Open Banking is a way for third party developers to securely and safely gain access to bank information and functionality to help create the applications and services needed to meet the current and future needs of the customers. Skandiabanken welcomes developers with great ideas to contact us; together we can innovate for the future.
PSD2 is a subset of Open Banking. PSD2 is related to information and functionality for payment accounts.
The Revised Payment Services Directive (PSD2) is an EU regulation. The main objectives of PSD2 are to:
- Protect consumers
- Make payments safer and more secure
- Contribute to a more integrated and efficient European payments market
- Improve the level playing field for payment service providers (including new players)
PSD2 regulates access between banks and Third Party Providers (TPPs) such as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
PSD2 regulates account information and payment initiation on payment accounts.
PSD2 is incorporated into Swedish law as “Lag (2010:751) om betaltjänster”.
- Customers may grant consent to a TPP to access their existing and future payment accounts for a maximum of 90 days. This gives the TPP access to a list of payment accounts and transaction history.
- Customers can allow a TPP to initiate payments, for example a money transfer, a bill payment or an international payment.
- Customers always sign consent to account information and payment initiation with Swedish BankID
If a customer would like to revoke consent to a TPP the customer will need to contact the TPP they have given their consent to.
If you as a developer/TPP want to get started, we recommend that you read our documentation and – as soon as it is available – create an account in our Developer Portal.
You will find documentation and guides here on the Open Banking web site, and in the Developer Portal when it is available.
To access our live data environments you must apply to and be approved by your local NCA (National Competent Authority) as an AISP or PISP. You will also need an eIDAS certificate supporting QWAC (Qualified Website Authentication Certificate) from a QTSP (Qualified Trust Service Provider). You must always comply with all applicable national regulations.
Yes. Security is always our main concern. The PSD2 regulation puts customer security in focus and regulates many security features.
All communication between the bank and the TPP, and between the PSU (Payment Service User, i.e. the customer) and the bank, is encrypted using TLS.
We follow standards to secure our APIs and our customers’ data and payments. We authenticate TPPs using eIDAS certificates including QWAC. We use NCA information and OAuth2 for TPP authorization.
PSU authentication is handled by us at the bank by using SCA.
As a TPP you will manage your API subscriptions in the Developer Portal. It will also provide technical documentation and a sandbox for testing.
The Portal will be open for anyone to register and use in the test environment, free of charge.
If you have problems with your username or password, you will be able to reset your password at our sign-in page. Make sure your browser allows cookies. If a problem persists you can contact us via our contact form.
Our test environment is currently not available. We will publish a link to it as soon as it is. However you can find some documentation on this site.
The test environment will initially not support calling our APIs from your own applications. The Developer Portal will provide a "Try It" function for basic AIS testing. We will continuously improve and add functionality to the test environment and the Developer Portal.
It is currently not possible to test the functionality of eIDAS certificates.
In Skandiabanken, we use Swedish BankID for SCA. To learn more about Swedish BankID and how to acquire a BankID for test purposes, see information at the home page of Swedish BankID.
To access the production APIs you will need an eIDAS certificate supporting QWAC issued by a QTSP. We use OAuth 2.0 to issue an access token and a refresh token to you. The access token gives you access to the accounts granted by the customer for a maximum of 90 days.
You as a TPP must obtain consent from the customer to access the PSU's accounts in the AIS. This consent must be signed with SCA at the bank by the PSU using a redirect flow. SCA is performed with Swedish BankID. You must make sure you have a valid consent from the PSU at all times before calling the AIS. The consent is valid for a maximum of 90 days. The consent for the AIS covers all current and future payment accounts for the given PSU.
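The following is an added example of the TPP-side bookkeeping this answer requires, not code from Skandiabanken or its Developer Portal: it starts the OAuth 2.0 redirect flow with a random state value, records when the PSU completed SCA, refuses any AIS call once the consent is older than 90 days, and refreshes the short-lived access token in between. The authorization endpoint URL and the `refresh` callback are hypothetical placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets
from urllib.parse import urlencode

CONSENT_MAX_DAYS = 90  # the page: AIS consent is valid for a maximum of 90 days


@dataclass
class Consent:
    """Record of one PSU's AIS consent, signed with Swedish BankID (SCA) at the bank."""
    psu_ref: str
    granted_at: datetime        # moment the PSU completed SCA in the redirect flow
    access_token: str           # OAuth 2.0 bearer token issued by the bank
    refresh_token: str
    token_expires_at: datetime  # access tokens are short-lived; the consent is not

    def consent_expires_at(self) -> datetime:
        return self.granted_at + timedelta(days=CONSENT_MAX_DAYS)


def consent_is_valid(consent: Consent, now: datetime) -> bool:
    """A TPP must hold a valid consent before every AIS call, not only at first use."""
    return now < consent.consent_expires_at()


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str):
    """Start the redirect flow: send the PSU to the bank, which performs SCA with BankID.
    Parameter names follow the OAuth 2.0 authorization-code request; the endpoint URL
    is a hypothetical placeholder, not the bank's real one."""
    state = secrets.token_urlsafe(32)  # random value the TPP verifies on the callback
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}", state


def token_for_ais_call(consent: Consent, now: datetime, refresh):
    """Return a bearer token for an AIS request, or raise if a new consent (new SCA) is needed.
    `refresh(refresh_token)` is a hypothetical callback that performs the OAuth 2.0
    refresh-token grant over mutual TLS with the TPP's QWAC and returns (token, expiry)."""
    if not consent_is_valid(consent, now):
        raise PermissionError("consent older than 90 days: redirect the PSU for a new SCA")
    if now >= consent.token_expires_at:
        consent.access_token, consent.token_expires_at = refresh(consent.refresh_token)
    return consent.access_token
```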
If a customer wants to revoke a consent they will need to contact you.