Guidelines for finAPI Access PSD2 Migration to XS2A interface
This section provides an overview of the actions that have to be taken for the migration. The intended audience is (BaFin/FMA) registered TPPs as well as finAPI customers using the finAPI PSD2 license (web form).
On , the EBA RTS related to PSD2 become effective and the following requirements have to be fulfilled by finAPI Access:
Payment accounts in general must only be accessed through dedicated ASPSP interfaces (APIs) that fulfill the requirements of EBA
In case an ASPSP does not provide an API that fulfills EBA requirements, TPPs like finAPI must use the Fallback according to EBA requirements.
BaFin has granted an exception that for 6 weeks after Sept. 14 the continued usage of FinTS interfaces will not be penalized by BaFin
For Austria, FMA has not granted an exception. So either PSD2 APIs or EBA fallbacks have to be used and if neither of them is available, the existing interface must be switched off until either one of them is available.
For Czech Republic and Slovakia no exception is known to finAPI.
Call to action for finAPI customers
All finAPI customers must migrate to XS2A interfaces before the deadline given by the National Financial Supervisory Authorities (BaFin, FMA). This migration must be actively performed by finAPI customers by using new finAPI services.
Migration principle overview
Since mid September, finAPI Access provides the means to migrate to new XS2A interfaces. The migration of a bank connection can be performed by executing one simple new service call to connect a new XS2A interface to an existing bank connection. This way, existing data is kept and can be updated through new XS2A interfaces. finAPI customers can choose for themselves when they want to perform the migration for which (group) of their customers. Legacy interfaces and XS2A interfaces can be used in parallel in separate bank connections until BaFin ends the exemption period.
Due to the insufficient completion status of XS2A bank interfaces on the bank side, BaFin has granted an extended an ongoing period of allowed legacy interface usage (FinTS, Webscraping). In return, each market participant had to submit a migration schedule. The current finAPI migration schedule can be seen on this page: finAPI Access PSD2 Migration Plan.
All German finAPI customers have to fit their migration plans into the finAPI migration plan reconciled with BaFin, meaning the customer migration has to be completed at least until the migration deadlines in the finAPI migration schedule.
TPPs vs. unregulated Web Form customers
Concerning the XS2A migration, special requirements apply to TPPs that have an AIS/PIS licence from the National Financial Services Supervisory Authority. TPPs have to authenticate themselves with their proper TPP authentication means towards the ASPSP. At the very least this means, TPPs have to use their own eIDAS certificates for authentication. In addition, some ASPSPs require a TPP authentication, meaning TPPs have to register themselves with each ASPSP. For more details about this requirement and how it is supported in finAPI Access PSD2, see Licensed vs. Unlicensed.
Unregulated Web Form customers can use the builtin finAPI eIDAS certificate and TPP credentials. No additional activities are required.
Detailed technical migration documentation
For detailed technical migration documentation, please refer to: