By Heinz-Roger Dohms
Did you know … that N26 has made an interesting U-turn on PSD2? As the open-banking aficionados among you will recall, the Berlin neobank once had its PSD2 interface built by an Anglo-Saxon RegTech called Token.io. Sounded pretty hip. But according to consistent accounts from people who access such interfaces for a living, it often worked only so-so.
In recent days, however, an N26 email (“Sensitive Information”) reached the API community, according to which the German flagship fintech has renounced the Token.io solution and now relies instead on an in-house interface based on the run-of-the-mill “Berlin Group” standard. “Access works much better now,” one of the aficionados writes to us. Glad to hear it!
Here, for the record, is what exactly the N26 email said (at least in excerpts):
Hello from N26,
We’re excited to let you know that the PSD2 Dedicated Interface (API) for PISP is out now.
The new PISP extension to our recently released PSD2 API makes the whole API functionally complete. Whether you’re an AISP, PISP or a Card-Based Payment Initiation service, you can now enjoy all the features in the scope of PSD2 using our new API. The PISP API has exactly the same mechanics as the AISP API, so those TPPs already integrated with our AISP API can start making calls to the additional payment initiation endpoints right away.
The new PSD2 API is implemented by the N26 team and doesn’t involve any partners. It’s a Berlin Group 1.3 compliant API with some additional benefits and future extensions that we hope you’ll enjoy using. We’ve already tested the API in production together with a limited number of early adopters, so you can be sure it works as expected.
You can find the complete documentation for both AISP and PISP attached to this email; it’s also publicly available in our support center. We’ll post updates on that page regularly as well as notify you by email.
Advantages of the new N26 PSD2 API:
- No registration required. Unlike with token.io or N26 fallback API, TPPs don’t need to register with N26 to start making calls to the API. All you need to do is to start making calls according to the documentation providing your QWAC certificate
- Spaces are also provided for free. N26 Spaces are virtual subaccounts without IBANs where users can stash their money. Since they’re not recognized as payment accounts, they’re not mandatory on the dedicated interface. We made the decision to provide it to TPPs with the standard user consent for free
- No need to manage user credentials. Unlike with N26 fallback API, TPPs are no longer required to store and process the user credentials, since the authentication happens directly between users and N26. This improves security as well as provides users with the original N26 UX. Users shouldn’t worry about sharing credentials with 3rd parties anymore
- No need to manage PIN encryption: Unlike with N26 fallback API, TPPs don’t have to implement PIN encryption and deal with complexities of the N26 app API any longer.
- Unified standard API. We follow the latest Berlin Group 1.3 standard with as little deviation as possible
- Direct support from the dedicated N26 team. We’re open to suggestions and fixing problems you might experience with us. Just drop us a line and we’ll pick it up from there
- An unlimited number of requests within sessions. We provide you 4 sessions per day for AIS requests. Each session is about 15 minutes and you can make an unlimited number of requests during those sessions just like the user can get all that info during the session using our mobile/web apps
Note for TPPs on-boarded on N26 Fallback API
N26 Fallback API is going to stay available and accessible for TPPs as the alternative PSD2 interface. If you’re already integrated with fallback – you can stay on it. However, we do recommend migrating to the Dedicated Interface since it’s more stable and provides more functionality. A simple example: for AIS/PIS functionality with the fallback API you’d need to manage user credentials manually as well as implement PIN encryption logic on your side to make the calls go through. With the Dedicated Interface, it’s all on our side. In the future, all extensions and additional auth methods will be available only on the dedicated interface. We’ll shut down the fallback API only after we get the PSD2 fallback exemption from BaFin with prior notice to relevant TPPs.
Sandbox environment: Currently there’s no possibility to test the N26 PSD2 API in a sandbox environment with mock data. Since our implementation is standard Berlin Group it hasn’t been an issue with the TPPs we tested it with. Temporarily we provide extensive 1:1 tech support for all TPPs integrating with us
Additional authentication mechanisms: as advised by BaFin and some of the early adopters of the N26 PSD2 API – we’re going to add additional authentication mechanisms to the dedicated interface. Currently, only the “Decoupled with OAuth as a pre-step” method is available, which perfectly matches the original behavior of our N26 apps and is a compliant implementation recognized by the PSD2 standards. To improve the experience for both TPPs and end-users we’re discovering the additional app2app authentication as well as the standard redirect in addition to the already existing method.