1 Contents
2 Version Control
3 Overview
- 3.1 Document Structure
- 3.2 Payments NZ API Standards Overview
  - 3.2.1 Overview Diagram
  - 3.2.2 Steps
- 3.3 Design Principles
  - 3.3.1 RESTful APIs
  - 3.3.2 Standards
  - 3.3.3 Open Banking
  - 3.3.4 Extensibility
  - 3.3.5 Idempotency
  - 3.3.6 Message Signing
  - 3.3.7 Agnostic to Payment Schemes
  - 3.3.8 Status Codes
  - 3.3.9 Unique Identifiers (Id Fields)
  - 3.3.10 Definition of Optionality
4 Basics
- 4.1 Actors
- 4.2 Character Encoding
- 4.3 Date Formats
- 4.4 Resource URI Path Structure
- 4.5 Headers
  - 4.5.1 Request Headers
  - 4.5.2 Response Headers
- 4.6 Return & Error Codes
  - 4.6.1 Further information about status codes
  - 4.6.2 403 (Forbidden)
  - 4.6.3 429 (Too Many Requests)
- 4.7 Pre-Conditions
  - 4.7.1 Pre-conditions for Third Parties
  - 4.7.2 Pre-conditions for API Providers
- 4.8 Idempotency
- 4.9 Message Signing
- 4.10 Pagination
- 4.11 Archiving
5 Security & Access Control
6 Data Model
- 6.1 Common Payload Structure
  - 6.1.1 Request Structure
    - - 6.1.1.1.1 Request
    - 6.1.1.2 Data
    - 6.1.1.3 Risk
  - 6.1.2 Response Structure
    - - 6.1.2.1.1 Response
    - 6.1.2.2 Links
      - 6.1.2.2.1 Example Links (Self only)
      - 6.1.2.2.2 Example Links
    - 6.1.2.3 Meta
      - 6.1.2.3.1 Example Meta
- 6.2 Reused Classes
  - 6.2.1 NZRisk1
    - 6.2.1.1 UML Diagram
    - 6.2.1.2 Notes
    - 6.2.1.3 Data Dictionary
7 Usage Examples
- 7.1 Pagination Flows
  - 7.1.1 Request
  - 7.1.2 Paginated Resource Response
  - 7.1.3 Request Next Page of Results
  - 7.1.4 Paginated Resource Response (Next)
- 7.2 Error Flows
  - 7.2.1 Missing or Expired Access Token
  - 7.2.2 Incomplete or Malformed Request Payload
  - 7.2.3 Missing or Invalid Access Token Scope
  - 7.2.4 Sudden Burst of API Requests
  - 7.2.5 Failed Authorisation Consent

Version Control

Version	Date	Author	Comments
1.0.0	01 March 2019	Payments NZ API Working Group	NZ Banking Data API Specification with common elements

Overview

The NZ Banking Data API Specification provides a description of the elements that are common across all the NZ Banking Data APIs.

This specification should be read in conjunction with the individual NZ Banking API Specifications for Payment Initiation and Account Information.

Document Structure

This document consists of the following parts:

Overview: Provides an overview of the Payments NZ API Standards and the key decisions and principles that contributed to the specification.

Basics: The section begins with an introduction to how the APIs are used.

Security & Access Control: Specifies the means for Third Parties and Customers to authenticate themselves and provide consent.

Data Model: Describes the data model for the API payloads.

Payments NZ API Standards Overview

The Payments NZ (PNZ) API Standards were designed to create an API-based payments ecosystem for NZ and simplify partnering in the payments industry. These standards enable retail Banks to develop API endpoints to an agreed standard so that Third Parties can build web and mobile applications that make it easier for banking customers to pay for goods and services. Below is a high level overview of the context in which these APIs will be used.

Overview Diagram

Steps

Step 1: Request account information or make a payment

The Customer interacts with a Third Party, such as an online merchant or payment services provider. For example, to buy goods or services.
The Customer elects to access their account information and/or make a payment via the Third Party.

Step 2: Inform Financial Institution that one of its Customers is requesting the Third Party access their account information or make a payment on their behalf

The Third Party connects to the Financial Institution that services the Customer's account(s) and informs the Financial Institution that one of its Customer's wants the Third Party to access their account information or make a payment on their behalf.
The Third Party must have been previously approved/authorised by the Financial Institution.

Step 3: Authorise consent for Third Party to access their account information or make a payment on their behalf

The Financial Institution authenticates the Customer and asks the Customer to select the accounts the Third Party may request information about and/or make payments from.
The principle we have agreed is that consent is managed between the Customer and the Third Party - so the details cannot be changed (with the Financial Institution) in this step. The Customer will only be able to authorise or reject the Third Party's request in its entirety.

Step 4: Request access to the Customer's account information or make a payment

The Financial Institution authenticates the Third Party and ensures the Customer has authorised consent for the request before providing the account information or making a payment.

The PNZ API standards are based on the UK Open Banking standard. The PNZ API standards include adjustments to and place limitations on the UK Open Banking standard to make the standards more suitable to the NZ market. Version 1.0.0 of the Payments NZ API standards are now in the public domain in read-only format and cannot currently be used in partnership with any API Provider (as defined in the specification).

Design Principles

RESTful APIs

The API adheres to RESTful API concepts where possible and sensible to do so.

However, the priority is to have an API that is simple to understand and easy to use. In instances where following RESTful principles would be convoluted and complex, the principles have not been followed.

References:

The highest level Data Description Language used is the JSON Schema : http://json-schema.org/
Best Practice has also been taken from the Data Description Language for APIs; JSON API : http://jsonapi.org/
The Interface Description Language used is the Swagger Specification version 2.0 (also known as Open API) : http://swagger.io/ and OpenAPI-Specification

Standards

The PNZ API Working Group principles for developing these API standards:

PNZ API Working Group will adopt existing standards where relevant/appropriate to minimise re-inventing the wheel.
The initial scope of these Standards is limited to current scope - i.e., PNZ API pilot. However, the intention is that the scope of the Standards will extend to include additional resources and APIs.
PNZ API Working Group will work with other relevant bodies to align with, contribute to and/or adopt other Standards work, especially relating to Open Banking

Open Banking

The principles we have applied to re-use of the UK Open Banking Standard are:

Only resources that are required for the PNZ API pilot will be included in the API documentation. The specification will leave all other resources intact and unchanged.
We will modify Open Banking elements where the existing standard does not cater for the NZ Market (such as adding the "BECSElectronicCredit" Scheme or the addition of the Payment link).

Extensibility

It is intended that the API flows will be extended to cater for more complex use-cases in subsequent releases - and we have kept this in mind during the design.

Idempotency

Idempotency is difficult to implement consistently and leverage consistently.

As a result, idempotency is used sparingly in these specifications; with a preference to allow Third Parties to simply re-submit a request under failure conditions.

APIs have been defined to be idempotent, where not doing so would cause a poor Customer user-experience or increase false positive risk indicators.

Message Signing

Digital signatures will facilitate non-repudiation for Open Banking APIs.

Important

API requests and responses MUST NOT be digitally signed for implementation of the v1.x specification.

This section is for future reference only.

Agnostic to Payment Schemes

The API will be designed so that it is agnostic to the underlying payment scheme that is responsible for carrying out the payment.

Due diligence has been carried out to ensure that the API has the necessary fields to function with BECS payments - as per agreed scope.

We will provide further mapping guidance to ensure that differences are understood between the Open Banking Payment API standard, and BECS payments where applicable.

Status Codes

The API uses two status codes that serve two different purposes:

The HTTP Status Code reflects the outcome of the API call (the HTTP operation on the resource).
A Status field in some of the resource payloads reflects the status of resources.

Additional status codes may be provided at the discretion of the API Provider.

Unique Identifiers (Id Fields)

A REST resource should have a unique identifier (e.g. a primary key) that may be used to identify the resource. These unique identifiers are used to construct URLs to identify and address specific resources.

However, considering that some of the resources described in this specification do not have a primary key in the system of record, the Id fields will be option for some resources.

An API Provider that chooses to populate optional Id fields must ensure that the values are unique and immutable.

Definition of Optionality

For endpoints and fields within each resource, the following definitions apply:

'Mandatory' endpoints or fields marked must be implemented by the API Provider.
'Optional' endpoints may be implemented by the API Provider.

Notes

API Providers are free to decide whether to implement any of the ‘Optional’ endpoints and fields.
API Providers must make documentation available to Third Parties as to which optional endpoints and fields are implemented for this specification.

Basics

Actors

In the NZ context, there are three actors:

Actor	Type	NZ Description

Actor

Type

NZ Description

API Provider

Legal Entity

API Provider refers to a Registered Bank or Non-Bank Deposit Taker that has been accredited by the Payments NZ API Standards Body to utilise its API specifications and standards, and contribute to the standards ecosystem. The API Provider provides APIs in a manner that complies with the API Standards (e.g. Account Information and Payment Initiation APIs), and connects those APIs with a Third Party(s).

Customer

Person

Individuals who operate retail banking accounts who make use of a PNZ API Standards-based information service or payment service. The retail banking accounts may be personal accounts or associated with businesses, trusts, etc.

Third Party

Legal Entity

Third Party refers to a legal entity that has been accredited by the Payments NZ API Standards Body to utilise its API specifications and standards, and contribute to the standards ecosystem. The Third Party is the entity that consumes an API in a manner that complies with the API Standards.

References to a "Third Party" in the specification relate to a piece of registered software with an API Provider (with a specific client_id).

The upstream Open Banking standard uses PSD2 parlance and acronyms that are is not applicable or relevant to the New Zealand market. Below is a summary of the NZ equivalent for many common Open Banking/PSD2 terms. Note that where practical, the documentation and specifications have retained the Open Banking parlance and acronyms in brackets:

Open Banking Abbreviation	Open Banking / PSD2 Actor	NZ Actor	NZ Description

Open Banking Abbreviation	Open Banking / PSD2 Actor	NZ Actor	NZ Description
AISP	Account Information Service Provider	Third Party	Accredited organisations providing web and mobile applications which consume one or more API Provider’s Account Information API in a manner that complies with the Payments NZ’s API Standards.
ASPSP	Account Servicing Payment Service Provider	API Provider	An accredited financial institution who provides and maintains a payment account for banking customers, and provides account information APIs to one or more Third Parties in a manner that complies with the Payments NZ’s API Standards.
PISP	Payment Initiation Service Provider	Third Party	Accredited organisations providing web and mobile applications which consume one or more API Provider’s payment initiation APIs in a manner that complies with the Payments NZ’s API Standards.
PSP	Payment Service Provider (ASPSP or TPP)	API Provider or Third Party	An accredited financial institution who provides payment services to customers and provides payment initiation APIs to one or more Third Parties in a manner that complies with the Payments NZ’s API Standards.
PSU	Payment Service User	Customer	A person making use of a payment service as either payer, payee or both. The customer’s account may be a personal account or associated with businesses, trusts, etc.
TPP	Third Party Provider	Third Party	An accredited organisation that provides payment related services in a manner that complies with the Payments NZ’s API Standards. References to a "Third Party" in the specification relate to a piece of registered software with an API Provider (with a specific client_id).

Character Encoding

The API requests and responses must use a UTF-8 character encoding. This is the default character encoding for JSON (RFC 7158 - Section 8.1).

However, an API Provider's downstream system may not accept some UTF-8 characters, such as emoji characters (e.g. "Happy Birthday 🎂🎂!" may not be an acceptable Payment Reference). If the API Provider rejects the message with a UTF-8 character that cannot be processed, the API Provider must respond with an HTTP 400 (Bad Request) status code.

Date Formats

All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below:

2017-04-05T10:43:07+00:00

All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below:

Sun, 10 Sep 2017 19:43:31 UTC

All dates in the JWT claims are expressed as a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

//Sun, 12 Feb 2018 14:45:00 UTC
1518446700

Resource URI Path Structure

The resources defined by these APIs may be addressed through a path structure consisting of the following parts:

An optional API Provider specific path prefix
The constant string "open-banking-nz"
The version of the APIs expressed as /v[major-version].[minor-version]/
The resource name

Examples:

/examplebank.api.co.nz/open-banking-nz/v1.1/payments

/open-banking-nz/v1.0/payments

/apis/open-banking-nz/v1.1/accounts

Headers

Request Headers

The following headers should be inserted by the Third Party in each API call:

Header Value	Notes	POST Requests	GET Requests	DELETE Requests

Header Value	Notes	POST Requests	GET Requests	DELETE Requests
x-fapi-financial-id	The unique id of the API Provider to which the request is issued. The unique id will be issued by PNZ. If provided it will be ignored by the API Provider.	Not for v1.x	Not for v1.x	Not for v1.x
x-fapi-customer-last-logged-time	The time when the Customer last logged in with the Third Party.	Optional	Optional	Optional
x-fapi-customer-ip-address	The Customer's IP address if the Customer is currently logged in with the Third Party.	Optional	Optional	Optional
x-fapi-interaction-id	An RFC4122 UID used as a correlation id. If provided, the API Provider must "play back" this value in the x-fapi-interaction-id response header.	Optional	Optional	Optional
Authorization	Standard HTTP Header; Allows Credentials to be provided to the Authorisation / Resource Server depending on the type of resource being requested. For OAuth 2.0, this comprises of either the Basic / Bearer Authentication Schemes.	Mandatory	Mandatory	Mandatory
Content-Type	Standard HTTP Header; Represents the format of the payload being provided in the request. This must be set to application/json. If set to any other value the API Provider must respond with 415 Unsupported Media Type.	Mandatory	Do not use	Do not use
Accept	Standard HTTP Header; Determine the Content-Type that is required from the Server. If specified, it must indicate that the only a JSON response is accepted (e.g by setting the value to `application/json)` as a content header for all endpoints that respond with JSON. For endpoints that do not respond with JSON (e.g GET ../statements/{StatementId}/file), the API Provider must specify the available options on their developer portals. If set to any other value, API Provider must respond with a 406 Not Acceptable. If not specified, default is application/json	Optional	Optional	Optional
x-idempotency-key	Custom HTTP Header; Unique request identifier to support idempotency. Mandatory for POST requests to idempotent resource end-points. Must not be specified for other requests.	Conditionally Mandatory	Do not use	Do not use
x-jws-signature	Header containing a detached JWS signature of the body of the payload. If provided will be ignored by the API Provider	Not for v1.x	Not for v1.x	Not for v1.x

(Reference: Section 6.3 - Financial API — Part 1: Read Only API Security Profile (Implementer’s Draft).)

Whether the Customer is present or not-present is identified via the x-fapi-customer-ip-address header. If the Customer IP address is supplied, it is inferred that the Customer is present during the interaction.

The implications to this are:

API Providers will need to rely on the Third Party's assertion.

Response Headers

Header Value	Notes	Mandatory ?

Header Value	Notes	Mandatory ?
Content-Type	Standard HTTP Header; Represents the format of the payload returned in the response. The API Provider must return Content-Type: application/json as a content header in response to requests that return a HTTP body (e.g. POST and GET requests)	Conditionally Mandatory
x-jws-signature	Header containing a detached JWS signature of the body of the payload. If provided will be ignored by the Third Party.	Not for v1.x
x-fapi-interaction-id	An RFC4122 UID used as a correlation id. The API Provider must set the response header `x-fapi-interaction-id` to the value received from the corresponding fapi client request header or to aRFC4122UUID value if the request header was not provided to track the interaction.	Mandatory
Retry-After	Header indicating the time (in seconds) that the Third Party should wait before retrying an operation. The API Provider determines the rate limits and retry time frames. The API Provider should include this header along with responses with the HTTP status code of 429 (Too many requests).	Optional

Return & Error Codes

The following are the HTTP response codes for the different HTTP methods - across all API endpoints.

Situation	HTTP Status	Notes	Returned by POST	Returned by GET	Returned by DELETE

Situation	HTTP Status	Notes	Returned by POST	Returned by GET	Returned by DELETE
Query completed successfully	200 OK		No	Yes	No
Normal execution. The request has succeeded.	201 Created	The operation results in the creation of a new resource.	Yes	No	No
Delete operation completed successfully	204 No Content		No	No	Yes
Request has malformed, missing or non-compliant JSON body, URL parameters or header fields.	400 Bad Request	The requested operation will not be carried out.	Yes	Yes	Yes
Authorization header missing or invalid token	401 Unauthorized	The operation was refused access. Re-authenticating the Customer may result in an appropriate token that may be used.	Yes	Yes	Yes
Token has incorrect scope or a security policy was violated.	403 Forbidden	The operation was refused access. Re-authenticating the Customer is unlikely to remediate the situation.	Yes	Yes	Yes
The Third Party tried to access the resource with a method that is not supported.	405 Method Not Allowed		Yes	Yes	Yes
The request contained an Accept header that requested a content-type other than application/json and a character set other than UTF-8	406 Not Acceptable		Yes	Yes	Yes
The operation was refused as too many requests have been made within a certain timeframe.	429 Too Many Requests	API Providers may throttle requests when they are made in excess of their fair usage policy. API Providers must document their fair usage policies in their developer portals. The API Provider must respond with this status if it throttles the request. The API Provider should include a Retry-After header in the response indicating how long the Third Party must wait before retrying the operation.	Yes	Yes	Yes
Something went wrong on the API gateway or micro-service	500 Internal Server Error	The operation failed.	Yes	Yes	Yes
The Third Party tried to access a resource that has not been implemented by the API Provider	501 Not Implemented		Yes	Yes	Yes

An API Provider may return other standard HTTP status codes (e.g. from gateways and other edge devices) as described in RFC 7231 - Section 6.

API Providers must respond with error response in the OAuth/OIDC flow with mandatory alignment of error codes to those specified in RFC 6749 Section 4.1.2.1

Further information about status codes

When a Third Party tries to request a resource URL with a resource Id that does not exist, the API Provider must respond with a 403 (Forbidden) rather than a 404 (Not Found).

E.g., if a Third Party tries to GET /payments/22289 where 22289 is not a valid PaymentId, the API Provider must respond with a 403.

When a Third Party tries to request a resource URL that results in no business data being returned (e.g. a request to retrieve standing order on an account that does not have standing orders) the API Provider must respond with a 200 (OK) and set the array to be empty.

NZ Banking Data API Specification v1.0.0

Contents