FAQs about the API standards

On this page you'll find a list of frequently asked questions about the API standards.

Use the search bar to find references to a specific issue or area of interest, or the table of contents for a full list of answered questions.


Who is involved in developing the API standards?

The API standards were developed primarily by two working groups: the API Technical Working Group and the API Business Working Group. All Standards Users can contribute to and participate in these working groups. Each group generally meets fortnightly, on alternating weeks. You can see who the API Provider and Third Party Standards Users are on the API Centre public website.

The API standards documentation on Confluence, and the Swagger documentation on GitHub, are developed iteratively against an agreed scope for each version of the API standards. Once final drafts are ready, the working group holds longer working sessions to walk through the draft standards. This ensures that the final API standard aligns with the agreed scope, accurately reflects the group's previous discussions and agreements, and holds together as a whole.

The Business Working Group makes scoping decisions on non-technical issues that arise during development, assesses the risks and scope of the standards, and generally supports the API Centre in running the API standards development process.

What does the security profile do?

The ‘NZ Banking Data Security Profile’ sets out how Third Parties connect securely to an API Provider, and supports each version of the API standards.

It is based on the OpenID Foundation's FAPI Read and Write security profile and applies that specification to the New Zealand market context. It defines the requirements an API Provider must meet to make its APIs available safely and for Third Parties to connect to them, and it applies to both the Payment Initiation and Account Information API specifications. The security profile:

  • Aligns with the UK’s upstream OBIE standards.

  • Aligns with Australian direction being taken under their open data programme.

  • Aligns with generally accepted API security best practice and global standards.

The security profile is reviewed and updated with every standards version release, so that it remains current and can support any new functions introduced in that version.

What international standards do the New Zealand API Standards leverage?

The standard draws extensively from international standards and global best practices, notably:

  • The UK’s Open Banking Payments Initiation and Account Information API standards.

  • OpenID’s Financial-grade API Client Initiated Backchannel Authentication Profile.

  • OpenID’s Financial-grade API Read and Write API Security Profile.

  • JSON (a lightweight data-interchange format).

  • OAuth 2.0 (an open standard for delegated access: a user grants a website or application access to their data held by another service without sharing their password with it).

  • REST (a style of API architecture).

  • ISO 20022 (messaging semantics for financial information).
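The security profile described above rests on FAPI Read and Write, which in turn builds on OAuth 2.0 and OpenID Connect. As an added illustration of what that means for a Third Party in practice (this is example code written for this page, not code from the API Centre, the standards or any API Provider): the hybrid flow that FAPI Read and Write prescribes (response_type=code id_token, unless JARM is used) returns an ID token next to the authorization code, and the OpenID Connect c_hash and s_hash claims bind that code and the client's state to the signed token. The Python below performs the checks a Third Party must complete before it redeems the code: state match, PS256/ES256 algorithm allow-list, issuer, audience, expiry and nonce, then the c_hash and s_hash comparisons. Verifying a real PS256/ES256 signature needs a JOSE library and the API Provider's JWKS, so signature verification is a caller-supplied callback; the demo stands it in with an HMAC tag under a constructed key. The issuer URL, client ID, state, nonce, code and claim values are all constructed for the example, not taken from the standards.

```python
import base64
import hashlib
import hmac
import json
import time

# FAPI 1.0 Read and Write (Advanced) permits only these JWS algorithms.
FAPI_RW_ALGS = {"PS256", "ES256"}


class FapiValidationError(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def oidc_half_hash(value: str) -> str:
    """OIDC Core c_hash / s_hash for a 256-bit alg: base64url of the
    left-most 128 bits of SHA-256 over the ASCII octets of the value."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url_encode(digest[:16])


def validate_hybrid_response(response, expected, verify_signature):
    """Check a 'code id_token' redirect before the code is redeemed.
    response: code, state, id_token taken from the redirect.
    expected: state, nonce, client_id, issuer this client sent / expects.
    verify_signature(header, signing_input, signature) -> bool is the
    caller's JOSE verification against the API Provider's JWKS.
    Returns the ID token claims or raises FapiValidationError."""
    for name in ("code", "state", "id_token"):
        if name not in response:
            raise FapiValidationError(f"missing {name} in authorization response")
    if response["state"] != expected["state"]:
        raise FapiValidationError("state does not match the value sent in the request")
    try:
        h_b64, p_b64, sig_b64 = response["id_token"].split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:  # json.JSONDecodeError and binascii.Error are ValueErrors
        raise FapiValidationError(f"malformed id_token: {exc}")
    # Algorithm allow-list first: 'none' and RS256 are rejected before any crypto runs.
    if header.get("alg") not in FAPI_RW_ALGS:
        raise FapiValidationError(f"id_token alg {header.get('alg')!r} not permitted")
    if not verify_signature(header, f"{h_b64}.{p_b64}".encode("ascii"), b64url_decode(sig_b64)):
        raise FapiValidationError("id_token signature invalid")
    aud = claims.get("aud")
    if claims.get("iss") != expected["issuer"]:
        raise FapiValidationError("unexpected issuer")
    if expected["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise FapiValidationError("id_token not issued to this client")
    if claims.get("exp", 0) <= int(time.time()):
        raise FapiValidationError("id_token expired")
    if claims.get("nonce") != expected["nonce"]:
        raise FapiValidationError("nonce mismatch (possible replay)")
    # Detached-signature checks: the signed token must vouch for exactly this
    # code and this state, so a code swapped into the browser redirect fails.
    if claims.get("c_hash") != oidc_half_hash(response["code"]):
        raise FapiValidationError("c_hash mismatch: code was not issued with this id_token")
    if claims.get("s_hash") != oidc_half_hash(response["state"]):
        raise FapiValidationError("s_hash mismatch: state not bound to this id_token")
    return claims


# Constructed demo: an HMAC tag stands in for the PS256/ES256 signature a
# real API Provider would produce with its private key.
DEMO_KEY = b"demo-only-key"


def demo_sign(header, claims):
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(DEMO_KEY, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(tag)}"


def demo_verify(header, signing_input, signature):
    return hmac.compare_digest(hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest(), signature)


def build_demo_case(tamper=None):
    """Constructed authorization response; 'tamper' selects an attacker change."""
    expected = {"state": "st-8f3a", "nonce": "n-51c2", "client_id": "tpp-example",
                "issuer": "https://provider.example/oidc"}
    code, now = "AUTH-CODE-1", int(time.time())
    claims = {"iss": expected["issuer"], "aud": expected["client_id"], "sub": "cust-42",
              "iat": now, "exp": now + 300, "nonce": expected["nonce"],
              "c_hash": oidc_half_hash(code), "s_hash": oidc_half_hash(expected["state"])}
    header = {"alg": "none" if tamper == "alg_none" else "PS256", "typ": "JWT"}
    response = {"code": code, "state": expected["state"], "id_token": demo_sign(header, claims)}
    if tamper == "code":
        response["code"] = "ATTACKER-CODE"  # code injected into the redirect
    elif tamper == "state":
        response["state"] = "st-forged"  # forged callback, CSRF-style
    return response, expected


if __name__ == "__main__":
    for mode in (None, "code", "state", "alg_none"):
        resp, exp = build_demo_case(mode)
        try:
            print(mode, "-> accepted, sub =", validate_hybrid_response(resp, exp, demo_verify)["sub"])
        except FapiValidationError as err:
            print(mode, "-> rejected:", err)
```

The order of the checks matters: the algorithm allow-list runs before the signature callback so that an `alg: none` or RS256 token is never handed to the verifier, and the c_hash check is what stops an authorization code that was lifted from another user's redirect from being exchanged for that user's account data.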

What technical improvements have been made to the API standards?

Every version of the standard is published with detailed documentation alongside the specifications; read it together with the relevant version change log for a full summary of the key functional changes and improvements in that version.

These explainers and support materials can be found below:

What functionality is supported?

Functionality in the API standard is exposed through static endpoint URLs; a developer enables a specific function by implementing the endpoints the specification defines for it.

  • The Account Information API has 24 defined endpoints, enabling access to 11 functions; further detail is in the Account Information API Specifications.

  • The Payments Initiation API has 8 defined endpoints, enabling both domestic single payments and enduring payment consents; further detail is in the Payments Initiation API Specifications.

What are mandatory and optional endpoints?

What methods of customer authentication are supported?

What error responses have been defined?