Banking Protocols
#################

This page collects information we have about banking protocols available around
the world.


Open Financial Exchange (OFX) Direct Connect
============================================

`OFX <https://www.ofx.net/>`__ is widely used in the US.  It defines a completely
custom protocol (based on HTTP) and data formats (**not** based on ISO20022) for banking.


Electronic Banking Internet Communication Standard (EBICS)
==========================================================

EBICS is used primarily in Germany, France and Switzerland.  Some banks (such as BNP Paribas
with their `Global Ebics offering <https://cashmanagement.bnpparibas.com/our-solutions/solution/global-ebics>`__)
also allow EBICS access to accounts in other countries.

EBICS is just a transfer layer for communicating with banks.  Banks define what
messages they support.  In practice, EBICS is very often used to transfer
ISO20022 messages.

All German banks that are part of the German Banking Industry Committee must offer EBICS access,
which makes this protocol a good choice for the German market.


FinTS / HBCI
============

German home-banking standard.  Only some banks allow authentication based on key pairs.
Due to differing interpretations of PSD2, other banks now only allow authentication
methods that require interaction from the customer (SCA / Strong Customer Authentication).

Payloads these days can be ISO20022 messages.


PSD2
====

PSD2 (the second Payment Services Directive) is not a technical standard but a set of high-level
legal requirements on (amongst other things) the APIs that banks have to offer.

There are many implementations of PSD2 APIs.  The `Berlin Group <https://www.berlin-group.org/>`__
provides a framework that somewhat standardizes the technical details, but banks are by no means
required to use it.

Unfortunately, PSD2 focuses on *other* parties accessing *your* bank account.  It
does not give customers access to their own bank account.  Customers can manage the
third-party access they grant to their bank account in their online banking
system.  That mechanism is conceptually similar to OAuth2; in fact, some
implementations of PSD2 even use OAuth2 directly.

PSD2 requires two main services to be available via an API:

* AIS (Account Information Service).
* PIS (Payment Initiation Service).

Together, they're often called XS2A ("access to account").

An entity that wants to use AIS has to be registered with the financial
oversight authority in its country (BaFin in Germany).  PIS has even stronger
legal prerequisites.

On a technical level, using PSD2 APIs usually requires having an `eIDAS
<https://en.wikipedia.org/wiki/EIDAS>`__ certificate.


Bank-Proprietary APIs
=====================

Some banks offer completely custom APIs to access their services.  These often include services
not available via more standardized APIs, such as account creation.

Often banks frame PSD2 as just another API available in their portfolio of API offerings.

Examples:

* `Deutsche Bank <https://developer.db.com/products>`__
* `ING Group <https://developer.ing.com/api-marketplace/marketplace>`__