Open Banking is a way for third-party developers to gain secure access to bank information and functionality, so that they can create the applications and services customers need now and in the future. Skandiabanken welcomes developers with great ideas to contact us; together we can innovate for the future.
PSD2 is a subset of Open Banking. PSD2 is related to information and functionality for payment accounts.
The Revised Payment Services Directive (PSD2) is an EU regulation. The main objectives of PSD2 are to:
- Protect consumers
- Make payments safer and more secure
- Contribute to a more integrated and efficient European payments market
- Improve the level playing field for payment service providers (including new players)
PSD2 regulates access between banks and Third Party Providers (TPPs) such as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
PSD2 regulates account information and payment initiation on payment accounts.
PSD2 is incorporated into Swedish law as “Lag (2010:751) om betaltjänster”.
- Customers may grant consent to a TPP to access their existing and future payment accounts for a maximum of 90 days. This gives the TPP access to a list of payment accounts and transaction history.
- Customers can allow a TPP to initiate payments, for example a money transfer, a bill payment or an international payment.
- Customers always sign consent for account information and payment initiation with Swedish BankID.
If a customer would like to revoke consent given to a TPP, the customer will need to contact that TPP.
If you as a developer/TPP want to get started, we recommend that you read our documentation and create an account in our Developer Portal.
You will find documentation and guides here on the Open Banking web site and in the Developer Portal.
To access our live data environments you must apply to, and be approved by, your local NCA as an AISP or PISP. You will also need an eIDAS certificate supporting QWAC, issued by a QTSP. You must always comply with all applicable national regulations.
Yes. Security is always our main concern. The PSD2 regulation puts customer security in focus and regulates many security features.
All communication between the bank and the TPP, and between the PSU and the bank, is encrypted using TLS.
We follow standards to secure our APIs and our customers’ data and payments. We authenticate TPPs using eIDAS certificates including QWAC. We use NCA information and OAuth2 for TPP authorization.
PSU authentication is handled by us at the bank by using SCA.
As a TPP you can manage your API setup for apps and subscriptions in the Developer Portal. This is also where you manage your certificate(s).
To register in our test environment, please visit our portal (please use Firefox or Chrome for the best user experience). The test environment enables you to test the same features as are exposed in the production environment.
In Skandiabanken, we use Swedish BankID for SCA. To learn more about Swedish BankID and how to acquire a BankID for test purposes, see information at the home page of Swedish BankID.
To access the production APIs you will need an eIDAS certificate supporting QWAC issued by a QTSP. We use OAuth 2.0 to generate an access token or a refresh token for you. The access token will give you access to the accounts granted by the customer for a maximum of 90 days.
You as a TPP must obtain the customer's consent before accessing the PSU's accounts through the AIS. The consent must be signed by the PSU with SCA at the bank using a redirect flow; SCA is performed with Swedish BankID. You must make sure you hold a valid consent from the PSU at all times before calling the AIS. The consent is valid for a maximum of 90 days, and it covers all current and future payment accounts of the given PSU.
If a customer wants to revoke a consent they will need to contact you.
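As an added illustration (not Skandiabanken's code, and not tied to any real endpoint), the following Python shows the consent bookkeeping a TPP needs in order to honour the rules above: the 90-day cap applies regardless of what was requested, a revocation received from the customer must block further AIS calls, and every AIS call is checked against the stored consent first. The class names, the status strings, the renewal-reminder helper and the sample PSU references are all assumptions of this example.

```python
# Added example (not Skandiabanken's code): TPP-side consent bookkeeping for an AIS
# integration under the rules stated in the FAQ. All names, the sample data and the
# status-string conventions are this example's own assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_CONSENT_DAYS = 90  # regulatory ceiling quoted in the FAQ


@dataclass
class Consent:
    psu_ref: str                        # pseudonymous customer reference (constructed)
    signed_at: datetime                 # moment the PSU completed SCA (BankID) in the redirect flow
    requested_days: int                 # validity period the TPP asked the PSU to approve
    revoked_at: Optional[datetime] = None

    @property
    def expires_at(self) -> datetime:
        # Whatever was requested, the consent cannot outlive the 90-day maximum.
        return self.signed_at + timedelta(days=min(self.requested_days, MAX_CONSENT_DAYS))

    def status(self, now: datetime) -> str:
        if self.revoked_at is not None and now >= self.revoked_at:
            return "revoked"
        if now < self.signed_at:
            return "not_yet_valid"
        if now >= self.expires_at:
            return "expired"
        return "valid"


class ConsentStore:
    """Per-PSU record of the current consent, consulted before every AIS call."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}

    def record(self, consent: Consent) -> None:
        # A newly SCA-signed consent replaces any earlier one for the same PSU.
        self._consents[consent.psu_ref] = consent

    def revoke(self, psu_ref: str, now: datetime) -> bool:
        # The customer revokes by contacting the TPP, so the TPP must enforce it here.
        consent = self._consents.get(psu_ref)
        if consent is None or consent.status(now) != "valid":
            return False
        consent.revoked_at = now
        return True

    def guard_ais_call(self, psu_ref: str, now: datetime) -> str:
        """Return "valid" if an AIS call may proceed, otherwise the reason it may not."""
        consent = self._consents.get(psu_ref)
        if consent is None:
            return "missing"
        return consent.status(now)

    def renewals_due(self, now: datetime, within: timedelta) -> List[str]:
        """PSUs whose consent expires within `within`; they must go through SCA again."""
        return sorted(
            ref for ref, c in self._consents.items()
            if c.status(now) == "valid" and c.expires_at - now <= within
        )


def demo() -> Dict[str, str]:
    """Constructed scenario exercising the expiry cap and revocation paths."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    store = ConsentStore()
    store.record(Consent("psu-a", t0, requested_days=30))
    store.record(Consent("psu-b", t0, requested_days=365))  # silently capped to 90 days
    store.record(Consent("psu-c", t0, requested_days=90))
    store.revoke("psu-c", t0 + timedelta(days=10))          # customer contacted the TPP
    return {
        "a_day_29": store.guard_ais_call("psu-a", t0 + timedelta(days=29)),
        "a_day_30": store.guard_ais_call("psu-a", t0 + timedelta(days=30)),
        "b_day_89": store.guard_ais_call("psu-b", t0 + timedelta(days=89)),
        "b_day_90": store.guard_ais_call("psu-b", t0 + timedelta(days=90)),
        "c_day_11": store.guard_ais_call("psu-c", t0 + timedelta(days=11)),
        "unknown": store.guard_ais_call("psu-z", t0),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The guard is deliberately the only path to the AIS client: a consent that has expired, been revoked, or was never recorded yields a reason string rather than an API call, and `renewals_due` lets the TPP prompt the PSU for a fresh BankID signing before the 90 days run out instead of discovering the expiry from a failed request.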
When you as a TPP want to renew your certificate, the first step is to create a new app in our Portal with the new certificate. From that app you then subscribe to the APIs you want.
When you are approved, you can just move your traffic to your new app.