The revised European Payment Services Directive (PSD2) has finally been implemented in the Netherlands. The bank API sandboxes are now live and licensed Third Party Providers (TPPs) should be able to start using PSD2 APIs from September onwards. A first assessment of the API documentation published by the four largest Dutch banks show a multitude of differences, and it is clear that the banks have not (yet) chosen for standardization.
By Steven Schouten, Business Consultant at Visma Connect (formerly ebpi)
Below we give our first findings of the PSD2 API sandbox documentation for Payment Initiation service (PIS) and Account Information service (AIS) that the four largest Dutch banks, ABN AMRO, ING, Rabobank and Volksbank have published. In this overview we do not aim to provide all details, but want to give insight in main aspects and differences that we have uncovered so far. We have not yet focused on the PSD2 API service for the Confirmation of Available Funds (CAF) nor on other services that are also offered through bank APIs. Further updates will follow.
Geographically, ING offers standardized APIs for 16 European countries for current accounts as well as card accounts (for AIS), however API availability, type of accounts, means of authentication, transaction history (beyond 90 days), etc. can differ per country. ABN AMRO offers the API services for current accounts in the Netherlands, Belgium, Germany and the United Kingdom. In Belgium, private accounts and accounts for independent asset managers are also included. Rabobank and Volksbank offer API’s for their Dutch accounts. Volksbank APIs pertain to ASN bank, RegioBank and SNS.
For authentication, all banks use the OAuth 2.0 Payment Service Users (PSUs) authentication. PSU authentication seems based on existing internet banking authentication mechanism.
Payment Initiation Services
Banks, obviously, all offer the possibility to initiate a single SEPA Credit Transfer. However, none of the banks give any information regarding using Instant Payments (that will go live in May 2019 in the Netherlands).
ING and ABN AMRO Bank also offer international credit transfers to countries outside SEPA and currencies other than the Euro. ING also makes it possible to initiate domestic transfers within Europe with non-Euro currencies.
Volksbank offers the TPP a possibility to initiate recurring payments. After a one-time consent by the account holder the TPP can initiate the same SEPA Credit Transfer multiple times (not more than once a week), allowing TPPs for instance to collect subscription payments. Rabobank offers a possibility to initiate a (one-time initiated) Standing Order.
All banks allow the initiation of future dated payments, but with de Volksbank’s PIS API, the TPP will need to trigger the execution of the payment on the execution date itself.
All banks (except Volksbank) offer a means to request the payment status (after initiation); ING allows a TPP to retrieve (a copy of) the instruction details.
The actual flows of initiation and consent differ per bank. The API request and response formats differ per bank, e.g. required headers, path, body (some only in JSON others also XML), error codes, required payment information.
Account information Services
All banks offer API services (as mandated) to retrieve information regarding consented account details, balances and transactions. Furthermore, all banks offer the possibility to request the accounts for which the account holder has given the TPP consent.
ING and ABN AMRO Bank allow multiple balances depending on currency (for some countries). ING allows Account Information requests for Card Accounts.
Typically, the banks allow TPPs to retrieve up to 90 days of transaction details. With additional PSU consent ING will provide more transaction history. Rabobank states that a full transaction history of the PSU can be retrieved once by a TPP after the PSU has provided consent for the one-time access. Volksbank does not have a restriction on the transaction history.
The API request and response formats differ per bank, e.g. required headers, path, body (some only in JSON others also XML), error codes, required and provided information.
This initial assessment shows that the four largest Dutch Banks differ quite substantially in API standards, (detailed) services and flows, geographic scope of the services as well as the extent of the information provided on the developer websites. TPPs aiming to use the PSD2 API services will need to invest substantially to adopt for all the variations. On the other side the differences will certainly stimulate innovation!
About Visma Connect
Visma Connect designs, builds and delivers working solutions and services for highly secure, fast and reliable qualified information exchange. They process large volumes of digital and business critical messages, exceeding 300 million messages in 2018, and deliver services to the business community, municipalities, agencies and national governments.