Overview of the v3.0 standard

Purpose

This page provides a high-level overview of the scope of changes included in version 3.0 of the API Centre API Specifications. It is a non-technical explainer of the changes made in this version of the API Standards. More detailed information about the changes can be found in the change logs at the top of each of the API specification pages.

High level scope

The scope and main purpose of v3.0 of the API Standards is to:

  • Deliver the first brand-new API specification, the Event Notification API, since the Centre launched in 2019;

  • Provide major upgrades to the security profile that build on international best practice and standards; and,

  • Decouple the security standards from the functional specifications, allowing independent version management and enabling quicker upgrades to the specs in response to changes to the security landscape and international standards.

Description of standard

The scope of v3.0 was initially discussed in May 2020. This standard follows the completion of the 2.x series, where effort had been on elements that will improve the value and uptake of already published standards rather than introducing entirely new functionalities. With the publication of v2.3 in June 2022, the v2.x series was complete, setting the foundations of data sharing and payment initiation for Open Banking in Aotearoa.

Throughout the development of the v2.x standards and consultation on the standards pipeline for v3.0 scope, a strong theme emerged around the API Centre focusing standards development efforts on elements that will improve the value and ultimate uptake of published standards functions rather than introducing entirely new functionalities, i.e. refunds or batch/bulk payments.

There are no functional changes to either of the existing Payment Initiation or Account Information APIs, only corrections or clarifications to the specifications themselves. Details of these changes can be found on the relevant specification version change logs.

Event notification API

The industry agreed through consultation that a key building block towards scale of the existing Payment Initiation and Account Information APIs would be the introduction of a mechanism by which an API Provider could inform a Third Party of a change to a designated resource. This function has been introduced in v3.0 as the new ‘Event notification API’. It is the first new API standard that has been published since the API Centre’s launch in 2019.

In v3.0 a Third Party can subscribe to receive notifications as and when the status of a Customer’s consent changes. However, this underlying event notification functionality has the potential for expansion in future standards releases to support a wider range of innovative payments and account information services. The v3.0 event notification API also allows API Providers to develop custom event notifications.

API Providers using version 3.0 must allow Third Parties to establish subscriptions to be notified of changes to consents. Establishing a subscription is optional for Third Parties, but if they choose to subscribe they must provide an endpoint as defined in the standard. This marks the first time in our API standards that Third Parties have been required to supply an endpoint to enable a function.

Security profile

In addition to this, Standards Users highlighted that the security landscape has significantly changed since the publication of the last major version v2.0 in September 2020. A significant focus for v3.0 therefore was on ensuring the security standards were up to date, leveraging the most recent international security standards and aligning with OpenID’s FAPI 1.0 published in 2021.

Major changes were also made to the overall usability, format and structure of the security specifications themselves, with previously illustrative examples now able to be validated in testing environments, enabling faster and more efficient implementation of security standards.

Further feedback received on the security standards also centered around the need for the API Centre to enable faster updates and upgrades to security standards as new threats to the safety of the ecosystem arise and as best practice standards are updated in the future. We have therefore updated our standards management policy, effectively ‘decoupling’ the security standards from the functional standards from v3.0 onwards.