{"id":430,"date":"2019-09-20T16:41:05","date_gmt":"2019-09-20T15:41:05","guid":{"rendered":"https:\/\/psd2meniet.nl\/?p=430"},"modified":"2021-07-19T10:50:43","modified_gmt":"2021-07-19T09:50:43","slug":"techniek-achter-psd2","status":"publish","type":"post","link":"https:\/\/psd2meniet.nl\/en\/techniek-achter-psd2\/","title":{"rendered":"Technology behind PSD2: APIs"},"content":{"rendered":"<p>The Don't-PSD2-me-Register requires data filtering. In order to know how this needs to be developed technically, we want to understand better how the communication between account information service provider and bank takes place. In this article we elaborate on how PSD2 is technically implemented. To do so, we need to dig into the code. For this we use the public API documentation that banks make available. We only focus on the AISPs, the account information services.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bank and AISP talk via an API<\/h2>\n\n\n\n<p>In order to better understand which information of a bank is shared with an AISP, we have looked at several <a class=\"info-marker\" data-info=\"An API is an application programming interface. An API is a connector through which a third party gets access to functionality of the application. In the case of the AISP, it can request payment data through an API. An API can be used by any party that has the right credentials, such as registration codes.\">APIs of banks<span class=\"icon\"><\/span><\/a>. The AISP and the bank communicate via an API. The API defines what a request looks like, and what information the bank sends back. There seems to be <a class=\"info-marker\" data-info=\"Although we have not investigated this further, we noticed differences between the banks. 
Triodos uses the industry standard NextGenPSD2 XS2A Framework (https:\/\/www.berlin-group.org\/psd2-access-to-bank-accounts), whereas ING appears to have developed its own API.\">no industry standard used by all banks.<span class=\"icon\"><\/span><\/a> Every API will be different, but the functionality will match because it is described in PSD2 and the RTS.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hardly any restrictions possible within the API<\/h3>\n\n\n\n<p>As soon as a customer wants to use an account information service, he will authorise an AISP and confirm this to the bank (see also the article <a rel=\"noreferrer noopener\" href=\"https:\/\/psd2meniet.nl\/en\/psd2-en-privacy\/\" target=\"_blank\">PSD2 and privacy<\/a>). Via the API, the AISP and the bank talk to each other. What the API looks like determines which information is transferred. For example, an AISP can make the following request. We have converted <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/developer.triodos.com\/docs\/account-information-service#section-example-consent-request\" target=\"_blank\">a piece of code<\/a> into more readable text. 
The content of the request is shown below.<\/p>\n\n\n\n<ul><li>accounts:<ul><li>iban:...an IBAN,<\/li><li>balances:iban:...an IBAN,<\/li><li>transactions:iban:...an IBAN,<\/li><\/ul><\/li><li>recurringIndicator:true, (may also be false)<\/li><li>validUntil:2019-05-30, (there is no default value, but there is a maximum of 90 days)<\/li><li>frequencyPerDay:4 (number of times data can be retrieved)<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"853\" height=\"291\" src=\"https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-4.png\" alt=\"\" class=\"wp-image-476\" srcset=\"https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-4.png 853w, https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-4-300x102.png 300w, https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-4-768x262.png 768w, https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-4-100x34.png 100w\" sizes=\"(max-width: 853px) 100vw, 853px\" \/><figcaption><a rel=\"noreferrer noopener\" aria-label=\"Consent request with recurring access (opens in new tab)\" href=\"https:\/\/developer.triodos.com\/docs\/account-information-service#section-get-account-transactions\" target=\"_blank\">Consent request with recurring access<\/a> (source: Triodos)<br><br><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"441\" height=\"393\" src=\"https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-5.png\" alt=\"\" class=\"wp-image-477\" srcset=\"https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-5.png 441w, https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-5-300x267.png 300w, https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/afbeelding-5-100x89.png 100w\" sizes=\"(max-width: 441px) 100vw, 441px\" \/><figcaption><a rel=\"noreferrer noopener\" aria-label=\"Extract from the response (opens in new tab)\" 
href=\"https:\/\/developer.triodos.com\/docs\/account-information-service#section-get-account-transactions\" target=\"_blank\">Extract from the response<\/a> (source: Triodos)<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">AISP can request data once or periodically and for a maximum of 90 days<\/h4>\n\n\n\n<p>A provider may specify whether data is retrieved <a class=\"info-marker\" data-info=\"A standard API has a recurringIndicator (true or false).\">one-off or periodically<span class=\"icon\"><\/span><\/a> and how long the permission remains valid. <a class=\"info-marker\" data-info=\"A standard API contains a validUntil value, a mandatory field without a default value, with a maximum of 90 days.\">This can't be more than 90 days.<span class=\"icon\"><\/span><\/a><\/p>\n\n\n\n<p>The time an AISP has access to the account is 90 days, unless the AISP <a class=\"info-marker\" data-info=\"During that time they can get access to the payment data. There also seemed to be a way to limit the data retrieved. We derive this from the ING API. It concerns 'Pagination', i.e. how much data you can look back at, for example 10 or 25 transactions. With this you could, for example, quickly see your last 10 transactions without having to retrieve all data. If we understand this option correctly, it only concerns a representation of the data. A service that only offers viewing of the last ten transactions therefore needs to request less data. https:\/\/developer.ing.com\/api-marketplace\/marketplace\/b6d5093d-626e-41e9-b9e8-ff287bbe2c07\/documentation#country-specific-information\">indicates that time may be shorter.<span class=\"icon\"><\/span><\/a> Many banks <a class=\"info-marker\" data-info=\"The question is whether they are aware of this possibility. 
In the documentation on the Bunq API (https:\/\/doc.bunq.com\/#\/psd2 'Register as a service provider') developers are not informed of this restriction: 'The session will last 90 days.' As a result, developers are not prompted to think about what a necessary term is.\">seem to be based on the maximum term.<span class=\"icon\"><\/span><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Which account details are shared?<\/h3>\n\n\n\n<p>In their information, banks are <a class=\"info-marker\" data-info=\"Triodos mentions legal name, IBAN, nationality, card validity data, transaction history and account balance; ING talks about Account number, ID, Name and Currency.\">ambiguous<span class=\"icon\"><\/span><\/a> about which data can be retrieved.<\/p>\n\n\n\n<p>To get a better understanding of what this means and how detailed the data is, we have made a normal bank payment to Privacy First. Then we downloaded the transaction as a .csv file and an MT940 file. We assume that no other data will be shared. 
The account statements show the following information:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">What does a donor see on the account statement?<\/h4>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"605\" height=\"360\" src=\"https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/Rekeningafschrift_donatie_SPF-1.png\" alt=\"\" class=\"wp-image-495\" srcset=\"https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/Rekeningafschrift_donatie_SPF-1.png 605w, https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/Rekeningafschrift_donatie_SPF-1-300x179.png 300w, https:\/\/psd2meniet.nl\/wp-content\/uploads\/2019\/09\/Rekeningafschrift_donatie_SPF-1-100x60.png 100w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">What does Privacy First see on the account statement?<\/h4>\n\n\n\n<p>(In bold: the elements that can also be received via the API.)<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><tbody><tr><td><strong>Book date<\/strong><\/td><td>16-7-2019<\/td><\/tr><tr><td><strong>Account number<\/strong><\/td><td>NL17TRIO1234567890 (IBAN adapted)<\/td><\/tr><tr><td><strong>Amount<\/strong><\/td><td>3 <em>(debit and credit can be derived from the +\/+ or -\/-)<\/em><\/td><\/tr><tr><td>Debit \/ Credit<\/td><td>Debit<\/td><\/tr><tr><td><strong>Name of contra account<\/strong><\/td><td>Foundation Privacy First through Mollie<\/td><\/tr><tr><td><strong>Contra account<\/strong><\/td><td>RABONL2U NL70RABO0115600000<\/td><\/tr><tr><td>Code<\/td><td>ID<\/td><\/tr><tr><td>Description<\/td><td>Order number M1661161M12LSZDX \/ Transaction number 0020002514859230 \/ 16-07-19 11:28 \/ anonymous privacyfirst.com<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>When we compare the normal bank statements with the API, it looks like the API shares less data than you can now see in the transaction. 
Some fields can be deduced from the transaction, such as debit or credit, and a type such as transfer or direct debit. It is not clear whether the description is shared as well.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">What about location data?<\/h4>\n\n\n\n<p>Location data can be derived from the location of an account holder, such as an (online) shop, catering establishment or payment terminal. These location data deserve further investigation, because it is questionable whether they can be deduced from the account statements when the description is not given.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">ING shares differently than expected<\/h4>\n\n\n\n<p>ING <a rel=\"noreferrer noopener\" aria-label=\"indicates (opens in new tab)\" href=\"https:\/\/www.ing.nl\/particulier\/mobiel-en-internetbankieren\/internetbankieren\/digitale-afschiften\/papierloos-bankieren\/index.html\" target=\"_blank\">indicates<\/a> that in the mijnING environment \"you always have an up-to-date overview of your debits and credits and you can print these out. For your current account you can look back at the current year and the 9 years before that.\" But in the API documentation, under the heading Country specific information, it says that ING has 2 years of transaction history available after SCA (strong customer authentication). We reported this to them; it is of course important that the documentation is in order.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">What do we do with Mollie and Buckaroo?<\/h4>\n\n\n\n<p>How should we deal with account numbers from intermediaries such as Mollie and Buckaroo? For example, the political party D66 uses a Buckaroo account. In the description field of a transaction, it says 'Politieke Partij Democraten 66: Contributie D66, February 2020', but the <a href=\"https:\/\/support.buckaroo.nl\/categorie%C3%ABn\/financieel\/buckaroo-rekeningnummers\">contra account is that of Buckaroo<\/a>. 
In this case, inclusion in the register on the basis of the contra account would not be correct, because Buckaroo is also used by other organisations. To keep the register clean, we choose not to include the Buckaroo account at this time. However, this means that information about the membership remains in the description field.<\/p>","protected":false},"excerpt":{"rendered":"<p>The PSD2-Me-Not-Register requires data filtering. In order to know how this has to be developed technically, we would like to ... <\/p>\n<div><a href=\"https:\/\/psd2meniet.nl\/en\/techniek-achter-psd2\/\" class=\"more-link\">Read More<\/a><\/div>","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","trp-custom-language-flag":"","post-thumbnail":"","entry":"","entry-cropped":"","entry-fullwidth":"","entry-cropped-fullwidth":""},"post_excerpt_stackable_v2":"<p>The PSD2-me-not-register makes filtering of data necessary. To know how this has to be developed technically, we want to understand better how the communication between account information service provider and bank takes place. In this article we work out how PSD2 is technically implemented. For that we have to dig into the code. For this we use the public API documentation that banks make available. We focus only on the AISPs, the account information services. Bank and AISP talk via an API In order to better understand which information of a bank is shared with an AISP, we have looked at several APIs of banks. 
The AISP and&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/psd2meniet.nl\/en\/category\/achtergrond\/\" rel=\"category tag\">achtergrond<\/a>","author_info_v2":{"name":"Martijn van der Veen","url":"https:\/\/psd2meniet.nl\/en\/author\/martijn\/"},"comments_num_v2":"1 comment","_links":{"self":[{"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/posts\/430"}],"collection":[{"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/comments?post=430"}],"version-history":[{"count":10,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/posts\/430\/revisions"}],"predecessor-version":[{"id":752,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/posts\/430\/revisions\/752"}],"wp:attachment":[{"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/media?parent=430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/categories?post=430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/tags?post=430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}