PSD2 [Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market] is an EU directive that obliges banks to provide Third-Party Providers (TPPs), e.g. other banks, fintech companies and payment service providers, with access to their clients’ accounts. The Client must consent to such access each time. The changes enter into force on 14 September 2019.

The objectives of the directive are, among others, to:

  • regulate new financial solutions, harmonize the payments market and boost competitiveness,
  • ensure top security standards of payments by, for example, introducing the so-called strong authentication (at Citi Handlowy this includes a text message or the Citi Mobile Token service),
  • implement the concept of so-called “open banking”, i.e. opening the payment services market to third parties, for example those that provide payment services, subject to regulatory approval (in Poland – by the PFSA). The services in question are provided by third parties which will be granted the status of a Third Party Provider (TPP). These companies can provide two categories of services: Payment Initiation Service (PIS) – a service of initiating payment transactions that allows third parties to execute payments on behalf of their client (upon the client providing their login data in online banking), and Account Information Service (AIS) – a service of providing access only to account information outside of their bank’s transaction platform (clients will be able to access information about the bank account balance or transaction history),
  • ensure better protection of consumers and their data

What has changed following the implementation of PSD2?

  • Shorter complaint handling time and money refund time in case of unauthorized transactions
  • Lower amount of the client’s liability for unauthorized transactions – from EUR 150 to EUR 50
  • Different settlement method for fees on transfers executed within the European Economic Area
  • Higher security of payments owing to, among others, implementation of the so-called strong authentication (SCA) – Citi Mobile Token, which is necessary to execute any card transactions online
  • More convenient finance management and payment ordering: option to view all bank accounts held with different banks via one selected system (applies to banks that provide such a service) and an option to order transfers via TPPs. The payment initiation process via third parties is similar to the currently applicable instant transfer (so-called Pay by link)
  • Improved login security – strong authentication (with Citi Mobile Token or a one-time SMS code, among others) may be required once every 90 days when logging in to electronic banking. Additionally, the session timeout for Citibank Online has been reduced from 8 to 5 minutes.
  • Better protection of contactless payments – contactless payments of under PLN 50 will not require a PIN code until reaching a total purchase amount of EUR 100 – then the Client will be prompted to enter the PIN code.
  • Disabled option to verify identity in the IVR channel using the PESEL number – we encourage you to use Citibank Online electronic banking services, Citi Mobile application or to enable Incoming Call Identification service in CitiPhone.


Is open banking safe?

As we have already mentioned, one of the objectives of PSD2 is to ensure high safety and security standards in the financial services market.

The Clients themselves decide who can use their data and when – each and every request for the disclosure of data to the TPPs will be preceded by a request for consent. Once granted, the consent may be withdrawn at any time by contacting the company to which it had been granted. Additionally, the use of the services offered by the TPPs will require authentication in the form of logging in to the Citibank Online e-banking system. We also secure our Clients’ data using cutting-edge technologies.

Types of API-based cooperation with Citi Handlowy:

Commercial

A Partner consumes a selected API under an agreement between the Partner and Citi Handlowy. An example of such cooperation is the use of an acquisition API, which may allow the Partner to offer Citi products in cooperation with the Bank (collecting applications or a full application process for a credit card).

A regulatory API under PSD2

Pursuant to PSD2, from September 14, 2019, licensed entities (the so-called TPPs) may gain access to open API in the scope of account information (AIS), initiation of payments (PIS) and confirmation of availability of funds on an account (CAF), without concluding an agreement with Citi Handlowy.

Accessing open APIs (PSD2)

In accordance with the requirements of PSD2, Citi Handlowy provides an open API (Application Programming Interface) to enable a secure connection between the bank and external payment service providers (TPPs).
A TPP authorized by the national regulatory authority as an account information access service provider or payment initiation service provider can use this link to access our API (Citi Partner Portal), where all information needed for successful integration with Citi Handlowy has been provided. TPPs can use open APIs in a production environment, according to the scope of their license.
To use open APIs, open the API catalog on the Citi Partner Portal, select "Poland" and then refer to:

  • Accounts API for AIS and CAF services
  • Money Movement API for the PIS service

TPP (Third Party Provider) access to open APIs, in the PSD2 scope, requires the TPP's eIDAS certificate. Details of integration with open APIs for TPPs can be found in the API catalog on the Citi Partner Portal, in the "Poland" tab.

Access to commercial APIs

APIs supporting the commercial model of cooperation with Citi Handlowy are listed in the API Catalog on the Citi Partner Portal, in the "Poland" tab. All information regarding their structure and development documentation is available on the Portal, enabling a test integration of the Partner's application in the Sandbox test environment, using dummy data. In the case of commercial use of the API in cooperation with Citi Handlowy, such integration is required.

First steps in the virtual test environment (Sandbox) of Citi Partner Portal

The access to the Sandbox on Citi Partner Portal is public, which means anyone can register there and conduct a test integration with his/her application in a secure environment.

Our Sandbox reflects the structure of the production environment to the best possible extent, so a potential migration to the production environment should proceed without major problems. The steps are as follows:

  1. Register on the website Citi Partner Portal. Within a few days you will receive an e-mail confirming your registration and asking you to confirm your e-mail address by clicking on the registration link.
    Important! A TPP is not required to register before using open APIs, to the extent consistent with PSD2.
  2. Log in to Sandbox.
  3. Register your application (Register a New App) in section API Keys.
  4. After the app has been registered, you will obtain a Client ID and Client Secret (these are confidential data that cannot be provided to anyone according to the Terms and Conditions of the Sandbox).
    1. Client ID is an identifier which helps us identify the person trying to gain access to API.
    2. Client Secret is an identifier used for authentication and also applied in the authorization process of inquiries sent through API.
      Important! In order to use open APIs, a TPP does not need to register its application. Details of TPP integration with open APIs are available in the API catalog on the Citi Partner Portal, in the "Poland" tab.
  5. Perform an authentication through Authorize API using Client ID and Client Secret. Sandbox uses the commonly applied OAuth 2.0 standard. Depending on the API with which you wish to integrate, there are two ways of authentication:
    1. Two-Legged – used when the Bank does not provide sensitive or confidential data to the application of a third party (e.g. Onboarding API)
    2. Three-Legged – used when the Bank provides sensitive or confidential data to the application of a third party (e.g. in the scope of AIS/PIS services – access to account information or payment initiation)
      Important! Details regarding TPP authorization are available in the API catalog on the Citi Partner Portal, in the "Poland" tab.
  6. Perform an appropriate integration of your app with the Bank’s API using the documentation available in the Sandbox. Sandbox makes it possible to generate static responses to the sent API commands.
  7. After you have successfully performed the tests, please send an application with a cooperation proposal to the Bank. The applications can be sent using the contact data on this website or via a contact form on Citi Partner Portal.
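
The two OAuth 2.0 authentication modes from step 5, as an added example that is not Citi Handlowy's code: it builds the token and authorization requests (RFC 6749 client-credentials and authorization-code grants) without sending them. The endpoint URLs, scope names and redirect URI are hypothetical placeholders; the real values are in the API catalog on the Citi Partner Portal.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical placeholders, not the Portal's real endpoints.
AUTHORIZE_URL = "https://sandbox.example.invalid/authorize"
TOKEN_URL = "https://sandbox.example.invalid/token"
FORM = "application/x-www-form-urlencoded"


def basic_auth_header(client_id, client_secret):
    """Client ID and Client Secret travel in the Authorization header, never in a URL."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def two_legged_token_request(client_id, client_secret, scope):
    """Two-Legged (client-credentials grant): no end user, so no consent step."""
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                    "Content-Type": FORM},
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }


def three_legged_authorize_url(client_id, redirect_uri, scope):
    """Three-Legged, step 1: redirect the client to the bank to log in and consent."""
    state = secrets.token_urlsafe(32)  # store in the user's session, check on return
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def three_legged_token_request(client_id, client_secret, callback_url,
                               expected_state, redirect_uri):
    """Three-Legged, step 2: validate the callback, then exchange the code."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise ValueError("authorization denied: " + params.get("error", ["unknown"])[0])
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                    "Content-Type": FORM},
        "body": urlencode({"grant_type": "authorization_code",
                           "code": params["code"][0], "redirect_uri": redirect_uri}),
    }
```

The Client Secret appears only in the server-to-server token requests; the browser-facing authorization URL carries the Client ID and a per-session `state` value, and a callback with a wrong or missing `state` is rejected before any code exchange.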

Available categories of APIs

Citi Partner Portal for Poland offers the following categories of APIs (in the Menu, select API Products > Poland):

  1. Accounts – access to information on payment accounts (current, savings and FX accounts, credit cards) in terms of balance, transaction history and account details.
    Important! This API can be used by TPP to provide AIS and CAF services
  2. Authorize – enables verification of a Citi Handlowy client.
  3. Customers – basic information about the Client.
  4. Money Movement – enables initiation of transfers available to Citi Handlowy clients, including instant transfers between Citi accounts in different countries free of charge (CGT – Citi Global Transfer).
    Important! This API can be used by TPP to provide PIS
  5. Onboarding – a possibility to send credit card and cash loan applications to Citi Handlowy. These can be the so-called short applications, which include basic client information, or long applications – with the full application process covering all client data, initial credit decision, client's documentation and verification.
  6. Pay with Points – using Citi points to pay online.
  7. Utilities – information on values of some APIs.

API Availability reports

Below are quarterly published reports with information on the availability of a dedicated access interface, i.e. our APIs operating as part of PSD2 services.

The report includes the following data on daily performance for our API: uptime, downtime, average response time, and percentage of errors.

Contact

Thanks to different categories of APIs in our offer, we are ready to create different business models.
If you have acquainted yourself with our Sandbox and have questions concerning potential cooperation, please contact us at:


Retail banking:
open.banking.poland@citi.com

Corporate banking:
helpdesk.ebs@citi.com


We make every effort to reply within 3 business days.