References to "account request" to "account access consent"
References to "Financial Institution" to "API Provider"
Updated and standardised draft1-Steps to:
Step 1: Agree Account Access Consent
Step 2: Create Account Access Consent
Step 3: Authorise Consent
Step 4: Request Data
Step 5: Retrieve Status (consistency for all specifications)
Step 3: Authorise Consent includes alternative flows for:
In a redirection flow
In a decoupled flow
Updated draft1-ConsentAuthorisation to reference authorization code flow can either be redirect or decoupled
Updated section heading "Changes to Selected Account(s)" to draft1-ConsentUpdates and clarified that:
"An API Provider must not allow a Customer to update the parameters of an account-access-consent."
"The Customer must select the accounts to which the consent is linked at the point of consent authorisation." from "The Customer must select the accounts to which the consent should be applied at the point of consent authorisation."
Updated language in draft1-TransactionTo/FromDateTime to clarify "The API Provider must restrict access..." instead of "The Third Party must be restricted to..."
Additions:
Data Model and Usage Examples added to draft1-DocumentStructure
draft1-ReleaseManagement section for accessing Account Information APIs - taken from OBIE v3.1.2 but reworded for clarity
draft1-AccountInformationResources section to describe sub-page content
Added guidance (per OBIE v3.1.2) to draft1-Permissions to clarify that "While it is duplication for a Third Party to request a "Basic" permission code and the corresponding "Detail" permission code, it is not a malformed request, and the API Provider must not reject the request solely on the basis of duplication."
Guidance in draft1-DetailPermissions that "The ReadStatementsDetail is required to access the statement file download via: /accounts/{AccountId}/statements/{StatementId}/file"
draft1-ConsentRe-authentication (to align with OBIE v3.1.2)
Removed:
References to "v1.0"
"Accounts other than domestic retail Bank accounts." in draft1-OutofScope as scope of accounts has not been agreed.
References in draft1-Scope to "it is not clear from a Legal perspective how the changing of these details over time.." as no longer relevant.
"Handling Expired Account-Requests" as duplicated
Errata:
Updated references in table for Transaction permissions for completeness to to include access to /accounts/{AccountId}/statements/{StatementId}/transactions
In the Steps for the decoupled-flow updated “API Provider may make a callback to the Third Party to provide an access token” to “API Provider may make a callback to the Third Party to notify them of successful authorisation.“
Updating references to “resources” to clarify language
Updated references to “account-requests”
In the Steps section updated “The API Provider chooses either the redirection flow or a decoupled flow” to “The Third Party chooses either the redirection flow or a decoupled flow”
Removed guidance on Expiration Date Time that “If no ExpirationDateTime is provided, the API Provider will determine the validity period of the accounts request.” as this is inconsistent with consent being immutable
Reference to “account-request”
...
The Account Information API provides the ability for Third Parties to access a Customer's account information for NZ Bank accounts. While this version of the API specification only allows access to NZ BECS identifiable accounts, the API specification is silent on what account types must be accessible.
