Payments NZ developed the API Centre standards in consultation with the New Zealand government.
The flow involved in the standard firstly has the customer requesting that a Third Party can access their account, held by an API provider. This provider then allows the Third Party to set up a flow with them, this provider might be the customer’s bank.
The Third Party transfers the customer to their bank to securely authorise access to specific account information. v2.0 and above of the standards include two authentication flows – redirect and decoupled – providing an additional option for standards users to gain customer consent.
The authentication flows define a safe and secure process for an API Provider to confirm a customer has authorised a Third Party’s consent request in real time. The functionality in each flow applies to both the Payment Initiation and Account Information APIs.
The Bank of New Zealand (Open Banking – BNZ ) is encouraging customers to give consent to Open Banking to allow for more flexibility with their money management.
Worldline has a developer portal for creating digital financial solutions.
Anyone can view the published version of the standards, available here Payments NZ API standards – Confluence (atlassian.net).
Eligible API providers must be:
A New Zealand registered bank, New Zealand non-bank deposit taker, or an entity prudentially regulated by the Reserve Bank of New Zealand or Financial Markets Authority (FMA),
Issue and provide bank accounts to your customers using the Payments NZ standard for bank account formats, and
Have a genuine business interest in the use of APIs developed using the API standards.
To be eligible for Standards User registration as a Third Party, you must have:
A New Zealand bank account,
A New Zealand GST number, and
A genuine business interest in the use of APIs developed using the API standards.
You’ll also need to:
Sign an agreement with the API Centre accepting the Standards User terms and conditions, and
Pay your annual registration fee.
The API Centre is member driven and open for market participation.
The Account Information API Standard allows consent based access to specific customer information, held within an API provider. The API Centre also defines a standard for payment initiation enabling a customer to set up and make electronic payments through a registered Third Party to a registered API Provider.
Included in the standard are resources giving information such as the balance of an authorised account, a list of transactions posted to an account within a defined date range, a list of saved recipients and direct debits, standing orders, personal details of the customer, scheduled payments and statements within a specific date range.
The standard dictates a clear flow for the process.
Real time confirmation is given to the TPP by the API provider that the customer has authorised access to the account or a payment and provides the consented information or utilises the redirect or decoupled authentication flow, respectfully.
The information that can be accessed through the standard includes a retrieval of the full list of accounts held by a customer, the balances, transactions, the trusted beneficiaries, direct debits, standing orders, the offers available on the accounts, scheduled payments and statements of the accounts, and details about the party who owns the accounts.
Authentication flows, coupled and decoupled, are used as additional options to gain customer consent. The most recent v2.1.0 of the Payment Initiation API allows long-lived consents. This new functionality enables a Third Party to process payments from a customer’s account to a nominated beneficiary multiple times, with the customer’s consent.
This functionality streamlines the authentication flow substantially over the life of the consent and removes the requirement for the customer to authorise consent with their bank every time a payment is made.
OAuth 2.0 framework
OpenID Connect Request (OIDC)
Financial API (FAPI) security regime
The API Centre provides a sandbox environment to allow developer experimentation with the standards.
Acting like a model bank, the sandbox contains endpoints for all the API standards, contains up-to-date patches and provides real-world format responses with dummy bank data.
Payment-related APIs have been used in New Zealand for some time, but there was no industry-wide standardisation of these.
In 2017, industry discussions in New Zealand led to the development of API standards for use in an industry pilot. The industry participants were BNZ and ASB, and technology companies TradeMe, Datacom, and Paymark. In 2019 the API centre, part of Payments NZ, was launched to facilitate work that would lead to a set of API standards to deliver Open Banking to New Zealanders.
An API Council, comprised of 6 API Provider (e.g. bank) representatives, 6 TPP representatives, and three independent representatives, governs the API Centre.
The API Council receives guidance and recommendations from three working groups made up of Standards User representatives – the Business Group, Technical Group, Partnering Group and ad hoc project groups who are in turn directed by the API Council.
Customer Experience Guidelines are outlined in Confluence.
Strong customer authentication (SCA) at the Customer’s API Provider for a Third Party request which must be actioned by the API provider is necessary. This should only be required once for a single session of access to account information.
Customers should have their usual authentication methods available.
The experience of authentication with a third party should be as smooth as with their API provider.
API providers should avoid all unnecessary steps, unclear language or distractions from the authentication process.
Standards Users enter into terms and conditions to use the API standards. These terms and conditions include compliance obligations. Standards Users must undertake annual self-attestation of compliance.
In July 2021, the New Zealand Government decided to implement a new legislative framework for consumer data right.
In early 2022 the Government will make further decisions about the implementation of consumer data right. This will include decisions on which institutions have a role in the implementation and development of rules and standards, and measures for enforcing consumer data right. The Government will also consider which sectors should be assessed first for the potential application of consumer data right.
A Bill implementing the consumer data right is expected to be introduced to Parliament in 2022.