Frequently asked questions

On this page you will find a compiled list of frequently asked questions. The list will be updated as we receive feedback and queries regarding the standards and the API Centre's work to date.

Who was involved in developing the standard(s)?

All Standards Users can contribute to the Working Groups. You can see who the API Provider and Third Party Standards Users are on the API Centre public website.

The Working Group's main focus during this period was the development of the standards: ensuring the final standard aligned with the Group's expectations, accurately reflected the Group's previous discussions, and held together as a whole.

Non-technical standards conceptual design issues were put to the Business Working Group for direction.

What does the Security Profile do?

The API Centre Security Profile sets out “how” Third Parties connect securely to an API Provider.

The "NZ Banking Data Security Profile" is based on the OpenID Foundation's FAPI Read+Write specification and applies that standard to the NZ market context. It defines the requirements for how API Providers safely make APIs available and connect with Third Parties, and it applies to both the Payment Initiation and Account Information API specifications. The Security Profile:

  • Aligns with the U.K.’s upstream OBIE Standards.

  • Aligns with Australian direction being taken under their ‘open data’ programme.

  • Aligns with general API security best practices and global standards.

Key changes made to the v2.0 Security profile (compared to v1.0) include:

  • Adding the decoupled authentication flow (FAPI CIBA profile) to accompany the redirect authentication flow

  • Reducing existing optional elements where applicable to simplify implementations and enhance security

  • Additional guidance for clarity

  • Simplifying and restructuring the content of the Security Profile document

What international standards do your standards leverage?

The Standard draws extensively from international standards and global best practices, notably:

  • The U.K.’s Open Banking Implementation Entity’s v3.0 Payments Initiation and Account Information API standard

  • OpenID’s Financial-grade API Client Initiated Backchannel Authentication Profile

  • OpenID’s Financial-grade API Read and Write API Security Profile

  • JSON (a lightweight data-interchange format)

  • OAuth (an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords).

  • RESTful APIs (APIs that use HTTP requests to GET, PUT, POST and DELETE data)

  • ISO 20022 (a messaging and data format for financial information)

What improvements have been made to the v2.0 standard?

The v2.0 Standard has also delivered a range of smaller improvements and enhancements. The v2.0 Standard contains a detailed 'version control' log of all changes made compared to v1.0. A summary of the key general improvements and enhancements includes:

  • Structural improvements and clarifications to the Standard.

  • Release management guidance on what is available across different versions of the standard.

  • More clarity on refresh tokens for long-lived consent.

  • Re-naming consent resources for clarity (from payments to payment-consents; from account-requests to account-access-consents; and from payment-submissions to payments).

  • Addition of minimum certificate security standards

  • Detailed error codes so the API providers can provide useful information back to the Third Party in failure scenarios.

  • Updated Data Model and Usage Examples added to help explain the standard.