Spar Konnekt


Spar Konnekt is Sparkasse Bank Malta plc’s XS2A API required under PSD2.

The API is derived from the Berlin Group’s NextGenPSD2 Framework, developed with the appropriate level of customisation to suit our business model.

Spar Konnekt was developed in-house and has been released for external testing.

The API provides all of the PSD2 XS2A core functionality in line with the service offering accessible via the Bank’s online banking platform in respect of:

  • Payment Initiation Service (PIS);
  • Confirmation of Funds Service; and
  • Account Information Service (AIS). 

The Bank is committed to handle its customers’ data safely and securely. The API has been developed to facilitate customers wishing to grant consent to Third Party Providers to access their data for use within various service offerings.

Spar Konnekt is available around the clock, with the exception of scheduled intervals where limited functionality is available due to system maintenance being carried out by the Bank. Customers are notified beforehand of such scheduled maintenance in a timely manner. Should there be any issues with unprocessed transactions, a member of the Bank’s team will keep you informed.

That said the Bank only guarantees uptime of Spar Konnekt, Monday to Friday (excluding public holidays in Malta) from 8am to 5pm.

A comprehensive technical outline of Spar Konnekt and how to connect to it, including access to the Bank's Sandbox test environment is available on the following URL: https://sparkonnekt-sandbox.sbm.services/doc/

In line with PSD2, the Bank has also published its API Availability Statistics available on the following URL: https://sparkonnekt-sandbox.sbm.services/psd2-statistics-ui/.

AISPs, PISPs and CBPIIs interested in connecting to our API for testing purposes are kindly requested to contact Mr. Neil Gambin – Manager Payments on:

Neil.Gambin(at)Sparkasse-Bank-Malta.com

FAQs

Q. Who are Third Party Providers (“TPPs”)?

A: The Payment Services Directive  (“PSD2”) regulates new market players known as Third Party Providers (TPPs). PSD2 identifies two types of TPPs: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). AISPs provide a consenting customer with an aggregated view of all the customer’s payment accounts held with different banks. PISPs are able to initiate a payment on behalf of a consenting customer from the customer’s payment account held with a particular bank. The key aspect is that, as a result of new developments under PSD2, customers may elect to give consent to a third party to either aggregate their balances held with various banks or may give consent to a third party to initiate  payments on their behalf from  a specific bank with which they hold an account.

Q. How do I give consent to a Third Party Provider (TPP) to access my information or initiate payments on behalf?

A: Consent may be granted to service providers for (i) payment initiation and (ii) account information:

Giving consent to Payment Initiation Service Providers (PISPs):

The process starts within the system or website of a TPP, e.g. a checkout or payment process with an online merchant. The TPP will then forward customers to a special page within Sparkasse Bank Malta plc’s (“the Bank”) online banking interface, where customers are required to login using Spar Key (For more information on Spar Key, the Bank’s authentication application, please visit: https://www.sparkasse-bank-malta.com/General/authapp). After successful login, customers will be able to review all of the payment’s details along with information related to the TPP. Subsequently, the interface will give customers the choice to either approve or decline the payment request.

In instances where a customers has sufficient signature rights to solely and fully sign for the underlying debit account, the payment will be processed as usual. Where the customer can only partially sign for the debit account being used, the payment instruction will be placed in the signature folder(s) of the other authorized signatories and will await their authentication.

Giving consent to Account Information Service Providers (AISPs):

The process starts within the system of online interface of the TPP. The TPP will then forward customers to a special page within the Bank’s online banking interface, where customers are required to login also using Spar Key. Following this step, the interface will display which permissions the TPP has requested to be granted. Customers can then either approve or decline this request. This consent will remain in force until revoked, if ever, at a future date. This consent will remain in force until revoked, if ever, at a future date.

Important: Customers who currently require instructions to the Bank to be approved by multiple signatories need to make arrangements to set up a specific approval process to grant consent to AISPs.

Please also note that all pages related to PSD2 Common Secure Communication (CSC) will be available under the URL path (https://sbm.services/banking/openbanking/). Any page reachable under a URL not starting with https://sbm.services is not related to Sparkasse Bank Malta plc’s online banking interface.

Q: How do I withdraw consent previously granted to a TPP?

A: Within the Bank’s online banking interface it is possible to revoke consent that has been previously granted to TPPs. Customers may achieve this by logging into the Bank’s online banking interface, navigating to the “Start” menu and clicking “AIS Consent Manager”. The “AIS Consent Manager” shows customers the consents granted to AISPs, in force at that time, and allows them to revoke consent with immediate effect.

Furthermore, customers are encouraged to visit the website of the specific TPP they wish to revoke access from and follow the consent revocation procedures, as and where applicable to that specific TPP.

Q: What checks are carried out by the Bank in relation to a TPP?

A: Every TPP needs to be authorized by its National Competent Authority. Authorized TPPs will then be provided with a Digital Certificate (eIDAS) by a Qualified Trust Service Provider (QTSP). Any TPP which is able to present a valid, non-expired, properly signed Digital Certificate will be able to request account access and submit payment initiation requests. 

In line with prevailing regulatory guidance, the Bank verifies a TPP’s identity by verifying its Digital Certificate eIDAS. Banks are not legally required to rely on any other means of verification, such as carrying out additional checks

By way of clarification to all customers of the Bank, a TPP cannot access any customer’s personal or financial information or initiate payments so long as the customers themselves do not explicitly initiate and approve such an action. Customers’ authorization in this respect is paramount.

In the interest of security of the Bank’s customers and its banking infrastructure, the Bank may perform regular checks on the TPPs that have been granted access by its customers. These checks, when performed, will not result in any obstacles to customer’s continued use of services offered by TPPs.

Q: When can the Bank suspend a TPP from accessing its Application Programme Interface (API) and customer information?

A: By default the Bank will suspend access to a TPP  if that TPP attempts to communicate with the Bank through the API with an invalid eIDAS certificate. Furthermore, at its discretion, the Bank may suspend access to a TPP in the following instances:

  • Strong suspicion of fraud;
  • Numerous instances of verified fraud originating from the same TPP;
  • Negative press concerning the TPP; and
  • Recurring Bank customer complaints concerning the quality of service received from the TPP in question.

Q: Does information accessed through Spar Konnekt have limitations?

A: The Bank’s API was designed with the principle that our customers shall have the same experience with the Bank whether they are being re-directed from a TPP (using the Bank’s API) or whether they are logging in directly onto the Bank’s online banking interface. In fact, they would be accessing the same information and the authentication process will work in the same way across the two different channels. Payment instructions will also be processed if received before 14:00 Malta time irrespective of the portal they pass through to arrive securely to the Bank. Bank balances are also displayed in the same manner across the two channels.

Sparkasse Bank Malta plc 101 Townsquare, Ix-Xatt ta' Qui-si-Sana, Sliema SLM3112, Malta
Tel: +356 21 335 705 / Fax: +356 21 335 710