Welcome to the FAQ page of Open Banking! Here you will find the most commonly asked questions around Open Banking.
Frequently Asked Questions
Swedbank Open Banking is our invitation to developers and companies to innovate and build applications together, creating the next generation of digital services for millions of Swedbank customers through APIs.
API stands for application programming interface and is a technique for sharing information between online services and applications.
Open Banking allows customers to use services built by other companies and give those services permission to access the customer's bank data, if the customer has agreed to share it. Services built on the Swedbank Open Banking APIs will never get access to a customer's data without the customer specifically giving his/her consent to that application.
Customer safety is our first priority. Open Banking is built on EU PSD2 regulation guidelines and puts customer rights and security in focus. No customer data can be accessed by 3rd parties without proper licensing and receiving customer consent first.
You can write to firstname.lastname@example.org
Extending the Mobile BankID adds an additional layer of security for the customer. Some functionality for the customer (both in Swedbank's own channels and in the API) requires an extended Mobile BankID. To extend the Mobile BankID, a code card or PIN Calculator is required to verify that the customer is who he or she claims to be, as an extra precaution before the BankID is extended. If the customer doesn't have the code card, the customer needs to request it and it will be sent out by regular post. The extension of the Mobile BankID only needs to be done once per device and customer.
The Open Banking Sandbox functionality is a free service. You sign up by using your e-mail address.
The PSD2 APIs (Account Information and Payment Initiation API) are free for licensed 3rd parties. To get access you also need the required certificates. Read more about how to get access on our PSD2 onboarding page.
Currently we have launched a BETA Sandbox environment and PSD2 APIs (Account Information and Payment Initiation API). To receive news and updates on the latest releases, sign up to the Developer portal and you will be automatically added to our e-mail updates.
In order to use the PSD2 APIs you need to obtain an appropriate PISP and/or AISP license from your local FSA in the EU or EEA, and passport the license to other countries if you want to use the PSD2 APIs in countries other than the one where you obtained the license.
To use our Premium APIs (still in development) you don't need a license. In that case you need to contact us to agree on a business model and sign an agreement.
To report an issue with the Developer portal fill out the form here.
To reach our support team for questions about the Sandbox or Developer Portal e-mail email@example.com.
Our SLA (Service Level Agreement) is to respond to every inquiry within seven working days, but over 80% of questions are answered within one day.
Open Banking Terminology
PISP stands for Payment Initiation Service Providers. These service providers are authorized to initiate a payment on behalf of the customer if the customer has given such permission.
AISP stands for Account Information Service Providers. These service providers are authorized to view the customer’s payment account information, if such permission is given by the customer.
TPP stands for Third Party Payment Service Providers. It describes both AISP and PISP companies mentioned above.
RTS stands for Regulatory Technical Standard. Market players must meet specific requirements to comply with the new obligations in PSD2. The security measures outlined in the RTS stem from two key objectives of PSD2: ensuring consumer protection and enhancing competition and a level playing field in a rapidly changing market environment.
Consent is an integral part of PSD2 and collaboration with 3rd parties. The only way Third Party Payment Service Providers can act on the customers’ behalf is if the customer has given explicit consent (authorization) to have such permissions. The customer also has an overview of who has been granted consent. Consent is valid up to 90 days but can be revoked anytime by the customer.
OAuth 2.0 is the security model used. It is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. It enables third-party applications to obtain limited access to a web service.
FSA stands for Financial Supervisory Authority. The name of the institution varies from country to country; it is usually the Financial Inspection or the Central Bank of the country.
SCA stands for Strong Customer Authentication.
Open Banking is a new feature in our Internet bank which requires an updated agreement. If the corporate customer has an old Internet agreement (entered before summer 2019), a new one has to be signed. Please contact your advisor and ask to sign an updated Internet bank agreement with the service Open Banking included. If a corporate user gets an error message about lacking permissions to use an Open Banking service, he or she should contact their corporate admin user and ask for the required permissions.
Developer portal & APIs
We will update with the Finnish portal as soon as it is available.
You can register your account here.
Developers and API publishers need one of the following browsers to use the Developer Portal:
- Mozilla Firefox 50 or later
- Google Chrome 55 or later
- Microsoft Internet Explorer 11 or later
There are two APIs available from Swedbank currently:
- Payment Initiation API for Payment Initiation Service Providers (PISP)
- Account Information API for Account Information Service Providers (AISP)
The same set of APIs is available for our four markets: Sweden, Estonia, Latvia and Lithuania.
With the APIs you can:
- Get a list of reachable accounts (AISP)
- Initiate payments on the customer's behalf (PISP)
- Get balances for a given list of accounts (AISP)
- Get transaction information for a given account (AISP)
The API provides data for both Swedish and Baltic customers in Swedbank. More detailed information is available in the API documentation.
Currently we support both the redirect and the decoupled method for Estonia, Latvia and Lithuania, and the redirect method for Sweden. Customers can give consent or authorize payments using these SCA methods from Swedbank: BankID and Mobilt BankID (Sweden), and Smart-ID, Mobile-ID, PIN generator and ID-card (Baltics).
Swedbank has supported eIDAS certificates in its test environment since February 2019.
PSD2 API (PISP & AISP)
The EU has issued the PSD2 regulation, which strives to make payments safer, increase consumer protection, and foster innovation and competition while ensuring an equal playing field for all market players, including new ones. It means that:
- The customer can grant third-party service providers access to the customer's payment account information at the customer's bank;
- The customer can grant third-party service providers permission to initiate payments from the customer's Swedbank bank accounts;
- Authentication processes related to information and transactions must adhere to updated strong authentication standards.
Creating APIs that allow 3rd parties to integrate their services with Swedbank and, with the customers' consent, use their account information or initiate payments, is at the core of Open Banking. But that is just the first step of opening the bank's services. We invite any fintech with ideas on how to collaborate to deliver interesting customer solutions to approach us for Premium API access beyond the PSD2 scope.
Here is more information provided by European Commission about the directive.
By integrating with our PSD2 API you can connect to customers in our four home markets (Sweden, Estonia, Latvia and Lithuania) and these savings banks on the Swedish market:
Bergslagens Sparbank AB
Ivetofta Sparbank i Bromölla
Kinda Ydre Sparbank
Sparbanken Alingsås AB
Sparbanken Eken AB
Sparbanken Göinge AB
Sparbanken i Enköping
Sparbanken i Karlshamn
Sparbanken Lidköping AB
Sparbanken Rekarne AB
Sparbanken Skaraborg AB
Sparbanken Sjuhärad AB
Sparbanken Västra Mälardalen
Södra Dalarnas Sparbank
Södra Hestra Sparbank
Tjustbygdens Sparbank AB
Westra Wermlands Sparbank
Varbergs Sparbank AB
Vimmerby Sparbank AB
Åse Viste Sparbank
Ölands Bank AB
A customer can only make payments to accounts that have been added to the customer's recipient list. The recipient list is a step to mitigate fraud and protect the customer. To add an account to the customer's recipient list, the customer must sign the action with the PIN Calculator or extended Mobile BankID. This means that to make a payment through the API to a new account, the account must first be added to the recipient list. The functionality works in the same way in all our own channels and in the API. When the account has been added to the recipient list it is possible to make payments both in Swedbank's own channels and in the API. The recipient list has been very effective in our work to mitigate fraud and protect the customer.
No, there is no need to sign any agreement. It is enough for you to obtain an appropriate FSA license and follow these steps.
In line with Art. 97(5) of PSD2 and Art. 30(2) of the RTS, all methods of SCA provided to the PSU need to be supported in the dedicated interface, either through redirection, decoupling or embedding, or a combination of any of them. To be compliant with the regulations, Swedbank has chosen to implement a redirect solution first, as is currently implemented in Swedbank's own PSU-facing digital channels.
However, a decoupled solution has also been implemented for Estonia, Latvia and Lithuania, and it will be developed for Sweden during 2019 in accordance with the high-level roadmap that has been published on the Swedbank Open Banking site.
The Swedbank PSD2 API provides services optimized for the PSU and TPP experience: it allows the full transaction list to be retrieved in a single request. This optimizes performance and lets you implement pagination in whatever way matches your application's needs. Hence, pagination in the PSD2 API is not necessary and therefore not supported. More information is provided in our support channel, which you can find in the paragraph “Transaction list with data older than 90 days” under the link here.
1. Requests where the PSU is actively involved (Art. 36(5)(a)); and
2. Requests where the PSU is not actively involved (Art. 36(5)(b)).
The first type of request has no limit on the number of requests. The second type can be requested by the TPP four times per day for each PSU.
We have applied for a fallback exemption to our local FSAs and it has been approved for Estonia, Latvia and Lithuania. Documentation for our fallback solution in Sweden is provided for licensed TPPs – please contact firstname.lastname@example.org. Access to our online bank or screen scraping is not a proper interface for TPPs.
Yes, decoupled SCA flow is available for Estonia, Latvia, Lithuania and Sweden. The implementation is described in our documentation section 8.3 “Decoupled Approach”.
Data older than 90 days requires an SCA by the PSU, as described in Art. 97(1)(a) of PSD2, since it isn't covered by any of the exemptions from the SCA requirements in the SCA RTS (such as the exemption for account information within 90 days in Art. 10 of the RTS). In our documentation this is described in section 10.2 “Transaction list with data older than 90 days”.
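As an added example, not Swedbank's code, here is a TPP-side pre-flight check that enforces the three limits this FAQ states: the 90-day consent lifetime (Terminology section), the four-per-day cap on requests made without the PSU present (Art. 36(5)(b)), and the fresh-SCA requirement for transaction data older than 90 days. The Consent class, the `psu-demo` identifier and the dates are constructed assumptions, not values from the API.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Limits as stated in the FAQ: consent lives at most 90 days, requests without the
# PSU present (Art. 36(5)(b)) are capped at four per PSU per day, and transaction
# data older than 90 days needs a fresh SCA (Art. 97(1)(a) PSD2, Art. 10 RTS).
CONSENT_MAX_DAYS = 90
UNATTENDED_DAILY_LIMIT = 4
SCA_FREE_HISTORY_DAYS = 90

@dataclass
class Consent:
    psu_id: str                  # hypothetical PSU identifier kept by the TPP
    granted_at: datetime
    revoked: bool = False        # the PSU may revoke at any time
    unattended_calls: dict = field(default_factory=dict)  # day -> calls already sent

    def is_valid(self, now: datetime) -> bool:
        return not self.revoked and now - self.granted_at <= timedelta(days=CONSENT_MAX_DAYS)

def check_request(consent, now, psu_present, date_from=None, sca_done_now=False):
    """Decide on the TPP side whether an AIS call may be sent; returns (allowed, reason)."""
    if not consent.is_valid(now):
        return False, "consent revoked or older than 90 days: obtain a new consent"
    today = now.date()
    if not psu_present and consent.unattended_calls.get(today, 0) >= UNATTENDED_DAILY_LIMIT:
        return False, "four unattended requests already sent for this PSU today"
    if date_from is not None and today - date_from > timedelta(days=SCA_FREE_HISTORY_DAYS):
        if not (psu_present and sca_done_now):
            return False, "transactions older than 90 days need a fresh SCA by the PSU"
    if not psu_present:  # only count calls that are actually sent
        consent.unattended_calls[today] = consent.unattended_calls.get(today, 0) + 1
    return True, "ok"

def demo():
    """Constructed scenario: one consent, a day of unattended polling, then old data."""
    consent = Consent("psu-demo", datetime(2024, 1, 1, 9, 0))
    now = datetime(2024, 1, 10, 12, 0)
    results = [check_request(consent, now, psu_present=False) for _ in range(5)]
    results.append(check_request(consent, now, psu_present=True))
    results.append(check_request(consent, now, True, date_from=date(2023, 9, 1)))
    results.append(check_request(consent, now, True, date(2023, 9, 1), sca_done_now=True))
    results.append(check_request(consent, datetime(2024, 4, 15, 12, 0), psu_present=True))
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The fifth unattended call of the day, the request for data older than 90 days without a fresh SCA, and any call after the consent has aged past 90 days are refused before they reach the bank.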