The Association published the standards in Polish and in English
The Polish Bank Association (ZBP) has announced the publication of the Polish API documentation in two language versions, along with a public consultation report. ZBP vice president Włodzimierz Kiciński emphasizes that version 1.0 of the Polish API standard is fully compliant with European and Polish regulatory bodies’ requirements. - Besides, the standard is open and can be used by all interested parties. At the same time, it provides the highest level of security - he says.
Polish API is a solution which can allow third parties, such as fintech companies, to access their customers’ bank accounts. This possibility is ensured by the PSD II directive, which will soon be introduced to the Polish law. Polish API will provide two methods of verification of customers who will allow third parties to access their bank accounts. The first one is already known to many customers who use pay by link transfers. Fintech service users will be redirected to their bank's website, where they will enter the login and password to their account.
The second method introduced in the documentation is a novelty on the Polish market, but the mechanism has been used abroad. It would use authorization by an independent entity, such as the National Clearing House (KIR) or the operator for Blik, if all banks operating in Poland agree to use it. While using a given fintech's services, the customer would have to enter, for example, a one-time Blik code, confirming the authorization to access their account.
The Polish Bank Association's representatives underlined that they received around 300 suggestions from several dozen companies and institutions during the consultations for the Polish API project. Most of these suggestions were taken into account. A large part of them were in regard to the additional method of customer identity verification. The draft documentation presented in January included only one method - a redirect similar to pay by link transfers.
However, some suggestions were rejected. The most important ones included another customer identity verification method, in which the customer would enter the login and password to their bank account on the third party's website. Polish API creators decided this solution was not secure enough. A similar opinion was presented in the past by Polish supervisory bodies, such as the Financial Supervision Authority and the National Bank of Poland. The Polish Bank Association did not reveal who proposed the solution, but it is an open secret that the owners of Sofort have been pushing for it for a long time.
What will happen next? Włodzimierz Kiciński declares that the 2.0 version of Polish API will be published in mid 2018. It will include further suggestions and more precise regulatory requirements defined in the PSD II's RTS (regulatory technical standards). The Polish API standard may be extended to include additional customer identity verification methods and a corporate banking solution. Polish API 3.0 is set to be published in October. Banks should be able to make the API available to fintech companies for testing in mid March 2019.