Nedbank Private Wealth third party integration

Note: our primary PSD2 offering is available at https://developer.nedbankprivatewealth.com. This page details a fallback solution available when that API is unavailable.

Nedbank Private Wealth now offers a PSD2 compliant API which allows third parties to query account information and make payments on behalf of our clients. Third party providers (TPPs) are registered with various European national competent authorities (NCAs) to qualify to act as providers in this capacity.

If your organisation is certified to act as a TPP, you may integrate with our third party APIs. Please see more information here. You may be required to complete a registration form as instructed. We reserve the right to discontinue interaction with any third party based upon our terms and conditions, and within the parameters set forth by our regulators.

In the event that our API is unavailable, you may also interact with our backup services, which are provided on top of our existing, client-facing online banking offering to ensure the highest availability. These services are online as long as our own online banking is online.

Important note: You must inform us of your intention to interact with our fallback solution by contacting us. Please be sure to include your PSD2 license number and any other relevant information, as well as contact details for a return message. Please allow six to eight weeks for us to verify and complete your application.

OAuth2 OpenID Connect authentication

Our banking app, and by extension our PSD2 and PSD2 fallback solutions, rely on OAuth2 for authentication. Our primary PSD2 API delegates some authentication activities to our main OAuth2 server, and maintains some for itself. When interacting with the fallback solution, you will interact only with our main authentication server.

Third parties can only log users in by using delegated authentication via the OpenID Connect 'auth code' flow. More information about using this type of authentication in general exists in many forms on the internet. Only the specific requirements for our third party provider integration will be provided here.

  • Our discovery endpoint is here: https://auth.nedsecure-int.com/.well-known/openid-configuration
  • You will only be permitted to use the auth code flow, as detailed online elsewhere
  • Your client ID will be in the format 'tps_[PSD License Number]', which is the same license value stored in your QWAC certificate.
  • A client secret will be required. You can configure your client secret at https://auth.nedsecure-int.com/tpp/setup
  • You should provide the prompt=login parameter when requesting a token. This prevents a situation where your user does not receive a full SCA (which would restrict some functionality).
  • We strongly recommend you provide a suitably randomized state value in the connect request to avoid certain types of attacks. We recommend you validate the returned state value against the one you stored in a cookie.
  • You will be required to register your postback URLs on our whitelist. This is a security measure to prevent certain types of attack.
  • When communicating with us, you must authenticate with your QWAC. We will use data from your certificate to validate parts of your interaction with us.
  • When using a QWAC, you must alter the hostname of any request you make. This enables our infrastructure to prompt you for your QWAC. Otherwise, communication will not be permitted.
    • For https://auth.nedsecure-int.com you will need to use https://tpp.auth.nedsecure-int.com
    • For https://client.nedsecure-int.com you will need to use https://tpp.client.nedsecure-int.com

Integration with our authentication server should otherwise be straightforward and by the book. We actively monitor these endpoints for security reasons.

Step 1: Making a connect request

A sample redirect request used to authenticate a user looks similar to this:
https://auth.nedsecure-int.com/connect/authorize?client_id=tpp_PSDGB-SAMPLE-LICENSE&prompt=login&response_type=code&redirect_uri=https://localhost/callback&scope=openid%20profile%20offline_access&state=YOURSTATEVALUE

Step 2: Receiving the access code

Eventually, or not at all (if the client changes their mind), you will receive a postback to your callback URI as specified in the connect request. Use a cookie and/or the state value, after verification, to retrieve the context of your login to associate with the original user.

You may now obtain an access token and refresh token pair from our token endpoint. The access token can be used to interact with our APIs (separate from the primary PSD2). Alternatively, you may use the access code response to log into our Online Banking as the user, facilitating scenarios where the main PSD2 API is unavailable.

The refresh token obtained by making a call to the token endpoint (instead of logging into online banking) can be used to interact with any future open banking API we implement, and may also be used to log into our Online Banking. Logging into Online Banking this way is preferable to using an access code, as the refresh token can be reused later without requiring the user to re-authenticate. You should, however, be capable of handling a situation where the refresh token is invalid (because it expired or the user terminated it). In such cases, the user should be presented with the option to re-register (starting with Step 1).
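Steps 1 and 2 above, written as an added example of the TPP side in Python (this is not the bank's code). It builds the connect request with a random state value, validates the state echoed back before accepting the code, rewrites hostnames to the QWAC-prompting hosts, and redeems the code over mTLS; the token endpoint path is assumed to come from the discovery document and the certificate file paths are placeholders.

```python
"""TPP-side client for the fallback OIDC auth-code flow (Steps 1 and 2). Added
example, not the bank's code; token endpoint and QWAC file paths are assumed."""
import json
import secrets
import ssl
import urllib.parse
import urllib.request

AUTH_HOST = "https://auth.nedsecure-int.com"
# Host rewrite the page requires so the bank's edge prompts for the QWAC.
QWAC_HOSTS = {"auth.nedsecure-int.com": "tpp.auth.nedsecure-int.com",
              "client.nedsecure-int.com": "tpp.client.nedsecure-int.com"}

def qwac_url(url: str) -> str:
    """Rewrite a bank URL onto its QWAC-prompting host; other hosts are untouched."""
    p = urllib.parse.urlsplit(url)
    host = QWAC_HOSTS.get(p.hostname, p.netloc)
    return urllib.parse.urlunsplit((p.scheme, host, p.path, p.query, p.fragment))

def new_state() -> str:
    """Unguessable per-login state; persist it (e.g. in a cookie) before redirecting."""
    return secrets.token_urlsafe(32)

def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: the connect request. prompt=login forces a full SCA."""
    params = {"client_id": client_id, "prompt": "login", "response_type": "code",
              "redirect_uri": redirect_uri, "scope": "openid profile offline_access",
              "state": state}
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return AUTH_HOST + "/connect/authorize?" + query

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: accept the code only if the echoed state matches the stored one."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback not tied to a login we started")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def exchange_code(token_endpoint, code, redirect_uri, client_id, client_secret, cert_file, key_file):
    """Redeem the code for tokens over mTLS with the QWAC (network call, not run offline)."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert_file, key_file)       # QWAC certificate + private key
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}
    req = urllib.request.Request(qwac_url(token_endpoint), method="POST",
                                 data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```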

Online Banking for Third Parties

Online Banking (OBI) is a service we offer our clients to interact with their accounts through the web. It is hosted at https://client.nedsecure-int.com/, and delegates authentication requests to https://auth.nedsecure-int.com.

To log into our client banking as a third party, you must do one of the following, which will result in a logged-in session to online banking:

  • If you are using an auth code directly (from Step 2), you will only be able to access online banking until you time out. Auth codes last only a very short time, and must be used immediately. Log in by making a request to:
    https://tpp.auth.nedsecure-int.com/tpp/connect?code=[Your Auth]&clientId=[Client ID]&clientSecret=[Client Secret]
    You will be redirected to online banking. You may also supply your client ID and secret in a basic authentication header.
  • If you are using a refresh token (from Step 2), you may continue to connect without user interaction for some time. Log in by making a request to:
    https://tpp.auth.nedsecure-int.com/tpp/reconnect?refreshToken=[Refresh Token]&clientId=[Client ID]&clientSecret=[Client secret]
Note: You must be authenticated with a QWAC and using https://tpp.client.nedsecure-int.com (to which you will be redirected).
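The two login routes above, as an added Python example of the TPP side (not the bank's code). It prefers /tpp/reconnect with a refresh token, falls back to /tpp/connect with a short-lived auth code (sending the client secret in the Basic header the page permits for that route rather than in the URL), performs the login over mTLS with the QWAC, and checks that the redirect lands on the tpp.client host. It assumes that a rejected or expired refresh token is answered with an HTTP 4xx status, which is the signal to send the user back through Step 1.

```python
"""Logging into Online Banking as a TPP with a refresh token or an auth code. Added
example, not the bank's code; it assumes a rejected refresh token yields an HTTP 4xx."""
import base64
import ssl
import urllib.error
import urllib.parse
import urllib.request

TPP_AUTH = "https://tpp.auth.nedsecure-int.com"   # QWAC-prompting host for auth
TPP_OBI = "https://tpp.client.nedsecure-int.com"  # host the login redirects to

class ReauthRequired(Exception):
    """Stored credential no longer usable: send the user back through Step 1."""

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client credentials as a Basic header, which the page permits for /tpp/connect
    and which keeps the secret out of URL logs."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def build_login_request(client_id, client_secret, *, refresh_token=None, code=None):
    """Prefer /tpp/reconnect (reusable for some time); fall back to /tpp/connect with
    the short-lived auth code, which must be used immediately."""
    if refresh_token:
        # Documented query form; the secret travels in the URL, so scrub request logs.
        params = {"refreshToken": refresh_token, "clientId": client_id,
                  "clientSecret": client_secret}
        return urllib.request.Request(TPP_AUTH + "/tpp/reconnect?" + urllib.parse.urlencode(params))
    if code:
        url = TPP_AUTH + "/tpp/connect?" + urllib.parse.urlencode({"code": code})
        return urllib.request.Request(url, headers={"Authorization": basic_auth_header(client_id, client_secret)})
    raise ReauthRequired("no refresh token or auth code on file")

def login(request, cert_file, key_file) -> str:
    """Send the login over mTLS with the QWAC and return the final URL, which should
    be on the tpp.client host (network call, not exercised offline)."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert_file, key_file)       # QWAC certificate + private key
    try:
        with urllib.request.urlopen(request, context=ctx) as resp:
            final = resp.geturl()
    except urllib.error.HTTPError as err:
        if 400 <= err.code < 500:                  # assumption: rejected/expired token
            raise ReauthRequired(f"login rejected ({err.code}); restart at Step 1") from err
        raise
    if not final.startswith(TPP_OBI):
        raise RuntimeError("unexpected redirect target: " + final)
    return final
```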

Testing and Integration

As you will not have access to any of our systems until you enroll a client, you will probably wish to communicate directly with us first to set up an integration testing environment. We cannot permit the use of any of our live client data in test systems. You must therefore engage with us directly to arrange a setup that suits both of us.

Our effort with these APIs is to provide an alternative to our main PSD2 solution in the event that it is unavailable. We cannot advise regular use of this method and may contact you after periods of use to recommend more permanent solutions, and we reserve the right to discontinue use of this version of the API at any time due to misuse, availability of the main API, or any other reason permitted by the PSD2 articles.