Spar Konnekt - the Bank's XS2A API
Spar Konnekt is Sparkasse Bank Malta plc’s XS2A API required under PSD2. The API is derived from the Berlin Group’s NextGenPSD2 Framework, developed with the appropriate level of customisation to suit the Bank’s business model. The API provides all of the PSD2 XS2A core functionality in line with the service offering accessible via the Bank’s online banking platform in respect of:
- Payment Initiation Service (PIS);
- Confirmation of Funds Service; and
- Account Information Service (AIS).
The Bank is committed to handle its customers’ data safely and securely. The API has been developed to facilitate customers wishing to grant consent to Third Party Providers to access their data for use within various service offerings.
Spar Konnekt is available around the clock, with the exception of scheduled intervals where limited functionality is available due to system maintenance being carried out by the Bank. Customers are notified beforehand of such scheduled maintenance in a timely manner. Should there be any issues with unprocessed transactions, a member of the Bank’s team will inform customers accordingly.
That said the Bank only guarantees uptime of Spar Konnekt, Monday to Friday (excluding public holidays in Malta) from 8am to 5pm. Further information concerning Spar Konnekt, TPPs and other PSD2 elements is available in the FAQs section below.
A comprehensive technical outline of Spar Konnekt and how to connect to it, including access to the Bank's Sandbox test environment is available here.
In line with PSD2, the Bank has also published its API Availability Statistics available here.
AISPs, PISPs and CBPIIs interested in connecting to our API for testing purposes are kindly requested to contact the Software Integrations Department on firstname.lastname@example.org
Spar Konnekt FAQs
The Bank’s API was designed with the principle in mind that our customers shall have the same experience with the Bank whether they are being re-directed from a TPP (using the Bank’s API) or whether they are logging directly into the Bank’s online banking system. In fact, they access the same information and the authentication process works in the same way across the two different channels. Payment instructions, if received before 15:00 Malta time, are processed irrespective of the portal they pass through to arrive securely to the Bank. Bank balances are also displayed in the same manner across the two channels.
The Payment Services Directive (PSD2) regulates new market players known as Third Party Providers (TPPs). PSD2 identifies two types of TPPs: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). AISPs provide a consenting customer with an aggregated view of all the customer’s payment accounts held with different banks. PISPs are able to initiate a payment on behalf of a consenting customer from the customer’s payment account held with a particular bank. The key aspect is that, as a result of new developments under PSD2, customers may elect to give consent to a third party to either aggregate their balances held with various banks or may give consent to a third party to initiate payments on their behalf froma specific bank with which they hold an account.
Consent may be granted to service providers for (i) payment initiation and (ii) account information:
Giving consent to Payment Initiation Service Providers (PISPs):
The process starts within the system or website of a TPP, e.g. a checkout or payment process with an online merchant. The TPP will then forward customers to a special page within Sparkasse Bank Malta plc’s (“the Bank”) online banking system, where customers are required to log in using Spar Key (for more information on Spar Key, the Bank’s authentication application, please click here. After successful login, customers will be able to review all of the payment details along with information related to the TPP. Subsequently, the online banking system will give customers the choice to either approve or decline the payment request.
In instances where a customer has sufficient signature rights to solely and fully sign for the account, the payment will be processed as usual. Where the customer can only partially sign for the account, the payment instruction will be placed in the signature folder(s) of the other authorized signatories and will await their authentication.
Giving consent to Account Information Service Providers (AISPs):
The process starts within the online interface system of the TPP. The TPP will then forward customers to a special page within the Bank’s online banking system, where customers are required to login also using Spar Key. Following this step, the Bank’s online banking system will display which permissions the TPP has requested to be granted. Customers can then either approve or decline this request. This consent will remain in force until revoked, if ever, at a future date.
Important: Customers who currently require instructions to the Bank to be approved by multiple signatories need to make arrangements to set up a specific approval process to grant consent to AISPs.
Please also note that all pages related to PSD2 Common Secure Communication (CSC) will be available under the URL path https://sbm.services/banking/openbanking/. Any page reachable under a URL not starting with https://sbm.services is not related to Sparkasse Bank Malta plc’s online banking system.
Within the Bank’s online banking system it is possible to revoke consent that has been previously granted to TPPs. Customers may achieve this by logging into the Bank’s online banking system, navigating to the “Start” menu and clicking “AIS Consent Manager”. The “AIS Consent Manager” shows customers the consents granted to AISPs, in force at that time, and allows them to revoke consent with immediate effect.
Furthermore, customers are encouraged to visit the website of the specific TPP they wish to revoke access from and follow the consent revocation procedures, as and where applicable to that specific TPP.
Every TPP needs to be authorized by its national competent authority. Authorized TPPs will then be provided with a digital certificate (eIDAS) by a Qualified Trust Service Provider (QTSP). Any TPP which is able to present a valid, non-expired, and properly signed Digital Certificate will be able to request account access and submit payment initiation requests.
In line with prevailing regulatory guidance, the Bank verifies a TPP’s identity by verifying its Digital Certificate (eIDAS). Banks are not legally required to rely on any other means of verification, such as carrying out additional checks.
By way of clarification to all customers of the Bank, a TPP cannot access any customer’s personal or financial information or initiate payments as long as the customers themselves do not explicitly initiate and approve such an action. Customers’ authorization in this respect is paramount.
In the interest of security of the Bank’s customers and the Bank’s infrastructure, the Bank may perform regular checks on the TPPs that have been granted access by its customers. These checks, when performed, will not result in any obstacles to the customer’s continued use of services offered by TPPs.
By default the Bank will suspend access to a TPP if that TPP attempts to communicate with the Bank through the API with an invalid eIDAS certificate. Furthermore, at its discretion, the Bank may suspend access to a TPP in the following instances:
- Strong suspicion of fraud;
- Numerous instances of verified fraud originating from the same TPP;
- Negative press concerning the TPP; and
- Recurring Bank customer complaints concerning the quality of service received from the TPP in question.