The SEPA Payment Account Access (SPAA) Scheme Rulebook

The SEPA Payment Account Access (SPAA) scheme rulebook, which is created in line with the requirements defined in the June 2021 report of the ERPB Working Group on a SEPA Application Programming Interface (API) Access Scheme, covers the set of rules, practices and standards that will allow the exchange of payment accounts related data (i.e. data assets) and facilitates the initiation of payment transactions (i.e. transaction assets), in the context of ‘value-added’ (‘premium’1) API-based services provided by asset holders (i.e. Account-Servicing Payment Service Providers (ASPSPs)) to asset brokers (e.g. Third Party Providers (TPPs in a revised Payment Services Directive (PSD2) context) such as Payment Initiation Service Providers (PISPs) or Account Information Service Providers (AISP)).

The first version (v1.0) of the SPAA scheme rulebook, with an effective date of 30 November 2023, takes into account the comments received during a three-month rulebook public consultation which ended on 12 September 2022. A document containing the public consultation comments received and the related EPC responses is expected to be published by the end of 2022 on the EPC website.

All the services listed in version 1.0 of the rulebook are currently positioned as optional. In the coming months, the SPAA Multi-Stakeholder Group (SPAA MSG) will progress on defining a ‘minimum viable product’ (MVP) (a set of mandatory services to be supported by the asset holders) based on market demand and on the outcome of the work on the default business conditions performed by an independent economic consultant. This MVP will be reflected in a revised version of the first SPAA scheme rulebook for publication in 2023 subject to EPC Board approval. 

The EPC fully recognises that potential SPAA scheme participants will only be able to take a firm decision as to whether to adhere to the SPAA scheme when they will have a ‘full picture’ of the SPAA scheme, i.e. including the MVP and the default business conditions.

The publication of version 1.0 of the rulebook at this stage will however already enable the market (asset holders, asset brokers, infrastructures, API standardisation initiatives, …) to make an early assessment of the SPAA scheme and its requirements on the basis of a stable first version of the rulebook, which should facilitate a timely adoption of the scheme. 

It is however envisaged that the SPAA scheme will evolve further over time to support more elaborated functionalities, in line with market demand.

A public consultation is expected to be launched before the end of 2022 on strong customer authentication (SCA), to complement the current rulebook sections on SCA. 

The SPAA scheme default business conditions are expected to be published on the EPC website in Q2 2023  and will cover a set of default asset fees for the ‘premium’ assets exposed by the asset holder to the asset broker as well as default API access fees for the use of the SPAA API itself, as provided by the asset holder. 

The API Security Framework document provides the minimum security-related requirements applicable to the EPC scheme participants using APIs. It defines an API security framework based on widely available European or international security standards. The first version of this framework will focus on the SEPA Request-to-Pay (SRTP) scheme and be made available before the end of the year. The SPAA scheme related specifications are envisaged to be included in a second version to be published in Q2 2023 upon EPC Board approval. 

The SPAA API implementation guidelines which support the scheme operationally will be developed by the relevant European API standardisation initiatives in the field of PSD2. Scheme participants will be free to select the standardisation initiative of their choice. However, to ensure pan-European harmonisation in the field of SPAA API implementation, the EPC is envisaged to contract a homologation body in a future phase as need be, tasked with checking whether the SPAA API specifications developed by the standardisation initiatives comply with the requirements as defined in the rulebook.
The SPAA scheme adherence process will be open on 1 September 2023 to allow applicants to prepare their adherence application ahead of the effective date of the SPAA scheme.

1 Premium services are to be considered as:

  • services building on PSD2-regulated ones, but going beyond the minimum regulatory requirements via the combination with (a) so-called premium feature(s). For example, the transaction asset ‘one-off payments’ a basic service but when combined with a premium feature such as a ‘Payment certainty mechanism’, it becomes a premium service as described under the rulebook. 
  • PSD2 services that are not available via online banking interfaces but provided via a SPAA API.

Document download