here.
API Documentation
Since CBA is a member of the Berlin Group, the fundamental documentation for the PSD2 API in Croatia is the NextGenPSD2 documentation; the CBA PSD2 documentation is derived from the NextGenPSD2 API documentation.
The PSD2 API documentation for the Croatian market can be divided into three hierarchical sections:
The dependencies between the documentation groups are shown in the following graphic:
The NextGenPSD2 Framework itself consists of four artefacts, all published free of charge under a Creative Commons licence (CC-BY-ND):
The documents are used by banks and TPPs for implementing PSD2-required bank account access.
The most recent release of the NextGenPSD2 Framework can be downloaded here.
Documentation Lifecycle
According to RTS: "...account servicing payment service providers shall ensure that, except for emergency situations, any change to the technical specification of their interface is made available to authorised payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments, or payment service providers that have applied to their competent authorities for the relevant authorisation, in advance as soon as possible and not less than 3 months before the change is implemented."
To stay up to date with the latest documentation, we encourage TPPs to subscribe to notifications of any documentation changes that may affect the API. All changes to the APIs will be announced in accordance with the RTS rules quoted above.
Linked Documents and References
Reference | Description |
---|---|
[X2A-ImplG] | NextGenPSD2 XS2A Framework, Implementation Guidelines, The Berlin Group Joint Initiative on a PSD2 Compliant XS2A Interface, version 0.99, published 02 October 2017. |
[eIDAS] | Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. |
[PSD2] | Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, published 25.11.2015. |
[OpenAPI] | https://www.openapis.org/ and https://swagger.io/specification/ |
[EBA-RTS] | Opinion of the European Banking Authority on the implementation of the RTS on SCA and CSC, 13 June 2018. |
[EBA-Guidelines] | Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC). |
[EBA-eIDAS] | Opinion on the use of eIDAS certificates under the RTS on SCA and CSC. |
Abbreviations
Abbreviation | Description |
---|---|
AIS | Account Information Service according to article 4 (16) of [PSD2] and as regulated by article 67 of [PSD2]. |
AISP | Account Information Service Provider offering an AIS to its customer. See article 4 (19) of [PSD2]. |
API | Application Programming Interface. |
ASPSP | Account Servicing Payment Service Provider, providing and maintaining a payment account for a payer. See article 4 (17) of [PSD2]. |
CBA | Croatian Banking Association |
EBA | European Banking Authority |
eIDAS | Electronic Identification, Authentication and Trust Services |
IAM | Identity and Access Management: the architectural component that manages identities and controls access. |
OAuth2 | Authorization framework (RFC 6749) that allows a resource owner to grant a third-party application limited access to an HTTP service without sharing the owner's credentials. |
PIISP | Payment Instrument Issuer Service Provider according to article 4 (14) and (45) of [PSD2]. A PIISP can use the service "Confirmation on the availability of funds" as regulated by article 65 of [PSD2]. |
PIS | Payment Initiation Service according to article 4 (15) of [PSD2] and as regulated by article 66 of [PSD2]. |
PISP | Payment Initiation Service Provider offering a PIS to its customer. See article 4 (18) of [PSD2]. |
PSP | Payment Service Provider according to article 4 (11) of [PSD2]. |
PSU | Payment Service User according to article 4 (10) of [PSD2]. |
RTS | EBA Regulatory Technical Standards on strong customer authentication and common and secure communication. |
SCA | Strong Customer Authentication: an authentication procedure based on two or more independent factors (knowledge, possession, inherence) compliant with the requirements of [PSD2] and [EBA-RTS]. |
SCT | SEPA Credit Transfer. |
SDD | SEPA Direct Debit. |
TPP | Third Party Provider - generic term for AISP/PIISP/PISP. |
XS2A | Access to Account interface: the interface provided by an ASPSP to TPPs for accessing accounts (= API / interface). |