PSD2 [Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market] is an EU directive that obliges banks to provide Third-Party Providers (TPPs), e.g. other banks, fintech companies and payment service providers, with access to their clients' accounts. The Client must consent to such access each time. The changes entered into force on 14 September 2019.

The Directive strives to:

  • regulate the new financial solutions, standardize the payment market and increase competitiveness;
  • ensure the highest payment security standards, e.g. by means of introducing the so-called strong customer authentication (in Citi Handlowy – a one-time authentication code sent via a text message or the Citi Mobile Token service, for instance);
  • introduce the concept of “open banking”, which means opening the market of payment services to the TPPs, e.g. regulated (in Poland by the Polish Financial Supervision Institution) third-party payment service providers;
  • ensure the safety of consumers and consumer data.

What has PSD2 changed so far?

  • We have shortened the complaint investigation time for payment services and for refunds in the case of non-authorized transactions.
  • We have reduced the amount of the Client’s liability for non-authorized transactions from EUR 150 to EUR 50.
  • We have changed the method of calculating the bank transfer costs in the EEA.

What changes entered into force on September 14th 2019?

  • Increasing payment security: e.g. by means of introducing the so-called strong customer authentication (SCA). We will soon launch a new transaction authentication solution for our Clients – Citi Mobile Token, which will be necessary to conclude all on-line payment card transactions.
  • Making finance management and payment orders more convenient: the possibility to view all bank accounts held with different banks, using one chosen system (in the banks that offer such functionality) and the possibility to instruct payments through the TPPs. The process of instructing payments through third parties will work similarly to the currently available fast bank transfer process (“Pay by link”).
  • Ensuring safety of logging in: every 90 days, when you log in to your e-banking, we will ask you for additional authentication data as part of the strong customer authentication procedure (e.g. using the Citi Mobile Token or a one-time authorization code sent via a text message). Additionally, the session time will be shortened from 8 to 5 minutes.
  • Increasing the security of contactless payments: PIN code will still not be required in the case of transactions for up to PLN 50, until the total amount of EUR 100 is spent, in which case the Client will be asked to authorize the transaction with the PIN code.
  • During the identity verification in the IVR channel, verification using PESEL will be disabled. We encourage you to use the Citibank Online electronic banking services, Citi Mobile application or to activate the Incoming Number Identification service in Citi Phone.

Is open banking safe?

As we have already mentioned, one of the objectives of PSD2 is to ensure high safety and security standards in the financial services market.

The Clients themselves decide who can use their data and when: each and every request for the disclosure of data to the TPPs will be preceded by a request for consent. Once granted, the consent may be withdrawn at any time by contacting the company to which it was granted. Additionally, the use of the services offered by the TPPs will require authentication in the form of logging in to the Citibank Online e-banking system. We also secure our Clients’ data using cutting-edge technologies.

Types of API-based cooperation with Citi Handlowy:

Commercial

A Partner consumes a selected API under an agreement between the Partner and Citi Handlowy. An example of such cooperation is the use of an acquisition API, which may allow the Partner to offer Citi products in cooperation with the Bank (collecting applications or a full application process for a credit card).

A regulatory API under PSD2

Pursuant to PSD2, from September 14, 2019, licensed entities (the so-called TPPs) may gain access to the open API in the scope of account information (AIS), initiation of payments (PIS) and confirmation of availability of funds on an account (CAF), without concluding an agreement with Citi Handlowy.

Accessing open APIs (PSD2)

In accordance with the requirements of PSD2, Citi Handlowy provides an open API (Application Programming Interface) to enable a secure connection between the bank and external payment service providers (TPPs).
A TPP authorized by the national regulatory authority as an account information access service provider or payment initiation service provider can use this link to access our API (Citi Partner Portal), where all information needed for successful integration with Citi Handlowy has been provided. TPPs can use open APIs in a production environment, according to the scope of their license.
To use open APIs, open the API catalog on the Citi Partner Portal, select "Poland" and then refer to:

  • Accounts API for AIS and CAF services
  • Money Movement API for the PIS service

TPP (Third Party Provider) access to open APIs, in the PSD2 scope, will require the TPP's eIDAS certificate. Details of integration with open APIs for TPPs can be found in the API catalog on the Citi Partner Portal, in the "Poland" tab.

Access to commercial APIs

APIs supporting the commercial model of cooperation with Citi Handlowy are listed in the API Catalog on the Citi Partner Portal, in the "Poland" tab. All information regarding their structure and development documentation is available on the Portal, enabling a test integration of the Partner's application in the Sandbox test environment, using dummy data. In the case of commercial use of the API in cooperation with Citi Handlowy, such integration is required.

First steps in the virtual test environment (Sandbox) of Citi Partner Portal

The access to the Sandbox on Citi Partner Portal is public, which means anyone can register there and conduct a test integration with his/her application in a secure environment.

Our Sandbox reflects the structure of the production environment to the best possible extent, therefore a potential migration to the production environment should proceed without major problems. The steps below describe how to do that:

  1. Register on the Citi Partner Portal website. Within a few days you will receive an e-mail confirming your registration and asking you to confirm your e-mail address by clicking on the registration link.
    Important! TPP registration is not required before using the open APIs, to the extent consistent with PSD2.
  2. Log in to Sandbox.
  3. Register your application (Register a New App) in section API Keys.
  4. After the app has been registered, you will obtain a Client ID and Client Secret (these are confidential data that cannot be provided to anyone according to the Terms and Conditions of the Sandbox).
    1. Client ID is an identifier which helps us identify the party trying to gain access to the API.
    2. Client Secret is a confidential value used for authentication and also applied in the authorization of requests sent through the API.
      Important! In order to use open APIs, a TPP does not need to register its application. Details of TPP integration with open APIs are available in the API catalog on the Citi Partner Portal, in the "Poland" tab.
  5. Authenticate through the Authorize API using the Client ID and Client Secret. The Sandbox uses the commonly applied OAuth 2.0 standard. Depending on the API with which you wish to integrate, there are two ways of authentication:
    1. Two-Legged – used when the Bank does not provide sensitive or confidential data to the application of a third party (e.g. Onboarding API)
    2. Three-Legged – used when the Bank provides sensitive or confidential data to the application of a third party (e.g. in the scope of AIS/PIS services – access to account information or payment initiation)
      Important! Details regarding TPP authorization are available in the API catalog on the Citi Partner Portal, in the "Poland" tab.
  6. Perform an appropriate integration of your app with the Bank’s API using the documentation available in the Sandbox. Sandbox makes it possible to generate static responses to the sent API commands.
  7. After you have successfully performed the tests, please send an application with a cooperation proposal to the Bank. The applications can be sent using the contact data on this website or via a contact form on Citi Partner Portal.
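
The two OAuth 2.0 flows named in step 5, sketched as an added example that is not part of the original page and is not Citi's code: it builds the two-legged (client credentials) token request and the three-legged (authorization code) redirect, callback check and code exchange without sending anything. The endpoint URLs, scope values and function names are placeholders chosen for illustration; the actual Authorize API parameters are in the Sandbox documentation.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Placeholder endpoints (assumption); the real ones are in the portal documentation.
TOKEN_URL = "https://sandbox.example.invalid/oauth/token"
AUTHORIZE_URL = "https://sandbox.example.invalid/oauth/authorize"


def client_auth_headers(client_id, client_secret):
    """HTTP Basic client authentication: the secret goes in a header, never in a URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded"}


def two_legged_token_request(client_id, client_secret, scope):
    """Client-credentials grant: the app acts as itself, no bank client involved."""
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return TOKEN_URL, client_auth_headers(client_id, client_secret), body


def three_legged_authorize_url(client_id, redirect_uri, scope):
    """Authorization-code grant, step 1: redirect the client to log in and consent."""
    state = secrets.token_urlsafe(32)  # unguessable; store it in the user's session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state  # note: no Client Secret in the URL


def code_from_callback(callback_query, expected_state):
    """Step 2: accept the code only if the state value round-tripped unchanged."""
    params = parse_qs(callback_query)
    if "error" in params:
        raise PermissionError(f"authorization refused: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise PermissionError("callback carries no authorization code")
    return params["code"][0]


def three_legged_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: exchange the code for tokens, authenticating as the registered app."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return TOKEN_URL, client_auth_headers(client_id, client_secret), body
```

In a real integration the Client Secret is loaded from a secrets store or environment variable rather than written into source, and the `state` value is kept server-side against the browser session until the callback arrives.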

Available categories of APIs

Citi Partner Portal for Poland offers the following categories of APIs (in the Menu, select API Products > Poland):

  1. Accounts – access to information on payment accounts (current, savings and FX accounts, credit cards) in terms of balance, transaction history and account details.
    Important! This API can be used by TPP to provide AIS and CAF services
  2. Authorize – enables verification of a Citi Handlowy client.
  3. Customers – basic information about the Client.
  4. Money Movement – enables initiation of transfers available to Citi Handlowy clients, including instant transfers between Citi accounts in different countries free of charge (CGT – Citi Global Transfer).
    Important! This API can be used by TPP to provide PIS
  5. Onboarding – a possibility to send credit card and cash loan applications to Citi Handlowy. These can be the so-called short applications, which include basic client information, or long applications – with the full application process covering all client data, initial credit decision, client's documentation and verification.
  6. Pay with Points – using Citi points to pay online.
  7. Utilities – information on values of some APIs.

API Availability reports

Below are quarterly published reports with information on the availability of a dedicated access interface, i.e. our APIs operating as part of PSD2 services.

The report includes the following data on daily performance for our API: uptime, downtime, average response time, and percentage of errors.

Contact

Thanks to different categories of APIs in our offer, we are ready to create different business models.
If you have acquainted yourself with our Sandbox and have questions concerning potential cooperation, please contact us at:


open.banking.poland@citi.com


We make every effort to reply within 3 business days.