Information on the access of new payment service providers to payment accounts maintained at banks

Published: 18/10/2019

The Payment Services Directive (PSD2) came into effect in early 2018 and was transposed into the Croatian legislation by the Payment System Act in July 2018. Several provisions of this Directive and related regulatory technical standards contained in Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the RTS Regulation) have been applied in Member States since 14 September 2019. The RTS Regulation defines, inter alia, secure standards of communication between payment service providers and contains provisions on open banking, i.e., on enabling new payment service providers – third party providers (TTP) to access clients’ accounts opened at banks. In order for new services to be provided in a safe environment, payment service providers had to establish common and secure open standards for communication in accordance with the RTS Regulation.

Changes that banks had to make in their information systems include setting up access interfaces enabling identification and secure access to clients’ accounts to payment initiation service providers (PISP) and account information service providers (AISP). Access to payment accounts can be offered by means of a special, dedicated interface – application programming interface (API) – or by modifying the interface used by bank clients for direct, online access to their payment accounts (internet and mobile banking).

A specification was made at the level of the Croatian banking association for a single standardised interface in order to ensure a single model for third party access to clients’ payment accounts opened at banks. On the date of application of the RTS Regulation, 14 September 2019, all banks in the Republic of Croatia adjusted their third party access interfaces either by means of dedicated API interfaces or by modified client interfaces. The communication of banks and third parties is in both cases secured by qualified electronic certificates (eIDAS) so that banks at all times know who is accessing their interfaces (a client or a TTP on behalf of a client).

Banks that had opted for third party access through dedicated API interfaces were exempted by the Croatian National Bank from having to provide fallback/contingency mechanisms, based on submitted applications and their fulfilling the conditions prescribed by the RTS and the Guidelines on the conditions to benefit from an exemption from the contingency mechanism. All banks have both the production and test environments, clearly defined access and problem resolution procedures as well as technical specification and documentation made available to third parties published on their websites. Listed below are banks in the Republic of Croatia separated according to their choice of third party interfaces.

Banks that set up dedicated API interfaces and were exempted from having to set up fallback mechanisms:

  1. Addiko Bank d.d., Zagreb
  2. Agram banka d.d., Zagreb
  3. Erste&Steiermärkische Bank d.d., Rijeka
  4. Hrvatska poštanska banka, dioničko društvo, Zagreb
  5. Istarska kreditna banka Umag d.d., Umag
  6. Karlovačka banka d.d., Karlovac
  7. OTP banka Hrvatska dioničko društvo, Split
  8. Partner banka d.d., Zagreb
  9. Podravska banka d.d., Koprivnica
  10. Privredna banka Zagreb d.d., Zagreb
  11. Raiffeisenbank Austria d.d., Zagreb
  12. Samoborska banka d.d., Samobor
  13. Sberbank d.d., Zagreb
  14. Slatinska banka d.d., Slatina
  15. Zagrebačka banka d.d., Zagreb

Banks that set up modified client interfaces:

  1. Banka Kovanica d.d., Varaždin
  2. Croatia banka d.d., Zagreb
  3. Imex banka d.d., Split
  4. J&T banka d.d., Varaždin
  5. KentBank d.d., Zagreb

The Croatian National Bank does not intend to allow screen scraping during the access of third parties to clients’ accounts maintained at banks that set up dedicated API interfaces and were exempted from having to set up fallback mechanisms.