Spar Konnekt - the Bank's XS2A API

Spar Konnekt is Sparkasse Bank Malta plc’s XS2A API required under PSD2. The API is derived from the Berlin Group’s NextGenPSD2 Framework, developed with the appropriate level of customisation to suit the Bank’s business model. The API provides all of the PSD2 XS2A core functionality in line with the service offering accessible via the Bank’s online banking platform in respect of:

  • Payment Initiation Service (PIS);
  • Confirmation of Funds Service; and
  • Account Information Service (AIS).


The Bank is committed to handling its customers’ data safely and securely. The API has been developed to facilitate customers wishing to grant consent to Third Party Providers to access their data for use within various service offerings.

Spar Konnekt is available around the clock, with the exception of scheduled intervals where limited functionality is available due to system maintenance being carried out by the Bank. Customers are notified beforehand of such scheduled maintenance in a timely manner. Should there be any issues with unprocessed transactions, a member of the Bank’s team will inform customers accordingly.

That said, the Bank only guarantees uptime of Spar Konnekt Monday to Friday (excluding public holidays in Malta) from 8am to 5pm. Further information concerning Spar Konnekt, TPPs and other PSD2 elements is available in the FAQs section below.

A comprehensive technical outline of Spar Konnekt and how to connect to it, including access to the Bank's Sandbox test environment, is available here.

In line with PSD2, the Bank has also published its API Availability Statistics available here.

AISPs, PISPs and CBPIIs interested in connecting to our API for testing purposes are kindly requested to contact the Software Integrations Department on spar.key@sparkasse-bank-malta.com.
    

Spar Konnekt FAQs

The Bank’s API was designed with the principle in mind that our customers shall have the same experience with the Bank whether they are being re-directed from a TPP (using the Bank’s API) or whether they are logging directly into the Bank’s online banking system. In fact, they access the same information and the authentication process works in the same way across the two different channels. Payment instructions, if received before 15:00 Malta time, are processed irrespective of the portal they pass through to arrive securely to the Bank. Bank balances are also displayed in the same manner across the two channels.

The Payment Services Directive (PSD2) regulates new market players known as Third Party Providers (TPPs). PSD2 identifies two types of TPPs: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). AISPs provide a consenting customer with an aggregated view of all the customer’s payment accounts held with different banks. PISPs are able to initiate a payment on behalf of a consenting customer from the customer’s payment account held with a particular bank. The key aspect is that, as a result of new developments under PSD2, customers may elect to give consent to a third party to either aggregate their balances held with various banks or may give consent to a third party to initiate payments on their behalf from a specific bank with which they hold an account.

Consent may be granted to service providers for (i) payment initiation and (ii) account information:

Giving consent to Payment Initiation Service Providers (PISPs):

The process starts within the system or website of a TPP, e.g. a checkout or payment process with an online merchant. The TPP will then forward customers to a special page within Sparkasse Bank Malta plc’s (“the Bank”) online banking system, where customers are required to log in using Spar Key (for more information on Spar Key, the Bank’s authentication application, please click here). After successful login, customers will be able to review all of the payment details along with information related to the TPP. Subsequently, the online banking system will give customers the choice to either approve or decline the payment request.

In instances where a customer has sufficient signature rights to solely and fully sign for the account, the payment will be processed as usual. Where the customer can only partially sign for the account, the payment instruction will be placed in the signature folder(s) of the other authorized signatories and will await their authentication.

Giving consent to Account Information Service Providers (AISPs):

The process starts within the online interface system of the TPP. The TPP will then forward customers to a special page within the Bank’s online banking system, where customers are required to log in, also using Spar Key. Following this step, the Bank’s online banking system will display which permissions the TPP has requested to be granted. Customers can then either approve or decline this request. This consent will remain in force until revoked, if ever, at a future date.

Important: Customers who currently require instructions to the Bank to be approved by multiple signatories need to make arrangements to set up a specific approval process to grant consent to AISPs.
Please also note that all pages related to PSD2 Common Secure Communication (CSC) will be available under the URL path https://sbm.services/banking/openbanking/. Any page reachable under a URL not starting with https://sbm.services is not related to Sparkasse Bank Malta plc’s online banking system.
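
The URL rule above, as an added example (not the Bank's code): a literal "starts with" comparison also accepts hosts that merely begin with the same characters, so the check below parses the URL and compares the whole origin. The function names and sample URLs are constructed for illustration; only the origin and path come from this page.

```javascript
// Added example: decide whether a URL belongs to the Bank's PSD2 pages.
// The two constants come from the page; function names are hypothetical.
const BANK_ORIGIN = "https://sbm.services";
const PSD2_PATH = "/banking/openbanking/";

// Literal reading of "starts with https://sbm.services": a plain string
// prefix test. Shown only for comparison with the parsed check below.
function naivePrefixCheck(raw) {
  return raw.startsWith(BANK_ORIGIN);
}

// Parse first, then compare scheme, host and port together as one origin.
function isBankUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // not an absolute, well-formed URL
  }
  // Text before "@" is userinfo, not the host; reject such URLs outright.
  if (url.username !== "" || url.password !== "") return false;
  return url.origin === BANK_ORIGIN;
}

// The parser resolves "." and ".." segments, so the path test sees the
// path the server would actually receive.
function isPsd2Page(raw) {
  return isBankUrl(raw) && new URL(raw).pathname.startsWith(PSD2_PATH);
}

// Constructed sample inputs (example.net is a reserved documentation domain).
const samples = [
  "https://sbm.services/banking/openbanking/consent",
  "https://sbm.services.example.net/banking/openbanking/",
  "https://sbm.services@example.net/banking/openbanking/",
  "http://sbm.services/banking/openbanking/",
  "https://sbm.services/banking/openbanking/../other",
];
function classify(list) {
  return list.map((u) => ({
    url: u, naive: naivePrefixCheck(u), bank: isBankUrl(u), psd2: isPsd2Page(u),
  }));
}
console.table(classify(samples));
```

Only the first sample passes all three checks; the second and third pass the prefix test but fail the origin comparison.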

Within the Bank’s online banking system it is possible to revoke consent that has been previously granted to TPPs. Customers may achieve this by logging into the Bank’s online banking system, navigating to the “Start” menu and clicking “AIS Consent Manager”. The “AIS Consent Manager” shows customers the consents granted to AISPs, in force at that time, and allows them to revoke consent with immediate effect.
Furthermore, customers are encouraged to visit the website of the specific TPP they wish to revoke access from and follow the consent revocation procedures, as and where applicable to that specific TPP.

Every TPP needs to be authorized by its national competent authority. Authorized TPPs will then be provided with a digital certificate (eIDAS) by a Qualified Trust Service Provider (QTSP). Any TPP which is able to present a valid, non-expired, and properly signed Digital Certificate will be able to request account access and submit payment initiation requests.
In line with prevailing regulatory guidance, the Bank verifies a TPP’s identity by verifying its Digital Certificate (eIDAS). Banks are not legally required to rely on any other means of verification, such as carrying out additional checks.
By way of clarification to all customers of the Bank, a TPP cannot access any customer’s personal or financial information or initiate payments as long as the customers themselves do not explicitly initiate and approve such an action. Customers’ authorization in this respect is paramount.
In the interest of security of the Bank’s customers and the Bank’s infrastructure, the Bank may perform regular checks on the TPPs that have been granted access by its customers. These checks, when performed, will not result in any obstacles to the customer’s continued use of services offered by TPPs.

By default the Bank will suspend access to a TPP if that TPP attempts to communicate with the Bank through the API with an invalid eIDAS certificate. Furthermore, at its discretion, the Bank may suspend access to a TPP in the following instances:

  • Strong suspicion of fraud;
  • Numerous instances of verified fraud originating from the same TPP;
  • Negative press concerning the TPP; and
  • Recurring Bank customer complaints concerning the quality of service received from the TPP in question.