Access account information, read only. Most endpoints return previous day information and so should be called no more than once a day

# Summary The **NextGenPSD2** *Framework Version 1.3.4* offers a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and, aligned with the goals of the Euro Retail Payments Board, enables European banking customers to benefit from innovative products and services ('Banking as a Service') by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data. The possible Approaches are: * OAuth SCA Approach * Decoupled SCA Approach Not every message defined in this API definition is necessary for all approaches. Furthermore this API definition does not differ between methods which are mandatory, conditional, or optional Therefore for a particular implementation of a Berlin Group PSD2 compliant API it is only necessary to support a certain subset of the methods defined in this API definition. **Please have a look at the implementation guidelines if you are not sure which message has to be used for the approach you are going to use.** ## Some General Remarks Related to this version of the OpenAPI Specification: * **This API definition is based on the Implementation Guidelines of the Berlin Group PSD2 API.** It is not an replacement in any sense. The main specification is (at the moment) always the Implementation Guidelines of the Berlin Group PSD2 API. * **This API definition contains the REST-API for requests from the PISP to the ASPSP.** * **This API definition contains the messages for all different approaches defined in the Implementation Guidelines.** * According to the OpenAPI-Specification [https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md] "If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored." The element "Accept" will not be defined in this file at any place. The elements "Content-Type" and "Authorization" are implicitly defined by the OpenApi tags "content" and "security". * There are several predefined types which might occur in payment initiation messages, but are not used in the standard JSON messages in the Implementation Guidelines. Therefore they are not used in the corresponding messages in this file either. We added them for the convenience of the user. If there is a payment product, which need these field, one can easily use the predefined types. But the ASPSP need not to accept them in general. * **We omit the definition of all standard HTTP header elements (mandatory/optional/conditional) except they are mention in the Implementation Guidelines.** Therefore the implementer might add the in his own realisation of a PSD2 comlient API in addition to the elements define in this file. ## General Remarks on Data Types The Berlin Group definition of UTF-8 strings in context of the PSD2 API have to support at least the following characters a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #BOI-REMARK: The Hebrew alphabt must be supported as part of the character set � � � � � � � � � � � � � � � � � � � � � � � � � � � 0 1 2 3 4 5 6 7 8 9 / - ? : ( ) . , ' + Space

Security validations done in TPP's security context (client secret and client certificate)

SMS and Mail services

Warning! This API Requires the following additional private claims in the content-authorization header JWT: AccountID, PerformerID, CustomerID. CustomerID PerformerID

CustomerServices

בדיקה האם משתמש מורשה לאירוע הרשאות

FeeServices

InternalCommunicationServices

Send lead to the bank

Access code flow

Issue B2B token

OAUTH2 WITH SUPPORT IN OPENID

Warning! This API requires consultant authorization to be send along the claims of the JWT: ConsultantID ConsultantCode ConsultantPhone

# Endpoint urls 1 discount sandbox https://mtls-api-nonprod.discountbank.co.il/devapi/cert discount prod https://mtls-api.discountbank.co.il/prod/d mercantile sandbox https://mtls-api-nonprod.mercantile.co.il/devapi/cert mercantile prod https://mtls-api.discountbank.co.il/prod/d # Summary The **NextGenPSD2** *Framework Version 1.3.11* offers a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and, aligned with the goals of the Euro Retail Payments Board, enables European banking customers to benefit from innovative products and services ('Banking as a Service') by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data. The possible Approaches are: * OAuth SCA Approach * Decoupled SCA Approach Not every message defined in this API definition is necessary for all approaches. Furthermore this API definition does not differ between methods which are mandatory, conditional, or optional. Therefore for a particular implementation of a Berlin Group PSD2 compliant API it is only necessary to support a certain subset of the methods defined in this API definition. **Please have a look at the implementation guidelines if you are not sure which message has to be used for the approach you are going to use.** ## Some General Remarks Related to this version of the OpenAPI Specification: * **This API definition is based on the Implementation Guidelines of the Berlin Group PSD2 API.** It is not a replacement in any sense. The main specification is (at the moment) always the Implementation Guidelines of the Berlin Group PSD2 API. * **This API definition contains the REST-API for requests from the PISP to the ASPSP.** * **This API definition contains the messages for all different approaches defined in the Implementation Guidelines.** * According to the OpenAPI-Specification [https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md] "If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored." The element "Accept" will not be defined in this file at any place. The elements "Content-Type" and "Authorization" are implicitly defined by the OpenApi tags "content" and "security". * There are several predefined types which might occur in payment initiation messages, but are not used in the standard JSON messages in the Implementation Guidelines. Therefore they are not used in the corresponding messages in this file either. We added them for the convenience of the user. If there is a payment product, which needs these fields, one can easily use the predefined types. But the ASPSP need not to accept them in general. * **We omit the definition of all standard HTTP header elements (mandatory/optional/conditional) except they are mentioned in the Implementation Guidelines.** Therefore the implementer might add these in his own realisation of a PSD2 comlient API in addition to the elements defined in this file. ## General Remarks on Data Types The Berlin Group definition of UTF-8 strings in context of the PSD2 API has to support at least the following characters a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #BOI-REMARK: The Hebrew alphabt must be supported as part of the character set א ב ג ד ה ו ז ח ט י כ ך ל מ ם נ ן ס ע פ ף צ ץ ק ר ש ת 0 1 2 3 4 5 6 7 8 9 / - ? : ( ) . , ' + Space

Contains Single cards data # Summary As before, specific card reconciliation accounts (called "card accounts" in [XS2A-IG]) can be addressed in a consent request by identifying the card account by its corresponding masked PAN. Please note that the card accounts are providing card information in an accumulated way. In addition, this specification adds to this consent model, that a masked PAN is addressing a single card. It is up to the ASPSP if this consent grants access - to the single card identified by the masked PAN, - the card account identified by the masked PAN or - both, delivering these information on the related endpoints /card-accounts or /cards. The ASPSP's respective decision must be documented by the ASPSP. Additionally, a card account or single cards can be addressed by an Account Access Object containing an identifier of the reconciliation account accompanied by the specification of the cashAccountType to Type "CARD" (see Section 6.3). A consent of this type will grant the respective access to both, - all cards reconciled through this account and - the related card account, if the ASPSP supports the corresponding endpoints at all. As a third / fourth way to establish a card specific consent, the TPP can request a bank-offered consent or a global consent but restricting the requested access to a certain cashAccountType - e.g. CARD. A consent of this type will grant the respective access to both - cards and - card accounts, if the ASPSP supports the related endpoints at all. BOI-REMARK: In the Israeli market there is no need in explicit consent for requesting account/card owner data.

# Summary The **NextGenPSD2** *Framework Version 1.3.11* offers a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and, aligned with the goals of the Euro Retail Payments Board, enables European banking customers to benefit from innovative products and services ('Banking as a Service') by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data. The possible Approaches are: * OAuth SCA Approach * Decoupled SCA Approach Not every message defined in this API definition is necessary for all approaches. Furthermore this API definition does not differ between methods which are mandatory, conditional, or optional. Therefore for a particular implementation of a Berlin Group PSD2 compliant API it is only necessary to support a certain subset of the methods defined in this API definition. **Please have a look at the implementation guidelines if you are not sure which message has to be used for the approach you are going to use.** ## Some General Remarks Related to this version of the OpenAPI Specification: * **This API definition is based on the Implementation Guidelines of the Berlin Group PSD2 API.** It is not a replacement in any sense. The main specification is (at the moment) always the Implementation Guidelines of the Berlin Group PSD2 API. * **This API definition contains the REST-API for requests from the PISP to the ASPSP.** * **This API definition contains the messages for all different approaches defined in the Implementation Guidelines.** * According to the OpenAPI-Specification [https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md] "If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored." The element "Accept" will not be defined in this file at any place. The elements "Content-Type" and "Authorization" are implicitly defined by the OpenApi tags "content" and "security". * There are several predefined types which might occur in payment initiation messages, but are not used in the standard JSON messages in the Implementation Guidelines. Therefore they are not used in the corresponding messages in this file either. We added them for the convenience of the user. If there is a payment product, which needs these fields, one can easily use the predefined types. But the ASPSP need not to accept them in general. * **We omit the definition of all standard HTTP header elements (mandatory/optional/conditional) except they are mentioned in the Implementation Guidelines.** Therefore the implementer might add these in his own realisation of a PSD2 comlient API in addition to the elements defined in this file. ## General Remarks on Data Types The Berlin Group definition of UTF-8 strings in context of the PSD2 API has to support at least the following characters a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #BOI-REMARK: The Hebrew alphabt must be supported as part of the character set א ב ג ד ה ו ז ח ט י כ ך ל מ ם נ ן ס ע פ ף צ ץ ק ר ש ת 0 1 2 3 4 5 6 7 8 9 / - ? : ( ) . , ' + Space

# Endpoints url discount sandbox https://mtls-api-nonprod.discountbank.co.il/devapi/cert discount prod https://mtls-api.discountbank.co.il/prod/d mercantile sandbox https://mtls-api-nonprod.mercantile.co.il/devapi/cert mercantile prod https://mtls-api.mercantile.co.il/prod/d # Summary The **NextGenPSD2** *Framework Version 1.3.11* offers a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and, aligned with the goals of the Euro Retail Payments Board, enables European banking customers to benefit from innovative products and services ('Banking as a Service') by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data. The possible Approaches are: * OAuth SCA Approach * Decoupled SCA Approach Not every message defined in this API definition is necessary for all approaches. Furthermore this API definition does not differ between methods which are mandatory, conditional, or optional. Therefore for a particular implementation of a Berlin Group PSD2 compliant API it is only necessary to support a certain subset of the methods defined in this API definition. **Please have a look at the implementation guidelines if you are not sure which message has to be used for the approach you are going to use.** ## Some General Remarks Related to this version of the OpenAPI Specification: * **This API definition is based on the Implementation Guidelines of the Berlin Group PSD2 API.** It is not a replacement in any sense. The main specification is (at the moment) always the Implementation Guidelines of the Berlin Group PSD2 API. * **This API definition contains the REST-API for requests from the PISP to the ASPSP.** * **This API definition contains the messages for all different approaches defined in the Implementation Guidelines.** * According to the OpenAPI-Specification [https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md] "If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored." The element "Accept" will not be defined in this file at any place. The elements "Content-Type" and "Authorization" are implicitly defined by the OpenApi tags "content" and "security". * There are several predefined types which might occur in payment initiation messages, but are not used in the standard JSON messages in the Implementation Guidelines. Therefore they are not used in the corresponding messages in this file either. We added them for the convenience of the user. If there is a payment product, which needs these fields, one can easily use the predefined types. But the ASPSP need not to accept them in general. * **We omit the definition of all standard HTTP header elements (mandatory/optional/conditional) except they are mentioned in the Implementation Guidelines.** Therefore the implementer might add these in his own realisation of a PSD2 comlient API in addition to the elements defined in this file. ## Not supported query parameters Read Account List: withBalance Read Account Details: withBalance Read Transaction List: entryReferenceFrom, deltaList, withBalance ## General Remarks on Data Types The Berlin Group definition of UTF-8 strings in context of the PSD2 API has to support at least the following characters a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #BOI-REMARK: The Hebrew alphabt must be supported as part of the character set א ב ג ד ה ו ז ח ט י כ ך ל מ ם נ ן ס ע פ ף צ ץ ק ר ש ת 0 1 2 3 4 5 6 7 8 9 / - ? : ( ) . , ' + Space

Contains Single cards data # Summary As before, specific card reconciliation accounts (called "card accounts" in [XS2A-IG]) can be addressed in a consent request by identifying the card account by its corresponding masked PAN. Please note that the card accounts are providing card information in an accumulated way. In addition, this specification adds to this consent model, that a masked PAN is addressing a single card. It is up to the ASPSP if this consent grants access - to the single card identified by the masked PAN, - the card account identified by the masked PAN or - both, delivering these information on the related endpoints /card-accounts or /cards. The ASPSP's respective decision must be documented by the ASPSP. Additionally, a card account or single cards can be addressed by an Account Access Object containing an identifier of the reconciliation account accompanied by the specification of the cashAccountType to Type "CARD" (see Section 6.3). A consent of this type will grant the respective access to both, - all cards reconciled through this account and - the related card account, if the ASPSP supports the corresponding endpoints at all. As a third / fourth way to establish a card specific consent, the TPP can request a bank-offered consent or a global consent but restricting the requested access to a certain cashAccountType - e.g. CARD. A consent of this type will grant the respective access to both - cards and - card accounts, if the ASPSP supports the related endpoints at all. BOI-REMARK: In the Israeli market there is no need in explicit consent for requesting account/card owner data.

Contains Single cards data # Endpoints url discount sandbox https://mtls-api-nonprod.discountbank.co.il/devapi/cert discount prod https://mtls-api.discountbank.co.il/prod/d mercantile sandbox https://mtls-api-nonprod.mercantile.co.il/devapi/cert mercantile prod https://mtls-api.mercantile.co.il/prod/d # Summary As before, specific card reconciliation accounts (called "card accounts" in [XS2A-IG]) can be addressed in a consent request by identifying the card account by its corresponding masked PAN. Please note that the card accounts are providing card information in an accumulated way. In addition, this specification adds to this consent model, that a masked PAN is addressing a single card. It is up to the ASPSP if this consent grants access - to the single card identified by the masked PAN, - the card account identified by the masked PAN or - both, delivering these information on the related endpoints /card-accounts or /cards. The ASPSP's respective decision must be documented by the ASPSP. Additionally, a card account or single cards can be addressed by an Account Access Object containing an identifier of the reconciliation account accompanied by the specification of the cashAccountType to Type "CARD" (see Section 6.3). A consent of this type will grant the respective access to both, - all cards reconciled through this account and - the related card account, if the ASPSP supports the corresponding endpoints at all. As a third / fourth way to establish a card specific consent, the TPP can request a bank-offered consent or a global consent but restricting the requested access to a certain cashAccountType - e.g. CARD. A consent of this type will grant the respective access to both - cards and - card accounts, if the ASPSP supports the related endpoints at all. BOI-REMARK: In the Israeli market there is no need in explicit consent for requesting account/card owner data. Not supported query parameters Read Card Balances: dateFrom Read Card Transaction List: dateFrom, dateTo, deltaList

# Endpoints url discount sandbox https://mtls-api-nonprod.discountbank.co.il/devapi/cert discount prod https://mtls-api.discountbank.co.il/prod/d mercantile sandbox https://mtls-api-nonprod.mercantile.co.il/devapi/cert mercantile prod https://mtls-api.mercantile.co.il/prod/d With the XS2A Specification [XS2A-IG], a standard for an XS2A Interface is defined for the core services defined by the PSD2.\nWith [oFA-IG-SecAIS] an extension of the NextGenPSD2 XS2A Specification [XS2A-IG]. It describes how the existing services for \naccount information can be extended to provide account information on securities accounts. Therefore, new endpoints are \ndefined in order to provide the information.This yaml file reflects the API definition given in [oFA-IG-SecAIS] and therefore \nprovides the (essentially) same information regarding the data definition in a machine readable form.\n **[XS2A-IG]** NextGenPSD2 XS2A Framework, Implementation Guidelines, The Berlin Group Joint Initiative on a PSD2 Compliant XS2A Interface, version 1.3.12, published 01 July 2022.\n **[oFA-IG-SecAIS]** openFinance API Framework Implementation Guidelines for Extended Services AIS for Securities Accounts\n Not supported query parameters Read Securities Accounts List: evaluationCurrency Read Securities Account Details: evaluationCurrency Read Securities Account Transaction List: entryReferenceFrom, deltaList

Access code flow. NO application scope check. PKCE secured. Token exchange mtls enforcement against x-Client-Certificate or TLS handshake. Access token live 1 week, can be refreshed up to 2600 times = 50 years

# Summary Like a (regular payment) account, specific savings accounts can be addressed in a consent request by identifying the account by its IBAN. In some cases, a savings / loan accountmight not be connected to any globally defined identifier. Therefore, the additional element "other" is used, which might be provided instead of or in addition to an IBAN thereby identifying the specific account, for which a consent is requested. Additionally, a savings account can be addressed by an Account Access Object containing an identifier of the savings account / loan account accompanied by the specification of the cashAccountType to Type "SVGS"/ "LOAN". A consent of this type will grant the access to the related savingsaccount/ loan account, if the ASPSP supports the corresponding endpoints at all. As a third / fourth way to establish a savings specific consent, the TPP can request a bank-offered consent or a global consent but restricting the requested access to a certain cashAccountType �e.g. "SVGS" or "LOAN". A consent of this type grant the access to accounts of only the related type (e.g. savings account/ loan account),if the ASPSP supports the corresponding endpoints at all.

# Endpoints url discount sandbox https://mtls-api-nonprod.discountbank.co.il/devapi/cert discount prod https://mtls-api.discountbank.co.il/prod/d mercantile sandbox https://mtls-api-nonprod.mercantile.co.il/devapi/cert mercantile prod https://mtls-api.discountbank.co.il/prod/d # Summary Like a (regular payment) account, specific savings accounts can be addressed in a consent request by identifying the account by its IBAN. In some cases, a savings / loan accountmight not be connected to any globally defined identifier. Therefore, the additional element "other" is used, which might be provided instead of or in addition to an IBAN thereby identifying the specific account, for which a consent is requested. Additionally, a savings account can be addressed by an Account Access Object containing an identifier of the savings account / loan account accompanied by the specification of the cashAccountType to Type "SVGS"/ "LOAN". A consent of this type will grant the access to the related savingsaccount/ loan account, if the ASPSP supports the corresponding endpoints at all. As a third / fourth way to establish a savings specific consent, the TPP can request a bank-offered consent or a global consent but restricting the requested access to a certain cashAccountType �e.g. "SVGS" or "LOAN". A consent of this type grant the access to accounts of only the related type (e.g. savings account/ loan account),if the ASPSP supports the corresponding endpoints at all.

# Summary

Serves as intermediary (1st redirect from OAuth2 API) which decides how to handle the request. Can redirect onto website to receive consent or can directly activate a grant and redirect back to OAuth2 API with grant. Can be used to revive data power tokens.

Brings back tokens from the dead

Used by TPP to inform the bank about changes in it's customers, which are also bank customers. For example if a customer leaves the TPP, the bank will remove existing grants by that customer to the TPP

Security validations done in TPP's security context (client secret and client certificate)

Used by TPP to inform the bank about changes in it's customers, which are also bank customers. For example if a customer leaves the TPP, the bank will remove existing grants by that customer to the TPP