PSD2 aims to create a single and integrated payment services market, aligning standards for institutional banks and emerging Payment Service Providers (PSPs) and accelerating the digital transformation in payments.
Its main objectives are to:
- Contribute to a more integrated and efficient European payments market
- Open up the payments market to new entrants, increasing competition
- Promote innovative and internet payment services
- Introduce strict security rules for the initiation and processing of electronic payments and for the protection of consumers’ data
Authentication processes related to information and transactions must adhere to updated strong authentication requirements.
A significant change is the possibility for customers to allow licensed third party providers (TPPs) to access their online payment account information and to initiate payments from their account.
Customer safety is at the basis of PSD2. No customer data can be accessed by any PSP without proper licensing and without having received the customer's consent first.
UniCredit will never give third parties access to customer data without the customer’s specific consent.
To access the PSD2 APIs you need:
- To have obtained a license from your National Competent Authority (NCA) to operate as a PSP according to the PSD2 regulation (AISP and/or PISP and/or CBPII)
- A passport license to other countries if you want to access PSD2 APIs not only in the country where you obtained the license, but also elsewhere
- To have a qualified certificate for electronic seals as defined in Article 3(30) of Regulation (EU) No 910/2014, or for website authentication as defined in Article 3(39) of that Regulation.
At the moment it is possible to access UniCredit PSD2 APIs in the Sandbox environment with an eIDAS Qualified Website Certificate (QWAC), provided by a qualified trust service provider published in the EU Trusted List of Trust Service Providers.
It is also possible to access the Sandbox environment with an eIDAS test certificate, provided that the certificate is considered trusted by UniCredit (please refer to the Onboarding section for more details).
Our PSD2 APIs are developed according to the Berlin Group API implementation guidelines.
For further information, please visit the Berlin Group’s website.
For the Czech Republic and Slovakia, our APIs follow the CZ standard and the SK standard.
We are committed to complying with further national standards and will follow up on this topic as soon as official news is available.
When a new version of the APIs becomes available, UniCredit publishes it on the Developer Portal. The old version remains available for at least 3 months, then it is removed. All registered parties will be informed about new APIs or the removal of old ones.
UniCredit Group has received the exemption from providing a contingency mechanism from the National Competent Authorities in Bulgaria, Croatia, Hungary, Italy and Slovenia. For Austria, the Czech Republic, Germany and Romania, UniCredit Group is working closely with the National Competent Authorities to receive this exemption shortly. In Austria, the National Competent Authority has asked us to provide a fallback solution for accessing the customer interfaces with TPP identification, starting from January 1st 2020 and until the exemption is granted. As we do not support an automated eIDAS certificate check on our customer interfaces, we ask that you, as a Third Party Provider that would still like to use the customer interface of Bank Austria, provide us with the IP addresses you use for accessing Bank Austria’s customer interfaces and the details of your eIDAS certificate, so that we can identify you as an authorized TPP when you access the customer interfaces. We will use this approach ad interim, as we are committed to providing a dedicated interface that allows you to offer your services as a TPP under the PSD2 regulation.
2. Developer Portal
It is UniCredit’s website where software developers of TPPs can:
- Browse the API catalog and discover our APIs
- Read about our overall APIs solution
- Find out how to use the APIs and download the Swagger documentation
- Find documentation about the testing facility, or interact with the test environment APIs
- Access security policy information for APIs and generate keys and API OAuth keys (only for Czech Republic and Slovakia)
- Contact our team for support
- Manage their own developer team
The list of the offered APIs is shown in the API catalog page.
The complete developer documentation about the API catalog and related APIs is accessible only after completing the registration and the subsequent onboarding process, as described in the Getting started page.
For UniCredit Bank Czech Republic and Slovakia a.s., following local API implementation standards, registration (and onboarding) is needed in order to create an OAuth token to access UniCredit APIs, both for the Sandbox and the production environment.
For the rest of UniCredit Group, which follows the Berlin Group guidelines for API implementation, access to both the production APIs and the related Sandbox APIs does not require any mandatory registration.
The Developer Portal has two types of users:
- Organization administrator, who is allowed to:
  - create and manage other users;
  - create and manage applications (Czech Republic and Slovakia standards only);
  - access the API catalog, according to his/her organization’s authorized roles and passporting, as an application developer.
- Application developer, who is allowed to:
  - access the API catalog, according to his/her organization’s authorized roles and passporting;
  - create and manage their own applications;
  - use read-only capabilities for applications shared by other users.
The Organization administrator can go to the Developer Portal registration page, and will be asked to provide the following information:
- Company name
- Organization Admin Email
- Password Confirmation
He/she will then receive a confirmation email to activate the account.
Please consider that the first user registering the TPP is by default an Organization administrator.
The onboarding process consists of a specific API call in which a TPP confirms its identity and with which it is authorized to access the functionalities offered by the developer portal, in particular access to the documentation about the API catalog and to the creation of applications as requested in the Czech Republic and Slovakia standards.
If your organization already has an eIDAS Qualified Website Certificate (QWAC), it is possible to invoke the API for TPP onboarding with your eIDAS certificate.
If your organization has not yet obtained an eIDAS QWAC, it is possible to onboard with an eIDAS test certificate, which enables access to the API catalog and to the functionalities of the developer portal until an eIDAS QWAC is obtained. The eIDAS QWAC will, however, be necessary to access UniCredit’s API production environment.
Please refer to the Getting started page for more information on this process.
To complete the onboarding process, the eIDAS test certificate must be considered trusted by UniCredit.
To consider a test certificate trusted, UniCredit must be able to trust the entire test certificate chain (ROOT, Intermediate) of the CA that signed the eIDAS test certificate used for onboarding.
If problems occur during onboarding with your eIDAS test certificate, send a request using the form available on the support page for registered TPPs and attach the certificate chain, which is usually provided by the CA during the provisioning of the certificate.
Please refer to the Getting started page for more details on this process.
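A TPP can check that its chain is complete before attaching it to a support request. The script below is an added example, not UniCredit's code or onboarding API: it builds a throwaway ROOT, Intermediate and leaf certificate with openssl (all subject names and file names are constructed) and shows that the leaf verifies only when the intermediate is supplied along with the root.

```shell
#!/bin/sh
# Added example. Every certificate here is a throwaway built on the spot;
# the subject names (Demo Test Root, tpp.example) are constructed.

# Build ROOT -> Intermediate -> leaf in directory $1.
make_demo_chain() {
  d="$1"
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$d/x.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/x.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null &&
  openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=tpp.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 30 -extfile "$d/x.cnf" -extensions leaf \
    -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if a path from leaf $1 to trust anchor $2 can be built,
# using the intermediates in $3 when that argument is given.
chain_is_trusted() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

demo=$(mktemp -d) && make_demo_chain "$demo" || exit 1
chain_is_trusted "$demo/leaf.pem" "$demo/root.pem" "$demo/int.pem" \
  && echo "full chain supplied: trusted"
chain_is_trusted "$demo/leaf.pem" "$demo/root.pem" \
  || echo "intermediate missing: not trusted"
rm -rf "$demo"
```

With a real test certificate, pass the CA's root as the second argument and its intermediate bundle as the third; a failure here means the chain sent with the request is incomplete.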
It is possible to perform the onboarding with an eIDAS test certificate only once and therefore it will not be possible to use multiple eIDAS test certificates for the same organization.
Once the eIDAS QWAC certificate is obtained, it is possible to invoke the API for onboarding with the new certificate.
Roles and passporting of your organization will be aligned in accordance with the TPP registry (PRETA registry) and developers and applications previously added by the TPP will be deleted.
It is possible to onboard once with a single eIDAS certificate. Other onboarding calls will be rejected.