Information for Payment Services Providers
Pursuant to Commission Delegated Regulation (EU) 2018/389¹ (the Regulation), in connection with the provisions of the Act of 10 May 2018 amending the Payment Services Act² and certain other acts as of 14 September 2019 (the Act), payment service providers maintaining accounts are obliged to make available a so-called access interface. This interface is designed to enable Third Party Providers (TPPs) that hold the relevant license from the supervisory authority and provide, inter alia, the Payment Initiation Service (PIS), providers that offer the Account Information Service (AIS), and payment service providers that have applied for the relevant license, to integrate the software and applications they use to offer payment services to users.
For this purpose, the Bank makes available an interface that fulfils the above requirements.
Below you will find information on its content, its capabilities and the services available to TPPs, as well as on how the interface is made available.
Range of services that the TPP may provide using CitiConnect API
CitiConnect API enables payment service providers to provide the following services to their customers:
- Payment initiation;
- Access to information regarding the Account.
Selected functionalities available under the interface
CitiConnect API has the following functionalities enabling integration with the bank environment:
- TPP identification
- User (account holder) authentication
- Payment initiation
- Checking payment status
- Checking the balance
- Checking the availability of funds (Confirmation of Availability of Funds – COF)
- Checking the availability of statement
- Downloading the statement
- Downloading payment confirmation
- Downloading account history
Technical details of each of the services are available in the full technical documentation (Documentation). To obtain the Documentation, please contact our experts by emailing them at firstname.lastname@example.org.
The full contents of the Documentation can be provided only to entities which hold the relevant license/registration, or which have submitted an application for it to the appropriate authority. The TPP is obliged to demonstrate that it holds the relevant license/registration, or has submitted an application to obtain it.
Exchange of data between the TPP and the Bank
Data should be exchanged in the ISO XML format.
The range of information provided to the TPP by the Bank depends upon the nature of service provided by the TPP.
Access to interface and request to receive the Documentation
To obtain access to the interface and/or the Documentation, please send an e-mail message to email@example.com and include the following information:
- Number and name of the TPP as recorded in the relevant register (in the case of an entity in the course of registration, please send a scan or a certified copy of confirmation of submission of application for registration/permit to the relevant authority).
- First and last name of the user
- E-mail address of the user and other contact details.
Failure to provide this information will make it impossible for us to provide the Documentation or to grant access to the interface.
After verifying the request, the Bank shall send an e-mail message to the applicant, together with the Documentation. In the case of a request for access to the interface, the Bank shall contact the applicant by telephone or e-mail in order to carry out the implementation process.
In order to provide access to the interface, the Bank does not require any additional documentation from TPPs who intend to provide the PIS and AIS services, with the exception of the documentation referred to in the section “Access to interface and request to receive the Documentation”.
Should you have any questions, problems, or wish to report errors tied to the operation of the interface, please contact our experts by e-mail.
E-mail address: firstname.lastname@example.org
Identification of the TPP via the interface is based on electronic certificates, pursuant to the requirements of Regulation (EU) No 910/2014 (eIDAS).
An entity that intends to provide PIS and/or AIS services should possess its own valid certificate, to be used for identification under the interface, consistent with the requirements specified in Article 34 of Regulation 2018/389.
Each service available under the interface is launched on the basis of the following steps:
- Identification and obtaining the OAuth token
- Placing the required data, indicating the service, in the header
- Signing and encrypting the “payload”, i.e. the elements necessary to perform the given service
- Logging out
The identification process generates the OAuth token, which in turn allows subsequent API requests to be made (e.g. payment initiation). Details are described in the Documentation.
Authentication of the User (account holder)
Authentication of the User is based on electronic certificates, used by entities to make electronic signatures.
In the “body” section, insert the “payload”, i.e. the details of the specific service to be launched following authentication. In the above case, the payment initiation service is presented.
The “payload” must contain the customer’s consent, in the form of an electronic certificate. Details of the procedure are described in the Documentation.
The Bank ensures security through the use of electronic certificates, consistent with the requirements of eIDAS. We support certificates from selected providers (the list of providers is available in the Documentation).
The confidentiality of communication and of the data being sent is ensured by the use of the secure TLS protocol. Transmission of data takes place via a connection with the Bank’s servers.
During identification and authentication, the Bank launches procedures for access control and verification of electronic certificates.
Unavailability of the interface
All information on planned and unplanned unavailability of the interface shall be provided by the Bank via e-mail to the applicant's addresses indicated during the implementation process.
1 Commission Delegated Regulation (EU) of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication available at: https://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32018R0389.
2 Journal of Laws of 2018, item 1075.