Welcome to the FAQ page of Open Banking! Here you will find the most commonly asked questions around Open Banking.
Frequently Asked Questions
Swedbank Open Banking is our invitation to developers and companies to innovate and build applications together, creating the next generation of digital services for millions of Swedbank customers through APIs.
API stands for application programming interface and is a technique for sharing information between online services and applications.
Open Banking allows customers to use services built by other companies and to give those services permission to access the customer’s bank data, if the customer has agreed to share it. Services built on the Swedbank Open Banking APIs will never get access to a customer's data without the customer specifically giving his/her consent to that application.
Customer safety is our first priority. Open Banking is built on EU PSD2 regulation guidelines and puts customer rights and security in focus. No customer data can be accessed by 3rd parties without proper licensing and receiving customer consent first.
You can write to firstname.lastname@example.org
Extending the Mobile BankID adds an additional layer of security for the customer. Some functionality for the customer (both in Swedbank's own channels and in the API) requires an extended Mobile BankID. To extend the Mobile BankID, a code card or PIN Calculator is required to verify that the customer is who he or she claims to be, as an extra precaution before the BankID is extended. If the customer doesn’t have the code card, the customer needs to request it and it will be sent out by regular post. The Mobile BankID only needs to be extended once per device and customer.
The Open Banking Sandbox functionality is a free service. You sign up by using your e-mail address.
The PSD2 APIs (Account Information and Payment Initiation API) are free for licensed 3rd parties. To get access you also need the required certificates. Read more about how to get access on our PSD2 onboarding page.
Currently we have launched a BETA Sandbox environment and PSD2 APIs (Account Information and Payment Initiation API). To receive news and updates on the latest releases, sign up to the Developer portal and you will be automatically added to our e-mail updates.
In order to use the PSD2 APIs you need to obtain an appropriate PISP and/or AISP license from your local FSA in the EU or EEA, and to passport the license to other countries if you want to use the PSD2 APIs in countries other than the one where you obtained the license.
To use our Premium APIs (still in development) you don’t need a license. In that case you need to contact us to agree on a business model and sign an agreement.
To report an issue with the Developer portal fill out the form here.
To reach our support team for questions about the Sandbox or Developer Portal e-mail email@example.com.
Our SLA (Service Level Agreement) is to respond to every inquiry within seven working days, but over 80% of questions are answered within one day.
Yes, our subsidiary Swedbank Pay has a developer portal with information and documentation about its APIs (for example Payments, Checkout and Gift Cards). You can visit it here.
Open Banking Terminology
PISP stands for Payment Initiation Service Providers. These service providers are authorized to initiate a payment on behalf of the customer if they have given such permission.
AISP stands for Account Information Service Providers. These service providers are authorized to view the customer’s payment account information, if such permission is given by the customer.
TPP stands for Third Party Payment Service Providers. It describes both AISP and PISP companies mentioned above.
RTS stands for Regulatory Technical Standard. Market players need specific requirements to comply with the new obligations in PSD2. The security measures outlined in the RTS stem from two key objectives of PSD2: ensuring consumer protection and enhancing competition and level playing field in a rapidly changing market environment.
Consent is an integral part of PSD2 and collaboration with 3rd parties. The only way Third Party Payment Service Providers can act on the customers’ behalf is if the customer has given explicit consent (authorization) to have such permissions. The customer also has an overview of who has been granted consent. Consent is valid up to 90 days but can be revoked anytime by the customer.
OAuth 2.0 is the security model used. It is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. It enables third-party applications to obtain limited access to a web service.
Financial Supervisory Authority. The name of the institution varies from country to country, and it is usually the Finance Inspection or Central Bank of the country.
Strong Customer Authentication
Open Banking is a new feature in our Internet bank which requires an updated agreement. If the corporate customer has an old Internet agreement (entered before summer 2019), a new one has to be signed. Please contact your advisor and ask to sign an updated Internet bank agreement with the service Open Banking included. If a corporate user gets an error message about lacking permissions to use an Open Banking service, he or she should contact their corporate admin user and ask for the required permissions.
As a previous customer you can still get the option to log on to Swedbank or a Savings bank and read documents from the bank and exchange information about your customer relationship. Third-party providers who have integrated Swedbank through screen scraping, reverse engineering of our own APIs or other methods might have issues with old customer engagements since they are visible through this portal and enabled as a choice in our profile selector.
Please note that the PSD2 API (or the fallback contingency mechanism in Sweden) is the only channel provided for third parties to access customer data in accordance with the requirements in the PSD2 directive. Old customer engagements are not visible in those channels.
Developer portal & APIs
We will update with the Finnish portal as soon as it is available.
You can register your account here.
Developers and API publishers need one of the following browsers to use the Developer Portal:
- Mozilla Firefox 50 or later
- Google Chrome 55 or later
- Microsoft Internet Explorer 11 or later
There are two APIs available from Swedbank currently:
- Payment Initiation API for Payment Initiation Service Providers (PISP)
- Account Information API for Account Information Service Providers (AISP)
The same set of APIs is available in our four markets: Sweden, Estonia, Latvia and Lithuania.
With the APIs you can:
- Get a list of reachable accounts (AISP)
- Initiate payments on the customer's behalf (PISP)
- Get balances for a given list of accounts (AISP)
- Get transaction information for a given account (AISP)
The API provides data for both Swedish and Baltic customers in Swedbank. More detailed information is available in the API documentation.
Currently we support both the redirect and decoupled methods for Estonia, Latvia and Lithuania, and the redirect method for Sweden. Customers can give Consent or authorize payments using these SCA methods from Swedbank: BankID, Mobilt BankID (Sweden) and Smart-ID, Mobile-ID, PIN generator, ID-card (Baltics).
Swedbank has offered eIDAS certificate support in our test environment since February 2019.
PSD2 API (PISP & AISP)
The EU has issued the PSD2 regulation, which strives to make payments safer, increase consumer protection, and foster innovation and competition while ensuring an equal playing field for all market players, including new ones. It means that:
- The customer can grant third-party service providers access to the customer's payment account information at the customer's bank;
- The customer can grant third-party service providers permission to initiate payments from the customer's Swedbank bank accounts;
- Authentication processes related to information and transactions must adhere to updated strong authentication standards.
Creating APIs that allow 3rd parties to integrate their services with Swedbank and, with the customer's consent, use their account information or initiate payments, is at the core of Open Banking. But that is just the first step of opening the bank's services – we invite any fintech with ideas on how to collaborate to deliver interesting customer solutions to approach us for Premium API access beyond the PSD2 scope.
Here is more information provided by European Commission about the directive.
By integrating with our PSD2 API you can connect to customers in our four home markets (Sweden, Estonia, Latvia and Lithuania) and these savings banks on the Swedish market:
Bergslagens Sparbank AB
Ivetofta Sparbank i Bromölla
Kinda Ydre Sparbank
Sparbanken Alingsås AB
Sparbanken Eken AB
Sparbanken Göinge AB
Sparbanken i Enköping
Sparbanken i Karlshamn
Sparbanken Lidköping AB
Sparbanken Rekarne AB
Sparbanken Skaraborg AB
Sparbanken Sjuhärad AB
Sparbanken Västra Mälardalen
Södra Dalarnas Sparbank
Södra Hestra Sparbank
Tjustbygdens Sparbank AB
Westra Wermlands Sparbank
Varbergs Sparbank AB
Vimmerby Sparbank AB
Åse Viste Sparbank
Ölands Bank AB
A customer can only make payments to accounts that have been added to the customer's recipient list. The recipient list is a step to mitigate fraud and protect the customer. To add an account to the recipient list, the customer must sign the action with the PIN Calculator or extended Mobile BankID. This means that to make a payment through the API to a new account, the account must first be added to the recipient list. The functionality works in the same way in all our own channels and the API. Once the account has been added to the recipient list, payments to it can be made both in Swedbank's own channels and through the API. The use of the recipient list has been very effective in our work to mitigate fraud and protect the customer.
No, there is no need to sign any agreement. It is enough for you to get appropriate FSA license and follow these steps.
In line with Art. 97(5) of PSD2 and Art. 30(2) of the RTS, all methods of SCA provided to the PSU need to be supported in the dedicated interface, either through re-direction, decoupling or embedding, or a combination of any of them. To be compliant with the regulations, Swedbank has chosen to implement a redirect solution first, as is currently implemented in Swedbank's own PSU-facing digital channels.
However, a decoupled solution has also been implemented for Estonia, Latvia and Lithuania, and it will be developed for Sweden during 2019 in accordance with the high-level roadmap that has been published on the Swedbank Open Banking site.
The Swedbank PSD2 API provides services optimized for the PSU and TPP experience: it lets you retrieve the entire transaction list in a single request. This solution optimizes performance and allows you to implement pagination in a way that matches your application's needs. Hence, PSD2 API pagination is not necessary and therefore not supported. More information is provided in our support channel, in the paragraph “Transaction list with data older than 90 days” under the link here.
1. Requests where the PSU is actively involved (Art. 36(5)(a)); and
2. Requests where the PSU is not actively involved (Art. 36(5)(b)).
The first type of request has no limitation in terms of the number of requests. The second type can be requested four times/day for every PSU by the TPP.
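The consent rules from the terminology section (valid up to 90 days, revocable at any time) and the request limits above can be checked on the TPP side before any call is made. The following is an added example, not Swedbank's code or API: the class names, reason strings and the UTC calendar-day boundary for "four times/day" are assumptions, and the bank enforces its own limits independently.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CONSENT_LIFETIME = timedelta(days=90)  # FAQ: consent is valid up to 90 days
UNATTENDED_PER_DAY = 4                 # FAQ: four requests/day per PSU without the PSU present

OK, NO_CONSENT, QUOTA_SPENT = "ok", "renew-consent", "quota-exhausted"


@dataclass
class Consent:
    psu_id: str
    granted_at: datetime
    revoked: bool = False  # the customer can revoke at any time

    def is_valid(self, now: datetime) -> bool:
        return (not self.revoked
                and self.granted_at <= now < self.granted_at + CONSENT_LIFETIME)


@dataclass
class AccessGate:
    """Hypothetical TPP-side pre-check; the bank still enforces its own limits."""
    consents: dict = field(default_factory=dict)
    unattended: dict = field(default_factory=dict)  # (psu_id, UTC date) -> count

    def register(self, consent: Consent) -> None:
        self.consents[consent.psu_id] = consent

    def authorize(self, psu_id: str, now: datetime, psu_present: bool) -> str:
        consent = self.consents.get(psu_id)
        if consent is None or not consent.is_valid(now):
            return NO_CONSENT          # never call the API without live consent
        if psu_present:
            return OK                  # Art. 36(5)(a): no limit on the number of requests
        key = (psu_id, now.astimezone(timezone.utc).date())  # assumption: UTC calendar day
        used = self.unattended.get(key, 0)
        if used >= UNATTENDED_PER_DAY:
            return QUOTA_SPENT         # Art. 36(5)(b): background budget is spent
        self.unattended[key] = used + 1
        return OK


def demo() -> list:
    """Constructed scenario: five background refreshes on one day, then a PSU-driven one."""
    start = datetime(2024, 1, 1, 6, 0, tzinfo=timezone.utc)
    gate = AccessGate()
    gate.register(Consent("psu-constructed-001", start))
    results = [gate.authorize("psu-constructed-001", start + timedelta(hours=h), False)
               for h in range(1, 6)]
    results.append(gate.authorize("psu-constructed-001", start + timedelta(hours=7), True))
    return results


if __name__ == "__main__":
    print(demo())
```

Only background requests that return `ok` are counted, so PSU-driven requests never consume the daily budget.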
We have applied for a fallback exemption to our local FSAs and it has been approved for Estonia, Latvia and Lithuania. Documentation for our fallback solution in Sweden is provided for licensed TPPs – please contact firstname.lastname@example.org. Access to our online bank or screen scraping is not a proper interface for TPPs.
Yes, decoupled SCA flow is available for Estonia, Latvia, Lithuania and Sweden. The implementation is described in our documentation section 8.3 “Decoupled Approach”.
“There is already a possibility to add the scope to ask for consent for transactions beyond 90 days. You can add the extra scope in the request and use the same SCA as for the account transactions within 90 days. After 90 days have expired, you can renew the consent again with the additional scope.
It is described in our documentation on page 6 and onwards.”
Feature requests for PSD2 API
Question: We want to implement a PIS-only flow where the TPP does not have to send the debtor account information beforehand. Can you offer a drop-down for accounts in the redirect flow for the PSU to choose account?
Response: “The EBA/OP/2020/10 paragraph 36 states that the ASPSP could (but not should) provide a payment flow where the PSU can make a payment from an account without sharing account information with the TPP. This can be done in either redirect or decoupled flow. The way our SCA methods are implemented (Mobile BankID and SmartID), makes it impossible for the PSU to choose different options while signing. For this reason, only a redirect flow where the PSU gets to choose which account should be the debtor account is possible. We are planning to implement this feature in our redirect PSD2 API, and in our current roadmap we are aiming for a release during Q1 2021.”
Question: In Swedbank (Swedish market) the PSU needs to add the recipient account for a payment to an approved account list (and sign the request with an SCA). We consider this to be an obstacle in the API. Can you remove the necessary approval of the recipient account for the PSU?
Response: “The functionality to add a recipient account to an approved account list has been implemented in Swedbank channels (in Sweden) for many years. It is part of our fraud protection. We have the same flow in our PSD2 API as we have in our own channels, hence it can’t be considered to be an obstacle.
Since we have received many questions about the functionality and that TPPs would like to remove the necessary friction for the PSU, we are evaluating different solutions to simplify the flow while maintaining fraud protection, security and risk level. In the future it is possible that we will offer a partnership agreement that adds functionality for the TPP with an agreement. If you are interested in such functionality, please let us know by sending an email to email@example.com and we will let you know if we provide options.”
Question: We would like to have the account holder name accessible via the PSD2 API. We consider it to be a requirement in the RTS (EU) 2018/389 for account servicing payment service providers (“ASPSPs”) to make the information available to account information service providers (“AISPs”) and payment initiation service providers (“PISPs”).
Response: “Regarding providing the account holder name upon execution of a payment initiation, Swedbank acknowledges that the DG FISMA (through the EBA) has stated in Q&A 2018_4081, that the ASPSP shall, immediately after receipt of the payment order, provide PISPs with the same information on the initiation and execution of the payment transaction provided or made available to the PSU when the transaction is initiated directly by the latter. Hence, the ASPSP shall, immediately after receipt of the payment order, provide the name of the payer (PSU) to the PISP via the dedicated interface if the name is included in the information on the initiation and execution of the payment transaction provided or made available to the PSU when the transaction is initiated directly by the latter.
Swedbank does not, to our immediate knowledge, currently include the PSU’s name in the information on the initiation and execution of a payment transaction. If you have observed such information in the payment flows of the customer-facing interfaces, please provide us with information thereof, as this might be an error that needs rectification.
Also, please note that the current functionality of the Swedbank API, as agreed in discussions in API Forum between banks and TPPs, the personal identity number of the PSU is “locked in” upon entry in the beginning of the flow, thereby indirectly verifying the identity of the PSU, since a mismatch of the entered personal identity number and the SCA performed would render an error message. This functionality is described in the Swagger documentation (see PSU-ID reference).”
RestFX - Indicative Rates
No. These are Swedbank’s proprietary prices based on market data obtained from Swedbank’s counterparties on the interbank market. As such they give a good indication of “where the market currently is” but they will not necessarily be aligned with the rates from the ECB or from any other source.
No, not directly. These rates are only for information purposes and are not to be considered tradeable.
In the financial markets, price makers such as banks typically quote BID and ASK prices. BID is typically the price that the bank is prepared to buy the asset/instrument/commodity for and ASK is the price the bank is prepared to sell it for. The difference between BID and ASK is typically referred to as the spread. MID in this context is simply the average of BID and ASK and as such gives an indication of what an asset/instrument/commodity trades for in the market but is not in itself a tradeable price.
RestFX - Market Orders
Yes. At this point the service is only available for customers of Swedbank AB Sweden and Swedbank AB Norway that already have access to the FX Trade Service. If that description fits you, you should be good to go. If it does not, we are of course more than willing to help you get aboard, but then we suggest you contact firstname.lastname@example.org or Customer Service Centre – Corporate at +46 (0)771-33 44 33 before initiating the onboarding process on Open Banking.
No. There is no license fee to access the Market Orders service as such. Getting access to the service does however require a Transport Layer Security (TLS) client certificate for authentication of the customer. Swedbank Open Banking will be happy to evaluate whether any TLS certificate that the customer already has will be sufficient for this purpose, but if that is not the case a small fee may need to be paid to a third-party Certification Authority (CA) to procure such a certificate. Swedbank Open Banking will also be available for advice on suitable CAs. Please contact email@example.com if needed.
The Market Orders service is a simple API that can be used to send FX orders to be executed at prevailing market rates. Simplicity has been prioritized and at this point there is no advanced order-management functionality in place. It is of course possible to use the Indicative Rates service in conjunction with the Market Orders service to obtain an indicative quote before placing an order.
Swedbank will also launch more RestFX services and more advanced RestFX and Balance FX functionality in the future. To read more on Balance FX please go to Balance FX on Swedbank.se.