PSD2
Overview
Sparebanken Norge and Bulder Bank offers PSD2 services by use of our PSD2 APIs based on the Berlin Group NextGenPSD2 standard, as a dedicated PSD2 interface for all TPPs. Note that Sparebanken Norge is operating on two separate PSD2 interfaces until the technical merger of Sparebanken Vest and Sparebanken Sør is completed as planned in Q4 2026:
-
Sparebanken Norge (Sør) (former Sparebanken Sør) is operating on Tieto Evry Open Banking Portal https://openbanking.sor.no/developer/
-
Sparebanken Norge (former Sparebanken Vest) and Bulder Bank offers PSD2 services by use of PSD2 APIs https://developer.spvapi.no/documentation/psd2/ based on the Berlin Group NextGenPSD2 standard, as a dedicated PSD2 interface for all TPPs.
One common PSD2 interface is currently planned in Q4 2026. We will inform all TPPs well ahead of the technical merger into one common interface.
Sparebanken Norge and Bulder Bank’s dedicated interfaces (APIs) are continously being developed. We strive to provide interfaces that suits the use cases of all our TPPs, enabling good customer experiences for our common customers.
Please see TPP requirements for accessing APIs below.
Important notice to TPPs using our ordinary interfaces: During the early development of our PSD2 APIs in 2019-2020 as our dedicated PSD2 interface, some TPPs connected to our ordinary interfaces as the only (or primary) interface of their PSD2 services. We strongly advice all TPPs using our ordinary interfaces as the only (or primary) interface for their PSD2 services, to start the transition to our dedicated interface in our PSD2 APIs as the primary interface of their PSD2 services. Sparebanken Norge and Bulder Bank will offer PSD2 services by use of our PSD2 APIs as a dedicated PSD2 interface for all TPPs.
TPP Requirements for PSD2 APIs
In order to authenticate towards Sparebanken Norge and Bulder Banks PSD2 APIs in production, the TPP must:
- Be in possession of one or more valid, qualified QWAC eIDAS certificates in accordance with ETSI TS 119 495
- Use a QWAC certificate to establish mutually authenticated TLS connections (mTLS)
- Support at least TLS 1.2, and strong cipher suites (subject to continuous change)
Subscribe to updates at our status page
Information about ongoing incidents, planned maintenance and change announcements will be published on our statuspage. We recommend that you subscribe to these updates to stay informed.
Account Information Services (AIS)
With these services you will be able to retrieve balances and transactions from your end users’ account. Read about our account information services here
The difference between the two endpoints is mainly the SCA solution and each endpoint uses each bank’s respective SCA solution.
Endpoint for dedicated interface Sparebanken Norge: https://psd2.spvapi.no
Endpoint for dedicated interface Bulder Bank: https://psd2-bulder.spvapi.no
Request Limits
The header PSU-IP-Address must be present when a PSU is requesting information. PSU-IP-Address shall be the IP address of the device used by the PSU to access the TPP service. If the TPP wants to make a request without a PSU present, the PSU-IP-Address header shall not be set.
There are cases where a TPP can make requests without the PSU-IP-Address that does not generally require SCA. However, some restrictions apply:
-
GET /v1/accounts is limited to
- No more than 4 calls per 24-hour period
- Accounts for which the PSU has given consent to access
-
GET /v1/accounts/
{accountId}/balances is limited to- No more than 4 calls per 24-hour period
- Accounts for which the PSU has given consent to access
-
GET /v1/accounts/
{accountId}/transactions is limited to- No more than 4 calls per 24-hour period
- Transactions no more than 90 days old
Payment Initiation Services (PIS)
These services allows end users to initiate payments from their accounts at Sparebanken Norge. The service will ask for a strong customer authentication as long as no exemption is applied. Read about our payment initiation services here
The difference between the two endpoints is mainly the SCA solution and each endpoint uses each bank’s respective SCA solution.
Endpoint for dedicated interface Sparebanken Norge: https://psd2.spvapi.no
Endpoint for dedicated interface Bulder Bank: https://psd2-bulder.spvapi.no
Status Codes
Non-final payment status codes are updated asynchronously, which is why you need to poll for status updates after payment user approval. Different payment products have different statuses, and SCA exemptions may result in instantly completed payments. See XS2A Framework Implementation Guidelines, Sections 14.12 and 14.13 for details on the payment statuses.
Status Codes Description
| Code | Name | ISO 20022 Definition | Instruction |
|---|---|---|---|
| ACSC | AcceptedSettlementCompleted | Settlement on the debtor’s account has been completed. | No need for further polling |
| ACCC | AcceptedCreditSettlementCompleted | Settlement on the creditor’s account has been completed. | No need for further polling |
| ACCP | AcceptedCustomerProfile | The preceding technical validation and customer profile checks have been successful. | Not in use |
| ACSP | AcceptedSettlementInProcess | All preceding checks, such as technical validation and customer profile were successful and payment initiation has been accepted for execution. | Consider polling |
| ACTC | AcceptedTechnicalValidation | Authentication and syntactical and semantical validations have been successful. | No need for further polling |
| ACWC | AcceptedWithChange | The instruction has been accepted but a change will be made, such as date or remittance not sent. | No need for further polling |
| ACWP | AcceptedWithoutPosting | The payment instruction included in the credit transfer has been accepted without being posted to the creditor customer’s account. | No need for further polling |
| ACFC | AcceptedFundsChecked | The preceding check of technical validation and customer profile have been successful and the automatic funds check was positive. | Not in use |
| RCVD | Received | Payment initiation has been received by the bank. | Continue polling |
| PART | PartiallyAccepted | A number of transactions have been accepted, but some transactions have not yet achieved ‘accepted’ status. This code may be used only in case of bulk payments. It is only used in a situation where all mandated authorisations have been applied, but some payments have been rejected. | Continue polling |
| PATC | PartiallyAcceptedTechnicalCorrect | The payment initiation needs multiple authentications, where some but not yet all have been performed. Syntactical and semantical validations have been successful. | Continue polling |
| PDNG | Pending | The payment initiation or individual transaction included in the payment initiation is pending. Further checks and a status update will be performed. | Continue polling |
| RJCT | Rejected | Payment initiation or an individual transaction included in the payment initiation has been rejected. | No need for further polling |
| CANC | Cancelled | Payment initiation has been cancelled before execution | No need for further polling |
Payment Status Transitions
These are the status transitions that you most commonly will see, and which it makes sense to act upon as a TPP. Note that RJCT is not part of these flows as it can happen at any time before ACSC, and should thus be handled generally as an error.
Normal payment
In general, payments should be expected to follow this state flow.
| Step | Code | Next Action | Updatable | Comment |
|---|---|---|---|---|
| 1 | RCVD | Start authorisation | Yes | Authorize if startAuthorisation link is present |
| 2 | ACSP or PDNG | Poll until next status | Yes (ACSP) / N (PDNG) | PDNG if due date is current date |
| 3 | ACSC | N/A | No | Payment is completed |
Payment with instant completion
Some payments get completed instantly which means polling for status is irrelevant.
| Step | Code | Next Action | Updatable | Comment |
|---|---|---|---|---|
| 1 | RCVD | Start authorisation | Yes | Authorize if startAuthorisation link is present |
| 2 | ACSC | N/A | No | Payment is completed |
Payment with SCA Exemption
| Step | Code | Next Action | Updatable | Comment |
|---|---|---|---|---|
| 1 | ACSP or PDNG | Poll until next status | Yes (ACSP) / No (PDNG) | PDNG if due date is current date |
| 2 | ACSC | N/A | No | Payment is completed |
Payment without posting to creditor’s account
| Step | Code | Next Action | Updatable | Comment |
|---|---|---|---|---|
| 1 | RCVD | Start authorisation | Yes | Authorize if startAuthorisation link is present |
| 2 | ACWP | N/A | No | Payment is completed |
Payment with multiple signatures required
| Step | Code | Next Action | Updatable | Comment |
|---|---|---|---|---|
| 1 | RCVD | Start authorisation | Yes | Authorize if startAuthorisation link is present |
| 2 | PATC | Start authorisation again for next PSU | Yes | |
| 3 | ACSP | Poll until next status | Yes | |
| 4 | ACSC | N/A | No | Payment is completed |
Periodic payment
| Step | Code | Next Action | Updatable | Comment |
|---|---|---|---|---|
| 1 | RCVD | Start authorisation | Yes | Authorize if startAuthorisation link is present |
| 2 | ACSP | N/A | Yes |
Cancel Payment Before Payment Authorisation
| Step | Code | Next Action | Updatable | Comment |
|---|---|---|---|---|
| 1 | RCVD | Delete | Yes | |
| 2 | CANC | N/A | No | Payment is cancelled |
Error Codes and Responses
The XS2A Framework Implementation Guidelines describes the error codes and responses that are used in the Berlin Group NextGenPSD2 standard. The error codes are described in detail in the Berlin Group NextGenPSD2 documentation. Those lists can be found below where “Message Code” is the value of the code field in the API response.
Service Unspecific Error Codes
| Message Code | HTTP Response Code | Description |
|---|---|---|
| CERTIFICATE_INVALID | 401 | The contents of the signature/corporate seal certificate are not matching PSD2 general PSD2 or attribute requirements. |
| ROLE_INVALID | 401 | The TPP does not have the correct PSD2 role to access this service. |
| CERTIFICATE_EXPIRED | 401 | Signature/corporate seal certificate is expired. |
| CERTIFICATE_BLOCKED | 401 | Signature/corporate seal certificate has been blocked by the ASPSP or the related NCA. |
| CERTIFICATE_REVOKED | 401 | Signature/corporate seal certificate has been revoked by QSTP. |
| CERTIFICATE_MISSING | 401 | Signature/corporate seal certificate was not available in the request but is mandated for the corresponding field. |
| SIGNATURE_INVALID | 401 | Application layer eIDAS Signature for TPP authentication is not correct. |
| SIGNATURE_MISSING | 401 | Application layer eIDAS Signature for TPP authentication is mandated by the ASPSP but is missing. |
| FORMAT_ERROR | 400 | Format of certain request fields are not matching the XS2A requirements. An explicit path to the corresponding field might be added in the return message. This applies to headers and body entries. It also applies in cases where entries are referring to erroneous or non-existing data instances, e.g. a malformed IBAN. |
| PARAMETER_NOT_CONSISTENT | 400 | Parameters submitted by TPP are not consistent. This applies only for query parameters. |
| PARAMETER_NOT_SUPPORTED | 400 | The parameter is not supported by the API provider. This code should only be used for parameters that are described as “optional if supported by API provider.” |
| PSU_CREDENTIALS_INVALID | 401 | The PSU-ID cannot be matched by the addressed ASPSP or is blocked, or a password response OTP was not correct. Additional information might be added. |
| SERVICE_INVALID | 400 (if payload) or 405 (if HTTP method) | The addressed service is not valid for the addressed resources or the submitted data. |
| SERVICE_BLOCKED | 403 | This service is not reachable for the addressed PSU due to a channel independent blocking by the ASPSP. Additional information might be given by the ASPSP. |
| CORPORATE_ID_INVALID | 401 | The PSU-Corporate-ID cannot be matched by the addressed ASPSP. |
| CONSENT_UNKNOWN | 403 (if path) or 400 (if payload) | The Consent-ID cannot be matched by the ASPSP relative to the TPP. |
| CONSENT_INVALID | 401 | The consent was created by this TPP, but is not valid for the addressed service/resource. |
| CONSENT_EXPIRED | 401 | The consent was created by this TPP, but has expired and needs to be renewed. |
| RESOURCE_UNKNOWN | 404 (if account-id in path), 403 (if other resource in path) or 400 (if payload) | The addressed resource is unknown relative to the TPP. An example for a payload reference is creating a signing basket with an unknown resource identification. |
| RESOURCE_EXPIRED | 403 (if path) or 400 (if payload) | The addressed resource is associated with the TPP but has expired, not addressable anymore. |
| RESOURCE_BLOCKED | 400 | The addressed resource is not addressable by this request since it is blocked e.g. by a grouping in a signing basket. |
| TIMESTAMP_INVALID | 400 | Timestamp not in accepted time period. |
| PERIOD_INVALID | 400 | Requested time period out of bound. |
| SCA_METHOD_UNKNOWN | 400 | Addressed SCA method in the Authentication Method Select Request is unknown or cannot be matched by the ASPSP with the PSU. |
| STATUS_INVALID | 409 | The addressed resource does not allow additional authorisation. |
Payment Initiation Service Specific HTTP Error Codes
| Message Code | HTTP Response Code | Description |
|---|---|---|
| PRODUCT_INVALID | 403 | The addressed payment product is not available for the PSU . |
| PRODUCT_UNKNOWN | 404 | The addressed payment product is not supported by the ASPSP. |
| PAYMENT_FAILED | 400 | The payment initiation POST request failed during the initial process. Additional information may be provided by the ASPSP. |
| KID_MISSING | 400 | The payment initiation has failed due to a missing KID. This is a specific message code for the Norwegian market, where ASPSP can require the payer to transmit the KID. |
| KID_INVALID | 400 | The payment initiation has failed due to an invalid KID. This is a specific message code for the Norwegian market, where ASPSP can require the payer to transmit the KID. |
| EXECUTION_DATE_INVALID | 400 | The requested execution date is not a valid execution date for the ASPSP. |
| CANCELLATION_INVALID | 405 | The addressed payment is not cancellable e.g. due to cut off time passed or legal constraints. |
Account Information Service Specific HTTP Error Codes
| Message Code | HTTP Response Code | Description |
|---|---|---|
| SESSIONS_NOT_SUPPORTED | 400 | The combined service flag may not be used with this ASPSP. |
| ACCESS_EXCEEDED | 429 | The access on the account has exceeded the consented frequency without PSU involvement per day. |
| REQUESTED_FORMATS_INVALID | 406 | The requested formats in the Accept header entry do not match the offered formats. |
Signing Basket Specific HTTP Error Codes
| Message Code | HTTP Response Code | Description |
|---|---|---|
| REFERENCE_MIX_INVALID | 400 | The used combination of referenced objects is not supported in the ASPSPs signing basket function. |
| REFERENCE_STATUS_INVALID | 409 | At least one of the references is already fully authorised. |
Sandbox Environment for PSD2 APIs
A sandbox environment for the dedicated PSD2 interface is available. The sandbox environment has the same TPP requirements for use as our production environment. (At the moment we do not trust test QWACs) No sign-up or registration is needed. The Sandbox environment covers both Sparebanken Norge, and Bulder Banks API experience. It only provides a single sandbox SCA solution.
For more information about the sandbox environment check this Github repository.
Endpoint for sandbox interface: https://psd2-sandbox.spvapi.no
Details for Contingency Solution
Authentication when using our ordinary interfaces for PSD2 access to accounts
Third Party Providers (TPPs) must authenticate themselves before accessing the Payment Service User’s (PSUs) online banking data. There is no “natural” approach to this in traditional user centric online banking websites, so a more untraditional authentication approach needs to be taken for this access.
This access will also be our fallback solution until we are exempted from having a fallback.
Requirements for TPPs using Sparebanken Norge’s fallback mechanism
For every HTTP request made to Sparebanken Norge, the following two request headers must be included:
SPV-PSD2-Fallback-TPP-Cert: Base64 encoded JWK Qseal certificate
The TPPs Qseal certificate (including intermediates) must be presented in the JSON Web Key (JWK) format, using the “x5c” (X.509 Certificate Chain) Parameter (see RFC 7517, Section 4.7). The JWK should be UTF-8 encoded and then Base64 encoded for inclusion in the HTTP header.
SPV-PSD2-Fallback-TPP-Qseal: TPP issued JWT
To prove possession of the Qseal certificate private key, a JSON Web Token (JWT) must be constructed. It must be signed with the Qseal private key, using one of the following algorithms (see RFC 7518, Section 3.1):
- RS256 (RSASSA-PKCS1-v1_5 using SHA-256)
- ES256 (ECDSA using P-256 and SHA-256)
The JWT must include the following header fields (kid/x5t are example values only):
{
"alg": "RS256",
"kid": "E7B3AE9190916FDB58091EEE5FA7A55B56A736B3",
"x5t": "57OukZCRb9tYCR7uX6elW1anNrM",
"typ": "JWT"
}The JWT must include the following claims:
- “iss”: The full name of the TPP, as registered in the Qseal certificate.
- “aud”:
spv fallback prodfor production use - “exp”: Expiry must be set to no longer than one hour from the time the token was issued. (A new token should be created after one hour, if needed).
- “nbf”: Not before, should be set to the time of issuance.
- “iat”: Issued at, should be set to the time of issuance.
- “jti”: JWT ID - a 128-bit randomly generated ID.
Inclusion of both headers enables us to verify that the TPP has a valid Qseal certificate and also controls its private key.