Getting Started

Overview

In response to the Payment Services Directive 2 (PSD2), SMBC Group offers a collection of APIs that will allow third party providers (TPPs) to integrate the bank's services into their applications. This page will guide TPP developers through the necessary steps required to interact with SMBC Group's API services in the sandbox environment and retrieve simulated responses. The reader should:

1. review SMBC Group's implementations of PSD2 APIs (Berlin Group) and the OAuth v2 delegated access model;
2. review the section on using the sandbox including the sandbox API flows, testing your application and testing digital signatures;
3. register an account on the developer portal. We will ask for some basic information, including your company's TPP authorisation number;
4. register your sandbox application in the developer portal to obtain the credentials to interact with our sandbox API environment; and
5. test your application against our sandbox API environment, making reference to our API documents section to obtain access to the mocked data.

PSD2 APIs

In support of the PSD2, SMBC Group has implemented APIs to enable its end-users, also referred to as payment service users (PSUs), to interact with the bank's payment services via a TPP.

To support pan-European payments interoperability, SMBC Group has adopted the Berlin Group Specification v1.3 standards, with refinements, to ensure a consistent level of service relative to its online banking solutions, e.g., a field that is optional in the Berlin Group specification may be mandatory when using the SMBC Group implementation.

The APIs fall into two broad categories:

1. Account Information Service (AIS): These are operated by an Account Information Service Provider (AISP) that retrieves account information from financial institutions on behalf of the end-user. The AISP APIs enable the end-customer to retrieve account details, balances and transactions.
2. Payment Initiation Service (PIS): These are operated by a Payment Information Service Provider (PISP) that provides payment initiation and authorisation services for the end-user. The PISP APIs enable the end-customer to initiate and authorise payments in addition to querying the status of payments.

OAuth v2 Delegated Access Model

As detailed in our token service page, SMBC Group implements two specific OAuth 2 flows:

• OAuth2 client credentials grant to enable a TPP to initiate, query and revoke PSU consents resources; and
• OAuth2 authorisation code grant to enable end-users to securely authorise TPPs to access banking services on their behalf without exposing their online banking credentials to TPPs.

Access to Production APIs

When your organisation is ready to connect to our production APIs, you should:

1. register a dedicated TPP registration application in the developer portal with which you will manage the lifecycle of your production TPP application using the production Dynamic Client Registration Service;
2. configure the TPP registration application with the following:
   
   1. credentials obtained from the developer portal for the TPP registration application;
   2. valid eIDAS qualified certificate for website authentication (QWAC) issued by a Qualified Trust Service Providers (QTSPs) to establish a mutually authenticated TLS connection between your TPP registration application and the production Dynamic Client Registration Service; and
   3. valid eIDAS qualified certificate for electronic seal (QSEAL) issued by a QTSP with which your TPP registration application must digitally sign your registration requests to the production Dynamic Client Registration Service.
3. register your organisation's production TPP application with your TPP registration application;
4. configure the production TPP application with the following:
   
   1. credentials obtained from the Dynamic Client Registration Service for the production TPP application;
   2. valid eIDAS QWAC issued by a QTSP to establish mutually authenticated TLS connection required for all production APIs; and
   3. valid eDIAS QSEAL certificate issued by a QTSP (for PISP only).
5. access the production APIs using the production TPP application.