The Berlin Group is made up of participants in the payments industry from both eurozone and surrounding countries, with the aim of defining open standards in the interbanking domain between the creditor bank and the debtor bank, and of helping compliance with the PSD2 regulation.
NextGenPSD2
The Berlin Group
Europe
The XS2A interface is mandatory for obtaining consent to access account information. Such information may include a transaction history or a list of accounts. The TPP must clearly inform the PSU about the rights they are consenting to. The PSU must be strongly authenticated, and once the TPP has acquired the right to further account information, it must inform the PSU of the result. If the TPP cannot be identified at the XS2A interface, the transaction is rejected.
The standard has four models for Strong Customer Authentication (SCA): redirect, OAuth2, decoupled and embedded.
The standard includes dedicated consent management.
The framework has an introductory document, an operational rules document, implementation guidelines with the technical details, and an open API file.
The Mobile Peer 2 Peer work (the use of mobile phones to almost simultaneously authenticate a customer and release available funds) will involve a fine-tuning of the PSD2 mechanisms. A public market consultation for the framework took place in March 2017, and version 1.2 was published in November 2020.
Bankart, a Slovenian payments company, uses the Berlin Group’s standard (see “Bankart joins the Berlin Group”, berlin-group.org) and has provided the PSD2 XS2A interface to ten banks.
Lithuania’s Bittiq has an Open Banking platform tailored towards wealth management, lending and retail banking.
ISO 20022
JSON
RESTful
XML
Active API
NextGenPSD2 v2.0 / 1 March 2024
The Berlin Group follows an open-source model for information sharing.
Regulated
Mandated
Premium
The Eurozone payment industry’s response to the PSD2 legislation.
The Berlin Group hopes to make payment schemes in Europe flow between nations the way they already do at a national level. As of January 2022, there were 69 organisations from 30 countries coordinating the standards development.
The Berlin Group has been involved with the “access to account interface” (XS2A) to suit the requirements of PSD2 (the updated Payment Services Directive).
An Account Servicing Payment Service Provider (ASPSP) has to provide an interface to allow the Third Party Payment Service Providers (TPP) to access the account of the Payment Service User (PSU).
This is necessary when initiating a payment on behalf of a PSU, when requesting information about a PSU’s account, or when confirming the availability of funds for a PSU.
The NextGenPSD2 XS2A interface defined by the Berlin Group is used by 3600 banks (over 75% of European banks) and hundreds of Third Party Providers across Europe. Banks outside PSD2-mandated countries have been adopting the standards in order to achieve compatibility and reachability with the PSD2-mandated countries.
Open Finance is an extension of NextGenPSD2.
Banking
Finance
Open Banking
- Account Information
- Payment Initiation
Open Finance
- Extended Payment Initiation Service
- Extended services: single cards, savings accounts, loan accounts, securities accounts
Credit Cards
Current Accounts
Investments
Lending
Savings
Wallets Or Prepaid
Certificates
Registry
App To App Redirect
Browser Redirect
Decoupled
Embedded
The execution of any transaction at the XS2A interface is subject to the consent of the PSU.
OAuth
Awareness of potential attacks on the XS2A Framework has led the Berlin Group to introduce supplementary measures into the Implementation Guidelines. These include shortening the timeframe for executing the necessary authentication of the PSU, gathering more information from the PSU for fraud detection systems (such as the IP address), and accepting only complete transactions on the XS2A interface.
Qualified eIDAS certificates are used for secure identification of access clients: QWAC certificates (qualified website authentication certificates) at the TLS level and QSEAL certificates (qualified electronic seals) at the application level. This is evolving in Open Finance, which assumes the use of directory services in API Access Schemes, whereas the use of directory services was previously voluntary.
The Berlin Group is looking to integrate FAPI (the Financial-grade API security profile) into the next iteration of its PSD2 framework.
Webhook
Accounts
Balances
Beneficiaries
Cards
Confirmation Of Funds
Direct Debits
Other
Parties Or Contacts
Standing Orders
Statements
Transactions
Bulk Payments
File Payments
Future Dated Payments
Other
Pay Later
Request to Pay
Single Domestic Payments
Single International Payments
Standing Orders
Variable Recurring Payments
Parties/contact information is included in AIS Accounts.
API Specifications
Operational Guidelines
The Berlin Group’s download page allows access to full specifications and documentation around their API frameworks.
API files, implementation guidelines and operational rules for NextGenPSD2.
For testing and testing support, information can be found at NISP (the NextGenPSD2 Implementation Support Program), which supports banks, associations, schemes and interbank processors in implementing the Berlin Group NextGenPSD2 framework.
The Berlin Group first met in 2004 to fulfil the vision of the European Central Bank, the European Commission and the European Payments Council of the Single Euro Payments Area (SEPA). This vision involves extending the current high level of efficiency, brand awareness, security, convenience and ease of use that exists for transactions within national borders to the entire SEPA area.
The Second Payment Services Directive (PSD2) is European legislation that came into force in January 2016 to regulate electronic payment services and payment service providers throughout the EU. It followed on from the original PSD, which was adopted by the EU in 2007.
The PSD2 legislation was intended to bring APIs into line with the diversity of banking payment services, online banking functionalities, local regulatory requirements and authentication methods.
The Berlin Group is governed by a Plenary, with several task forces reporting to the Plenary. The Berlin Group operates as a civil union with informal governance. Participation is open to supply-side market participants active in the SEPA payment industry.
The task forces include the Authorisation Task Force (working on the standardisation of the authorisation application layer), the Clearing Task Force (clearing and settlement matters), the VPN Task Force and the Security Task Force (both looking at network connection requirements). Other NextGen Task Forces, including the Open Finance Task Force, are discussing tokenisation, instant payments, and other emerging issues.
An Implementation Task Force has been established to support implementers.
Fraud detection is based on PSU device related data.
Data encryption is based on Transport Layer Security.
The Berlin Group makes clear that the implementation of the standards it delivers is left entirely to market participants; the group is solely concerned with the development of the standards.
Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.