NAV Navbar

Introduction

These standards have been developed as part of the Australian Government's introduction of the Consumer Data Right legislation to give Australians greater control over their data.

The Consumer Data Right (CDR) is intended to be applied sector by sector across the whole economy, beginning in the banking, energy and telecommunications sectors. These standards have been developed to facilitate the Consumer Data Right by acting as a specific baseline for implementation.

These standards are maintained by the Data Standards Body (DSB), with the Data Standards Chair as the decision maker. The DSB is part of the Treasury. The work of standards development is conducted in consultation with the Australian Competition and Consumer Commission (ACCC) as co-regulator of the Consumer Data Right, along with the Office of the Australian Information Commissioner (OAIC).

The standards are required to be published. The obligations on CDR participants to apply the published standards commence on the commencement of the Consumer Data Right rules:

Future Dated Obligations

The standards, as published from time to time, may include specific statements indicating that a specific section of the standards will not take effect until a future date or may cease to have effect on some future date.

The table below highlights these areas of the standards.

Section Description Applicable Date
Non-functional Requirements The non-functional requirements for the CDR regime are documented but are not yet binding with no specific future binding date being set as yet Not yet specified
Get Product Detail V2 Data holders may obsolete version 2 of this end point from May 31st 2021. Data recipients must upgrade their implementations to use version 3 by this time May 31st 2021
Get Products V2 Data holders may obsolete version 2 of this end point from May 31st 2021. Data recipients must upgrade their implementations to use version 3 by this time May 31st 2021
Get Metrics V1 Data holders may obsolete version 1 of this end point from October 31st 2021. Data Holders who go live with consumer data sharing from July 1st 2021 MAY go live with only Get Metrics v2 support. The CDR Register must upgrade their implementation to use version 2 by this time October 31st 2021
Get Metrics V2 Version 2 of this end point must be made available by affected data holders by the end of July 2021 July 31st 2021
Get Customer V1 Data Holders providing valid ANZSIC and ANZSCO codes whose version is not ANZSIC_1292.0_2006_V2.0 and ANZSCO_1220.0_2013_V1.2 respectively must supply the appropriate version enumeration no later than July 1st 2021. The version codes allow data holders to reference the applicable document versions for the codes they hold. July 1st 2021
Banking Term Deposit Account Types Data Holders who support maturity instructions for term deposits whereby funds are held in a facility or similar mechanism upon maturity must update relevant product data no later than July 1st 2021 July 1st 2021
Amending Consent Data Holders MAY implement the following standards from July 1st 2021 when a CDR consumer is invited to amend a current authorisation as per rule 4.22A and the ADR has supplied a cdr_arrangement_id July 1st 2021
Amending Consent Data Holders MUST implement the following standards from November 1st 2021 when a CDR consumer is invited to amend a current authorisation as per rule 4.22A and the ADR has supplied a cdr_arrangement_id November 1st 2021
Standard Error Codes Data Recipients and Data Holders MAY implement the standard error codes from July 1st 2021 July 1st 2021
Standard Error Codes Data Recipients and Data Holders MUST implement the standard error codes from February 1st 2022 February 1st 2022
Standard Error Codes Data Holders MAY retire application-specific error codes in favour of standard error codes from November 1st 2022 November 1st 2022
CX Standards: Unavailable Accounts Data Holders MAY implement the following data standards effective from 1 November 2021:
  • Unavailable Accounts: No accounts can be shown
  • Unavailable Accounts: Authorisation not permitted
  • Unavailable Accounts: Request sharing rights
November 1st 2021
CX Standards: Withdrawals Data Holders MUST implement the following data standards effective from 1 February 2022:
  • Withdrawal: Secondary User Instruction
February 1st 2022

Endpoint Version Schedule

A table-view of all endpoint versioning is available here.

Please note this is currently experimental.

Standards

These standards represent version 1.11.0 of the high level standards. See the versioning section for more information on how versions are managed in the standard.

Note that, in this proposal, the key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as described in RFC2119.

Principles

The following principles, classified as Outcome Principles and Technical Principles, are the basis for the development of the standards for the Consumer Data Right.

Outcome Principles

These principles articulate qualitative outcomes that the API definitions should seek to deliver.

Outcome Principle 1: APIs are secure

The API definitions will consider and incorporate the need for a high degree of security to protect customer data. This includes the risk of technical breach but also additional concerns of inadvertent data leakage through overly broad data payloads and scopes. The security of customer data is a first order outcome that the API standards must seek to deliver.

Outcome Principle 2: APIs use open standards

In order to promote widespread adoption, open standards that are robust and widely used in the industry will be used wherever possible.

Outcome Principle 3: Data sharing provides a positive consumer experience

The standards will ensure that CDR consumers have simple, informed, and trustworthy data sharing experiences that provide them with positive outcomes over the short and long term.

Outcome Principle 4: APIs provide a good developer experience

To ensure that the entry hurdle for new developers is low the experience of the developers that are building clients using the APIs will be considered. The ability for a developer to easily understand and write code using the APIs in modern development environments should be facilitated by the API standards.

Outcome Principle 5: Standards are consistent across sectors

The standards will strive for consistency in patterns, structure, security mechanisms and user experience across sectors to facilitate the development of customer experiences and services that are able to integrate data from multiple sectors seamlessly and to reduce the cost of customer education for new sectors.

Technical Principles

These principles articulate specific technical outcomes that the API definitions should seek to deliver.

Technical Principle 1: APIs are RESTful

The API standards will adhere to RESTful API concepts where possible and sensible to do so. In particular the concepts of statelessness and resource orientation will be followed.

Technical Principle 2: APIs are implementation agnostic

The underlying implementation of the APIs should not be constrained or driven by the API definitions and standards. Conversely, the underlying implementation choices should not be visible or derivable to the client applications using the APIs.

Technical Principle 3: APIs are simple

As complexity will increase implementation costs for both holders and clients as well as reduce the utility of the APIs, API definitions should seek to be as simple as possible but no simpler.

Technical Principle 4: APIs are rich in capability

As the APIs are defined care should be taken to ensure that the data payloads defined represent rich data sets that can be used in many scenarios, including scenarios not necessarily front of mind during the design process.

Technical Principle 5: APIs are performant

The API definitions should consider and incorporate performance implications during design ensuring that repeated calls are not necessary for simple use cases and that payload sizes do not introduce performance issues.

Technical Principle 6: APIs are consistent

The API definitions across the full suite of APIs should be consistent with each other as much as possible. Where possible common data structures and patterns should be defined and reused.

Technical Principle 7: APIs are version controlled and backwards compatible

As the API definitions evolve care will be taken to ensure the operation of existing clients are protected when breaking changes occur. Breaking changes will be protected by a well-defined version control model and by a policy of maintaining previous versions for a period of time to allow for backwards compatibility.

Technical Principle 8: APIs are extensible

The API definitions and standards should be built for extensibility. This extensibility should accommodate future API categories and industry sectors but it should also allow for extension by data holders to create unique, value add offerings to the ecosystem.

Consumer Experience Principles

These principles articulate qualitative outcomes for consumer experience that the standards should seek to deliver.

CX Principle 1: The CDR is Consumer-centric

The CDR consumer experience is intuitive and is centred on consumer attitudes, needs, behaviours, and expectations – noting that these may change over time.

CX Principle 2: The CDR is Accessible and Inclusive

A diverse range of people are able to access, use, and comprehend the CDR ecosystem regardless of their background, situation, experience, or personal characteristics.

CX Principle 3: The CDR is Comprehensible

When interacting with the CDR, consumers are able to understand the following:

CX Principle 4: The CDR is Simple and Empowering

Consumer interactions with the CDR are as simple as possible, but not at the expense of informed consent, consumer control, transparency, privacy, or comprehension. Consumers should be encouraged to be privacy conscious without experiencing cognitive loads that lead to disengagement. Consumers should also be empowered by the CDR without interactive burdens being placed on them.

Consent is granted at a point in time and is only as current as the consumer’s original intent. Consumer attitudes and behaviours may change over time and be impacted by external events such as the expansion of the CDR or consumer awareness. Consent terms should always align to current consumer preferences.

Versioning

The standards have adopted a two level versioning strategy. The high level standards (including principles, Uniform Resource Identifier structure, payload naming conventions, etc) be versioned and each API end point will have an additional version specific to that end point.

Documentation Versioning

Sample versioning of the standards documentation is as follows: 1.12.2 - meaning major version 1, minor version 12 and bugfix version 2

The standards documentation will be versioned using three version parts <major>.<minor>.<bug fix>. This version will be used to describe updates in the Change Log.

Each of the three components will be independently incrementing integers and are described as follows:

Uniform Resource Identifier (URI) Versioning

The base URI structure containing the version for this standard is:
http://<holder path>/cds-au/v<major version>

The high level standard will be versioned as described above. The major component of this version will be embedded in the URI Structure for the APIs. This allows for a data holder to support multiple major versions of the standards in production even if the significant breaking changes occur between major versions.

End Point Versioning

Each end point will have multiple versions independent of other end points. A specific end point version will be requested by a client using a HTTP header. This header will be supported by all end points under the API standards. See the section on HTTP Headers for more information on how versions are requested and supplied under the standards.

URI Structure

Some example URIs that meet this standard are:
http://www.bank.com.au/api/cds-au/v1/banking/accounts
http://www.bank.com.au/complex/uri/taxonomy/cds-au/v1/banking/products
http://www.energyretailer.com.au/api/cds-au/v1/energy/usage

The URI structure for API end points in the standards MUST be implemented as follows:

uri-string = <holder-path> "/" cds-au "/" <version> "/" <industry> "/" <resource>

The components of this URI structure are described as follows:

  • <holder-path> = string. The holder path is a base path set by the data holder. It can be any URI desired by the holder. While all authenticated end points must be accessible under the same holder path the data holder may stipulate a different holder path for unauthenticated end points.
  • cds-au = "cds-au" string. This is a static string representing the end points defined by the Consumer Data Standards for Australia. This static string allows for separation from other APIs available at the same base holder path and also allows for extension if the standards are adopted by another jurisdiction in whole or in part.
  • <version> = "v1" string. The major version of the high level standards. This is not the version of the endpoint or the payload being requested but the version of the overall standards being applied. This version number will be “v” followed by the major version of the standards as a positive integer (e.g. v1, v12 or v76).
  • <industry> = banking / energy / telco / common A static string used to separate APIs for a specific industry. As standards for new industries are defined the list of industry strings will be extended. Note that the currently accepted values for the industry component of the base path are:
    • banking = "banking" string. For APIs related to banking and potentially wider financial services data,
    • energy = "energy" string. For APIs related to the energy distribution industry,
    • telco = "telco" string. For APIs related to telecommunications,
    • common = "common" string. For APIs that potentially span industries.
  • <resource> = string. The URI for the specific resource requested. This end point URI will be defined as part of the end point definitions for each API group.

Resource URIs

Resources that are collections, and members of collections, will follow the JSONAPI.org recommendation.

Under this model, collections, individual members and collection sub-resources would be accessed as follows:

GET …/accounts Returns an array of accounts
GET …/accounts/{id} Returns the detail of a specific account
GET …/accounts/transactions Returns the transactions of multiple accounts
GET …/accounts/{id}/transactions Returns the transactions of a specific account
POST …/accounts Create a new account
POST …/accounts/search Returns an array of accounts based on a complex query

The final example above represents a complex query accessed via a POST request. In this situation the POST URI should be applied to a sub-resource of the collection. A POST to a collection is reserved for the creation of a new collection member.

If no valid sub-resource exists then a dedicated sub-resource should be created, such as the “search” URI listed in the example above.

HTTP Headers

Supported HTTP headers, and their usage, for the standards are as laid out in the following sections.

Request Headers

A sample set of headers requesting version 3 to 5:

Content-Type : application/json;charset=UTF-8
Accept : application/json;charset=UTF-8
x-v : 5
x-min-v : 3
x-fapi-interaction-id : 6ba7b814-9dad-11d1-80b4-00c04fd430c8
x-fapi-auth-date : Thu, 16 Jan 2020 16:50:15 GMT
x-fapi-customer-ip-address : 2001:0db8:85a3:0000:0000:8a2e:0370:7334
x-cds-client-headers : TW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzkuMC4zOTQ1Ljg4IFNhZmFyaS81MzcuMzY=

A Data Holder must be able to process Content-Type headers in accordance with [RFC7231]. The following would be valid:

Content-Type: application/json;charset=UTF-8
Content-Type: application/json
Content-Type: AppliCAtion/JSon;Charset=uTf-8

A Data Holder must be able to process Accept headers in accordance with [RFC7231]. The following would be valid:

Accept: */*
Accept: application/json;charset=UTF-8
Accept: application/json
Accept-Encoding: charset=UTF-8
Accept: AppliCAtion/JSon;Charset=uTf-8

Header Field Description Mandatory?
Content-Type Standard HTTP Header. Represents the format of the payload provided in the request. The media type must be set to application/json. Mandatory for PUT and POST calls. Conditional
Accept If specified, the media type must be set to application/json, unless otherwise specified in the resource end point standard.

If set to an unacceptable value the holder must respond with a 406 Not Acceptable. If not specified, or a wildcard (*/*) is provided, the default media type is application/json.
Optional
x-v Version of the API end point requested by the client. Must be set to a positive integer. The holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent.
If all versions requested are not supported then the holder must respond with a 406 Not Acceptable.
Mandatory
x-min-v Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent.
If all versions requested are not supported then the holder must respond with a 406 Not Acceptable.
Optional
x-<HID>-v A holder specific version of extension fields. Should not be used in conjunction with x-min-v. Optional
x-fapi-interaction-id An optional [RFC4122] UUID used as a correlation id. If provided, the data holder must "play back" this value in the x-fapi-interaction-id response header. Optional
x-fapi-auth-date The time when the customer last logged in to the data recipient as described in [FAPI-R]. Required for all resource calls (customer present and unattended). Not required for unauthenticated calls. Conditional
x-fapi-customer-ip-address The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls. Conditional
x-cds-client-headers The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.
This header is not required to include:
  • Headers containing security information
  • Custom or proprietary headers used to facilitate the client application
Conditional

Response headers

Header Field Description Mandatory?
Content-Type Standard HTTP Header. Represents the format of the payload returned in the response.
Must be application/json unless otherwise specified in the resource end point standard.
Mandatory
Retry-After Header indicating the time (in seconds) that the client should wait before retrying an operation. The holder should include this header along with responses with the HTTP status code of 429 Too many requests. Optional
x-v The version of the API end point that the holder has responded with. Mandatory
x-fapi-interaction-id An [RFC4122] UUID used as a correlation id. The data holder must set the response header x-fapi-interaction-id to the value received from the corresponding request header or to a new [RFC4122] UUID value if the request header was not provided. This header MUST be responded for success and error responses for authenticated APIs. Mandatory

Additional Headers

Generally understood headers used in HTTP transactions to provide caching guidance and the use of the compression are not specified but are considered acceptable. It is at the discretion of the data holder if these headers are used for a specific implementation. Data holders should not require these headers for successful API access, however.

HTTP Response Codes

The handling and usage of HTTP response codes for the standards will be according to the following table.

Situation HTTP Status Notes POST GET DELETE
Query completed successfully 200 OK Yes Yes No
Normal execution. The request has succeeded. 201 Created The operation results in the creation of a new resource. Yes No No
Delete operation completed successfully 204 No Content No No Yes
The response is not modified since last call 304 Not Modified May be returned if standard caching headers such as ETag or If-modified-since are utilised Yes Yes No
Request has malformed, missing or non-compliant JSON body or URL parameters 400 Bad Request The requested operation will not be carried out. Yes Yes Yes
Authorization header missing or invalid token 401 Unauthorized The operation was refused access. Re-authenticating may result in an appropriate token that may be used. Yes Yes Yes
Token has incorrect scope or a security policy was violated. 403 Forbidden The operation was refused access. Re-authenticating is unlikely to remediate the situation. It is expected that this error will result in an error payload Yes Yes Yes
The resource matching the request URI is not known or is unable to be processed due to business logic specific to the resource being requested 404 Not Found No indication is given of whether the condition is temporary or permanent. This response code MUST NOT be used for resources presented in the body of the request. Yes Yes Yes
The consumer tried to access the resource with a method that is not supported. 405 Method Not Allowed Yes Yes Yes
The request contained an Accept header other than permitted media types, a character set other than UTF-8 or a version that was not supported 406 Not Acceptable Yes Yes Yes
The operation was refused because the payload is in a format not supported by this method on the target resource. 415 Unsupported Media Type Yes No No
The request was well formed but was unable to be processed due to business logic specific to the request 422 Unprocessable Entity If applicable to the HTTP method it is expected that this error will result in an error payload Yes Yes No
The operation was refused as too many requests have been made within a certain timeframe. 429 Too Many Requests Throttling is a NFR. The data holder should include a Retry-After header in the response indicating how long the data consumer must wait before retrying the operation. Yes Yes Yes
Something went wrong on the API gateway or micro-service 500 Internal Server Error The operation failed. Yes Yes Yes
Service is currently unavailable 503 Service Unavailable Yes Yes Yes
The server was unable to respond in a timely manner 504 Gateway Timeout Returned if a timeout has occurred but a resend of the original request is viable (otherwise use 500 instead) Yes Yes Yes

Payload Conventions

This section of the standard outlines the request and response payload structures for all API end points as well as the naming conventions for fields.

Request Payload Structure

A sample request would be structured as follows:

{
  “data”: {
    ...
  },
  “meta”: {
    ...
  }
}

Each API request payload MUST have a JSON object at the root level known as the root object. This object MUST contain a data object to hold the primary data for the request.

The root object will contain a meta object if, and only if, it is specifically REQUIRED by the end point. The meta object is used to provide additional information such as second factor authorisation data, traffic management, pagination counts or other purposes that are complementary to the workings of the API.

The definition of the contents for the data object and meta object will be defined separately for each end point.

Response Payload Structure

A sample successful response:

{
  “data”: {
    ...
  },
  “links”: {
    “self”: “...”
  },
  “meta”: {
    ...
  }
}

A sample unsuccessful response:

{
  “errors”: [
    {
      “code”: “...”,
      “title”: “...”,
      “detail”: “...”
    }, {
      “code”: “...”,
      “title”: “...”,
      “detail”: “...”,
      “meta”: {
        ...
      }
    }
  ]
}

Each API request payload MUST have a JSON object at the root level known as the root object.

The contents of the root object are as follows:

The definition of the contents for the data object and meta object will be defined separately for each end point.

The links object will contain links to related API end points. This will include links to support pagination.

The links object MUST contain a field named self that will have the fully qualified URI to the current request as a value.

The errors object is defined in the Error Codes section.

Field Naming Conventions

Valid Characters In Field Names

All field names defined in either a request or response payload MUST be treated as case sensitive by clients and servers, and they MUST meet all of the following conditions:

Any other character MUST NOT be used in field names.

Field Naming Style

Field names MUST be meaningful names with defined semantics.

Fields representing the same data in different payloads or different parts of a payload MUST have the same name.

Array types SHOULD have plural field names. All other field names SHOULD be singular.

Field names MUST be defined using camel case with the following clarifications:

Fields MUST NOT be named using reserved javascript tokens.

Maps

For JSON maps (i.e. key/value pairs) any Unicode character MAY be used as a field name and stylistic requirements do not apply.

Field Property Conventions

Field Data Types

Each field defined for the payloads of an end point MUST have an assigned data type.

The list of valid data types are set out in the common field types section. If a custom data type is required for a field then the field SHOULD be classified as a string with a clear description of how the property value is to be interpreted or defined.

Mandatory/Optional Fields

Each field defined for the payloads of an end point MUST have an assigned status of mandatory, optional or conditional.

Mandatory fields MUST be present and have a non-null value in a request or response payload for the payload to be considered valid.

Optional fields MAY be present but this is not guaranteed. It is also valid for these fields to be present but have a null value. Note that optional fields indicate that data may sometimes not be held by a Data Holder and this is an expected scenario.

Conditional fields MUST have an associated conditional statement. If the conditional statement is true in a specific request or response the field is considered mandatory. If the conditional statement is false then the field is considered optional.

Empty/Null Fields

An empty field (ie. a field that is not present in a payload) will be considered equivalent with a field that is present with a null value.

An empty string (“”) is not considered to be equivalent to null.

A Boolean value of false is not considered to be equivalent to null. Optional Boolean fields, by implication, have three possible values: true, false and indeterminate (ie. null).

Object conventions

Sample union object structure:

“data”: {
    [
        {
            “shapeUType”: “circle”,
            “circle”: {
            }
        },
        {
            “shapeUType”: “square”,
            “square”: {
            }
        }
    ]
}

A specific convention will apply to union objects.

In the standards a union object is used in a situation where a set of data can be represented with different sets of fields depending on the context. To maintain strong typing of the fields one of a series of known object structures will be used. An example where this technique is used in the standard is in the definition of account balances where balance information can be represented differently, but unambiguously, for different account types.

For union objects an additional field, with a known suffix, is used to identify the object type that has been provided specifically.

As the name of this field is constant it can be used to perform an indirect lookup on the object type that has actually been provided removing the need to scan for which object is present.

A field of this type will always be specified with the suffix UType meaning Union Type.

Array Conventions

Samples for providing array values:

## Many-values:
"middleNames": ["Geoff", "John"],
"errors": [
    {
      "code": "...",
      "title": "...",
      "detail": "..."
    }, {
      "code": "...",
      "title": "...",
      "detail": "..."
    }
]

## Single-value:
"middleNames": ["Geoff"],
"errors": [
    {
      "code": "...",
      "title": "...",
      "detail": "..."
    }
]

## Empty array:
"middleNames": [ ],
"errors": [ ]

Unless otherwise stated within the data standards, arrays are explicitly expressed in response payloads.

Mandatory fields

In objects where an array field is defined as having 0..n values, the array field must be explicitly expressed as an array in the payload, even if it only contains one item or is empty.

This applies equally for object arrays. Where a field is defined as an array value, the response should be: * an array of objects, * an array of values, or * an empty array ([]).

An empty array is the representation for an array equivalent to an empty string.

Optional fields

If the field is optional a null value or omission of the field in the response is accepted.

Normative references

The only exception to this, unless explicitly stated, is normative standards. The requirements for expressing arrays within those normative standards apply per the normative references.

Common Field Types

The following table outlines the common data types for fields used in the standard.

Type Description Valid Examples
String Standard UTF-8 string but unrestricted in content. Any valid Unicode character can be used.
ASCIIString Standard UTF-8 string but limited to the ASCII character set.
Boolean Standard JSON boolean true
false
Enum String representing an option from a defined list of values
- All possible values should be provided
- Values should be in all caps
- Spaces should be replaced with under bars '_'
- Values should be limited to the ASCII character set
“OPTION1”
“ANOTHER_OPTION”
“VAL_ABC_123”
NaturalNumber A natural number (ie. a positive integer inclusive of zero) 0
1
10000
PositiveInteger A positive integer (zero excluded) 1
10000
NegativeInteger A negative integer inclusive of zero 0
-1
-10000
Integer Any positive or negative integer inclusive of zero 1
0
-1
Number A standard floating point number. Can be positive, negative or zero 0.1
-100.09
10
90.09
Base64 Base64 encoded string as per RFC 4648 Q29uc3VtZXIgRGF0YSBSaWdodA==
DateTimeString Combined Date and Time string as per RFC- 3339 (labelled date-time in the RFC). As specified in RFC-3339 times should be offset relative to UTC “2007-05-01T15:43:00.12345Z”
“2012-12-25T15:43:00-08:00”
“1997-01-12T15:43:00.121Z”
DateString Date string as per RFC-3339 (labelled full-date in the RFC) “2007-05-01”
“2012-12-25”
TimeString Time string as per RFC-3339 (labelled full-time in the RFC). As specified in RFC-3339 times should be offset relative to UTC “15:43:00.12345Z”
“15:43:00-12:00”
CurrencyString Standard 3 character currency codes as per ISO-4217 “AUD”
“USD”
“GBP”
RateString A string representing an interest rate. A rate of 100% would be represented by the value 1.0 and a rate of -100% by -1.0
- At least 1 and up to a total of 16 significant digits before decimal point
- Up to 16 digits following the decimal point
- No formatting, eg thousand separating commas
“0.05”
“-0.05”
“12.3456789”
“-99.123456789123”
AmountString A string representing an amount of currency.
- A positive, zero or negative number
- Negative numbers identified with a ‘-‘
- No currency symbols should be supplied
- At least 1 and up to a total of 16 significant digits before decimal point
- Minimum 2 digits following a decimal point (more digits allowable but only if required)
- No additional formatting, eg thousand separating commas
“0.01”
“10.00”
“1234567.89”
“-1001.23”
“1.999”
MaskedPANString Masked credit card number. Lower case ‘x’ should be used to mask numbers and only the last four digits should be exposed to facilitate identification. This type is expected to be used for display so the format should be logical for this context "xxxx xxxx xxxx 1234"
MaskedAccountString Masked bank account number genericised for a variety of account types. Should be represented as the full account number would normally be represented for display (including formatting) but with all digits except the last four replaced with a lowercase x. This type is expected to be used for display so the format should be logical for this context "xxxx xxxx xxxx 1234"
"xxx-xxx xxxxx1234"
URIString A valid URI "http://www.google.com"
ExternalRef The format is defined by an external reference such as ISO standard or an RFC Swift bank codes using ISO 9362

Pagination

Each API end point that can return multiple records will stipulate whether pagination is supported for the end point or not. For end points that will return less than a reasonably sized page of results in the majority of circumstances support for paging may not be included.

Note that the use of paging for an end point does not require or preclude the use of filtering query parameters. It is expected that filtering and paging will be applied independently of each other.

Query Parameters

The consumer will stipulate pagination requirements on the request using query parameters. When paging is supported the consumer MAY provide the following query parameters:

If the query parameters are not provided the following defaults will be assumed:

Response Fields

In addition to the data requested a holder MUST provide the following additional information in the response payload:

For each of these fields the page size specified in the request should be assumed when calculating values.

Additional Pagination Rules

Cursor Support

For performance reasons data holders may wish to support other pagination patterns such as cursors or continuation tokens. While the standard does not explicitly support these additional mechanisms it is considered allowable to implement these patterns and expose them via the pagination links.

In this scenario the URIs included in the links for other pages may not be compliant with the standard and may, instead, include other query parameters that support another pagination pattern. It is expected that all other pagination requirements such as link fields and meta fields will still be supported if other patterns are implemented.

To allow for a more performant implementation data consumers are encouraged to utilise pagination links wherever possible and only use constructed URIs for the first page or if random access to a specific set of records is required.

ID Permanence

Within these standards resource IDs are REQUIRED to comply with the following:

Error Codes

These standards define a standard list of error codes that Data Recipients and Data Holders SHOULD or MUST conform to. Further,

Error Response Structure

Non-Normative Example

{
  "errors": [
    {
      "code": "urn:au-cds:error:cds-banking:Authorisation/UnavailableBankingAccount",
      "title": "Unavailable Banking Account",
      "detail": "808b5b1d-0798-4bdf-a3c8-f9cce2904eb2"
    }
  ]
}

The errors object will be an array of zero or more unnamed objects. The fields in each of these objects will be as follows:

If a Data Recipient or Data Holder responds with an application-specific error code, the standard CDR URN error code MUST be provided in the MetaError object.

URN Structure

When responding with a standard CDR error code, the URN structure is defined as follows:

urn-string = "urn:" NID ":" metatype ":" sub-type ":" error-category "/" error-code

  • NID = "au-cds" string.
  • metatype = "error" string.
  • sub-type = cds-all / cds-register / cds-banking / cds-energy
    • cds-all = "cds-all" string. An error code common to all API responses,
    • cds-register = "cds-register" string. Reserved for CDR Register issued error codes only,
    • cds-banking = "cds-banking" string. An error code specific to the CDR banking APIs only,
    • cds-energy = "cds-energy" string. An error code specific to the CDR energy APIs only.
  • error-category = string. The high-level category code for the error defined in the Consumer Data Standards
  • error-code = string. The specific error encountered, defined in the Consumer Data Standards

Standard Error Codes

A list of standard error codes to help categorise an error response. The applicable HTTP response code is also given.

General Errors

Non-Normative Example

# A request to a Data Holder extension API is made where an application-specific error is returned
#
# Request
POST https://data.acme.com.au/cds-au/v1/banking/ACME-new-loan-application HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-ACME-v : 7

# Response
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
  "errors": [
    {
      "code": "ACME-APPLY-017",
      "title": "Application Is Missing Product ID",
      "detail": "A new loan application was requested but the product ID was not provided",
      "meta": {
         "urn": "urn:au-cds:error:cds-all:GeneralError/Expected"
      }
    }
  ]
}
Error Title Error Code HTTP Status Category Description
Expected Error Encountered urn:au-cds:error:cds-all:
GeneralError/Expected
4xx An error code that can be used, when an expected error occurs that is otherwise not covered by a more specific error.

The error detail SHOULD be populated with a meaningful error description, without revealing sensitive information.

An application specific error code MAY be provided. The MetaError » urn MUST be populated with the standard CDR error code.
Unexpected Error Encountered urn:au-cds:error:cds-all:
GeneralError/Unexpected
5xx An error code that can be used, when an unexpected error occurs.

The error detail SHOULD be populated with a meaningful error description, without revealing sensitive information.

An application specific error code MAY be provided. The MetaError » urn MUST be populated with the standard CDR error code.
Service Unavailable urn:au-cds:error:cds-all:
Service/Unavailable
503 (Service Unavailable) A request is made but the API unavailable as due to an outage.

The error detail MAY describe whether the outage is scheduled or unexpected and whether it is fully unavailable or partially unavailable.

400 Bad Request Errors

Non-Normative Example

# A request to Get Accounts is made however
# the value of is-owned is not a Boolean value
#
# Request
GET https://data.holder.com.au/cds-au/v1/banking/accounts?is-owned=2007-05-01 HTTP/1.1
Host: data.holder.com.au
Accept: application/json

# Response
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
  "errors": [
    {
      "code": "urn:au-cds:error:cds-all:Field/Invalid",
      "title": "Invalid Field",
      "detail": "is-owned"
    }
  ]
}
Error Title Error Code Description
Missing Required Field urn:au-cds:error:cds-all:
Field/Missing
The request is missing a mandatory field required for the API. It MAY be a missing query parameter or missing field in the request payload. This error code can be used, where a more specific validation error is not applicable.

The error detail SHOULD be the parameter name of the missing field.

This error code MUST be supported for unauthenticated and authenticated APIs.
Missing Required Header urn:au-cds:error:cds-all:
Header/Missing
A required HTTP header has not been provided.

The error detail SHOULD be the HTTP header name.

This error code SHOULD be supported for unauthenticated and authenticated APIs.
Invalid Field urn:au-cds:error:cds-all:
Field/Invalid
Applies when the value of the URL parameter or request body parameter is an invalid type or the value violates the field's constraints as defined by the interface contract.
For example, is-owned is a Boolean but a DateString value is provided.

The error detail SHOULD be the parameter name of the invalid field. The error detail MAY include further details explaining the valid format.

This error code MUST be supported for unauthenticated and authenticated APIs.
Invalid Header urn:au-cds:error:cds-all:
Header/Invalid
Applies when a HTTP Header is provided but the value provided is an invalid type or violates the field type constraints as defined in the Consumer Data Standards.

The error detail SHOULD be the HTTP header name. The error detail MAY include further details explaining the valid format.

This error code SHOULD be supported for unauthenticated and authenticated APIs.
Invalid Date urn:au-cds:error:cds-all:
Field/InvalidDateTime
An invalid date is provided. For example, a future date value is expected, but a date in past or current date is supplied. Applies to DateTimeString, DateString, and TimeString field types.

The error detail SHOULD be the parameter name of the invalid date field. The error detail MAY include further details explaining the expected date value.

This error code MUST be supported for unauthenticated and authenticated APIs.
Invalid Page Size urn:au-cds:error:cds-all:
Field/InvalidPageSize
The value provided in the page-size pagination field is greater than the maximum allowed by the Consumer Data Standards (page_size > 1000).

This error code MUST be supported for unauthenticated and authenticated APIs.
Invalid Version urn:au-cds:error:cds-all:
Header/InvalidVersion
A request is made for a version that is not a PositiveInteger.
For example:
  • x-min-v, x-v or x-<HID>-v are not Integers (e.g. x-min-v=foo, x-v=bar, x-ACME-v=cheese)
  • x-min-v, x-v or x-<HID>-v are not positive-value integers (they are an Integer but <= 0)

This error code MUST be supported for unauthenticated and authenticated APIs.

If the version header is a PositiveInteger but is not a version supported by the Data Holder, the Unsupported Version code applies.

403 (Forbidden) Errors

Error Title Error Code Description
ADR Status Is Not Active urn:au-cds:error:cds-all:
Authorisation/AdrStatusNotActive
The ADR or the ADR's software product is not "active".

The error detail SHOULD contain the current status of the ADR software product.
Consent Is Revoked urn:au-cds:error:cds-all:
Authorisation/RevokedConsent
The consumer's consent is no longer authorised (for example revoked or expired) and the requested resource will not be provided.

This error code SHOULD be supported for authenticated APIs.
Consent Is Invalid urn:au-cds:error:cds-all:
Authorisation/InvalidConsent
The authorised consumer's consent is not associated to the resource requested, is insufficient to execute the resource or is in a status that prevents the resource being executed.

For example, if consent is awaiting authorisation of a secondary account holder.

The error detail SHOULD be a description of the status of consent without revealing sensitive information.

This error code SHOULD be supported for authenticated APIs.

404 (Not Found) Errors

Non-Normative Examples

# A request to a resource endpoint that does not exist
#
# Request
GET https://data.holder.com.au/cds-au/v1/banking/payments/294819e6-7ae0-4e20-900a-6a733fd97854/location HTTP/1.1
Host: data.holder.com.au
Accept: application/json

# Response
HTTP/1.1 404 Not Found
Content-Type: application/json
{
  "errors": [
    {
      "code": "urn:au-cds:error:cds-all:Resource/NotFound",
      "title": "Resource Not Found"
    }
  ]
}

# A request to a resource endpoint that exists in the data standards,
# but is not currently implemented
#
# Request
POST https://data.holder.com.au/cds-au/v1/admin/register/metadata HTTP/1.1
Host: data.holder.com.au
Accept: application/json

# Response
HTTP/1.1 404 Not Found
Content-Type: application/json
{
  "errors": [
    {
      "code": "urn:au-cds:error:cds-all:Resource/NotImplemented",
      "title": "Resource Not Implemented"
    }
  ]
}

#
# A request to a resource that is temporarily unavailable
#
# Request
GET https://data.holder.com.au/cds-au/v1/banking/accounts/b3f0c9d0/transactions/52e443ae13c5 HTTP/1.1
Host: data.holder.com.au
Accept: application/json

# Response
HTTP/1.1 404 Not Found
Content-Type: application/json
{
  "errors": [
    {
      "code": "urn:au-cds:error:cds-all:Resource/Unavailable",
      "title": "Unavailable Resource",
      "detail": "52e443ae13c5"
    }
  ]
}

#
# A request to a get a banking account that is invalid
#
# Request
GET https://data.holder.com.au/cds-au/v1/banking/accounts/invalid-id/ HTTP/1.1
Host: data.holder.com.au
Accept: application/json

# Response
HTTP/1.1 404 Not Found
Content-Type: application/json
{
  "errors": [
    {
      "code": "urn:au-cds:error:cds-banking:Authorisation/InvalidBankingAccount",
      "title": "Invalid Banking Account",
      "detail": "invalid-id"
    }
  ]
}

Error Title Error Code Description
Resource Not Implemented urn:au-cds:error:cds-all:
Resource/NotImplemented
The requested resource URL is a valid API endpoint defined by the Consumer Data Standards, but it is not implemented or not currently supported.

This error code SHOULD be supported for unimplemented APIs.
Resource Not Found urn:au-cds:error:cds-all:
Resource/NotFound
The requested resource URL is not an API endpoint defined by the Consumer Data Standards and it is not a URL recognised by the Data Holder or Data Recipient.
Invalid Resource urn:au-cds:error:cds-all:
Resource/Invalid
The requested resource identifier is permanently unavailable. No subsequent request for the resource will be successful. Applies when the resource ID is provided in the URI.

The error detail is the resource ID of the resource being requested.

This error code MUST be supported for unauthenticated and authenticated APIs.
Unavailable Resource urn:au-cds:error:cds-all:
Resource/Unavailable
The requested resource identifier is temporarily unavailable. Subsequent requests for the resource may be successful. Applies when the resource ID is provided in the URI.

The error detail is the resource ID of the resource being requested.

This error code MUST be supported for unauthenticated and authenticated APIs.
Invalid Banking Account urn:au-cds:error:cds-banking:
Authorisation/InvalidBankingAccount
The requested bank account is permanently unavailable. No subsequent request for the account will be successful. Applies when the account ID is provided in the URI.

The error detail is the account ID of the resource being requested.

This error code MUST be supported for authenticated APIs.
Unavailable Banking Account urn:au-cds:error:cds-banking:
Authorisation/UnavailableBankingAccount
The requested bank account is temporarily unavailable. Subsequent requests for the account may be successful. Applies when the account ID is provided in the URI.

The error detail is the account ID of the resource being requested.

This error code MUST be supported for authenticated APIs.

406 (Not Acceptable) Errors

Error Title Error Code Description
Unsupported Version urn:au-cds:error:cds-all:
Header/UnsupportedVersion
A request is made for a version that is lower than the minimum version or greater than maximum version the Data Holder supports for the requested endpoint.

The error detail MAY include the minimum and maximum versions the Data Holder supports.

This error code MUST be supported for unauthenticated and authenticated APIs.

422 (Unprocessable Entity) Errors

Non-Normative Example

#
# A bulk request to a get a banking account that is unavailable
#
# Request
POST https://data.holder.com.au/cds-au/v1/banking/accounts/balances HTTP/1.1
Host: data.holder.com.au
Accept: application/json

{
  "data": {
    "accountIds": [
      "b3f0c9d0-457d-4578-b0cd-52e443ae13c5",
      "b1bccd84-d29a-4233-8e44-be01c74eb85b"
    ]
  },
  "meta": {}
}

# Response
HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
{
  "errors": [
    {
      "code": "urn:au-cds:error:cds-all:Authorisation/UnavailableBankingAccount",
      "title": "Unavailable Banking Account",
      "detail": "b3f0c9d0-457d-4578-b0cd-52e443ae13c5"
    }
  ]
}

Error Title Error Code Description
Invalid Resource urn:au-cds:error:cds-all:
Resource/Invalid
The requested resource identifier is permanently unavailable. No subsequent request for the resource will be successful. Applies when the resource ID is provided in the request body.

The error detail is the resource ID of the resource being requested.

This error code MUST be supported for authenticated APIs.
Unavailable Resource urn:au-cds:error:cds-all:
Resource/Unavailable
The requested resource identifier is temporarily unavailable. Subsequent requests for the resource may be successful. Applies when the resource ID is provided in the request body.

The error detail is the resource ID of the resource being requested.

This error code MUST be supported for authenticated APIs.
Invalid Banking Account urn:au-cds:error:cds-banking:
Authorisation/InvalidBankingAccount
The requested bank account is permanently unavailable. No subsequent request for the account will be successful. Applies when the account ID is provided in the request body.

The error detail is the account ID of the resource being requested.

This error code MUST be supported for authenticated APIs.
Unavailable Banking Account urn:au-cds:error:cds-banking:
Authorisation/UnavailableBankingAccount
The requested bank account is temporarily unavailable. Subsequent requests for the account may be successful. Applies when the account ID is provided in the request body.

The error detail is the account ID of the resource being requested.

This error code MUST be supported for authenticated APIs.
Invalid Consent Arrangement urn:au-cds:error:cds-all:
Authorisation/InvalidArrangement
The arrangement being executed has previously been revoked and no further action will be taken.

The error detail is the CDR Arrangement ID of the being executed.

This error code MUST be supported for the Data Recipient and Data Holder CDR Arrangement Revocation endpoint.
Invalid Page urn:au-cds:error:cds-all:
Field/InvalidPage
The page being requested it out of of range. For example, the valid pagination range is 5 pages and the client requested page=10).

The error detail SHOULD be the maximum number of pages that are available.

This error code MUST be supported for unauthenticated and authenticated APIs.

CDR Register Errors

The following error codes apply to responses from the CDR Register. Data Recipient and Data Holder clients requesting data from the CDR Register MAY expect the following standard CDR error codes to be encountered:

Error Title Error Code HTTP Status Category Description
Invalid Brand urn:au-cds:error:cds-register:
Field/InvalidBrand
404 (Not Found) The brand provided to get the Data Recipient software statement assertion is invalid. Applies to the dataRecipientBrandId path parameter for CDR Register APIs.
Invalid Industry urn:au-cds:error:cds-register:
Field/InvalidIndustry
404 (Not Found) The industry requested in the path to get Data Recipient or Data Holder metadata is invalid / does not exist and cannot be found. Applies to the industry path parameter for CDR Register APIs.
Invalid Software Product urn:au-cds:error:cds-register:
Field/InvalidSoftwareProduct
404 (Not Found) The software product requested to get the Data Recipient software statement assertion is invalid or cannot be found. Applies to the softwareProductId path parameter.

Processing Errors

When a server encounters multiple problems for a single request, the most generally applicable HTTP error code SHOULD be used in the response. For instance, 400 Bad Request might be appropriate for multiple 4xx errors or 500 Internal Server Error might be appropriate for multiple 5xx errors.

A server MAY choose to stop processing as soon as a problem is encountered, or it MAY continue processing and encounter multiple problems. For instance, a server might process multiple attributes and then return multiple validation problems in a single response.

Extensibility And Application Specific Errors

Error handling has been designed with extensibility in mind. Where an application supports error codes specific to that implementation, it is intended that implementations can extend the standard CDR error codes with application-specific error responses whilst maintaining interoperability for clients.

Non-Normative Example

# Application-specific error code extends a standard CDR error code with
# details specific to the Data Holder
{
  "errors": [
    {
      "code": "acme-bank:JointAccountElectionRemoved",
      "title": "Joint Account Consent Election Is Removed",
      "detail": "Description of the specific error encountered",
      "meta": {
        "urn": "urn:au-cds:error:cds-banking:Authorisation/UnavailableBankingAccount"
      }
    }
  ]
}

To assist clients, the Data Recipient or Data Holder MUST provide the application-specific error code in the ResponseErrorListV2 » code and the standard CDR error code in the ResponseErrorListV2 » MetaError » urn field denoting the standard error code the implementation extends.

Transition arrangements

Non-Normative Examples

# Application-specific error code before transition

{ "errors": [
  {
    "code": "old error code",
    "title": "error message",
    "detail": "Description of the specific error encountered"
  }
] }

# Application-specific error code during transition

{ "errors": [
  {
    "code": "old error code",
    "title": "error message",
    "detail": "Description of the specific error encountered",
    "meta": {
      "urn": "urn:au-cds:error:cdr-all:Header/UnsupportedVersion"
    }
  }
] }

# Standardised-error code after retirement of application-specific error code

{ "errors": [
  {
    "code": "urn:au-cds:error:cdr-all:Header/UnsupportedVersion",    
    "title": "Unsupported Version",
    "detail": "'x-v' **MUST** be greater than or equal to '2'"
  }
] }

If Data Recipients or Data Holders support custom error codes prior to February 1st 2022, the following transition arrangements apply:

Extensibility

The Consumer Data Right standards will not cover all possible data sets or APIs that participants may wish to expose. Participants may also wish to innovate on top of the API standards by offering additional data to meet specific market opportunities. It is desirable that the standards not only allow for this to occur but actively encourage it with specific additions to the standards to enable such extension.

At the same time, it is important that a participant seeking to provide extensions does not hinder a data consumer that is only built for the published standards.

To accommodate these concerns the standards incorporate the following considerations specifically related to extension by data holders.

The three types of extension that the standards address are:

  1. Data holder offering entirely new API categories that are not covered by the API Standards
  2. Data holder offering additional end points to an API category that is already covered by the standards
  3. Data holder offering additional fields to the response payloads for an end point defined in the standards

Holder Identifier

For example, the prefixes for the four major Banks included in the first phases of implementation would be:

  • CBA – Commonwealth Bank
  • WBC – Westpac Banking Corporation
  • ANZ – ANZ Banking Group
  • NAB – National Australia Bank

Data holders seeking to extend the standards MUST nominate a prefix to identify all extensions. Extended fields and end points and would use this prefix consistently. This prefix would be, by preference, the ASX symbol for the holder. Care should be taken not to use a prefix already adopted by another holder in the regime.

In these standards, where a holder Identifier would be included, the term <HID> will be used.

New API Categories

When extending by adding new API categories a holder MUST add these to the overall URI structure by substituting the industry element with the Holder (Provider) ID.

For instance, the standard URI base path is structured as:
<holder path> / cds-au / <version> / <industry> / <resource>

For the extension API categories for a specific holder they would be structured as:
<holder path> / cds-au / <version> / <HID> / <resource>

The end points defined under this structure, including the payloads of these end points do not need to be prefixed in any way. The fact that they are underneath the holder section implies that they are additional to the standard.

Note that:

New End Points In Existing API Categories

When creating new end points that are in parallel to existing API categories in the standard the Holder Identifier MUST be used to prefix the highest URI element where divergence occurs.

For example, assume an existing balance end point is defined as follows:
<base path>/accounts/{account ID}/transactions

and the holder wishes to add an end point that summarises balance movement for a specific time period then they may define the end point as:
<base path>/account/{account ID}/<HID>-balance-movement

Note that:

Additional Fields In An Existing Response Payload

When adding a new field in an existing payload the field can be added to the JSON by prefixing the string <HID>-.

If an object is being added as an extension only the highest level object name needs to be prefixed. Any fields inside the extended object can be named normally.

Note that:

Additional Query Parameters

When adding support for a new query parameter to an existing end point that a data consumer is expected to supply, the new parameter should be prefixed by the string <HID>- to avoid potential collision with extension by another data holder.

Extension Versioning

As described previously in the versioning section the standard provides for multiple versions of each API end point. This implies the need for extensions to also be versioned.

An optional header x-<HID>-v will be supported for all end points that can be used by the data consumer to request a specific version of extension fields to include in the response. See the section on HTTP Headers for more information on the use of this header.

Security Profile

Overview

This information security profile builds upon the foundations of the Financial-grade API Read Write Profile [FAPI-RW] and other standards relating to Open ID Connect 1.0 [OIDC].

For information on the specific normative references that underpin this profile refer to the Normative References section.

Symbols and Abbreviated terms

CDR Federation

The CDR Federation will facilitate the secure exchange of consumer data and federation metadata between multiple system entities which will assume one or more of the following roles:

Data Holder

The Data Holder (DH) is a system entity that authenticates a Customer (resource owner or user), as part of an authorisation process initiated by a Data Recipient, and issues an authorisation for that Data Recipient to access the Customer's data via published APIs.

A Data Holder assumes the role of an [OIDC] OpenID Provider.

For the purposes of this standard a single designated organisation may be represented via the Register as multiple separate Data Holders to support multiple brands or market identities.

Data Recipient

A Data Recipient (DR) is a system entity that is authorised by a Data Holder to access consumer resources (APIs). A Data Recipient MUST capture consumer consent prior to commencing an authorisation process with a Data Holder.

A Data Recipient MUST be accredited in order to participate in the CDR Federation. Accreditation rules for Data Recipients are beyond the scope of this artifact.

A Data Recipient assumes the role of an [OIDC] Relying Party (Client).

For the purposes of this standard a single accredited organisation may be represented via the Register as multiple separate Data Recipients to support multiple applications or services.

Register

The Register is a central point of discovery for both Data Holders and Data Recipients. Data Holders and Data Recipients must be created as entities in the Register in order for them to participate as members of the CDR Federation. The functionality of the Register will include but will not be limited to:

Customer

For the purposes of this standard a single person or individual may be represented as multiple Customers according to the practice of the Data Holder according to their existing digital channels.

Authentication Flows

This profile supports the authentication flows specified by OpenID Connect [OIDC] as constrained further by FAPI [FAPI].

Specifically the Hybrid Flow outlined at section 3.3 of [OIDC].

No other flows are currently supported.

OIDC Hybrid Flow

The [OIDC] Hybrid Flow is a type of redirection flow where the consumer's user agent is redirected from a Data Recipient’s (Relying Party) web site to a Data Holder’s Authorisation end point in the context of an [OIDC] authentication request. The Hybrid flow incorporates aspects of the both the implicit flow and authorisation code flow detailed under [OIDC].

Only a response_type (see section 3 of [OIDC]) of code id_token SHALL be allowed.

The request_uri parameter is only supported if the Data Holder supports PAR.

In addition, the following statements are applicable for this flow:

In line with CDR Rule 4.24 on restrictions when asking CDR consumers to authorise disclosure of CDR data, unwarranted friction for OTP delivery is considered to include:

Additional requirements and guidelines for this flow are contained in the Consumer Experience section.

Client Authentication

This section outlines how participants in the CDR regime will authenticate clients seeking access to end points.

Note that, while [MTLS] is utilised for transaction security and as a Holder of Key mechanism, the PKI Mutual TLS OAuth Client Authentication Method SHALL NOT be supported as the mechanism for client authentication.

The following authentication methods are supported:

Private Key JWT Client Authentication

Private Key JWT Client Authentication Non-Normative Example - CDR Register calls the Data Holder's token end point to obtain an Access Token for the purposes of calling the Data Holder's Get Metrics endpoint.

POST /token HTTP/1.1
Host: www.holder.com.au
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
  client_id=5ntwEOpMdPxxy49Gt28SXWY6j3afl2CP2&
  scope=admin%3Ametrics.basic%3Aread&
  client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
  client_assertion=eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey ...

## Decoded client assertion JWT
{
  "alg": "PS256",
  "typ": "JWT",
  "kid": "12456"
}
{
  "iss": "5ntwEOpMdPxxy49Gt28SXWY6j3afl2CP2",
  "sub": "5ntwEOpMdPxxy49Gt28SXWY6j3aflCP2",
  "iat": 1516239022,
  "exp": 1516239322,
  "aud": "https://www.holder.com.au/token",
  "jti": "37747cd1-c105-4569-9f75-4adf28b73e31"
}

Authorisation Servers supporting private_key_jwt Client Authentication of clients MUST support the following requirements:

Self-signed JWT Client Authentication

Self-signed JWT Client Authentication Non-Normative Example - CDR Register calls the Data holder's Get Metrics end point using self-signed JWT Client Authentication (note that the “aud” claim represents the AdminBaseUri as defined in CDR Register Participant Endpoints).

GET https://admin.data.holder.com.au/cds-au/v1/admin/metrics HTTP:/1.1
Host: admin.data.holder.com.au
x-v: string
x-min-v: string
Authorization: Bearer eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey ...

## Decoded Bearer token JWT
{
   "alg":"PS256",
   "typ":"JWT",
   "kid":"12456"
}
{
   "iss":"cdr-register",
   "sub":"cdr-register",
   "aud":"https://admin.data.holder.com.au",
   "iat":1516239022,
   "exp":1516239322,
   "jti":"32358102-a44f-43cc-ad7c-42443d01507a"
}

Data Recipients and Data Holders supporting the self-signed JWT authentication of clients using a signed JWT MUST do so according to the following requirements:

CDR Register calling Data Holders

Data Holders MUST support either Private Key JWT Client Authentication or Self-signed JWT Client Authentication of the CDR Register.

Data Holders SHOULD support Private Key JWT Client Authentication but MAY support Self-signed JWT Client Authentication.

This method MAY be changed by updating Data Holder registration details with the CDR Register.

Private Key JWT authentication

If the Data Holder supports the Private Key JWT Client Authentication method for authenticating the CDR Register, it MUST also support the following requirements:

Self-signed JWT authentication

If the Data Holder supports the Self-signed JWT Client Authentication method for authenticating the CDR Register, the client ID MUST be set to a value of ‘cdr-register’.

Data Holders calling Data Recipients

Non-Normative Example - Data Holder calls the Data Recipient's revocation end point (note that the “aud” claim is the fully qualified path to the revocation end point because the full path is also the Base URI).

POST https://data.recipient.com.au/revocation HTTP/1.1
Host: data.recipient.com.au
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey …

token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token

## Decoded Bearer token JWT
{
   "alg":"PS256",
   "typ":"JWT",
   "kid":"67890"
}
{
   "iss":"dataholderbrand-123",
   "sub":"dataholderbrand-123",
   "aud":"https://data.recipient.com.au/revocation",
   "iat":1516239022,
   "exp":1516239322,
   "jti":"dba86502-7cf5-4719-9638-c5339a0ddb06"
}

In addition to the requirements for Self-signed JWT Client Authentication, the client_id is the ID of the Data Holder obtained from the CDR Register.

Data Recipients calling Data Holders

Non-Normative Example - Data Recipient calls Data Holder's token end point.

POST /token HTTP/1.1
Host: www.holder.com.au
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
  code=i1WsRn1uB1&
  client_id=s6BhdRkqt3&
  client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
  client_assertion=eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey ...

## Decoded client assertion JWT
{
  "alg": "PS256",
  "typ": "JWT",
  "kid": "12456"
}
{
  "iss": "s6BhdRkqt3",
  "sub": "s6BhdRkqt3",
  "iat": 1516239022,
  "exp": 1516239322,
  "aud": "https://www.holder.com.au/token",
  "jti": "37747cd1-c105-4569-9f75-4adf28b73e31"
}

In addition to the requirements for Private Key JWT Client Authentication the following requirements MUST be supported:

OIDC Client Types

Only Confidential Clients SHALL be supported under this profile. Therefore, Public clients SHALL NOT be supported.

In reference to the client types referenced in section 2.1 of [OAUTH2]:

JSON Web Key Sets

Data Holder public keys MUST only be obtained from the standard OIDC end point used for that purpose.

Data Recipient public keys MUST only be obtained from the URI registered with the CDR Register.

CDR Register public keys MUST only be obtained from the end point exposed for that purpose.

Consent requirements will be communicated between the Data Recipient and Data Holder via the authorisation request object. The primary mechanism for capturing consent will be scopes and claims under [OIDC].

Other patterns for the establishment of consent may be considered in the future, including the incorporation of fine-grained consent for specific use cases.

Scopes and Claims

OIDC Scopes

In addition to CDR data scopes the following scopes MUST be supported:

Claims

The following normal [OIDC] claims MUST be supported. This list includes, but is not limited to, [OIDC] standard claims :

The following additional claims MUST be supported:

Tokens

ID Token

Non-Normative Example - acr

{
  "iss": "https://www.holder.com.au",
  "sub": "a9ebbef6-1f0b-44eb-96cf-0c5b51b37ab2",
  "aud": "12345",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "nbf": 1311280970,
  "auth_time": 1311280969,
  "acr": "urn:cds.au:cdr:3",
  "refresh_token_expires_at": 1311281970,
  "sharing_expires_at": 1311281970
}

ID Tokens are specified in section 2 of the [OIDC] standard. In accordance with [FAPI-RW], ID Tokens must be signed and encrypted when returned to a Data Recipient from both the Authorisation End Point and Token End Point.

In addition to the mandatory claims specified in section 2 of the [OIDC] standard, required claims for ID Tokens as part of Hybrid Flow authentication must align to section 3.3 (Authentication using the Hybrid Flow) of the [OIDC] standards and section 5.2.2 and section 8.4.3 of the [FAPI-RW] profile.

ID Tokens MUST be signed by Data Holders as specified in section 8.6 of [FAPI-RW].

The ID Token returned from the Authorisation End Point MUST NOT contain any Personal Information (PI) claims.

Hashing value for state and authorisation code

The c_hash value MUST be generated according to section 3.3.2.11 of [OIDC].

The s_hash value MUST be generated according to section 5.1 of [FAPI-RW].

Access Token

Access Tokens MUST be used as specified in section 10.3 of [OAUTH2].

An Access Token MUST expire between 2 minutes to 10 minutes after the Data Holder issues it (at the discretion of the Data Holder).

The process for refreshing an Access Token is described in section 12.1 of [OIDC].

Refresh Token

Refresh Tokens MUST be supported by Data Holders.

The usage of Refresh Tokens is specified in section 12 of [OIDC].

The expiration time for a Refresh Token MUST be set by the Data Holder.

Refresh Token expiration MAY be any length of time greater than 28 days but MUST NOT exceed the end of the duration of sharing consented to by the Consumer.

Data Holders MAY cycle Refresh Tokens when an Access Token is issued. If Refresh Token cycling is not performed then the Refresh Token MUST NOT expire before the expiration of the sharing consented by the Customer.

Token Expiry

The expiry time for issued access tokens and refresh tokens must be deterministic for the Data Recipient.

In order to achieve this:

Identifiers and Subject Types

sub claim

The identifier for an authenticated end-user (subject) MUST be passed in the sub claim of an ID Token and UserInfo response as defined by [OIDC].

The Data Holder MUST generate the sub value as a Pairwise Pseudonymous Identifier (PPID) as described in section 8 of [OIDC]. Furthermore, the identifier MUST be unique per customer as per the definition of customer in the CDR Federation section of this profile.

It is RECOMMENDED that the sub value is generated as a version 4 Universally Unique Identifier (UUID) [RFC4122].

CDR Arrangement ID

Non-normative example: Token Endpoint hydration

Request

POST /token HTTP/1.1
Host: https://data.holder.com.au
Content-Type: application/x-www-form-urlencoded

client_id=s6BhdRkqt3
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey ...
&grant_type=refresh_token
&refresh_token=8xLOxBtZp8
&scope=openid%20profile

Response

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token": "eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUl...",
  "cdr_arrangement_id": "02e7c9d9-cfe7-4c3e-8f64-e91173c84ecb"
}

Decoded JWT

{
  "iss": "https://data.holder.com.au",
  "sub": "a9ebbef6-1f0b-44eb-96cf-0c5b51b37ab2",
  "aud": "12345",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "nbf": 1311280970,
  "auth_time": 1311280969,
  "acr": "urn:cds.au:cdr:3",
  "refresh_token_expires_at": 1311281970,
  "sharing_expires_at": 1311281970
}

Non-normative example: Token Introspection Endpoint hydration

Request

POST /token/introspect HTTP/1.1
Host: https://data.holder.com.au
Content-Type: application/x-www-form-urlencoded

client_id=s6BhdRkqt3
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey ...
&token=tGzv3JOkF0XG5Qx2TlKWIA
&token_type_hint=refresh_token

Response

{
  "active": true,
  "exp": 1311281970,
  "scope": "openid profile bank:accounts.basic:read bank:accounts.detail:read",
  "cdr_arrangement_id": "02e7c9d9-cfe7-4c3e-8f64-e91173c84ecb"
}

The CDR Arrangement ID is a unique string representing a consent arrangement between a Data Recipient and Data Holder for a given consumer.

The identifier MUST be unique per customer according to the definition of customer in the CDR Federation section of this profile.

The Data Holder MUST provide the CDR Arrangement ID as the claim cdr_arrangement_id in the Token End Point response and Token Introspection End Point response.

A Data Holder MUST only return the cdr_arrangement_id in the Token and Token Introspection End Point responses if they also support concurrent consent. This ensures that Data Recipients have a reliable way to determine whether a given Data Holder supports concurrent consent.

Statements related to the CDR Arrangement ID:

Obtaining a CDR Arrangement ID

For any existing consents, Data Holders must retrospectively generate a cdr_arrangement_id such that Data Recipients can obtain a valid cdr_arrangement_id for all active consents they hold.

A Data Recipient can call either the Token or Token Introspection End Points at any point post-consent to obtain the CDR Arrangement ID in the response JSON as the claim cdr_arrangement_id.

Levels of Assurance (LoAs)

Levels Of Assurance (LoAs), returned after a successful authentication MUST be represented in Single Ordinal form where a single LoA value is represented.

Single Ordinal

A Single LoA value is carried in the acr claim which is described in section 2 of [OIDC].

READ operations SHALL only be allowed where at least an LoA of 2 has been achieved during the establishment of consent.

WRITE operations SHALL only be allowed where:

Transaction Security

Use of TLS

All HTTP calls MUST be made using HTTPS incorporating TLS >= 1.2.

Use of MTLS

All back-channel communication between Data Recipient and Data Holder systems MUST incorporate, unless stated otherwise, [MTLS] as part of the TLS handshake:

End points for transferring CDR Data that are classified as not requiring authentication do not require the use of [MTLS].

Holder of Key Mechanism

[MTLS] MUST be supported as a Holder of Key (HoK) Mechanism.

Note that, by implication, resource requests MUST be validated to ensure the client certificate and access token match.

OAUTB SHALL NOT be supported due to a lack industry support.

[MTLS] HoK allows issued tokens to be bound to a client certificate as specified in section 3 of [MTLS].

Ciphers

Only the following cipher suites SHALL be permitted in accordance with section 8.5 of [FAPI-RW]:

CORS

Cross-origin resource sharing (CORS) must be enabled (ie. Access-Control-Allow-Origin set to "*") for the following end points:

Request Object

Non-Normative Example - acr as an Essential Claim

#Decoded Request Object JWT

{
  "iss": "s6BhdRkqt3",
  "exp": 1516239322,
  "aud": "https://www.recipient.com.au",
  "response_type": "code id_token",
  "client_id": "s6BhdRkqt3",
  "redirect_uri": "https://www.recipient.com.au/coolstuff",
  "scope": "openid profile bank:accounts.basic:read
            bank:accounts.detail:read",
  "nonce": "n-0S6_WzA2Mj",
  "state": "af0ifjsldkj",
  "claims": {
    "sharing_duration": 7776000,
    "cdr_arrangement_id": "02e7c9d9-cfe7-4c3e-8f64-e91173c84ecb",
    "id_token": {
      "acr": {
        "essential": true,
        "values": ["urn:cds.au:cdr:3"]
      }
    },
    "userinfo": {
      "given_name": null,
      "family_name": null
    }
  }
}

The Request Object is a signed and encoded JWT specified in section 6.1 of [OIDC]. As per [FAPI-RW] section 5.2.2, the request parameter MUST be present on requests to the [OIDC] Hybrid Authorisation End Point. The Request Object enables [OIDC] requests to be passed in a single and self-contained parameter.

Request Objects MUST be signed by Data Recipients as specified in section 8.6 of [FAPI-RW].

Request Object references MUST be supported if the Data Holder supports Pushed Authorisation Requests (PAR).

Requesting Sharing Duration

To facilitate the specification of the duration for consent to share CDR data that is approved by the consumer, a mechanism for the Data Recipient to specify a sharing duration to the Data Holder is required.

To accomplish this, the Data Holder MUST support an additional claim in the authorisation request object named sharing_duration. The sharing_duration claim MUST be handled as follows:

Note that the period of one year in the above statements should be interpreted as 365, 24 hour days (or 31,536,000 seconds).

The Data Recipient is able to obtain the expiration of sharing via the sharing_expires_at claim.

Specifying an existing arrangement

Provided a Data Holder supports PAR, they MUST also support the cdr_arrangement_id claim provided in the Request Object sent to the PAR End Point. The Data Recipient MAY provide the cdr_arrangement_id claim in the Request Object sent to the PAR End Point.

The cdr_arrangement_id claim MUST be handled as follows:

Until November 2020 data holders are not required to take any action if cdr_arrangement_id is supplied but MUST NOT respond with an error.

Until November 2020 data recipients MUST NOT implement scenarios that support concurrent consent. Only single, extant consent scenarios should be implemented until this date.

If a data recipient provides the cdr_arrangement_id claim in the request object to the data holder's PAR End Point, the data holder MUST revoke any existing tokens related to the arrangement once the new consent is successfully established and a new set of tokens has been provided to the data recipient.

For data recipients seeking to replace consent where the Data Holder does not support PAR, data recipients MUST actively revoke previously supplied refresh tokens, immediately after receiving the tokens for a newly established consent, using the appropriate revocation end point.

End Points

OpenID Provider Configuration End Point

Non-Normative Example

## Request

GET /.well-known/openid-configuration HTTP/1.1
Host: www.dh.com.au

## Response

HTTP/1.1 200 OK
Content-Type: application/json
{
  "issuer": "https://www.dh.com.au",
  "authorization_endpoint": "https://www.dh.com.au/authorise",
  "token_endpoint": "https://www.dh.com.au/token",
  "introspection_endpoint": "https://www.dh.com.au/introspect",
  "revocation_endpoint": "https://www.dh.com.au/revoke",
  "userinfo_endpoint": "https://www.dh.com.au/userinfo",
  "registration_endpoint": "https://www.dh.com.au/register",
  "jwks_uri": "https://www.dh.com.au/jwks",
  "scopes_supported": ["openid", "profile", "..."],
  "response_types_supported": ["code id_token"],
  "response_modes_supported": ["fragment"],
  "grant_types_supported": ["authorization_code", "client_credentials", "urn:openid:params:modrna:grant-type:backchannel_request"],
  "acr_values_supported": ["urn:cds.au:cdr:2","urn:cds.au:cdr:3"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["ES256", "PS256"],
  "id_token_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "dir", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW" ],
  "id_token_encryption_enc_values_supported": [ "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM" ],
  "cdr_arrangement_revocation_endpoint": "https://data.holder.com.au/arrangements/revoke",
  "pushed_authorization_request_endpoint": "https://data.holder.com.au/par",
  "request_object_signing_alg_values_supported": ["ES256", "PS256"],
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "tls_client_certificate_bound_access_tokens": true,
  "claims_supported": ["name", "given_name", "family_name", "acr", "auth_time", "sub", "refresh_token_expires_at", "sharing_expires_at"]
}
Description Value
Hosted By Data Holder
Transport Security TLS
Client Authentication Required No
Bearer Token Required No

Data Holders MUST make their OpenID Provider Metadata available via a configuration end point as outlined in Section 3 and 4 of the OpenID Connect Discovery standards [OIDD].

At a minimum, the Data Holder metadata MUST include:

Authorisation End Point

Non-Normative Example

## Request

GET /authorise?
   response_type=code%20id_token&client_id=12345&
   scope=openid%20profile%20bank:accounts.basic:read%20bank:accounts.detail:read&
   request=eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.ey ...
HTTP/1.1
Host: www.holder.com.au

## Decoded request JWT
{
  "alg": "PS256",
  "typ": "JWT",
  "kid": "123"
}
{
  "iss": "12345",
  "exp": 1516239322,
  "aud": "https://www.recipient.com.au",
  "response_type": "code id_token",
  "client_id": "12345",
  "redirect_uri": "https://www.recipient.com.au/coolstuff",
  "scope": "openid profile bank:accounts.basic:read bank:accounts.detail:read",
  "state": "af0ifjsldkj",
  "nonce": "n-0S6_WzA2Mj",
  "claims": {
    "sharing_duration": 7776000,
    "userinfo": {
      "given_name": null,
      "family_name": null
    },
    "id_token": {
      "acr": {
        "essential": true,
        "values": ["urn:cds.au:cdr:3"]
      }
    }
  }
}

Description Value
Hosted By Data Holder
Transport Security TLS
Client Authentication Required No
Bearer Token Required No

The requirements for the Authorisation End Point are specified in section 3.3.2 of [OIDC] and further specified under section 5.2.2 of [FAPI-RW]. This end point is invoked as part of the Hybrid Authentication flow.

JSON Web Key Set End Point

Description Value
Hosted By Data Holder & Data Recipient
Transport Security TLS
Client Authentication Required No
Bearer Token Required No

The requirements for the JWKS End Point are specified in various sections of [OIDC].

This end point is used by the Data Holder to provide the public keys they will use when required.

Data Holders MUST support a JWKS End Point.

Token End Point

Description Value
Hosted By Data Holder
Transport Security MTLS
Client Authentication Required Yes
Bearer Token Required No

The requirements for the Token End Point are specified in section 3.3.3 of [OIDC].

To obtain an Access Token, an ID Token, and a Refresh Token, the Data Recipient sends a Token Request to the Token End Point.

Data Holders MUST support a Token End Point.

UserInfo End Point

Description Value
Hosted By Data Holder
Transport Security MTLS
Client Authentication Required No
Bearer Token Required Yes

The requirements for the UserInfo End Point are specified in section 5.3 of [OIDC].

Data Holders MUST support a UserInfo End Point.

Introspection End Point

Description Value
Hosted By Data Holder
Transport Security MTLS
Client Authentication Required Yes
Bearer Token Required No

Data Holders MUST implement an Introspection End Point to allow Data Recipients to determine the status and expiry date of Refresh Tokens. The requirements for an Introspection End Point are described in section 2 of [RFC7662].

Introspection of Refresh Tokens MUST be supported.

Introspection of Access Tokens and ID Tokens MUST NOT be supported.

A Token Introspection End Point Response SHALL include, at least, the following fields:

A Token Introspection End Point Response MAY include claims defined in Section 2.2 of [RFC7662] but username SHALL NOT be allowed.

Token Revocation End Point

Description Value
Hosted By Data Holder and Data Recipient
Transport Security MTLS for Data Holders, TLS for Data Recipients
Client Authentication Required Yes (for verifying Data Recipients)
Bearer Token Required Yes (for verifying Data Holders)

Requirements for Data Holder implementations

Data Holders MUST implement a Token Revocation End Point as described in section 2 of [RFC7009].

The Revocation End Point serves as a revocation mechanism that allows a Data Recipient to invalidate its tokens as required to allow for token clean up.

Revocation of Refresh Tokens and Access Tokens MUST be supported.

Requirements for Data Recipient implementations

The Token Revocation End Point, when implemented by the Data Recipient allows a Data Holder to notify the Data Recipient of the revocation of a sharing arrangement by the Customer in totality as required by the ACCC CDR Rules. This revocation will have been actioned by the Customer via the Data Holder’s consent dashboard as described in the ACCC CDR Rules.

Revocation of Access Tokens MUST not be supported.

Revocation of Refresh Tokens MUST be supported and will be used to notify the Data Recipient of sharing revocation.

If consent is withdrawn by a Customer in writing or by using the Data Recipient’s dashboard the Data Recipient MUST revoke consent using Data Holder’s implementation.

Revoking consent

If the Data Holder does not support a CDR Arrangement Revocation End Point, Data Recipients MUST use the Data Holder's Token Revocation End Point with the current Refresh Token to notify the Data Holder.

If the Data Holder does support the CDR Arrangement Revocation End Point, Data Recipients MUST use the Data Holder's CDR Arrangement Revocation End Point with a valid cdr_arrangement_id to notify the Data Holder.

CDR Arrangement Revocation End Point

Non-Normative Example

Request

POST https://data.holder.com.au/arrangements/revoke
HTTP/1.1
Host: data.holder.com.au
Content-Type: application/x-www-form-urlencoded

  client_id=s6BhdRkqt3&
  client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
  client_assertion=eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey ...&
  cdr_arrangement_id=5a1bf696-ee03-408b-b315-97955415d1f0
Description Value
Hosted By Data Holder & Data Recipient
Transport Security MTLS for Data Holders, TLS for Data Recipients
Client Authentication Required Yes (for Data Holders verifying Data Recipients)
Bearer Token Required Yes (for Data Recipients verifying Data Holders)

HTTP Method: POST
Data Holder Path: The cdr_arrangement_revocation_endpoint defined using OIDC Discovery
Data Recipient Path: <RecipientBaseUri>/arrangements/revoke where <RecipientBaseUri> is registered with the CDR Register.

Data Holders and Data Recipients MUST implement a CDR Arrangement Revocation End Point that can be used to revoke an existing sharing arrangement.

The request MUST include the following parameters using the application/x-www-form-urlencoded format in the HTTP request entity-body:
cdr_arrangement_id: The ID of the arrangement that the client wants to revoke.

This end point will be implemented according to the following:

Response Codes

The following responses are in addition to error responses covered by normative references. Error scenarios in the following table MUST use the error structure defined in the Payload Conventions.

Response Code Situation Description
204 No Content Success The sharing arrangement has been revoked successfully
422 Unprocessable Entity Invalid Arrangement ID The client submitted an invalid arrangement identifier or the identifier could not be found. The server MUST respond with Invalid Consent Arrangement.

Data Holders calling Data Recipients

Data Holders may discover that a given Data Recipient supports the CDR Arrangement Revocation End Point by the presence of the Recipient Base URI in the Software Statement Assertion (SSA). If a Data Recipient does not support the CDR Arrangement Revocation End Point, the Data Holder MUST call the Data Recipient Token Revocation End Point.

Data Recipients SHOULD update their client registration with each Data Holder as soon as is practical once they support the CDR Arrangement Revocation End Point.

Updating Register Meta Data and Client Registration

When a Data Recipient supports the CDR Arrangement Revocation End Point, they MUST: 1. Update their meta data with the CDR Register to include their recipient_base_uri. 2. Update their client registration with each Data Holder.

If the Data Recipient does not support the CDR Arrangement Revocation End Point, the Data Holder MUST instead revoke consent using the Data Recipient Token Revocation End Point.

Data Recipients calling Data Holders

Data Recipients may discover that a given Data Holder supports the CDR Arrangement Revocation End Point by the presence of the cdr_arrangement_revocation_endpoint in the Data Holder's OpenID Provider metadata.

If a Data Recipient does not support the CDR Arrangement Revocation End Point, Data Holders must notify Data Recipients when consent is withdrawn by calling the Data Recipient Revocation End Point.

Pushed Authorisation End Point

Non-Normative Example

Request

POST /par HTTP/1.1
     Host: data.holder.com.au
     Content-Type: application/x-www-form-urlencoded

request=eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.ey...

Decoded Request

{
  "iss": "s6BhdRkqt3",
  "exp": 1516239322,
  "aud": "https://www.recipient.com.au",
  "response_type": "code id_token",
  "client_id": "s6BhdRkqt3",
  "redirect_uri": "https://www.recipient.com.au/coolstuff",
  "scope": "openid profile bank:accounts.basic:read
            bank:accounts.detail:read",
  "nonce": "n-0S6_WzA2Mj",
  "state": "af0ifjsldkj",
  "claims": {
    "sharing_duration": 7776000,
    "cdr_arrangement_id": "02e7c9d9-cfe7-4c3e-8f64-e91173c84ecb",
    "id_token": {
      "acr": {
        "essential": true,
        "values": ["urn:cds.au:cdr:3"]
      }
    },
    "userinfo": {
      "given_name": null,
      "family_name": null
    }
  }
}

Response

HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store
{
  "request_uri": "urn:data.holder.com.au:bwc4JK-ESC0w8acc191e-Y1LTC2",
  "expires_in": 3600
}

Authorise

## This is used by the ADR in the subsequent authorisation request as follows
## (note that until PAR is an RFC standard, the mandatory oAuth parameters as
## per FAPI R/W for confidential clients must be replayed in the request URL):

GET /authorise?client_id=s6BhdRkqt3&
   response_type=code%20id_token&
   scope=openid%20profile%20bank:accounts.basic:read%20bank:accounts.detail:read&
   request_uri=urn%3Adata.holder.com.au%3Abwc4JK-ESC0w8acc191e-Y1LTC2
HTTP/1.1
Host: data.holder.com.au
Description Value
Hosted By Data Holder
Transport Security MTLS
Client Authentication Required Yes
Bearer Token Required No

Data Holders MUST support Pushed Authorisation Requests (PAR) via the pushed authorisation end point according to [PAR].

Data Recipients MAY send authorisation requests using [PAR] if supported by the Data Holder. Request objects which contain the cdr_arrangement_id claim MUST only be sent using [PAR]. If a Data Holder does not support [PAR], a Data Recipient SHOULD NOT provide the cdr_arrangement_id claim in the request object.

The Data Holder response provides the Data Recipient with a Request URI in the response. The Request URI is then passed to the Data Holder’s Authorisation End Point to initiate an authorisation flow.

In addition:

Normative References

Reference Description Version
[FAPI-R] Financial-grade API - Part 1: Read Only API Security Profile: https://openid.net/specs/openid-financial-api-part-1.html Draft-06
[FAPI-RW] Financial-grade API - Part 2: Read and Write API Security Profile: https://openid.net/specs/openid-financial-api-part-2.html Draft-06
[JSON] The JavaScript Object Notation (JSON) Data Interchange Format: https://tools.ietf.org/html/rfc8259 Dec 2017
[JWA] JSON Web Algorithms (JWA): https://tools.ietf.org/html/rfc7518 May 2015
[JWK] JSON Web Key (JWK): https://tools.ietf.org/html/rfc7517 May 2015
[JWT] JSON Web Token (JWT): https://tools.ietf.org/html/rfc7519 May 2015
[JWS] JSON Web Signature (JWS): https://tools.ietf.org/html/rfc7797 Feb 2016
[JWE] JSON Web Encryption (JWE): https://tools.ietf.org/html/rfc7516 May 2015
[MTLS] OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens: https://tools.ietf.org/html/rfc8705 Feb 2020
[OAUTH2] The OAuth 2.0 Authorization Framework: https://tools.ietf.org/html/rfc6749 Oct 2012
[OIDC] OpenID Connect Core 1.0 incorporating errata set 1: http://openid.net/specs/openid-connect-core-1_0.html Nov 2014
[OIDD] OpenID Connect Discovery 1.0 incorporating errata set 1: http://openid.net/specs/openid-connect-discovery-1_0.html Nov 2014
[TDIF] Digital Transformation Agency - Trusted Digital Identity Framework https://www.dta.gov.au/our-projects/digital-identity/trusted-digital-identity-framework Apr 2019
[RFC2119] Key words for use in RFCs to Indicate Requirement Levels https://tools.ietf.org/html/rfc2119 Mar 1997
[RFC7009] OAuth 2.0 Token Revocation: https://tools.ietf.org/html/rfc7009 Aug 2013
[RFC7523] JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants: https://tools.ietf.org/html/rfc7523 May 2015
[RFC7662] OAuth 2.0 Token Introspection: https://tools.ietf.org/html/rfc7662 Oct 2015
[RFC6750] The OAuth 2.0 Authorization Framework: Bearer Token Usage: https://tools.ietf.org/html/rfc6750 Oct 2012
[PAR] OAuth 2.0 Pushed Authorization Requests: https://tools.ietf.org/html/draft-ietf-oauth-par-01 Feb 2020

Informative References

Reference Description
[BCP195] Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS): https://tools.ietf.org/html/bcp195
[RFC7231] Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content: https://tools.ietf.org/html/rfc7231
[CDR] Consumer Data Right: https://www.accc.gov.au/focus-areas/consumer-data-right
[FAPI] Financial-Grade API - Home Page https://openid.net/wg/fapi/
[RFC4122] A Universally Unique Identifier (UUID) URN Namespace: https://tools.ietf.org/html/rfc4122
[X.1254] X.1254 - Entity authentication assurance framework: https://www.itu.int/rec/T-REC-X1254-201209-I/en

Consumer Experience

The Consumer Experience (CX) Standards contain requirements for the creation of implementations by both Data Recipients and Data Holders. The full list of CX Standards can be found below.

The CX Guidelines provide examples and recommendations for how to implement key rules and standards that relate to the consumer experience. They can be found along with additional CX commentary at:

Data Language Standards


Example of data language standards presented in a consumer-facing interaction, where [1] refers to Data cluster language, and [2] refers to Data permission language.

In accordance with CDR Rule 8.11 (1)(d), a data standard must be made to provide descriptions of the types of data to be used by CDR participants in making and responding to requests. Adherence to this language will help ensure there is a consistent interpretation and description of the consumer data that will be shared across different CDR implementations.

Area CX Standard
Data Language Standards: Language to be used

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions as outlined in Table 1.

Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn.

Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' in Table 1.

Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared.

Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist.

Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' in Table 1

Data Language Standards: Detailed scope requests

If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data.

Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' in Table 1 (rows greyed out for clarity).

Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer, but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope.

Table 1.

Individual Consumer

Data cluster language Permission language Authorisation Scopes
Name and occupation Name
Occupation
common:customer.basic:read
Contact Details Phone;
Email address;
Mail address;
Residential address;
common:customer.detail:read
Name, occupation, contact details ‡ Name;
Occupation;
Phone;
Email address;
Mail address;
Residential address;
common:customer.detail:read

Business consumer

Data cluster language Permission language Authorisation Scopes
Organisation profile * Agent name and role;
Organisation name;
Organisation numbers (ABN or ACN);†
Charity status;
Establishment date;
Industry;
Organisation type
Country of registration;
common:customer.basic:read
Organisation contact details * Organisation address;
Mail address;
Phone number;
common:customer.detail:read
Organisation profile and contact details *‡ Agent name and role;
Organisation name;
Organisation numbers (ABN or ACN),†
Charity status;
Establishment date;
Industry;
Organisation type;
Country of registration;
Organisation address;
Mail address;
Phone number;
common:customer.detail:read

Common

Data cluster language Permission language Authorisation Scopes
Account name, type and balance Name of account;
Type of account;
Account balance;
bank:accounts.basic:read
Account numbers and features Account number;
Interest rates;
Fees;
Discounts;
Account terms;
Account mail address;
bank:accounts.detail:read
Account balance and details‡ Name of account;
Type of account;
Account balance;
Account number;
Interest rates;
Fees;
Discounts;
Account terms;
Account mail address;
bank:accounts.detail:read
Transaction details Incoming and outgoing transactions;
Amounts;
Dates;
Descriptions of transactions;
Who you have sent money to and received money from; (e.g. their name)†
bank:transactions:read
Direct debits and scheduled payments Direct debits;
Scheduled payments;
bank:regular_payments:read
Saved payees Names and details of accounts you have saved; (e.g. their BSB and Account Number, BPay CRN and Biller code, or NPP PayID)† bank:payees:read

Accessibility Standards

Area CX Standard
Accessibility

At a minimum, all CDR participants MUST seek to comply with the following accessibility guidelines throughout the Consent Model.

These standards SHOULD be assessed, tested, and refined further by accessibility consultants directly involved in implementation.

Accessibility
Content distinction
Data Recipients and Data Holders MUST seek to have all aspects of the Consent Model comply with WCAG 1.4. This will make it easier to see and hear content, including separate foreground information from the background. This will make it easier to see and hear content, including separate foreground information from the background.
Accessibility
Keyboard functionality
Data Recipients and Data Holders MUST seek to have all aspects of the Consent Model comply with WCAG 2.1. This will make all functionality available from a keyboard.
Accessibility
Pointer interactions
Data Recipients and Data Holders MUST seek to have all aspects of the Consent Model comply with WCAG 2.5. This will make it easier to operate functionality using various input devices
Accessibility
Reading experiences
Data Recipients and Data Holders MUST seek to have all aspects of the Consent Model comply with WCAG 3.1. This will make text content readable and understandable
Accessibility
Input assistance
Data Recipients and Data Holders MUST seek to have all aspects of the Consent Model comply with WCAG 3.3. This will help users avoid and correct mistakes.
Area CX Standard
Disclosure consent:
Collection source
In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent:
  1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from
  2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with
Note:
  • Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s)
  • This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data
  • Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified
Disclosure Consent: Descriptions of Data to be Collected and Disclosed If:
  1. An accredited person is seeking a collection consent to collect CDR data from a particular accredited data recipient; or
  2. An accredited data recipient is seeking a disclosure consent from a consumer to disclose CDR data;
and the data subject to the disclosure or collection is not within the data language standards as it does not relate to a relevant data cluster, then that data MUST be described in language that is as easy to understand as practicable.
Consent:
Redirection
Data recipients MUST notify consumers of redirection prior to authentication.

Authentication Standards

Area CX Standard
Authentication:
'One Time Password' (OTP)

Data holders and data recipients MUST clearly refer to a "One Time Password" in consumer-facing interactions and communications.

The use of the term "One Time Password" MAY be presented alongside an existing term used by a data holder (e.g. Netcode, one time pin etc.).

Authentication:
Passwords
Data holders and data recipients MUST state in consumer-facing interactions and communications that services utilising the CDR do not need access to consumer passwords for the purposes of sharing data. The exact phrasing of this is at the discretion of the data holder and data recipient.
Authentication:
Password link
Data holders MUST NOT include forgotten details links in redirect screens. The inclusion of such links is considered to increase the likelihood of phishing attacks.
Authentication:
OTP expiry
Data holders MUST communicate the expiry period of the OTP to the consumer in the authentication flow.

Authorisation Standards

Area CX Standard
Authorisation:
Account selection
Data holders MUST allow the consumer to select which of their accounts to share data from if the data request includes account-specific data and if there are multiple accounts available. The Data holder MAY omit this step if none of the data being requested is specific to an account (e.g. Saved Payees).
Authorisation:
Profile selection

Data holders MAY add a 'profile selection' step or equivalent prior to the account selection step if a single identifier provides access to different customer accounts. For example, one customer ID may give access to business customer and individual customer accounts.

The 'profile selection' step SHOULD only be considered if it is an existing customer experience, and SHOULD be as minimal as possible to avoid introducing unwarranted friction (having regard to CDR Rule 4.24).

Unavailable Accounts:
Displaying accounts

If certain accounts are unavailable to share, data holders SHOULD show these unavailable accounts in the account-selection step.

Data holders SHOULD communicate why these accounts cannot be selected, and this SHOULD be communicated as in-line help or as a modal to reduce on-screen content.

Data holders MAY provide instructions on how to make these accounts available to share, and this SHOULD be communicated as in-line help or as a modal to reduce on-screen content.

Note: Unavailable accounts are to be interpreted in accordance with the rules on eligible consumers and required consumer data.

Unavailable Accounts:
No accounts can be shown
If unavailable accounts cannot be shown in the account selection step, data holders MAY display a generic explanation and instructions.
Unavailable Accounts:
Authorisation not permitted
If a successfully authenticated user cannot proceed to establish an authorisation in accordance with the rules on eligible consumers and required consumer data, data holders MAY provide the option of concluding the authorisation process.
Unavailable Accounts:
Request sharing rights
If a user does not have sharing rights for a particular account or set of accounts, data holders MAY invite the user to request sharing rights from the authorisation flow. The presentation of this mechanism MUST NOT introduce unwarranted friction as defined in rule 4.24 on restrictions.
Authorisation:
Account confirm
Data holders MUST show which accounts the data is being shared from prior to confirming authorisation if the data request includes account-specific data. The data holder MAY omit this information if none of the data being requested is specific to an account (e.g. Saved Payees).

Amending Authorisation Standards

Area CX Standard
Authorisation:
Amending consent
Effective from July 2021:
The following standards apply when a Data Holder invites a CDR consumer to amend a current authorisation as per rule 4.22A and the ADR has supplied a cdr_arrangement_id:

Customer Profile Where customer profile selection applies, Data Holders MAY omit the profile selection step and assume the customer profile associated with the existing authorisation. Data Holders MAY indicate which profile the authorisation relates to during the authorisation process.
Account Selection Where account selection applies, Data Holders MAY pre-select accounts that were associated with the previous authorisation provided these accounts remain eligible and available. Data Holders MAY allow these accounts to be amended, and MAY provide information regarding the pre-selection of accounts.
Changing Attributes Data Holders MAY indicate where a dataset is being added to an authorisation or a disclosure duration is being amended. Data Holders MAY apply this standard to other changing attributes, but this MUST ONLY apply where the attribute in the new authorisation differs to that of the previous authorisation. How a changed attributed is signified is at the Data Holder’s discretion.


Refer also to Future Dated obligations

Area CX Standard
Authorisation:
Amending consent
Effective from November 2021:
The following standards apply when a Data Holder invites a CDR consumer to amend a current authorisation as per rule 4.22A and the ADR has supplied a cdr_arrangement_id:
Customer Profile Where customer profile selection applies, Data Holders SHOULD omit the profile selection step and assume the customer profile associated with the existing authorisation. Data Holders MAY indicate which profile the authorisation relates to during the authorisation process.
Account Selection Where account selection applies, Data Holders MUST pre-select accounts that were associated with the previous authorisation provided these accounts remain eligible and available to share. Data Holders MAY allow these accounts to be amended, and MAY provide information regarding the pre-selection of accounts.
Changing Attributes Data Holders MUST indicate where a dataset is being added to an authorisation or a disclosure duration is being amended. Data Holders MAY apply this standard to other changing attributes, but this MUST ONLY apply where the attribute in the new authorisation differs to that of the previous authorisation. How a changed attributed is signified is at the Data Holder’s discretion.


Refer also to Future Dated obligations

Withdrawal Standards

Area CX Standard
Withdrawing consent If a data recipient does not have a general policy to delete redundant data, and the consumer has not already requested that their redundant data be deleted:
  • Data recipients MUST allow consumers to elect to have their redundant data deleted as part of the withdrawal process prior to the final withdrawal step.
  • Data recipients SHOULD consider prompting consumers to exercise this right at appropriate times (e.g. when inaction on the part of the consumer may cause them to lose the opportunity to exercise the right to delete their redundant data).
Withdrawing authorisation:
Consequences
As part of the withdrawal process, the data holder MUST advise the consumer to review the consequences of withdrawal with the data recipient before they stop sharing their data.
The data holder MAY consider using or paraphrasing the following message(s):
  • 'You should check with [Data Recipient] before you stop sharing to understand the consequences.'
  • 'You should check with [Data Recipient] to see if your service will be impacted before you stop sharing.'
Withdrawing authorisation:
Redundant data
As part of the withdrawal process, the data holder MUST inform the consumer about the handling of redundant data and the right to delete. The Data Holder MAY consider using or paraphrasing the following message(s):
  • 'CDR data is either deleted or de-identified when it is no longer required.'
  • '[Data recipient] will have specific policies on how to handle your data once it's no longer required.'
Withdrawal: Disclosure consent As part of the disclosure consent withdrawal process, Data Recipients MUST advise the consumer to review, with the recipient that the data was disclosed to:
  1. How their data will be handled; and
  2. The consequences of withdrawing the disclosure consent
Note: The precise wording of the withdrawal message is at the discretion of the ADR
Withdrawal:
Secondary User Instruction
As part of the secondary user instruction withdrawal process, data holders MUST advise the consumer:
  1. That removing a secondary user instruction will stop all current and future data sharing for the secondary user(s)
  2. To review the consequences of withdrawal with the secondary user(s) before removing the secondary user instruction
Note: The exact phrasing of this message is at the discretion of the data holder.

Banking APIs

Get Accounts

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts

Obtain a list of accounts

Endpoint Version

Version 1

Parameters

Name In Type Required Description
product-category query string optional Used to filter results on the productCategory field applicable to accounts. Any one of the valid values for this field can be supplied. If absent then all accounts returned.
open-status query string optional Used to filter results according to open/closed status. Values can be OPEN, CLOSED or ALL. If absent then ALL is assumed
is-owned query Boolean optional Filters accounts based on whether they are owned by the authorised customer. True for owned accounts, false for unowned accounts and absent for all accounts
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Enumerated Values

Parameter Value
product-category BUSINESS_LOANS
product-category CRED_AND_CHRG_CARDS
product-category LEASES
product-category MARGIN_LOANS
product-category OVERDRAFTS
product-category PERS_LOANS
product-category REGULATED_TRUST_ACCOUNTS
product-category RESIDENTIAL_MORTGAGES
product-category TERM_DEPOSITS
product-category TRADE_FINANCE
product-category TRANS_AND_SAVINGS_ACCOUNTS
product-category TRAVEL_CARDS
open-status ALL
open-status CLOSED
open-status OPEN

Example responses

200 Response

{
  "data": {
    "accounts": [
      {
        "accountId": "string",
        "creationDate": "string",
        "displayName": "string",
        "nickname": "string",
        "openStatus": "OPEN",
        "isOwned": true,
        "maskedNumber": "string",
        "productCategory": "BUSINESS_LOANS",
        "productName": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingAccountList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Bulk Balances

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts/balances HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/balances',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts/balances

Obtain balances for multiple, filtered accounts

Endpoint Version

Version 1

Parameters

Name In Type Required Description
product-category query string optional Used to filter results on the productCategory field applicable to accounts. Any one of the valid values for this field can be supplied. If absent then all accounts returned.
open-status query string optional Used to filter results according to open/closed status. Values can be OPEN, CLOSED or ALL. If absent then ALL is assumed
is-owned query Boolean optional Filters accounts based on whether they are owned by the authorised customer. True for owned accounts, false for unowned accounts and absent for all accounts
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Enumerated Values

Parameter Value
product-category BUSINESS_LOANS
product-category CRED_AND_CHRG_CARDS
product-category LEASES
product-category MARGIN_LOANS
product-category OVERDRAFTS
product-category PERS_LOANS
product-category REGULATED_TRUST_ACCOUNTS
product-category RESIDENTIAL_MORTGAGES
product-category TERM_DEPOSITS
product-category TRADE_FINANCE
product-category TRANS_AND_SAVINGS_ACCOUNTS
product-category TRAVEL_CARDS
open-status ALL
open-status CLOSED
open-status OPEN

Example responses

200 Response

{
  "data": {
    "balances": [
      {
        "accountId": "string",
        "currentBalance": "string",
        "availableBalance": "string",
        "creditLimit": "string",
        "amortisedLimit": "string",
        "currency": "string",
        "purses": [
          {
            "amount": "string",
            "currency": "string"
          }
        ]
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingAccountsBalanceList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Balances For Specific Accounts

Code samples

POST https://data.holder.com.au/cds-au/v1/banking/accounts/balances HTTP/1.1
Host: data.holder.com.au
Content-Type: application/json
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/balances',
  method: 'post',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

POST /banking/accounts/balances

Obtain balances for a specified list of accounts

Body parameter

{
  "data": {
    "accountIds": [
      "string"
    ]
  },
  "meta": {}
}

Endpoint Version

Version 1

Parameters

Name In Type Required Description
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.
body body RequestAccountIds mandatory The list of account IDs to obtain balances for

Example responses

200 Response

{
  "data": {
    "balances": [
      {
        "accountId": "string",
        "currentBalance": "string",
        "availableBalance": "string",
        "creditLimit": "string",
        "amortisedLimit": "string",
        "currency": "string",
        "purses": [
          {
            "amount": "string",
            "currency": "string"
          }
        ]
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingAccountsBalanceList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Account Balance

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/balance HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/balance',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts/{accountId}/balance

Obtain the balance for a single specified account

Endpoint Version

Version 1

Parameters

Name In Type Required Description
accountId path ASCIIString mandatory ID of the specific account requested
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "accountId": "string",
    "currentBalance": "string",
    "availableBalance": "string",
    "creditLimit": "string",
    "amortisedLimit": "string",
    "currency": "string",
    "purses": [
      {
        "amount": "string",
        "currency": "string"
      }
    ]
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingAccountsBalanceById
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Account Detail

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId} HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts/{accountId}

Obtain detailed information on a single account

Endpoint Version

Version 1

Parameters

Name In Type Required Description
accountId path ASCIIString mandatory A tokenised identifier for the account which is unique but not shareable
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "accountId": "string",
    "creationDate": "string",
    "displayName": "string",
    "nickname": "string",
    "openStatus": "OPEN",
    "isOwned": true,
    "maskedNumber": "string",
    "productCategory": "BUSINESS_LOANS",
    "productName": "string",
    "bsb": "string",
    "accountNumber": "string",
    "bundleName": "string",
    "specificAccountUType": "creditCard",
    "termDeposit": [
      {
        "lodgementDate": "string",
        "maturityDate": "string",
        "maturityAmount": "string",
        "maturityCurrency": "string",
        "maturityInstructions": "HOLD_ON_MATURITY"
      }
    ],
    "creditCard": {
      "minPaymentAmount": "string",
      "paymentDueAmount": "string",
      "paymentCurrency": "string",
      "paymentDueDate": "string"
    },
    "loan": {
      "originalStartDate": "string",
      "originalLoanAmount": "string",
      "originalLoanCurrency": "string",
      "loanEndDate": "string",
      "nextInstalmentDate": "string",
      "minInstalmentAmount": "string",
      "minInstalmentCurrency": "string",
      "maxRedraw": "string",
      "maxRedrawCurrency": "string",
      "minRedraw": "string",
      "minRedrawCurrency": "string",
      "offsetAccountEnabled": true,
      "offsetAccountIds": [
        "string"
      ],
      "repaymentType": "PRINCIPAL_AND_INTEREST",
      "repaymentFrequency": "string"
    },
    "depositRate": "string",
    "lendingRate": "string",
    "depositRates": [
      {
        "depositRateType": "BONUS",
        "rate": "string",
        "calculationFrequency": "string",
        "applicationFrequency": "string",
        "tiers": [
          {
            "name": "string",
            "unitOfMeasure": "DAY",
            "minimumValue": 0,
            "maximumValue": 0,
            "rateApplicationMethod": "PER_TIER",
            "applicabilityConditions": {
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            },
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          }
        ],
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "lendingRates": [
      {
        "lendingRateType": "BUNDLE_DISCOUNT_FIXED",
        "rate": "string",
        "comparisonRate": "string",
        "calculationFrequency": "string",
        "applicationFrequency": "string",
        "interestPaymentDue": "IN_ADVANCE",
        "repaymentType": "INTEREST_ONLY",
        "loanPurpose": "INVESTMENT",
        "tiers": [
          {
            "name": "string",
            "unitOfMeasure": "DAY",
            "minimumValue": 0,
            "maximumValue": 0,
            "rateApplicationMethod": "PER_TIER",
            "applicabilityConditions": {
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            },
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          }
        ],
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "features": [
      {
        "featureType": "ADDITIONAL_CARDS",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string",
        "isActivated": true
      }
    ],
    "fees": [
      {
        "name": "string",
        "feeType": "DEPOSIT",
        "amount": "string",
        "balanceRate": "string",
        "transactionRate": "string",
        "accruedRate": "string",
        "accrualFrequency": "string",
        "currency": "string",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string",
        "discounts": [
          {
            "description": "string",
            "discountType": "BALANCE",
            "amount": "string",
            "balanceRate": "string",
            "transactionRate": "string",
            "accruedRate": "string",
            "feeRate": "string",
            "additionalValue": "string",
            "additionalInfo": "string",
            "additionalInfoUri": "string",
            "eligibility": [
              {
                "discountEligibilityType": "BUSINESS",
                "additionalValue": "string",
                "additionalInfo": "string",
                "additionalInfoUri": "string"
              }
            ]
          }
        ]
      }
    ],
    "addresses": [
      {
        "addressUType": "paf",
        "simple": {
          "mailingName": "string",
          "addressLine1": "string",
          "addressLine2": "string",
          "addressLine3": "string",
          "postcode": "string",
          "city": "string",
          "state": "string",
          "country": "AUS"
        },
        "paf": {
          "dpid": "string",
          "thoroughfareNumber1": 0,
          "thoroughfareNumber1Suffix": "string",
          "thoroughfareNumber2": 0,
          "thoroughfareNumber2Suffix": "string",
          "flatUnitType": "string",
          "flatUnitNumber": "string",
          "floorLevelType": "string",
          "floorLevelNumber": "string",
          "lotNumber": "string",
          "buildingName1": "string",
          "buildingName2": "string",
          "streetName": "string",
          "streetType": "string",
          "streetSuffix": "string",
          "postalDeliveryType": "string",
          "postalDeliveryNumber": 0,
          "postalDeliveryNumberPrefix": "string",
          "postalDeliveryNumberSuffix": "string",
          "localityName": "string",
          "postcode": "string",
          "state": "string"
        }
      }
    ]
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingAccountById
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Transactions For Account

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/transactions HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/transactions',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts/{accountId}/transactions

Obtain transactions for a specific account.

Some general notes that apply to all end points that retrieve transactions:

Endpoint Version

Version 1

Parameters

Name In Type Required Description
accountId path ASCIIString mandatory ID of the account to get transactions for. Must have previously been returned by one of the account list end points.
oldest-time query DateTimeString optional Constrain the transaction history request to transactions with effective time at or after this date/time. If absent defaults to newest-time minus 90 days. Format is aligned to DateTimeString common type
newest-time query DateTimeString optional Constrain the transaction history request to transactions with effective time at or before this date/time. If absent defaults to today. Format is aligned to DateTimeString common type
min-amount query AmountString optional Filter transactions to only transactions with amounts higher or equal to than this amount
max-amount query AmountString optional Filter transactions to only transactions with amounts less than or equal to than this amount
text query string optional Filter transactions to only transactions where this string value is found as a substring of either the reference or description fields. Format is arbitrary ASCII string. This parameter is optionally implemented by data holders. If it is not implemented then a response should be provided as normal without text filtering applied and an additional boolean field named isQueryParamUnsupported should be included in the meta object and set to true (whether the text parameter is supplied or not)
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "transactions": [
      {
        "accountId": "string",
        "transactionId": "string",
        "isDetailAvailable": true,
        "type": "DIRECT_DEBIT",
        "status": "PENDING",
        "description": "string",
        "postingDateTime": "string",
        "valueDateTime": "string",
        "executionDateTime": "string",
        "amount": "string",
        "currency": "string",
        "reference": "string",
        "merchantName": "string",
        "merchantCategoryCode": "string",
        "billerCode": "string",
        "billerName": "string",
        "crn": "string",
        "apcaNumber": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingTransactionList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Transaction Detail

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/transactions/{transactionId} HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/transactions/{transactionId}',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts/{accountId}/transactions/{transactionId}

Obtain detailed information on a transaction for a specific account

Endpoint Version

Version 1

Parameters

Name In Type Required Description
accountId path ASCIIString mandatory ID of the account to get transactions for. Must have previously been returned by one of the account list end points
transactionId path ASCIIString mandatory ID of the transaction obtained from a previous call to one of the other transaction end points
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "accountId": "string",
    "transactionId": "string",
    "isDetailAvailable": true,
    "type": "DIRECT_DEBIT",
    "status": "PENDING",
    "description": "string",
    "postingDateTime": "string",
    "valueDateTime": "string",
    "executionDateTime": "string",
    "amount": "string",
    "currency": "string",
    "reference": "string",
    "merchantName": "string",
    "merchantCategoryCode": "string",
    "billerCode": "string",
    "billerName": "string",
    "crn": "string",
    "apcaNumber": "string",
    "extendedData": {
      "payer": "string",
      "payee": "string",
      "extensionUType": "x2p101Payload",
      "x2p101Payload": {
        "extendedDescription": "string",
        "endToEndId": "string",
        "purposeCode": "string"
      },
      "service": "X2P1.01"
    }
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingTransactionById
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Direct Debits For Account

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/direct-debits HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/direct-debits',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts/{accountId}/direct-debits

Obtain direct debit authorisations for a specific account

Endpoint Version

Version 1

Parameters

Name In Type Required Description
accountId path ASCIIString mandatory ID of the account to get direct debit authorisations for. Must have previously been returned by one of the account list end points.
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "directDebitAuthorisations": [
      {
        "accountId": "string",
        "authorisedEntity": {
          "description": "string",
          "financialInstitution": "string",
          "abn": "string",
          "acn": "string",
          "arbn": "string"
        },
        "lastDebitDateTime": "string",
        "lastDebitAmount": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingDirectDebitAuthorisationList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Bulk Direct Debits

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts/direct-debits HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/direct-debits',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts/direct-debits

Obtain direct debit authorisations for multiple, filtered accounts

Endpoint Version

Version 1

Parameters

Name In Type Required Description
product-category query string optional Used to filter results on the productCategory field applicable to accounts. Any one of the valid values for this field can be supplied. If absent then all accounts returned.
open-status query string optional Used to filter results according to open/closed status. Values can be OPEN, CLOSED or ALL. If absent then ALL is assumed
is-owned query Boolean optional Filters accounts based on whether they are owned by the authorised customer. True for owned accounts, false for unowned accounts and absent for all accounts
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Enumerated Values

Parameter Value
product-category BUSINESS_LOANS
product-category CRED_AND_CHRG_CARDS
product-category LEASES
product-category MARGIN_LOANS
product-category OVERDRAFTS
product-category PERS_LOANS
product-category REGULATED_TRUST_ACCOUNTS
product-category RESIDENTIAL_MORTGAGES
product-category TERM_DEPOSITS
product-category TRADE_FINANCE
product-category TRANS_AND_SAVINGS_ACCOUNTS
product-category TRAVEL_CARDS
open-status ALL
open-status CLOSED
open-status OPEN

Example responses

200 Response

{
  "data": {
    "directDebitAuthorisations": [
      {
        "accountId": "string",
        "authorisedEntity": {
          "description": "string",
          "financialInstitution": "string",
          "abn": "string",
          "acn": "string",
          "arbn": "string"
        },
        "lastDebitDateTime": "string",
        "lastDebitAmount": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingDirectDebitAuthorisationList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Direct Debits For Specific Accounts

Code samples

POST https://data.holder.com.au/cds-au/v1/banking/accounts/direct-debits HTTP/1.1
Host: data.holder.com.au
Content-Type: application/json
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/direct-debits',
  method: 'post',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

POST /banking/accounts/direct-debits

Obtain direct debit authorisations for a specified list of accounts

Body parameter

{
  "data": {
    "accountIds": [
      "string"
    ]
  },
  "meta": {}
}

Endpoint Version

Version 1

Parameters

Name In Type Required Description
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.
body body RequestAccountIds mandatory Array of specific accountIds to obtain authorisations for

Example responses

200 Response

{
  "data": {
    "directDebitAuthorisations": [
      {
        "accountId": "string",
        "authorisedEntity": {
          "description": "string",
          "financialInstitution": "string",
          "abn": "string",
          "acn": "string",
          "arbn": "string"
        },
        "lastDebitDateTime": "string",
        "lastDebitAmount": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingDirectDebitAuthorisationList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Scheduled Payments for Account

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/payments/scheduled HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/accounts/{accountId}/payments/scheduled',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/accounts/{accountId}/payments/scheduled

Obtain scheduled, outgoing payments for a specific account

Endpoint Version

Version 1

Parameters

Name In Type Required Description
accountId path ASCIIString mandatory ID of the account to get scheduled payments for. Must have previously been returned by one of the account list end points. The account specified is the source account for the payment
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "scheduledPayments": [
      {
        "scheduledPaymentId": "string",
        "nickname": "string",
        "payerReference": "string",
        "payeeReference": "string",
        "status": "ACTIVE",
        "from": {
          "accountId": "string"
        },
        "paymentSet": [
          {
            "to": {
              "toUType": "accountId",
              "accountId": "string",
              "payeeId": "string",
              "nickname": "string",
              "payeeReference": "string",
              "domestic": {
                "payeeAccountUType": "account",
                "account": {
                  "accountName": "string",
                  "bsb": "string",
                  "accountNumber": "string"
                },
                "card": {
                  "cardNumber": "string"
                },
                "payId": {
                  "name": "string",
                  "identifier": "string",
                  "type": "ABN"
                }
              },
              "biller": {
                "billerCode": "string",
                "crn": "string",
                "billerName": "string"
              },
              "international": {
                "beneficiaryDetails": {
                  "name": "string",
                  "country": "string",
                  "message": "string"
                },
                "bankDetails": {
                  "country": "string",
                  "accountNumber": "string",
                  "bankAddress": {
                    "name": "string",
                    "address": "string"
                  },
                  "beneficiaryBankBIC": "string",
                  "fedWireNumber": "string",
                  "sortCode": "string",
                  "chipNumber": "string",
                  "routingNumber": "string",
                  "legalEntityIdentifier": "string"
                }
              }
            },
            "isAmountCalculated": true,
            "amount": "string",
            "currency": "string"
          }
        ],
        "recurrence": {
          "nextPaymentDate": "string",
          "recurrenceUType": "eventBased",
          "onceOff": {
            "paymentDate": "string"
          },
          "intervalSchedule": {
            "finalPaymentDate": "string",
            "paymentsRemaining": 1,
            "nonBusinessDayTreatment": "ON",
            "intervals": [
              {
                "interval": "string",
                "dayInInterval": "string"
              }
            ]
          },
          "lastWeekDay": {
            "finalPaymentDate": "string",
            "paymentsRemaining": 1,
            "interval": "string",
            "lastWeekDay": "FRI",
            "nonBusinessDayTreatment": "ON"
          },
          "eventBased": {
            "description": "string"
          }
        }
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingScheduledPaymentsList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Scheduled Payments Bulk

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/payments/scheduled HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/payments/scheduled',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/payments/scheduled

Obtain scheduled payments for multiple, filtered accounts that are the source of funds for the payments

Endpoint Version

Version 1

Parameters

Name In Type Required Description
product-category query string optional Used to filter results on the productCategory field applicable to accounts. Any one of the valid values for this field can be supplied. If absent then all accounts returned.
open-status query string optional Used to filter results according to open/closed status. Values can be OPEN, CLOSED or ALL. If absent then ALL is assumed
is-owned query Boolean optional Filters accounts based on whether they are owned by the authorised customer. True for owned accounts, false for unowned accounts and absent for all accounts
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Enumerated Values

Parameter Value
product-category BUSINESS_LOANS
product-category CRED_AND_CHRG_CARDS
product-category LEASES
product-category MARGIN_LOANS
product-category OVERDRAFTS
product-category PERS_LOANS
product-category REGULATED_TRUST_ACCOUNTS
product-category RESIDENTIAL_MORTGAGES
product-category TERM_DEPOSITS
product-category TRADE_FINANCE
product-category TRANS_AND_SAVINGS_ACCOUNTS
product-category TRAVEL_CARDS
open-status ALL
open-status CLOSED
open-status OPEN

Example responses

200 Response

{
  "data": {
    "scheduledPayments": [
      {
        "scheduledPaymentId": "string",
        "nickname": "string",
        "payerReference": "string",
        "payeeReference": "string",
        "status": "ACTIVE",
        "from": {
          "accountId": "string"
        },
        "paymentSet": [
          {
            "to": {
              "toUType": "accountId",
              "accountId": "string",
              "payeeId": "string",
              "nickname": "string",
              "payeeReference": "string",
              "domestic": {
                "payeeAccountUType": "account",
                "account": {
                  "accountName": "string",
                  "bsb": "string",
                  "accountNumber": "string"
                },
                "card": {
                  "cardNumber": "string"
                },
                "payId": {
                  "name": "string",
                  "identifier": "string",
                  "type": "ABN"
                }
              },
              "biller": {
                "billerCode": "string",
                "crn": "string",
                "billerName": "string"
              },
              "international": {
                "beneficiaryDetails": {
                  "name": "string",
                  "country": "string",
                  "message": "string"
                },
                "bankDetails": {
                  "country": "string",
                  "accountNumber": "string",
                  "bankAddress": {
                    "name": "string",
                    "address": "string"
                  },
                  "beneficiaryBankBIC": "string",
                  "fedWireNumber": "string",
                  "sortCode": "string",
                  "chipNumber": "string",
                  "routingNumber": "string",
                  "legalEntityIdentifier": "string"
                }
              }
            },
            "isAmountCalculated": true,
            "amount": "string",
            "currency": "string"
          }
        ],
        "recurrence": {
          "nextPaymentDate": "string",
          "recurrenceUType": "eventBased",
          "onceOff": {
            "paymentDate": "string"
          },
          "intervalSchedule": {
            "finalPaymentDate": "string",
            "paymentsRemaining": 1,
            "nonBusinessDayTreatment": "ON",
            "intervals": [
              {
                "interval": "string",
                "dayInInterval": "string"
              }
            ]
          },
          "lastWeekDay": {
            "finalPaymentDate": "string",
            "paymentsRemaining": 1,
            "interval": "string",
            "lastWeekDay": "FRI",
            "nonBusinessDayTreatment": "ON"
          },
          "eventBased": {
            "description": "string"
          }
        }
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingScheduledPaymentsList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Scheduled Payments For Specific Accounts

Code samples

POST https://data.holder.com.au/cds-au/v1/banking/payments/scheduled HTTP/1.1
Host: data.holder.com.au
Content-Type: application/json
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/payments/scheduled',
  method: 'post',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

POST /banking/payments/scheduled

Obtain scheduled payments for a specified list of accounts

Body parameter

{
  "data": {
    "accountIds": [
      "string"
    ]
  },
  "meta": {}
}

Endpoint Version

Version 1

Parameters

Name In Type Required Description
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.
body body RequestAccountIds mandatory Array of specific accountIds to obtain scheduled payments for. The accounts specified are the source of funds for the payments returned

Example responses

200 Response

{
  "data": {
    "scheduledPayments": [
      {
        "scheduledPaymentId": "string",
        "nickname": "string",
        "payerReference": "string",
        "payeeReference": "string",
        "status": "ACTIVE",
        "from": {
          "accountId": "string"
        },
        "paymentSet": [
          {
            "to": {
              "toUType": "accountId",
              "accountId": "string",
              "payeeId": "string",
              "nickname": "string",
              "payeeReference": "string",
              "domestic": {
                "payeeAccountUType": "account",
                "account": {
                  "accountName": "string",
                  "bsb": "string",
                  "accountNumber": "string"
                },
                "card": {
                  "cardNumber": "string"
                },
                "payId": {
                  "name": "string",
                  "identifier": "string",
                  "type": "ABN"
                }
              },
              "biller": {
                "billerCode": "string",
                "crn": "string",
                "billerName": "string"
              },
              "international": {
                "beneficiaryDetails": {
                  "name": "string",
                  "country": "string",
                  "message": "string"
                },
                "bankDetails": {
                  "country": "string",
                  "accountNumber": "string",
                  "bankAddress": {
                    "name": "string",
                    "address": "string"
                  },
                  "beneficiaryBankBIC": "string",
                  "fedWireNumber": "string",
                  "sortCode": "string",
                  "chipNumber": "string",
                  "routingNumber": "string",
                  "legalEntityIdentifier": "string"
                }
              }
            },
            "isAmountCalculated": true,
            "amount": "string",
            "currency": "string"
          }
        ],
        "recurrence": {
          "nextPaymentDate": "string",
          "recurrenceUType": "eventBased",
          "onceOff": {
            "paymentDate": "string"
          },
          "intervalSchedule": {
            "finalPaymentDate": "string",
            "paymentsRemaining": 1,
            "nonBusinessDayTreatment": "ON",
            "intervals": [
              {
                "interval": "string",
                "dayInInterval": "string"
              }
            ]
          },
          "lastWeekDay": {
            "finalPaymentDate": "string",
            "paymentsRemaining": 1,
            "interval": "string",
            "lastWeekDay": "FRI",
            "nonBusinessDayTreatment": "ON"
          },
          "eventBased": {
            "description": "string"
          }
        }
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingScheduledPaymentsList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Payees

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/payees HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/payees',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/payees

Obtain a list of pre-registered payees

Endpoint Version

Version 1

Parameters

Name In Type Required Description
type query string optional Filter on the payee type field. In addition to normal type field values, ALL can be specified to retrieve all payees. If absent the assumed value is ALL
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Enumerated Values

Parameter Value
type ALL
type BILLER
type DOMESTIC
type INTERNATIONAL

Example responses

200 Response

{
  "data": {
    "payees": [
      {
        "payeeId": "string",
        "nickname": "string",
        "description": "string",
        "type": "BILLER",
        "creationDate": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingPayeeList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Payee Detail

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/payees/{payeeId} HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/payees/{payeeId}',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/payees/{payeeId}

Obtain detailed information on a single payee.

Note that the payee sub-structure should be selected to represent the payment destination only rather than any known characteristics of the payment recipient

Endpoint Version

Version 1

Parameters

Name In Type Required Description
payeeId path ASCIIString mandatory The ID used to locate the details of a particular payee
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "payeeId": "string",
    "nickname": "string",
    "description": "string",
    "type": "BILLER",
    "creationDate": "string",
    "payeeUType": "biller",
    "domestic": {
      "payeeAccountUType": "account",
      "account": {
        "accountName": "string",
        "bsb": "string",
        "accountNumber": "string"
      },
      "card": {
        "cardNumber": "string"
      },
      "payId": {
        "name": "string",
        "identifier": "string",
        "type": "ABN"
      }
    },
    "biller": {
      "billerCode": "string",
      "crn": "string",
      "billerName": "string"
    },
    "international": {
      "beneficiaryDetails": {
        "name": "string",
        "country": "string",
        "message": "string"
      },
      "bankDetails": {
        "country": "string",
        "accountNumber": "string",
        "bankAddress": {
          "name": "string",
          "address": "string"
        },
        "beneficiaryBankBIC": "string",
        "fedWireNumber": "string",
        "sortCode": "string",
        "chipNumber": "string",
        "routingNumber": "string",
        "legalEntityIdentifier": "string"
      }
    }
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingPayeeById
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Products

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/products HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/products',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/products

Obtain a list of products that are currently openly offered to the market

Note that the results returned by this end point are expected to be ordered in descending order according to lastUpdated.

Conventions

In the product reference payloads there are a number of recurring conventions that are explained here, in one place.

Arrays Of Features

In the product detail payload there are a number of arrays articulating generic features, constraints, prices, etc. The intent of these arrays is as follows:

URIs To More Information

As the complexities and nuances of a financial product can not easily be fully expressed in a data structure without a high degree of complexity it is necessary to provide additional reference information that a potential customer can access so that they are fully informed of the features and implications of the product. The payloads for product reference therefore contain numerous fields that are provided to allow the product holder to describe the product more fully using a web page hosted on their online channels.

These URIs do not need to all link to different pages. If desired, they can all link to a single hosted page and use difference HTML anchors to focus on a specific topic such as eligibility or fees.

Linkage To Accounts

From the moment that a customer applies for a product and an account is created the account and the product that spawned it will diverge. Rates and features of the product may change and a discount may be negotiated for the account.

For this reason, while productCategory is a common field between accounts and products, there is no specific ID that can be used to link an account to a product within the regime.

Similarly, many of the fields and objects in the product payload will appear in the account detail payload but the structures and semantics are not identical as one refers to a product that can potentially be originated and one refers to an account that actual has been instantiated and created along with the associated decisions inherent in that process.

Dates

It is expected that data consumers needing this data will call relatively frequently to ensure the data they have is representative of the current offering from a bank. To minimise the volume and frequency of these calls the ability to set a lastUpdated field with the date and time of the last update to this product is included. A call for a list of products can then be filtered to only return products that have been updated since the last time that data was obtained using the updated-since query parameter.

In addition, the concept of effective date and time has also been included. This allows for a product to be marked for obsolescence, or introduction, from a certain time without the need for an update to show that a product has been changed. The inclusion of these dates also removes the need to represent deleted products in the payload. Products that are no long offered can be marked not effective for a few weeks before they are then removed from the product set as an option entirely.

Obsolete versions: v1 v2

Endpoint Version

Version 3

Parameters

Name In Type Required Description
effective query string optional Allows for the filtering of products based on whether the current time is within the period of time defined as effective by the effectiveFrom and effectiveTo fields. Valid values are ‘CURRENT’, ‘FUTURE’ and ‘ALL’. If absent defaults to 'CURRENT'
updated-since query DateTimeString optional Only include products that have been updated after the specified date and time. If absent defaults to include all products
brand query string optional Filter results based on a specific brand
product-category query string optional Used to filter results on the productCategory field applicable to accounts. Any one of the valid values for this field can be supplied. If absent then all accounts returned.
page query PositiveInteger optional Page of results to request (standard pagination)
page-size query PositiveInteger optional Page size to request. Default is 25 (standard pagination)
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.

Enumerated Values

Parameter Value
effective ALL
effective CURRENT
effective FUTURE
product-category BUSINESS_LOANS
product-category CRED_AND_CHRG_CARDS
product-category LEASES
product-category MARGIN_LOANS
product-category OVERDRAFTS
product-category PERS_LOANS
product-category REGULATED_TRUST_ACCOUNTS
product-category RESIDENTIAL_MORTGAGES
product-category TERM_DEPOSITS
product-category TRADE_FINANCE
product-category TRANS_AND_SAVINGS_ACCOUNTS
product-category TRAVEL_CARDS

Example responses

200 Response

{
  "data": {
    "products": [
      {
        "productId": "string",
        "effectiveFrom": "string",
        "effectiveTo": "string",
        "lastUpdated": "string",
        "productCategory": "BUSINESS_LOANS",
        "name": "string",
        "description": "string",
        "brand": "string",
        "brandName": "string",
        "applicationUri": "string",
        "isTailored": true,
        "additionalInformation": {
          "overviewUri": "string",
          "termsUri": "string",
          "eligibilityUri": "string",
          "feesAndPricingUri": "string",
          "bundleUri": "string"
        },
        "cardArt": [
          {
            "title": "string",
            "imageUri": "string"
          }
        ]
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingProductList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.

Get Product Detail

Code samples

GET https://data.holder.com.au/cds-au/v1/banking/products/{productId} HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/banking/products/{productId}',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /banking/products/{productId}

Obtain detailed information on a single product offered openly to the market.

Obsolete versions: v1 v2

Endpoint Version

Version 3

Parameters

Name In Type Required Description
productId path ASCIIString mandatory ID of the specific product requested
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.

Example responses

200 Response

{
  "data": {
    "productId": "string",
    "effectiveFrom": "string",
    "effectiveTo": "string",
    "lastUpdated": "string",
    "productCategory": "BUSINESS_LOANS",
    "name": "string",
    "description": "string",
    "brand": "string",
    "brandName": "string",
    "applicationUri": "string",
    "isTailored": true,
    "additionalInformation": {
      "overviewUri": "string",
      "termsUri": "string",
      "eligibilityUri": "string",
      "feesAndPricingUri": "string",
      "bundleUri": "string"
    },
    "cardArt": [
      {
        "title": "string",
        "imageUri": "string"
      }
    ],
    "bundles": [
      {
        "name": "string",
        "description": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string",
        "productIds": [
          "string"
        ]
      }
    ],
    "features": [
      {
        "featureType": "ADDITIONAL_CARDS",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "constraints": [
      {
        "constraintType": "MAX_BALANCE",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "eligibility": [
      {
        "eligibilityType": "BUSINESS",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "fees": [
      {
        "name": "string",
        "feeType": "DEPOSIT",
        "amount": "string",
        "balanceRate": "string",
        "transactionRate": "string",
        "accruedRate": "string",
        "accrualFrequency": "string",
        "currency": "string",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string",
        "discounts": [
          {
            "description": "string",
            "discountType": "BALANCE",
            "amount": "string",
            "balanceRate": "string",
            "transactionRate": "string",
            "accruedRate": "string",
            "feeRate": "string",
            "additionalValue": "string",
            "additionalInfo": "string",
            "additionalInfoUri": "string",
            "eligibility": [
              {
                "discountEligibilityType": "BUSINESS",
                "additionalValue": "string",
                "additionalInfo": "string",
                "additionalInfoUri": "string"
              }
            ]
          }
        ]
      }
    ],
    "depositRates": [
      {
        "depositRateType": "BONUS",
        "rate": "string",
        "calculationFrequency": "string",
        "applicationFrequency": "string",
        "tiers": [
          {
            "name": "string",
            "unitOfMeasure": "DAY",
            "minimumValue": 0,
            "maximumValue": 0,
            "rateApplicationMethod": "PER_TIER",
            "applicabilityConditions": {
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            },
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          }
        ],
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "lendingRates": [
      {
        "lendingRateType": "BUNDLE_DISCOUNT_FIXED",
        "rate": "string",
        "comparisonRate": "string",
        "calculationFrequency": "string",
        "applicationFrequency": "string",
        "interestPaymentDue": "IN_ADVANCE",
        "repaymentType": "INTEREST_ONLY",
        "loanPurpose": "INVESTMENT",
        "tiers": [
          {
            "name": "string",
            "unitOfMeasure": "DAY",
            "minimumValue": 0,
            "maximumValue": 0,
            "rateApplicationMethod": "PER_TIER",
            "applicabilityConditions": {
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            },
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          }
        ],
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ]
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseBankingProductById
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.

Common APIs

Get Customer

Code samples

GET https://data.holder.com.au/cds-au/v1/common/customer HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/common/customer',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /common/customer

Obtain basic information on the customer that has authorised the current session

Endpoint Version

Version 1

Parameters

Name In Type Required Description
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "customerUType": "organisation",
    "person": {
      "lastUpdateTime": "string",
      "firstName": "string",
      "lastName": "string",
      "middleNames": [
        "string"
      ],
      "prefix": "string",
      "suffix": "string",
      "occupationCode": "string",
      "occupationCodeVersion": "ANZSCO_1220.0_2013_V1.2"
    },
    "organisation": {
      "lastUpdateTime": "string",
      "agentFirstName": "string",
      "agentLastName": "string",
      "agentRole": "string",
      "businessName": "string",
      "legalName": "string",
      "shortName": "string",
      "abn": "string",
      "acn": "string",
      "isACNCRegistered": true,
      "industryCode": "string",
      "industryCodeVersion": "ANZSIC_1292.0_2006_V2.0",
      "organisationType": "COMPANY",
      "registeredCountry": "string",
      "establishmentDate": "string"
    }
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseCommonCustomer
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Customer Detail

Code samples

GET https://data.holder.com.au/cds-au/v1/common/customer/detail HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string',
  'x-fapi-interaction-id':'string',
  'x-fapi-auth-date':'string',
  'x-fapi-customer-ip-address':'string',
  'x-cds-client-headers':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/common/customer/detail',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /common/customer/detail

Obtain detailed information on the authorised customer within the current session.

Endpoint Version

Version 1

Parameters

Name In Type Required Description
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.
x-fapi-interaction-id header string optional An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
x-fapi-auth-date header string optional The time when the customer last logged in to the data recipient. Required for all resource calls (customer present and unattended). Not to be included for unauthenticated calls.
x-fapi-customer-ip-address header string optional The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
x-cds-client-headers header Base64 optional The customer's original standard http headers Base64 encoded, including the original User Agent header, if the customer is currently logged in to the data recipient. Mandatory for customer present calls. Not required for unattended or unauthenticated calls.

Example responses

200 Response

{
  "data": {
    "customerUType": "organisation",
    "person": {
      "lastUpdateTime": "string",
      "firstName": "string",
      "lastName": "string",
      "middleNames": [
        "string"
      ],
      "prefix": "string",
      "suffix": "string",
      "occupationCode": "string",
      "occupationCodeVersion": "ANZSCO_1220.0_2013_V1.2",
      "phoneNumbers": [
        {
          "isPreferred": true,
          "purpose": "HOME",
          "countryCode": "string",
          "areaCode": "string",
          "number": "string",
          "extension": "string",
          "fullNumber": "string"
        }
      ],
      "emailAddresses": [
        {
          "isPreferred": true,
          "purpose": "HOME",
          "address": "string"
        }
      ],
      "physicalAddresses": [
        {
          "addressUType": "paf",
          "simple": {
            "mailingName": "string",
            "addressLine1": "string",
            "addressLine2": "string",
            "addressLine3": "string",
            "postcode": "string",
            "city": "string",
            "state": "string",
            "country": "AUS"
          },
          "paf": {
            "dpid": "string",
            "thoroughfareNumber1": 0,
            "thoroughfareNumber1Suffix": "string",
            "thoroughfareNumber2": 0,
            "thoroughfareNumber2Suffix": "string",
            "flatUnitType": "string",
            "flatUnitNumber": "string",
            "floorLevelType": "string",
            "floorLevelNumber": "string",
            "lotNumber": "string",
            "buildingName1": "string",
            "buildingName2": "string",
            "streetName": "string",
            "streetType": "string",
            "streetSuffix": "string",
            "postalDeliveryType": "string",
            "postalDeliveryNumber": 0,
            "postalDeliveryNumberPrefix": "string",
            "postalDeliveryNumberSuffix": "string",
            "localityName": "string",
            "postcode": "string",
            "state": "string"
          },
          "purpose": "MAIL"
        }
      ]
    },
    "organisation": {
      "lastUpdateTime": "string",
      "agentFirstName": "string",
      "agentLastName": "string",
      "agentRole": "string",
      "businessName": "string",
      "legalName": "string",
      "shortName": "string",
      "abn": "string",
      "acn": "string",
      "isACNCRegistered": true,
      "industryCode": "string",
      "industryCodeVersion": "ANZSIC_1292.0_2006_V2.0",
      "organisationType": "COMPANY",
      "registeredCountry": "string",
      "establishmentDate": "string",
      "physicalAddresses": [
        {
          "addressUType": "paf",
          "simple": {
            "mailingName": "string",
            "addressLine1": "string",
            "addressLine2": "string",
            "addressLine3": "string",
            "postcode": "string",
            "city": "string",
            "state": "string",
            "country": "AUS"
          },
          "paf": {
            "dpid": "string",
            "thoroughfareNumber1": 0,
            "thoroughfareNumber1Suffix": "string",
            "thoroughfareNumber2": 0,
            "thoroughfareNumber2Suffix": "string",
            "flatUnitType": "string",
            "flatUnitNumber": "string",
            "floorLevelType": "string",
            "floorLevelNumber": "string",
            "lotNumber": "string",
            "buildingName1": "string",
            "buildingName2": "string",
            "streetName": "string",
            "streetType": "string",
            "streetSuffix": "string",
            "postalDeliveryType": "string",
            "postalDeliveryNumber": 0,
            "postalDeliveryNumberPrefix": "string",
            "postalDeliveryNumberSuffix": "string",
            "localityName": "string",
            "postcode": "string",
            "state": "string"
          },
          "purpose": "MAIL"
        }
      ]
    }
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseCommonCustomerDetail
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.
200 x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.
4xx x-fapi-interaction-id string An RFC4122 UUID used as a correlation id. If provided, the data holder must play back this value in the x-fapi-interaction-id response header. If not provided a [RFC4122] UUID value is required to be provided in the response header to track the interaction.

Get Status

Code samples

GET https://data.holder.com.au/cds-au/v1/discovery/status HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/discovery/status',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /discovery/status

Obtain a health check status for the implementation

Endpoint Version

Version 1

Parameters

Name In Type Required Description
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.

Example responses

200 Response

{
  "data": {
    "status": "OK",
    "explanation": "string",
    "detectionTime": "string",
    "expectedResolutionTime": "string",
    "updateTime": "string"
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseCommonDiscoveryStatus
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.

Get Outages

Code samples

GET https://data.holder.com.au/cds-au/v1/discovery/outages HTTP/1.1
Host: data.holder.com.au
Accept: application/json
x-v: string
x-min-v: string

var headers = {
  'Accept':'application/json',
  'x-v':'string',
  'x-min-v':'string'

};

$.ajax({
  url: 'https://data.holder.com.au/cds-au/v1/discovery/outages',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

GET /discovery/outages

Obtain a list of scheduled outages for the implementation

Endpoint Version

Version 1

Parameters

Name In Type Required Description
x-v header string mandatory Version of the API end point requested by the client. Must be set to a positive integer. The data holder should respond with the highest supported version between x-min-v and x-v. If the value of x-min-v is equal to or higher than the value of x-v then the x-min-v header should be treated as absent. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable. See HTTP Headers
x-min-v header string optional Minimum version of the API end point requested by the client. Must be set to a positive integer if provided. The data holder should respond with the highest supported version between x-min-v and x-v. If all versions requested are not supported then the data holder must respond with a 406 Not Acceptable.

Example responses

200 Response

{
  "data": {
    "outages": [
      {
        "outageTime": "string",
        "duration": "string",
        "isPartial": true,
        "explanation": "string"
      }
    ]
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Responses

Status Meaning Description Schema
200 OK Success ResponseDiscoveryOutagesList
4xx Client Error The following error codes MUST be supported:
ResponseErrorListV2

Response Headers

Status Header Type Format Description
200 x-v string The version of the API end point that the data holder has responded with.

Schemas

RequestAccountIds

{
  "data": {
    "accountIds": [
      "string"
    ]
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» accountIds [string] mandatory none none
meta Meta optional none none

ResponseBankingProductList

{
  "data": {
    "products": [
      {
        "productId": "string",
        "effectiveFrom": "string",
        "effectiveTo": "string",
        "lastUpdated": "string",
        "productCategory": "BUSINESS_LOANS",
        "name": "string",
        "description": "string",
        "brand": "string",
        "brandName": "string",
        "applicationUri": "string",
        "isTailored": true,
        "additionalInformation": {
          "overviewUri": "string",
          "termsUri": "string",
          "eligibilityUri": "string",
          "feesAndPricingUri": "string",
          "bundleUri": "string"
        },
        "cardArt": [
          {
            "title": "string",
            "imageUri": "string"
          }
        ]
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» products [BankingProductV3] mandatory none The list of products returned. If the filter results in an empty set then this array may have no records
links LinksPaginated mandatory none none
meta MetaPaginated mandatory none none

BankingProductV3

{
  "productId": "string",
  "effectiveFrom": "string",
  "effectiveTo": "string",
  "lastUpdated": "string",
  "productCategory": "BUSINESS_LOANS",
  "name": "string",
  "description": "string",
  "brand": "string",
  "brandName": "string",
  "applicationUri": "string",
  "isTailored": true,
  "additionalInformation": {
    "overviewUri": "string",
    "termsUri": "string",
    "eligibilityUri": "string",
    "feesAndPricingUri": "string",
    "bundleUri": "string"
  },
  "cardArt": [
    {
      "title": "string",
      "imageUri": "string"
    }
  ]
}

Properties

Name Type Required Restrictions Description
productId ASCIIString mandatory none A data holder specific unique identifier for this product. This identifier must be unique to a product but does not otherwise need to adhere to ID permanence guidelines.
effectiveFrom DateTimeString optional none The date and time from which this product is effective (ie. is available for origination). Used to enable the articulation of products to the regime before they are available for customers to originate
effectiveTo DateTimeString optional none The date and time at which this product will be retired and will no longer be offered. Used to enable the managed deprecation of products
lastUpdated DateTimeString mandatory none The last date and time that the information for this product was changed (or the creation date for the product if it has never been altered)
productCategory BankingProductCategory mandatory none The category to which a product or account belongs. See here for more details
name string mandatory none The display name of the product
description string mandatory none A description of the product
brand string mandatory none A label of the brand for the product. Able to be used for filtering. For data holders with single brands this value is still required
brandName string optional none An optional display name of the brand
applicationUri URIString optional none A link to an application web page where this product can be applied for.
isTailored Boolean mandatory none Indicates whether the product is specifically tailored to a circumstance. In this case fees and prices are significantly negotiated depending on context. While all products are open to a degree of tailoring this flag indicates that tailoring is expected and thus that the provision of specific fees and rates is not applicable
additionalInformation object optional none Object that contains links to additional information on specific topics
» overviewUri URIString optional none General overview of the product
» termsUri URIString optional none Terms and conditions for the product
» eligibilityUri URIString optional none Eligibility rules and criteria for the product
» feesAndPricingUri URIString optional none Description of fees, pricing, discounts, exemptions and bonuses for the product
» bundleUri URIString optional none Description of a bundle that this product can be part of
cardArt [object] optional none An array of card art images
» title string optional none Display label for the specific image
» imageUri URIString mandatory none URI reference to a PNG, JPG or GIF image with proportions defined by ISO 7810 ID-1 and width no greater than 512 pixels. The URI reference may be a link or url-encoded data URI RFC 2397

ResponseBankingProductById

{
  "data": {
    "productId": "string",
    "effectiveFrom": "string",
    "effectiveTo": "string",
    "lastUpdated": "string",
    "productCategory": "BUSINESS_LOANS",
    "name": "string",
    "description": "string",
    "brand": "string",
    "brandName": "string",
    "applicationUri": "string",
    "isTailored": true,
    "additionalInformation": {
      "overviewUri": "string",
      "termsUri": "string",
      "eligibilityUri": "string",
      "feesAndPricingUri": "string",
      "bundleUri": "string"
    },
    "cardArt": [
      {
        "title": "string",
        "imageUri": "string"
      }
    ],
    "bundles": [
      {
        "name": "string",
        "description": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string",
        "productIds": [
          "string"
        ]
      }
    ],
    "features": [
      {
        "featureType": "ADDITIONAL_CARDS",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "constraints": [
      {
        "constraintType": "MAX_BALANCE",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "eligibility": [
      {
        "eligibilityType": "BUSINESS",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "fees": [
      {
        "name": "string",
        "feeType": "DEPOSIT",
        "amount": "string",
        "balanceRate": "string",
        "transactionRate": "string",
        "accruedRate": "string",
        "accrualFrequency": "string",
        "currency": "string",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string",
        "discounts": [
          {
            "description": "string",
            "discountType": "BALANCE",
            "amount": "string",
            "balanceRate": "string",
            "transactionRate": "string",
            "accruedRate": "string",
            "feeRate": "string",
            "additionalValue": "string",
            "additionalInfo": "string",
            "additionalInfoUri": "string",
            "eligibility": [
              {
                "discountEligibilityType": "BUSINESS",
                "additionalValue": "string",
                "additionalInfo": "string",
                "additionalInfoUri": "string"
              }
            ]
          }
        ]
      }
    ],
    "depositRates": [
      {
        "depositRateType": "BONUS",
        "rate": "string",
        "calculationFrequency": "string",
        "applicationFrequency": "string",
        "tiers": [
          {
            "name": "string",
            "unitOfMeasure": "DAY",
            "minimumValue": 0,
            "maximumValue": 0,
            "rateApplicationMethod": "PER_TIER",
            "applicabilityConditions": {
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            },
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          }
        ],
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "lendingRates": [
      {
        "lendingRateType": "BUNDLE_DISCOUNT_FIXED",
        "rate": "string",
        "comparisonRate": "string",
        "calculationFrequency": "string",
        "applicationFrequency": "string",
        "interestPaymentDue": "IN_ADVANCE",
        "repaymentType": "INTEREST_ONLY",
        "loanPurpose": "INVESTMENT",
        "tiers": [
          {
            "name": "string",
            "unitOfMeasure": "DAY",
            "minimumValue": 0,
            "maximumValue": 0,
            "rateApplicationMethod": "PER_TIER",
            "applicabilityConditions": {
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            },
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          }
        ],
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ]
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data BankingProductDetailV3 mandatory none none
links Links mandatory none none
meta Meta optional none none

BankingProductDetailV3

{
  "productId": "string",
  "effectiveFrom": "string",
  "effectiveTo": "string",
  "lastUpdated": "string",
  "productCategory": "BUSINESS_LOANS",
  "name": "string",
  "description": "string",
  "brand": "string",
  "brandName": "string",
  "applicationUri": "string",
  "isTailored": true,
  "additionalInformation": {
    "overviewUri": "string",
    "termsUri": "string",
    "eligibilityUri": "string",
    "feesAndPricingUri": "string",
    "bundleUri": "string"
  },
  "cardArt": [
    {
      "title": "string",
      "imageUri": "string"
    }
  ],
  "bundles": [
    {
      "name": "string",
      "description": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string",
      "productIds": [
        "string"
      ]
    }
  ],
  "features": [
    {
      "featureType": "ADDITIONAL_CARDS",
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ],
  "constraints": [
    {
      "constraintType": "MAX_BALANCE",
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ],
  "eligibility": [
    {
      "eligibilityType": "BUSINESS",
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ],
  "fees": [
    {
      "name": "string",
      "feeType": "DEPOSIT",
      "amount": "string",
      "balanceRate": "string",
      "transactionRate": "string",
      "accruedRate": "string",
      "accrualFrequency": "string",
      "currency": "string",
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string",
      "discounts": [
        {
          "description": "string",
          "discountType": "BALANCE",
          "amount": "string",
          "balanceRate": "string",
          "transactionRate": "string",
          "accruedRate": "string",
          "feeRate": "string",
          "additionalValue": "string",
          "additionalInfo": "string",
          "additionalInfoUri": "string",
          "eligibility": [
            {
              "discountEligibilityType": "BUSINESS",
              "additionalValue": "string",
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            }
          ]
        }
      ]
    }
  ],
  "depositRates": [
    {
      "depositRateType": "BONUS",
      "rate": "string",
      "calculationFrequency": "string",
      "applicationFrequency": "string",
      "tiers": [
        {
          "name": "string",
          "unitOfMeasure": "DAY",
          "minimumValue": 0,
          "maximumValue": 0,
          "rateApplicationMethod": "PER_TIER",
          "applicabilityConditions": {
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          },
          "additionalInfo": "string",
          "additionalInfoUri": "string"
        }
      ],
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ],
  "lendingRates": [
    {
      "lendingRateType": "BUNDLE_DISCOUNT_FIXED",
      "rate": "string",
      "comparisonRate": "string",
      "calculationFrequency": "string",
      "applicationFrequency": "string",
      "interestPaymentDue": "IN_ADVANCE",
      "repaymentType": "INTEREST_ONLY",
      "loanPurpose": "INVESTMENT",
      "tiers": [
        {
          "name": "string",
          "unitOfMeasure": "DAY",
          "minimumValue": 0,
          "maximumValue": 0,
          "rateApplicationMethod": "PER_TIER",
          "applicabilityConditions": {
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          },
          "additionalInfo": "string",
          "additionalInfoUri": "string"
        }
      ],
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ]
}

Properties

allOf

Name Type Required Restrictions Description
anonymous BankingProductV3 mandatory none none

and

Name Type Required Restrictions Description
anonymous object mandatory none none
» bundles [BankingProductBundle] optional none An array of bundles that this product participates in. Each bundle is described by free form information but also by a list of product IDs of the other products that are included in the bundle. It is assumed that the current product is included in the bundle also
» features [BankingProductFeature] optional none Array of features available for the product
» constraints [BankingProductConstraint] optional none Constraints on the application for or operation of the product such as minimum balances or limit thresholds
» eligibility [BankingProductEligibility] optional none Eligibility criteria for the product
» fees [BankingProductFee] optional none Fees applicable for the product
» depositRates [BankingProductDepositRate] optional none Interest rates available for deposits
» lendingRates [BankingProductLendingRateV2] optional none Interest rates charged against lending balances

BankingProductBundle

{
  "name": "string",
  "description": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string",
  "productIds": [
    "string"
  ]
}

Properties

Name Type Required Restrictions Description
name string mandatory none Name of the bundle
description string mandatory none Description of the bundle
additionalInfo string optional none Display text providing more information on the bundle
additionalInfoUri URIString optional none Link to a web page with more information on the bundle criteria and benefits
productIds [string] optional none Array of product IDs for products included in the bundle that are available via the product end points. Note that this array is not intended to represent a comprehensive model of the products included in the bundle and some products available for the bundle may not be available via the product reference end points

BankingProductFeature

{
  "featureType": "ADDITIONAL_CARDS",
  "additionalValue": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string"
}

Properties

Name Type Required Restrictions Description
featureType string mandatory none The type of feature described
additionalValue string conditional none Generic field containing additional information relevant to the featureType specified. Whether mandatory or not is dependent on the value of the featureType.
additionalInfo string conditional none Display text providing more information on the feature. Mandatory if the feature type is set to OTHER
additionalInfoUri URIString optional none Link to a web page with more information on this feature

Enumerated Values

Property Value
featureType ADDITIONAL_CARDS
featureType BALANCE_TRANSFERS
featureType BILL_PAYMENT
featureType BONUS_REWARDS
featureType CARD_ACCESS
featureType COMPLEMENTARY_PRODUCT_DISCOUNTS
featureType DIGITAL_BANKING
featureType DIGITAL_WALLET
featureType DONATE_INTEREST
featureType FREE_TXNS
featureType FREE_TXNS_ALLOWANCE
featureType INSURANCE
featureType INTEREST_FREE
featureType INTEREST_FREE_TRANSFERS
featureType LOYALTY_PROGRAM
featureType NOTIFICATIONS
featureType NPP_ENABLED
featureType NPP_PAYID
featureType OFFSET
featureType OTHER
featureType OVERDRAFT
featureType REDRAW
featureType UNLIMITED_TXNS

BankingProductConstraint

{
  "constraintType": "MAX_BALANCE",
  "additionalValue": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string"
}

Properties

Name Type Required Restrictions Description
constraintType string mandatory none The type of constraint described. See the next section for an overview of valid values and their meaning
additionalValue string conditional none Generic field containing additional information relevant to the constraintType specified. Whether mandatory or not is dependent on the value of constraintType
additionalInfo string optional none Display text providing more information the constraint
additionalInfoUri URIString optional none Link to a web page with more information on the constraint

Enumerated Values

Property Value
constraintType MAX_BALANCE
constraintType MAX_LIMIT
constraintType MIN_BALANCE
constraintType MIN_LIMIT
constraintType OPENING_BALANCE

BankingProductEligibility

{
  "eligibilityType": "BUSINESS",
  "additionalValue": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string"
}

Properties

Name Type Required Restrictions Description
eligibilityType string mandatory none The type of eligibility criteria described. See the next section for an overview of valid values and their meaning
additionalValue string conditional none Generic field containing additional information relevant to the eligibilityType specified. Whether mandatory or not is dependent on the value of eligibilityType
additionalInfo string conditional none Display text providing more information on the eligibility criteria. Mandatory if the field is set to OTHER
additionalInfoUri URIString optional none Link to a web page with more information on this eligibility criteria

Enumerated Values

Property Value
eligibilityType BUSINESS
eligibilityType EMPLOYMENT_STATUS
eligibilityType MAX_AGE
eligibilityType MIN_AGE
eligibilityType MIN_INCOME
eligibilityType MIN_TURNOVER
eligibilityType NATURAL_PERSON
eligibilityType OTHER
eligibilityType PENSION_RECIPIENT
eligibilityType RESIDENCY_STATUS
eligibilityType STAFF
eligibilityType STUDENT

BankingProductFee

{
  "name": "string",
  "feeType": "DEPOSIT",
  "amount": "string",
  "balanceRate": "string",
  "transactionRate": "string",
  "accruedRate": "string",
  "accrualFrequency": "string",
  "currency": "string",
  "additionalValue": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string",
  "discounts": [
    {
      "description": "string",
      "discountType": "BALANCE",
      "amount": "string",
      "balanceRate": "string",
      "transactionRate": "string",
      "accruedRate": "string",
      "feeRate": "string",
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string",
      "eligibility": [
        {
          "discountEligibilityType": "BUSINESS",
          "additionalValue": "string",
          "additionalInfo": "string",
          "additionalInfoUri": "string"
        }
      ]
    }
  ]
}

Properties

Name Type Required Restrictions Description
name string mandatory none Name of the fee
feeType string mandatory none The type of fee
amount AmountString conditional none The amount charged for the fee. One of amount, balanceRate, transactionRate and accruedRate is mandatory unless the feeType "VARIABLE" is supplied
balanceRate RateString conditional none A fee rate calculated based on a proportion of the balance. One of amount, balanceRate, transactionRate and accruedRate is mandatory unless the feeType "VARIABLE" is supplied.
transactionRate RateString conditional none A fee rate calculated based on a proportion of a transaction. One of amount, balanceRate, transactionRate and accruedRate is mandatory unless the feeType "VARIABLE" is supplied
accruedRate RateString conditional none A fee rate calculated based on a proportion of the calculated interest accrued on the account. One of amount, balanceRate, transactionRate and accruedRate is mandatory unless the feeType "VARIABLE" is supplied
accrualFrequency ExternalRef optional none The indicative frequency with which the fee is calculated on the account. Only applies if balanceRate or accruedRate is also present. Formatted according to ISO 8601 Durations (excludes recurrence syntax)
currency CurrencyString optional none The currency the fee will be charged in. Assumes AUD if absent
additionalValue string conditional none Generic field containing additional information relevant to the feeType specified. Whether mandatory or not is dependent on the value of feeType
additionalInfo string optional none Display text providing more information on the fee
additionalInfoUri URIString optional none Link to a web page with more information on this fee
discounts [BankingProductDiscount] optional none An optional list of discounts to this fee that may be available

Enumerated Values

Property Value
feeType DEPOSIT
feeType EVENT
feeType EXIT
feeType PAYMENT
feeType PERIODIC
feeType PURCHASE
feeType TRANSACTION
feeType UPFRONT
feeType VARIABLE
feeType WITHDRAWAL

BankingProductDiscount

{
  "description": "string",
  "discountType": "BALANCE",
  "amount": "string",
  "balanceRate": "string",
  "transactionRate": "string",
  "accruedRate": "string",
  "feeRate": "string",
  "additionalValue": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string",
  "eligibility": [
    {
      "discountEligibilityType": "BUSINESS",
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ]
}

Properties

Name Type Required Restrictions Description
description string mandatory none Description of the discount
discountType string mandatory none The type of discount. See the next section for an overview of valid values and their meaning
amount AmountString conditional none Dollar value of the discount. One of amount, balanceRate, transactionRate, accruedRate and feeRate is mandatory.
balanceRate RateString conditional none A discount rate calculated based on a proportion of the balance. Note that the currency of the fee discount is expected to be the same as the currency of the fee itself. One of amount, balanceRate, transactionRate, accruedRate and feeRate is mandatory. Unless noted in additionalInfo, assumes the application and calculation frequency are the same as the corresponding fee
transactionRate RateString conditional none A discount rate calculated based on a proportion of a transaction. Note that the currency of the fee discount is expected to be the same as the currency of the fee itself. One of amount, balanceRate, transactionRate, accruedRate and feeRate is mandatory
accruedRate RateString conditional none A discount rate calculated based on a proportion of the calculated interest accrued on the account. Note that the currency of the fee discount is expected to be the same as the currency of the fee itself. One of amount, balanceRate, transactionRate, accruedRate and feeRate is mandatory. Unless noted in additionalInfo, assumes the application and calculation frequency are the same as the corresponding fee
feeRate RateString conditional none A discount rate calculated based on a proportion of the fee to which this discount is attached. Note that the currency of the fee discount is expected to be the same as the currency of the fee itself. One of amount, balanceRate, transactionRate, accruedRate and feeRate is mandatory. Unless noted in additionalInfo, assumes the application and calculation frequency are the same as the corresponding fee
additionalValue string conditional none Generic field containing additional information relevant to the discountType specified. Whether mandatory or not is dependent on the value of discountType
additionalInfo string optional none Display text providing more information on the discount
additionalInfoUri URIString optional none Link to a web page with more information on this discount
eligibility [BankingProductDiscountEligibility] conditional none Eligibility constraints that apply to this discount. Mandatory if discountType is ELIGIBILITY_ONLY.

Enumerated Values

Property Value
discountType BALANCE
discountType DEPOSITS
discountType ELIGIBILITY_ONLY
discountType FEE_CAP
discountType PAYMENTS

BankingProductDiscountEligibility

{
  "discountEligibilityType": "BUSINESS",
  "additionalValue": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string"
}

Properties

Name Type Required Restrictions Description
discountEligibilityType string mandatory none The type of the specific eligibility constraint for a discount
additionalValue string conditional none Generic field containing additional information relevant to the discountEligibilityType specified. Whether mandatory or not is dependent on the value of discountEligibilityType
additionalInfo string conditional none Display text providing more information on this eligibility constraint. Whether mandatory or not is dependent on the value of discountEligibilityType
additionalInfoUri URIString optional none Link to a web page with more information on this eligibility constraint

Enumerated Values

Property Value
discountEligibilityType BUSINESS
discountEligibilityType EMPLOYMENT_STATUS
discountEligibilityType INTRODUCTORY
discountEligibilityType MAX_AGE
discountEligibilityType MIN_AGE
discountEligibilityType MIN_INCOME
discountEligibilityType MIN_TURNOVER
discountEligibilityType NATURAL_PERSON
discountEligibilityType OTHER
discountEligibilityType PENSION_RECIPIENT
discountEligibilityType RESIDENCY_STATUS
discountEligibilityType STAFF
discountEligibilityType STUDENT

BankingProductDepositRate

{
  "depositRateType": "BONUS",
  "rate": "string",
  "calculationFrequency": "string",
  "applicationFrequency": "string",
  "tiers": [
    {
      "name": "string",
      "unitOfMeasure": "DAY",
      "minimumValue": 0,
      "maximumValue": 0,
      "rateApplicationMethod": "PER_TIER",
      "applicabilityConditions": {
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      },
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ],
  "additionalValue": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string"
}

Properties

Name Type Required Restrictions Description
depositRateType string mandatory none The type of rate (base, bonus, etc). See the next section for an overview of valid values and their meaning
rate RateString mandatory none The rate to be applied
calculationFrequency ExternalRef optional none The period after which the rate is applied to the balance to calculate the amount due for the period. Calculation of the amount is often daily (as balances may change) but accumulated until the total amount is 'applied' to the account (see applicationFrequency). Formatted according to ISO 8601 Durations (excludes recurrence syntax)
applicationFrequency ExternalRef optional none The period after which the calculated amount(s) (see calculationFrequency) are 'applied' (i.e. debited or credited) to the account. Formatted according to ISO 8601 Durations (excludes recurrence syntax)
tiers [BankingProductRateTierV3] optional none Rate tiers applicable for this rate
additionalValue string conditional none Generic field containing additional information relevant to the depositRateType specified. Whether mandatory or not is dependent on the value of depositRateType
additionalInfo string optional none Display text providing more information on the rate
additionalInfoUri URIString optional none Link to a web page with more information on this rate

Enumerated Values

Property Value
depositRateType BONUS
depositRateType BUNDLE_BONUS
depositRateType FIXED
depositRateType FLOATING
depositRateType INTRODUCTORY
depositRateType MARKET_LINKED
depositRateType VARIABLE

BankingProductLendingRateV2

{
  "lendingRateType": "BUNDLE_DISCOUNT_FIXED",
  "rate": "string",
  "comparisonRate": "string",
  "calculationFrequency": "string",
  "applicationFrequency": "string",
  "interestPaymentDue": "IN_ADVANCE",
  "repaymentType": "INTEREST_ONLY",
  "loanPurpose": "INVESTMENT",
  "tiers": [
    {
      "name": "string",
      "unitOfMeasure": "DAY",
      "minimumValue": 0,
      "maximumValue": 0,
      "rateApplicationMethod": "PER_TIER",
      "applicabilityConditions": {
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      },
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ],
  "additionalValue": "string",
  "additionalInfo": "string",
  "additionalInfoUri": "string"
}

Properties

Name Type Required Restrictions Description
lendingRateType string mandatory none The type of rate (fixed, variable, etc). See the next section for an overview of valid values and their meaning
rate RateString mandatory none The rate to be applied
comparisonRate RateString optional none A comparison rate equivalent for this rate
calculationFrequency ExternalRef optional none The period after which the rate is applied to the balance to calculate the amount due for the period. Calculation of the amount is often daily (as balances may change) but accumulated until the total amount is 'applied' to the account (see applicationFrequency). Formatted according to ISO 8601 Durations (excludes recurrence syntax)
applicationFrequency ExternalRef optional none The period after which the calculated amount(s) (see calculationFrequency) are 'applied' (i.e. debited or credited) to the account. Formatted according to ISO 8601 Durations (excludes recurrence syntax)
interestPaymentDue string optional none When loan payments are due to be paid within each period. The investment benefit of earlier payments affect the rate that can be offered
repaymentType string optional none Options in place for repayments. If absent, the lending rate is applicable to all repayment types
loanPurpose string optional none The reason for taking out the loan. If absent, the lending rate is applicable to all loan purposes
tiers [BankingProductRateTierV3] optional none Rate tiers applicable for this rate
additionalValue string conditional none Generic field containing additional information relevant to the lendingRateType specified. Whether mandatory or not is dependent on the value of lendingRateType
additionalInfo string optional none Display text providing more information on the rate.
additionalInfoUri URIString optional none Link to a web page with more information on this rate

Enumerated Values

Property Value
lendingRateType BUNDLE_DISCOUNT_FIXED
lendingRateType BUNDLE_DISCOUNT_VARIABLE
lendingRateType CASH_ADVANCE
lendingRateType DISCOUNT
lendingRateType FIXED
lendingRateType FLOATING
lendingRateType INTRODUCTORY
lendingRateType MARKET_LINKED
lendingRateType PENALTY
lendingRateType PURCHASE
lendingRateType VARIABLE
interestPaymentDue IN_ADVANCE
interestPaymentDue IN_ARREARS
repaymentType INTEREST_ONLY
repaymentType PRINCIPAL_AND_INTEREST
loanPurpose INVESTMENT
loanPurpose OWNER_OCCUPIED

BankingProductRateTierV3

{
  "name": "string",
  "unitOfMeasure": "DAY",
  "minimumValue": 0,
  "maximumValue": 0,
  "rateApplicationMethod": "PER_TIER",
  "applicabilityConditions": {
    "additionalInfo": "string",
    "additionalInfoUri": "string"
  },
  "additionalInfo": "string",
  "additionalInfoUri": "string"
}

Defines the criteria and conditions for which a rate applies

Properties

Name Type Required Restrictions Description
name string mandatory none A display name for the tier
unitOfMeasure string mandatory none The unit of measure that applies to the tierValueMinimum and tierValueMaximum values e.g. a DOLLAR amount. PERCENT (in the case of loan-to-value ratio or LVR). Tier term period representing a discrete number of MONTH's or DAY's (in the case of term deposit tiers)
minimumValue Number mandatory none The number of tierUnitOfMeasure units that form the lower bound of the tier. The tier should be inclusive of this value
maximumValue Number optional none The number of tierUnitOfMeasure units that form the upper bound of the tier or band. For a tier with a discrete value (as opposed to a range of values e.g. 1 month) this must be the same as tierValueMinimum. Where this is the same as the tierValueMinimum value of the next-higher tier the referenced tier should be exclusive of this value. For example a term deposit of 2 months falls into the upper tier of the following tiers: (1 – 2 months, 2 – 3 months). If absent the tier's range has no upper bound.
rateApplicationMethod string optional none The method used to calculate the amount to be applied using one or more tiers. A single rate may be applied to the entire balance or each applicable tier rate is applied to the portion of the balance that falls into that tier (referred to as 'bands' or 'steps')
applicabilityConditions BankingProductRateCondition optional none Defines a condition for the applicability of a tiered rate
additionalInfo string optional none Display text providing more information on the rate tier.
additionalInfoUri URIString optional none Link to a web page with more information on this rate tier

Enumerated Values

Property Value
unitOfMeasure DAY
unitOfMeasure DOLLAR
unitOfMeasure MONTH
unitOfMeasure PERCENT
rateApplicationMethod PER_TIER
rateApplicationMethod WHOLE_BALANCE

BankingProductRateCondition

{
  "additionalInfo": "string",
  "additionalInfoUri": "string"
}

Defines a condition for the applicability of a tiered rate

Properties

Name Type Required Restrictions Description
additionalInfo string optional none Display text providing more information on the condition
additionalInfoUri URIString optional none Link to a web page with more information on this condition

ResponseBankingAccountList

{
  "data": {
    "accounts": [
      {
        "accountId": "string",
        "creationDate": "string",
        "displayName": "string",
        "nickname": "string",
        "openStatus": "OPEN",
        "isOwned": true,
        "maskedNumber": "string",
        "productCategory": "BUSINESS_LOANS",
        "productName": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» accounts [BankingAccount] mandatory none The list of accounts returned. If the filter results in an empty set then this array may have no records
links LinksPaginated mandatory none none
meta MetaPaginated mandatory none none

BankingAccount

{
  "accountId": "string",
  "creationDate": "string",
  "displayName": "string",
  "nickname": "string",
  "openStatus": "OPEN",
  "isOwned": true,
  "maskedNumber": "string",
  "productCategory": "BUSINESS_LOANS",
  "productName": "string"
}

Properties

Name Type Required Restrictions Description
accountId ASCIIString mandatory none A unique ID of the account adhering to the standards for ID permanence
creationDate DateString optional none Date that the account was created (if known)
displayName string mandatory none The display name of the account as defined by the bank. This should not incorporate account numbers or PANs. If it does the values should be masked according to the rules of the MaskedAccountString common type.
nickname string optional none A customer supplied nick name for the account
openStatus string optional none Open or closed status for the account. If not present then OPEN is assumed
isOwned Boolean optional none Flag indicating that the customer associated with the authorisation is an owner of the account. Does not indicate sole ownership, however. If not present then 'true' is assumed
maskedNumber MaskedAccountString mandatory none A masked version of the account. Whether BSB/Account Number, Credit Card PAN or another number
productCategory BankingProductCategory mandatory none The category to which a product or account belongs. See here for more details
productName string mandatory none The unique identifier of the account as defined by the data holder (akin to model number for the account)

Enumerated Values

Property Value
openStatus CLOSED
openStatus OPEN

ResponseBankingAccountById

{
  "data": {
    "accountId": "string",
    "creationDate": "string",
    "displayName": "string",
    "nickname": "string",
    "openStatus": "OPEN",
    "isOwned": true,
    "maskedNumber": "string",
    "productCategory": "BUSINESS_LOANS",
    "productName": "string",
    "bsb": "string",
    "accountNumber": "string",
    "bundleName": "string",
    "specificAccountUType": "creditCard",
    "termDeposit": [
      {
        "lodgementDate": "string",
        "maturityDate": "string",
        "maturityAmount": "string",
        "maturityCurrency": "string",
        "maturityInstructions": "HOLD_ON_MATURITY"
      }
    ],
    "creditCard": {
      "minPaymentAmount": "string",
      "paymentDueAmount": "string",
      "paymentCurrency": "string",
      "paymentDueDate": "string"
    },
    "loan": {
      "originalStartDate": "string",
      "originalLoanAmount": "string",
      "originalLoanCurrency": "string",
      "loanEndDate": "string",
      "nextInstalmentDate": "string",
      "minInstalmentAmount": "string",
      "minInstalmentCurrency": "string",
      "maxRedraw": "string",
      "maxRedrawCurrency": "string",
      "minRedraw": "string",
      "minRedrawCurrency": "string",
      "offsetAccountEnabled": true,
      "offsetAccountIds": [
        "string"
      ],
      "repaymentType": "PRINCIPAL_AND_INTEREST",
      "repaymentFrequency": "string"
    },
    "depositRate": "string",
    "lendingRate": "string",
    "depositRates": [
      {
        "depositRateType": "BONUS",
        "rate": "string",
        "calculationFrequency": "string",
        "applicationFrequency": "string",
        "tiers": [
          {
            "name": "string",
            "unitOfMeasure": "DAY",
            "minimumValue": 0,
            "maximumValue": 0,
            "rateApplicationMethod": "PER_TIER",
            "applicabilityConditions": {
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            },
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          }
        ],
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "lendingRates": [
      {
        "lendingRateType": "BUNDLE_DISCOUNT_FIXED",
        "rate": "string",
        "comparisonRate": "string",
        "calculationFrequency": "string",
        "applicationFrequency": "string",
        "interestPaymentDue": "IN_ADVANCE",
        "repaymentType": "INTEREST_ONLY",
        "loanPurpose": "INVESTMENT",
        "tiers": [
          {
            "name": "string",
            "unitOfMeasure": "DAY",
            "minimumValue": 0,
            "maximumValue": 0,
            "rateApplicationMethod": "PER_TIER",
            "applicabilityConditions": {
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            },
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          }
        ],
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string"
      }
    ],
    "features": [
      {
        "featureType": "ADDITIONAL_CARDS",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string",
        "isActivated": true
      }
    ],
    "fees": [
      {
        "name": "string",
        "feeType": "DEPOSIT",
        "amount": "string",
        "balanceRate": "string",
        "transactionRate": "string",
        "accruedRate": "string",
        "accrualFrequency": "string",
        "currency": "string",
        "additionalValue": "string",
        "additionalInfo": "string",
        "additionalInfoUri": "string",
        "discounts": [
          {
            "description": "string",
            "discountType": "BALANCE",
            "amount": "string",
            "balanceRate": "string",
            "transactionRate": "string",
            "accruedRate": "string",
            "feeRate": "string",
            "additionalValue": "string",
            "additionalInfo": "string",
            "additionalInfoUri": "string",
            "eligibility": [
              {
                "discountEligibilityType": "BUSINESS",
                "additionalValue": "string",
                "additionalInfo": "string",
                "additionalInfoUri": "string"
              }
            ]
          }
        ]
      }
    ],
    "addresses": [
      {
        "addressUType": "paf",
        "simple": {
          "mailingName": "string",
          "addressLine1": "string",
          "addressLine2": "string",
          "addressLine3": "string",
          "postcode": "string",
          "city": "string",
          "state": "string",
          "country": "AUS"
        },
        "paf": {
          "dpid": "string",
          "thoroughfareNumber1": 0,
          "thoroughfareNumber1Suffix": "string",
          "thoroughfareNumber2": 0,
          "thoroughfareNumber2Suffix": "string",
          "flatUnitType": "string",
          "flatUnitNumber": "string",
          "floorLevelType": "string",
          "floorLevelNumber": "string",
          "lotNumber": "string",
          "buildingName1": "string",
          "buildingName2": "string",
          "streetName": "string",
          "streetType": "string",
          "streetSuffix": "string",
          "postalDeliveryType": "string",
          "postalDeliveryNumber": 0,
          "postalDeliveryNumberPrefix": "string",
          "postalDeliveryNumberSuffix": "string",
          "localityName": "string",
          "postcode": "string",
          "state": "string"
        }
      }
    ]
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data BankingAccountDetail mandatory none none
links Links mandatory none none
meta Meta optional none none

BankingAccountDetail

{
  "accountId": "string",
  "creationDate": "string",
  "displayName": "string",
  "nickname": "string",
  "openStatus": "OPEN",
  "isOwned": true,
  "maskedNumber": "string",
  "productCategory": "BUSINESS_LOANS",
  "productName": "string",
  "bsb": "string",
  "accountNumber": "string",
  "bundleName": "string",
  "specificAccountUType": "creditCard",
  "termDeposit": [
    {
      "lodgementDate": "string",
      "maturityDate": "string",
      "maturityAmount": "string",
      "maturityCurrency": "string",
      "maturityInstructions": "HOLD_ON_MATURITY"
    }
  ],
  "creditCard": {
    "minPaymentAmount": "string",
    "paymentDueAmount": "string",
    "paymentCurrency": "string",
    "paymentDueDate": "string"
  },
  "loan": {
    "originalStartDate": "string",
    "originalLoanAmount": "string",
    "originalLoanCurrency": "string",
    "loanEndDate": "string",
    "nextInstalmentDate": "string",
    "minInstalmentAmount": "string",
    "minInstalmentCurrency": "string",
    "maxRedraw": "string",
    "maxRedrawCurrency": "string",
    "minRedraw": "string",
    "minRedrawCurrency": "string",
    "offsetAccountEnabled": true,
    "offsetAccountIds": [
      "string"
    ],
    "repaymentType": "PRINCIPAL_AND_INTEREST",
    "repaymentFrequency": "string"
  },
  "depositRate": "string",
  "lendingRate": "string",
  "depositRates": [
    {
      "depositRateType": "BONUS",
      "rate": "string",
      "calculationFrequency": "string",
      "applicationFrequency": "string",
      "tiers": [
        {
          "name": "string",
          "unitOfMeasure": "DAY",
          "minimumValue": 0,
          "maximumValue": 0,
          "rateApplicationMethod": "PER_TIER",
          "applicabilityConditions": {
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          },
          "additionalInfo": "string",
          "additionalInfoUri": "string"
        }
      ],
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ],
  "lendingRates": [
    {
      "lendingRateType": "BUNDLE_DISCOUNT_FIXED",
      "rate": "string",
      "comparisonRate": "string",
      "calculationFrequency": "string",
      "applicationFrequency": "string",
      "interestPaymentDue": "IN_ADVANCE",
      "repaymentType": "INTEREST_ONLY",
      "loanPurpose": "INVESTMENT",
      "tiers": [
        {
          "name": "string",
          "unitOfMeasure": "DAY",
          "minimumValue": 0,
          "maximumValue": 0,
          "rateApplicationMethod": "PER_TIER",
          "applicabilityConditions": {
            "additionalInfo": "string",
            "additionalInfoUri": "string"
          },
          "additionalInfo": "string",
          "additionalInfoUri": "string"
        }
      ],
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string"
    }
  ],
  "features": [
    {
      "featureType": "ADDITIONAL_CARDS",
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string",
      "isActivated": true
    }
  ],
  "fees": [
    {
      "name": "string",
      "feeType": "DEPOSIT",
      "amount": "string",
      "balanceRate": "string",
      "transactionRate": "string",
      "accruedRate": "string",
      "accrualFrequency": "string",
      "currency": "string",
      "additionalValue": "string",
      "additionalInfo": "string",
      "additionalInfoUri": "string",
      "discounts": [
        {
          "description": "string",
          "discountType": "BALANCE",
          "amount": "string",
          "balanceRate": "string",
          "transactionRate": "string",
          "accruedRate": "string",
          "feeRate": "string",
          "additionalValue": "string",
          "additionalInfo": "string",
          "additionalInfoUri": "string",
          "eligibility": [
            {
              "discountEligibilityType": "BUSINESS",
              "additionalValue": "string",
              "additionalInfo": "string",
              "additionalInfoUri": "string"
            }
          ]
        }
      ]
    }
  ],
  "addresses": [
    {
      "addressUType": "paf",
      "simple": {
        "mailingName": "string",
        "addressLine1": "string",
        "addressLine2": "string",
        "addressLine3": "string",
        "postcode": "string",
        "city": "string",
        "state": "string",
        "country": "AUS"
      },
      "paf": {
        "dpid": "string",
        "thoroughfareNumber1": 0,
        "thoroughfareNumber1Suffix": "string",
        "thoroughfareNumber2": 0,
        "thoroughfareNumber2Suffix": "string",
        "flatUnitType": "string",
        "flatUnitNumber": "string",
        "floorLevelType": "string",
        "floorLevelNumber": "string",
        "lotNumber": "string",
        "buildingName1": "string",
        "buildingName2": "string",
        "streetName": "string",
        "streetType": "string",
        "streetSuffix": "string",
        "postalDeliveryType": "string",
        "postalDeliveryNumber": 0,
        "postalDeliveryNumberPrefix": "string",
        "postalDeliveryNumberSuffix": "string",
        "localityName": "string",
        "postcode": "string",
        "state": "string"
      }
    }
  ]
}

Properties

allOf

Name Type Required Restrictions Description
anonymous BankingAccount mandatory none none

and

Name Type Required Restrictions Description
anonymous object mandatory none none
» bsb string optional none The unmasked BSB for the account. Is expected to be formatted as digits only with leading zeros included and no punctuation or spaces
» accountNumber string optional none The unmasked account number for the account. Should not be supplied if the account number is a PAN requiring PCI compliance. Is expected to be formatted as digits only with leading zeros included and no punctuation or spaces
» bundleName string optional none Optional field to indicate if this account is part of a bundle that is providing additional benefit for to the customer
» specificAccountUType string optional none The type of structure to present account specific fields.
» termDeposit [BankingTermDepositAccount] conditional none none
» creditCard BankingCreditCardAccount conditional none none
» loan BankingLoanAccount conditional none none
» depositRate RateString optional none current rate to calculate interest earned being applied to deposit balances as it stands at the time of the API call
» lendingRate RateString optional none The current rate to calculate interest payable being applied to lending balances as it stands at the time of the API call
» depositRates [BankingProductDepositRate] optional none Fully described deposit rates for this account based on the equivalent structure in Product Reference
» lendingRates [BankingProductLendingRateV2] optional none Fully described deposit rates for this account based on the equivalent structure in Product Reference
» features [allOf] optional none Array of features of the account based on the equivalent structure in Product Reference with the following additional field

allOf

Name Type Required Restrictions Description
»» anonymous BankingProductFeature mandatory none none

and

Name Type Required Restrictions Description
»» anonymous object mandatory none none
»»» isActivated Boolean optional none True if the feature is already activated and false if the feature is available for activation. Defaults to true if absent. (note this is an additional field appended to the feature object defined in the Product Reference payload)

continued

Name Type Required Restrictions Description
»» fees [BankingProductFee] optional none Fees and charges applicable to the account based on the equivalent structure in Product Reference
»» addresses [CommonPhysicalAddress] optional none The addresses for the account to be used for correspondence

Enumerated Values

Property Value
specificAccountUType creditCard
specificAccountUType loan
specificAccountUType termDeposit

BankingTermDepositAccount

{
  "lodgementDate": "string",
  "maturityDate": "string",
  "maturityAmount": "string",
  "maturityCurrency": "string",
  "maturityInstructions": "HOLD_ON_MATURITY"
}

Properties

Name Type Required Restrictions Description
lodgementDate DateString mandatory none The lodgement date of the original deposit
maturityDate DateString mandatory none Maturity date for the term deposit
maturityAmount AmountString optional none Amount to be paid upon maturity. If absent it implies the amount to paid is variable and cannot currently be calculated
maturityCurrency CurrencyString optional none If absent assumes AUD
maturityInstructions string mandatory none Current instructions on action to be taken at maturity. This includes default actions that may be specified in the terms and conditions for the product e.g. roll-over to the same term and frequency of interest payments

Enumerated Values

Property Value
maturityInstructions HOLD_ON_MATURITY
maturityInstructions PAID_OUT_AT_MATURITY
maturityInstructions ROLLED_OVER

BankingCreditCardAccount

{
  "minPaymentAmount": "string",
  "paymentDueAmount": "string",
  "paymentCurrency": "string",
  "paymentDueDate": "string"
}

Properties

Name Type Required Restrictions Description
minPaymentAmount AmountString mandatory none The minimum payment amount due for the next card payment
paymentDueAmount AmountString mandatory none The amount due for the next card payment
paymentCurrency CurrencyString optional none If absent assumes AUD
paymentDueDate DateString mandatory none Date that the next payment for the card is due

BankingLoanAccount

{
  "originalStartDate": "string",
  "originalLoanAmount": "string",
  "originalLoanCurrency": "string",
  "loanEndDate": "string",
  "nextInstalmentDate": "string",
  "minInstalmentAmount": "string",
  "minInstalmentCurrency": "string",
  "maxRedraw": "string",
  "maxRedrawCurrency": "string",
  "minRedraw": "string",
  "minRedrawCurrency": "string",
  "offsetAccountEnabled": true,
  "offsetAccountIds": [
    "string"
  ],
  "repaymentType": "PRINCIPAL_AND_INTEREST",
  "repaymentFrequency": "string"
}

Properties

Name Type Required Restrictions Description
originalStartDate DateString optional none Optional original start date for the loan
originalLoanAmount AmountString optional none Optional original loan value
originalLoanCurrency CurrencyString optional none If absent assumes AUD
loanEndDate DateString mandatory none Date that the loan is due to be repaid in full
nextInstalmentDate DateString mandatory none Next date that an instalment is required
minInstalmentAmount AmountString optional none Minimum amount of next instalment
minInstalmentCurrency CurrencyString optional none If absent assumes AUD
maxRedraw AmountString optional none Maximum amount of funds that can be redrawn. If not present redraw is not available even if the feature exists for the account
maxRedrawCurrency CurrencyString optional none If absent assumes AUD
minRedraw AmountString optional none Minimum redraw amount
minRedrawCurrency CurrencyString optional none If absent assumes AUD
offsetAccountEnabled Boolean optional none Set to true if one or more offset accounts are configured for this loan account
offsetAccountIds [string] optional none The accountIDs of the configured offset accounts attached to this loan. Only offset accounts that can be accessed under the current authorisation should be included. It is expected behaviour that offsetAccountEnabled is set to true but the offsetAccountIds field is absent or empty. This represents a situation where an offset account exists but details can not be accessed under the current authorisation
repaymentType string optional none Options in place for repayments. If absent defaults to PRINCIPAL_AND_INTEREST
repaymentFrequency ExternalRef mandatory none The expected or required repayment frequency. Formatted according to ISO 8601 Durations (excludes recurrence syntax)

Enumerated Values

Property Value
repaymentType INTEREST_ONLY
repaymentType PRINCIPAL_AND_INTEREST

ResponseBankingTransactionList

{
  "data": {
    "transactions": [
      {
        "accountId": "string",
        "transactionId": "string",
        "isDetailAvailable": true,
        "type": "DIRECT_DEBIT",
        "status": "PENDING",
        "description": "string",
        "postingDateTime": "string",
        "valueDateTime": "string",
        "executionDateTime": "string",
        "amount": "string",
        "currency": "string",
        "reference": "string",
        "merchantName": "string",
        "merchantCategoryCode": "string",
        "billerCode": "string",
        "billerName": "string",
        "crn": "string",
        "apcaNumber": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» transactions [BankingTransaction] mandatory none none
links LinksPaginated mandatory none none
meta MetaPaginated mandatory none none

BankingTransaction

{
  "accountId": "string",
  "transactionId": "string",
  "isDetailAvailable": true,
  "type": "DIRECT_DEBIT",
  "status": "PENDING",
  "description": "string",
  "postingDateTime": "string",
  "valueDateTime": "string",
  "executionDateTime": "string",
  "amount": "string",
  "currency": "string",
  "reference": "string",
  "merchantName": "string",
  "merchantCategoryCode": "string",
  "billerCode": "string",
  "billerName": "string",
  "crn": "string",
  "apcaNumber": "string"
}

Properties

Name Type Required Restrictions Description
accountId ASCIIString mandatory none ID of the account for which transactions are provided
transactionId ASCIIString conditional none A unique ID of the transaction adhering to the standards for ID permanence. This is mandatory (through hashing if necessary) unless there are specific and justifiable technical reasons why a transaction cannot be uniquely identified for a particular account type. It is mandatory if isDetailAvailable is set to true.
isDetailAvailable Boolean mandatory none True if extended information is available using the transaction detail end point. False if extended data is not available
type string mandatory none The type of the transaction
status string mandatory none Status of the transaction whether pending or posted. Note that there is currently no provision in the standards to guarantee the ability to correlate a pending transaction with an associated posted transaction
description string mandatory none The transaction description as applied by the financial institution
postingDateTime DateTimeString conditional none The time the transaction was posted. This field is Mandatory if the transaction has status POSTED. This is the time that appears on a standard statement
valueDateTime DateTimeString optional none Date and time at which assets become available to the account owner in case of a credit entry, or cease to be available to the account owner in case of a debit transaction entry
executionDateTime DateTimeString optional none The time the transaction was executed by the originating customer, if available
amount AmountString mandatory none The value of the transaction. Negative values mean money was outgoing from the account
currency CurrencyString optional none The currency for the transaction amount. AUD assumed if not present
reference string mandatory none The reference for the transaction provided by the originating institution. Empty string if no data provided
merchantName string optional none Name of the merchant for an outgoing payment to a merchant
merchantCategoryCode string optional none The merchant category code (or MCC) for an outgoing payment to a merchant
billerCode string optional none BPAY Biller Code for the transaction (if available)
billerName string optional none Name of the BPAY biller for the transaction (if available)
crn string conditional none BPAY CRN for the transaction (if available).
Where the CRN contains sensitive information, it should be masked in line with how the Data Holder currently displays account identifiers in their existing online banking channels. If the contents of the CRN match the format of a Credit Card PAN they should be masked according to the rules applicable for MaskedPANString. If the contents are are otherwise sensitive, then it should be masked using the rules applicable for the MaskedAccountString common type.
apcaNumber string optional none 6 Digit APCA number for the initiating institution. The field is fixed-width and padded with leading zeros if applicable.

Enumerated Values

Property Value
type DIRECT_DEBIT
type FEE
type INTEREST_CHARGED
type INTEREST_PAID
type OTHER
type PAYMENT
type TRANSFER_INCOMING
type TRANSFER_OUTGOING
status PENDING
status POSTED

ResponseBankingTransactionById

{
  "data": {
    "accountId": "string",
    "transactionId": "string",
    "isDetailAvailable": true,
    "type": "DIRECT_DEBIT",
    "status": "PENDING",
    "description": "string",
    "postingDateTime": "string",
    "valueDateTime": "string",
    "executionDateTime": "string",
    "amount": "string",
    "currency": "string",
    "reference": "string",
    "merchantName": "string",
    "merchantCategoryCode": "string",
    "billerCode": "string",
    "billerName": "string",
    "crn": "string",
    "apcaNumber": "string",
    "extendedData": {
      "payer": "string",
      "payee": "string",
      "extensionUType": "x2p101Payload",
      "x2p101Payload": {
        "extendedDescription": "string",
        "endToEndId": "string",
        "purposeCode": "string"
      },
      "service": "X2P1.01"
    }
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data BankingTransactionDetail mandatory none none
links Links mandatory none none
meta Meta optional none none

BankingTransactionDetail

{
  "accountId": "string",
  "transactionId": "string",
  "isDetailAvailable": true,
  "type": "DIRECT_DEBIT",
  "status": "PENDING",
  "description": "string",
  "postingDateTime": "string",
  "valueDateTime": "string",
  "executionDateTime": "string",
  "amount": "string",
  "currency": "string",
  "reference": "string",
  "merchantName": "string",
  "merchantCategoryCode": "string",
  "billerCode": "string",
  "billerName": "string",
  "crn": "string",
  "apcaNumber": "string",
  "extendedData": {
    "payer": "string",
    "payee": "string",
    "extensionUType": "x2p101Payload",
    "x2p101Payload": {
      "extendedDescription": "string",
      "endToEndId": "string",
      "purposeCode": "string"
    },
    "service": "X2P1.01"
  }
}

Properties

allOf

Name Type Required Restrictions Description
anonymous BankingTransaction mandatory none none

and

Name Type Required Restrictions Description
anonymous object mandatory none none
» extendedData object mandatory none none
»» payer string conditional none Label of the originating payer. Mandatory for inbound payment
»» payee string conditional none Label of the target PayID. Mandatory for an outbound payment. The name assigned to the BSB/Account Number or PayID (by the owner of the PayID)
»» extensionUType string optional none Optional extended data provided specific to transaction originated via NPP
»» x2p101Payload object optional none none
»»» extendedDescription string mandatory none An extended string description. Only present if specified by the extensionUType field
»»» endToEndId string optional none An end to end ID for the payment created at initiation
»»» purposeCode string optional none Purpose of the payment. Format is defined by NPP standards for the x2p1.01 overlay service
»» service string mandatory none Identifier of the applicable overlay service. Valid values are: X2P1.01

Enumerated Values

Property Value
extensionUType x2p101Payload
service X2P1.01

ResponseBankingAccountsBalanceList

{
  "data": {
    "balances": [
      {
        "accountId": "string",
        "currentBalance": "string",
        "availableBalance": "string",
        "creditLimit": "string",
        "amortisedLimit": "string",
        "currency": "string",
        "purses": [
          {
            "amount": "string",
            "currency": "string"
          }
        ]
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» balances [BankingBalance] mandatory none The list of balances returned
links LinksPaginated mandatory none none
meta MetaPaginated mandatory none none

ResponseBankingAccountsBalanceById

{
  "data": {
    "accountId": "string",
    "currentBalance": "string",
    "availableBalance": "string",
    "creditLimit": "string",
    "amortisedLimit": "string",
    "currency": "string",
    "purses": [
      {
        "amount": "string",
        "currency": "string"
      }
    ]
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data BankingBalance mandatory none none
links Links mandatory none none
meta Meta optional none none

BankingBalance

{
  "accountId": "string",
  "currentBalance": "string",
  "availableBalance": "string",
  "creditLimit": "string",
  "amortisedLimit": "string",
  "currency": "string",
  "purses": [
    {
      "amount": "string",
      "currency": "string"
    }
  ]
}

Properties

Name Type Required Restrictions Description
accountId ASCIIString mandatory none A unique ID of the account adhering to the standards for ID permanence
currentBalance AmountString mandatory none The balance of the account at this time. Should align to the balance available via other channels such as Internet Banking. Assumed to be negative if the customer has money owing
availableBalance AmountString mandatory none Balance representing the amount of funds available for transfer. Assumed to be zero or positive
creditLimit AmountString optional none Object representing the maximum amount of credit that is available for this account. Assumed to be zero if absent
amortisedLimit AmountString optional none Object representing the available limit amortised according to payment schedule. Assumed to be zero if absent
currency CurrencyString optional none The currency for the balance amounts. If absent assumed to be AUD
purses [BankingBalancePurse] optional none Optional array of balances for the account in other currencies. Included to support accounts that support multi-currency purses such as Travel Cards

BankingBalancePurse

{
  "amount": "string",
  "currency": "string"
}

Properties

Name Type Required Restrictions Description
amount AmountString mandatory none The balance available for this additional currency purse
currency CurrencyString optional none The currency for the purse

ResponseBankingPayeeList

{
  "data": {
    "payees": [
      {
        "payeeId": "string",
        "nickname": "string",
        "description": "string",
        "type": "BILLER",
        "creationDate": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» payees [BankingPayee] mandatory none The list of payees returned
links LinksPaginated mandatory none none
meta MetaPaginated mandatory none none

ResponseBankingPayeeById

{
  "data": {
    "payeeId": "string",
    "nickname": "string",
    "description": "string",
    "type": "BILLER",
    "creationDate": "string",
    "payeeUType": "biller",
    "domestic": {
      "payeeAccountUType": "account",
      "account": {
        "accountName": "string",
        "bsb": "string",
        "accountNumber": "string"
      },
      "card": {
        "cardNumber": "string"
      },
      "payId": {
        "name": "string",
        "identifier": "string",
        "type": "ABN"
      }
    },
    "biller": {
      "billerCode": "string",
      "crn": "string",
      "billerName": "string"
    },
    "international": {
      "beneficiaryDetails": {
        "name": "string",
        "country": "string",
        "message": "string"
      },
      "bankDetails": {
        "country": "string",
        "accountNumber": "string",
        "bankAddress": {
          "name": "string",
          "address": "string"
        },
        "beneficiaryBankBIC": "string",
        "fedWireNumber": "string",
        "sortCode": "string",
        "chipNumber": "string",
        "routingNumber": "string",
        "legalEntityIdentifier": "string"
      }
    }
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data BankingPayeeDetail mandatory none none
links Links mandatory none none
meta Meta optional none none

BankingPayee

{
  "payeeId": "string",
  "nickname": "string",
  "description": "string",
  "type": "BILLER",
  "creationDate": "string"
}

Properties

Name Type Required Restrictions Description
payeeId ASCIIString mandatory none ID of the payee adhering to the rules of ID permanence
nickname string mandatory none The short display name of the payee as provided by the customer. Where a customer has not provided a nickname, a display name derived by the bank for the payee consistent with existing digital banking channels
description string optional none A description of the payee provided by the customer
type string mandatory none The type of payee. DOMESTIC means a registered payee for domestic payments including NPP. INTERNATIONAL means a registered payee for international payments. BILLER means a registered payee for BPAY
creationDate DateString optional none The date the payee was created by the customer

Enumerated Values

Property Value
type BILLER
type DOMESTIC
type INTERNATIONAL

BankingPayeeDetail

{
  "payeeId": "string",
  "nickname": "string",
  "description": "string",
  "type": "BILLER",
  "creationDate": "string",
  "payeeUType": "biller",
  "domestic": {
    "payeeAccountUType": "account",
    "account": {
      "accountName": "string",
      "bsb": "string",
      "accountNumber": "string"
    },
    "card": {
      "cardNumber": "string"
    },
    "payId": {
      "name": "string",
      "identifier": "string",
      "type": "ABN"
    }
  },
  "biller": {
    "billerCode": "string",
    "crn": "string",
    "billerName": "string"
  },
  "international": {
    "beneficiaryDetails": {
      "name": "string",
      "country": "string",
      "message": "string"
    },
    "bankDetails": {
      "country": "string",
      "accountNumber": "string",
      "bankAddress": {
        "name": "string",
        "address": "string"
      },
      "beneficiaryBankBIC": "string",
      "fedWireNumber": "string",
      "sortCode": "string",
      "chipNumber": "string",
      "routingNumber": "string",
      "legalEntityIdentifier": "string"
    }
  }
}

Properties

allOf

Name Type Required Restrictions Description
anonymous BankingPayee mandatory none none

and

Name Type Required Restrictions Description
anonymous object mandatory none none
» payeeUType string mandatory none Type of object included that describes the payee in detail
» domestic BankingDomesticPayee conditional none none
» biller BankingBillerPayee conditional none none
» international BankingInternationalPayee conditional none none

Enumerated Values

Property Value
payeeUType biller
payeeUType domestic
payeeUType international

BankingDomesticPayee

{
  "payeeAccountUType": "account",
  "account": {
    "accountName": "string",
    "bsb": "string",
    "accountNumber": "string"
  },
  "card": {
    "cardNumber": "string"
  },
  "payId": {
    "name": "string",
    "identifier": "string",
    "type": "ABN"
  }
}

Properties

Name Type Required Restrictions Description
payeeAccountUType string mandatory none Type of account object included. Valid values are: account A standard Australian account defined by BSB/Account Number. card A credit or charge card to pay to (note that PANs are masked). payId A PayID recognised by NPP
account BankingDomesticPayeeAccount conditional none none
card BankingDomesticPayeeCard conditional none none
payId BankingDomesticPayeePayId conditional none none

Enumerated Values

Property Value
payeeAccountUType account
payeeAccountUType card
payeeAccountUType payId

BankingDomesticPayeeAccount

{
  "accountName": "string",
  "bsb": "string",
  "accountNumber": "string"
}

Properties

Name Type Required Restrictions Description
accountName string optional none Name of the account to pay to
bsb string mandatory none BSB of the account to pay to
accountNumber string mandatory none Number of the account to pay to

BankingDomesticPayeeCard

{
  "cardNumber": "string"
}

Properties

Name Type Required Restrictions Description
cardNumber MaskedPANString mandatory none Name of the account to pay to

BankingDomesticPayeePayId

{
  "name": "string",
  "identifier": "string",
  "type": "ABN"
}

Properties

Name Type Required Restrictions Description
name string optional none The name assigned to the PayID by the owner of the PayID
identifier string mandatory none The identifier of the PayID (dependent on type)
type string mandatory none The type of the PayID

Enumerated Values

Property Value
type ABN
type EMAIL
type ORG_IDENTIFIER
type TELEPHONE

BankingBillerPayee

{
  "billerCode": "string",
  "crn": "string",
  "billerName": "string"
}

Properties

Name Type Required Restrictions Description
billerCode string mandatory none BPAY Biller Code of the Biller
crn string conditional none BPAY CRN of the Biller (if available).
Where the CRN contains sensitive information, it should be masked in line with how the Data Holder currently displays account identifiers in their existing online banking channels. If the contents of the CRN match the format of a Credit Card PAN they should be masked according to the rules applicable for MaskedPANString. If the contents are are otherwise sensitive, then it should be masked using the rules applicable for the MaskedAccountString common type.
billerName string mandatory none Name of the Biller

BankingInternationalPayee

{
  "beneficiaryDetails": {
    "name": "string",
    "country": "string",
    "message": "string"
  },
  "bankDetails": {
    "country": "string",
    "accountNumber": "string",
    "bankAddress": {
      "name": "string",
      "address": "string"
    },
    "beneficiaryBankBIC": "string",
    "fedWireNumber": "string",
    "sortCode": "string",
    "chipNumber": "string",
    "routingNumber": "string",
    "legalEntityIdentifier": "string"
  }
}

Properties

Name Type Required Restrictions Description
beneficiaryDetails object mandatory none none
» name string optional none Name of the beneficiary
» country ExternalRef mandatory none Country where the beneficiary resides. A valid ISO 3166 Alpha-3 country code
» message string optional none Response message for the payment
bankDetails object mandatory none none
» country ExternalRef mandatory none Country of the recipient institution. A valid ISO 3166 Alpha-3 country code
» accountNumber string mandatory none Account Targeted for payment
» bankAddress object optional none none
»» name string mandatory none Name of the recipient Bank
»» address string mandatory none Address of the recipient Bank
» beneficiaryBankBIC ExternalRef optional none Swift bank code. Aligns with standard ISO 9362
» fedWireNumber string optional none Number for Fedwire payment (Federal Reserve Wire Network)
» sortCode string optional none Sort code used for account identification in some jurisdictions
» chipNumber string optional none Number for the Clearing House Interbank Payments System
» routingNumber string optional none International bank routing number
» legalEntityIdentifier ExternalRef optional none The legal entity identifier (LEI) for the beneficiary. Aligns with ISO 17442

ResponseBankingDirectDebitAuthorisationList

{
  "data": {
    "directDebitAuthorisations": [
      {
        "accountId": "string",
        "authorisedEntity": {
          "description": "string",
          "financialInstitution": "string",
          "abn": "string",
          "acn": "string",
          "arbn": "string"
        },
        "lastDebitDateTime": "string",
        "lastDebitAmount": "string"
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» directDebitAuthorisations [BankingDirectDebit] mandatory none The list of authorisations returned
links LinksPaginated mandatory none none
meta MetaPaginated mandatory none none

BankingDirectDebit

{
  "accountId": "string",
  "authorisedEntity": {
    "description": "string",
    "financialInstitution": "string",
    "abn": "string",
    "acn": "string",
    "arbn": "string"
  },
  "lastDebitDateTime": "string",
  "lastDebitAmount": "string"
}

Properties

Name Type Required Restrictions Description
accountId ASCIIString mandatory none A unique ID of the account adhering to the standards for ID permanence.
authorisedEntity BankingAuthorisedEntity mandatory none none
lastDebitDateTime DateTimeString optional none The date and time of the last debit executed under this authorisation
lastDebitAmount AmountString optional none The amount of the last debit executed under this authorisation

BankingAuthorisedEntity

{
  "description": "string",
  "financialInstitution": "string",
  "abn": "string",
  "acn": "string",
  "arbn": "string"
}

Properties

Name Type Required Restrictions Description
description string optional none Description of the authorised entity derived from previously executed direct debits
financialInstitution string conditional none Name of the financial institution through which the direct debit will be executed. Is required unless the payment is made via a credit card scheme
abn string optional none Australian Business Number for the authorised entity
acn string optional none Australian Company Number for the authorised entity
arbn string optional none Australian Registered Body Number for the authorised entity

ResponseBankingScheduledPaymentsList

{
  "data": {
    "scheduledPayments": [
      {
        "scheduledPaymentId": "string",
        "nickname": "string",
        "payerReference": "string",
        "payeeReference": "string",
        "status": "ACTIVE",
        "from": {
          "accountId": "string"
        },
        "paymentSet": [
          {
            "to": {
              "toUType": "accountId",
              "accountId": "string",
              "payeeId": "string",
              "nickname": "string",
              "payeeReference": "string",
              "domestic": {
                "payeeAccountUType": "account",
                "account": {
                  "accountName": "string",
                  "bsb": "string",
                  "accountNumber": "string"
                },
                "card": {
                  "cardNumber": "string"
                },
                "payId": {
                  "name": "string",
                  "identifier": "string",
                  "type": "ABN"
                }
              },
              "biller": {
                "billerCode": "string",
                "crn": "string",
                "billerName": "string"
              },
              "international": {
                "beneficiaryDetails": {
                  "name": "string",
                  "country": "string",
                  "message": "string"
                },
                "bankDetails": {
                  "country": "string",
                  "accountNumber": "string",
                  "bankAddress": {
                    "name": "string",
                    "address": "string"
                  },
                  "beneficiaryBankBIC": "string",
                  "fedWireNumber": "string",
                  "sortCode": "string",
                  "chipNumber": "string",
                  "routingNumber": "string",
                  "legalEntityIdentifier": "string"
                }
              }
            },
            "isAmountCalculated": true,
            "amount": "string",
            "currency": "string"
          }
        ],
        "recurrence": {
          "nextPaymentDate": "string",
          "recurrenceUType": "eventBased",
          "onceOff": {
            "paymentDate": "string"
          },
          "intervalSchedule": {
            "finalPaymentDate": "string",
            "paymentsRemaining": 1,
            "nonBusinessDayTreatment": "ON",
            "intervals": [
              {
                "interval": "string",
                "dayInInterval": "string"
              }
            ]
          },
          "lastWeekDay": {
            "finalPaymentDate": "string",
            "paymentsRemaining": 1,
            "interval": "string",
            "lastWeekDay": "FRI",
            "nonBusinessDayTreatment": "ON"
          },
          "eventBased": {
            "description": "string"
          }
        }
      }
    ]
  },
  "links": {
    "self": "string",
    "first": "string",
    "prev": "string",
    "next": "string",
    "last": "string"
  },
  "meta": {
    "totalRecords": 0,
    "totalPages": 0
  }
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» scheduledPayments [BankingScheduledPayment] mandatory none The list of scheduled payments to return
links LinksPaginated mandatory none none
meta MetaPaginated mandatory none none

BankingScheduledPayment

{
  "scheduledPaymentId": "string",
  "nickname": "string",
  "payerReference": "string",
  "payeeReference": "string",
  "status": "ACTIVE",
  "from": {
    "accountId": "string"
  },
  "paymentSet": [
    {
      "to": {
        "toUType": "accountId",
        "accountId": "string",
        "payeeId": "string",
        "nickname": "string",
        "payeeReference": "string",
        "domestic": {
          "payeeAccountUType": "account",
          "account": {
            "accountName": "string",
            "bsb": "string",
            "accountNumber": "string"
          },
          "card": {
            "cardNumber": "string"
          },
          "payId": {
            "name": "string",
            "identifier": "string",
            "type": "ABN"
          }
        },
        "biller": {
          "billerCode": "string",
          "crn": "string",
          "billerName": "string"
        },
        "international": {
          "beneficiaryDetails": {
            "name": "string",
            "country": "string",
            "message": "string"
          },
          "bankDetails": {
            "country": "string",
            "accountNumber": "string",
            "bankAddress": {
              "name": "string",
              "address": "string"
            },
            "beneficiaryBankBIC": "string",
            "fedWireNumber": "string",
            "sortCode": "string",
            "chipNumber": "string",
            "routingNumber": "string",
            "legalEntityIdentifier": "string"
          }
        }
      },
      "isAmountCalculated": true,
      "amount": "string",
      "currency": "string"
    }
  ],
  "recurrence": {
    "nextPaymentDate": "string",
    "recurrenceUType": "eventBased",
    "onceOff": {
      "paymentDate": "string"
    },
    "intervalSchedule": {
      "finalPaymentDate": "string",
      "paymentsRemaining": 1,
      "nonBusinessDayTreatment": "ON",
      "intervals": [
        {
          "interval": "string",
          "dayInInterval": "string"
        }
      ]
    },
    "lastWeekDay": {
      "finalPaymentDate": "string",
      "paymentsRemaining": 1,
      "interval": "string",
      "lastWeekDay": "FRI",
      "nonBusinessDayTreatment": "ON"
    },
    "eventBased": {
      "description": "string"
    }
  }
}

Properties

Name Type Required Restrictions Description
scheduledPaymentId ASCIIString mandatory none A unique ID of the scheduled payment adhering to the standards for ID permanence
nickname string optional none The short display name of the scheduled payment as provided by the customer if provided. Where a customer has not provided a nickname, a display name derived by the bank for the scheduled payment should be provided that is consistent with existing digital banking channels
payerReference string mandatory none The reference for the transaction that will be used by the originating institution for the purposes of constructing a statement narrative on the payer’s account. Empty string if no data provided
payeeReference string conditional none The reference for the transaction, if applicable, that will be provided by the originating institution for all payments in the payment set. Empty string if no data provided
status string mandatory none Indicates whether the schedule is currently active. The value SKIP is equivalent to ACTIVE except that the customer has requested the next normal occurrence to be skipped.
from BankingScheduledPaymentFrom mandatory none Object containing details of the source of the payment. Currently only specifies an account ID but provided as an object to facilitate future extensibility and consistency with the to object
paymentSet [BankingScheduledPaymentSet] mandatory none [The set of payment amounts and destination accounts for this payment accommodating multi-part payments. A single entry indicates a simple payment with one destination account. Must have at least one entry]
recurrence BankingScheduledPaymentRecurrence mandatory none Object containing the detail of the schedule for the payment

Enumerated Values

Property Value
status ACTIVE
status INACTIVE
status SKIP

BankingScheduledPaymentSet

{
  "to": {
    "toUType": "accountId",
    "accountId": "string",
    "payeeId": "string",
    "nickname": "string",
    "payeeReference": "string",
    "domestic": {
      "payeeAccountUType": "account",
      "account": {
        "accountName": "string",
        "bsb": "string",
        "accountNumber": "string"
      },
      "card": {
        "cardNumber": "string"
      },
      "payId": {
        "name": "string",
        "identifier": "string",
        "type": "ABN"
      }
    },
    "biller": {
      "billerCode": "string",
      "crn": "string",
      "billerName": "string"
    },
    "international": {
      "beneficiaryDetails": {
        "name": "string",
        "country": "string",
        "message": "string"
      },
      "bankDetails": {
        "country": "string",
        "accountNumber": "string",
        "bankAddress": {
          "name": "string",
          "address": "string"
        },
        "beneficiaryBankBIC": "string",
        "fedWireNumber": "string",
        "sortCode": "string",
        "chipNumber": "string",
        "routingNumber": "string",
        "legalEntityIdentifier": "string"
      }
    }
  },
  "isAmountCalculated": true,
  "amount": "string",
  "currency": "string"
}

The set of payment amounts and destination accounts for this payment accommodating multi-part payments. A single entry indicates a simple payment with one destination account. Must have at least one entry

Properties

Name Type Required Restrictions Description
to BankingScheduledPaymentTo mandatory none Object containing details of the destination of the payment. Used to specify a variety of payment destination types
isAmountCalculated Boolean optional none Flag indicating whether the amount of the payment is calculated based on the context of the event. For instance a payment to reduce the balance of a credit card to zero. If absent then false is assumed
amount AmountString conditional none The amount of the next payment if known. Mandatory unless the isAmountCalculated field is set to true. Must be zero or positive if present
currency CurrencyString optional none The currency for the payment. AUD assumed if not present

BankingScheduledPaymentTo

{
  "toUType": "accountId",
  "accountId": "string",
  "payeeId": "string",
  "nickname": "string",
  "payeeReference": "string",
  "domestic": {
    "payeeAccountUType": "account",
    "account": {
      "accountName": "string",
      "bsb": "string",
      "accountNumber": "string"
    },
    "card": {
      "cardNumber": "string"
    },
    "payId": {
      "name": "string",
      "identifier": "string",
      "type": "ABN"
    }
  },
  "biller": {
    "billerCode": "string",
    "crn": "string",
    "billerName": "string"
  },
  "international": {
    "beneficiaryDetails": {
      "name": "string",
      "country": "string",
      "message": "string"
    },
    "bankDetails": {
      "country": "string",
      "accountNumber": "string",
      "bankAddress": {
        "name": "string",
        "address": "string"
      },
      "beneficiaryBankBIC": "string",
      "fedWireNumber": "string",
      "sortCode": "string",
      "chipNumber": "string",
      "routingNumber": "string",
      "legalEntityIdentifier": "string"
    }
  }
}

Object containing details of the destination of the payment. Used to specify a variety of payment destination types

Properties

Name Type Required Restrictions Description
toUType string mandatory none The type of object provided that specifies the destination of the funds for the payment.
accountId ASCIIString conditional none Present if toUType is set to accountId. Indicates that the payment is to another account that is accessible under the current consent
payeeId ASCIIString conditional none Present if toUType is set to payeeId. Indicates that the payment is to registered payee that can be accessed using the payee end point. If the Bank Payees scope has not been consented to then a payeeId should not be provided and the full payee details should be provided instead
nickname string conditional none The short display name of the payee as provided by the customer unless toUType is set to payeeId. Where a customer has not provided a nickname, a display name derived by the bank for payee should be provided that is consistent with existing digital banking channels
payeeReference string conditional none The reference for the transaction, if applicable, that will be provided by the originating institution for the specific payment. If not empty, it overrides the value provided at the BankingScheduledPayment level.
domestic BankingDomesticPayee conditional none none
biller BankingBillerPayee conditional none none
international BankingInternationalPayee conditional none none

Enumerated Values

Property Value
toUType accountId
toUType biller
toUType domestic
toUType international
toUType payeeId

BankingScheduledPaymentFrom

{
  "accountId": "string"
}

Object containing details of the source of the payment. Currently only specifies an account ID but provided as an object to facilitate future extensibility and consistency with the to object

Properties

Name Type Required Restrictions Description
accountId ASCIIString mandatory none ID of the account that is the source of funds for the payment

BankingScheduledPaymentRecurrence

{
  "nextPaymentDate": "string",
  "recurrenceUType": "eventBased",
  "onceOff": {
    "paymentDate": "string"
  },
  "intervalSchedule": {
    "finalPaymentDate": "string",
    "paymentsRemaining": 1,
    "nonBusinessDayTreatment": "ON",
    "intervals": [
      {
        "interval": "string",
        "dayInInterval": "string"
      }
    ]
  },
  "lastWeekDay": {
    "finalPaymentDate": "string",
    "paymentsRemaining": 1,
    "interval": "string",
    "lastWeekDay": "FRI",
    "nonBusinessDayTreatment": "ON"
  },
  "eventBased": {
    "description": "string"
  }
}

Object containing the detail of the schedule for the payment

Properties

Name Type Required Restrictions Description
nextPaymentDate DateString optional none The date of the next payment under the recurrence schedule
recurrenceUType string mandatory none The type of recurrence used to define the schedule
onceOff BankingScheduledPaymentRecurrenceOnceOff conditional none Indicates that the payment is a once off payment on a specific future date. Mandatory if recurrenceUType is set to onceOff
intervalSchedule BankingScheduledPaymentRecurrenceIntervalSchedule conditional none Indicates that the schedule of payments is defined by a series of intervals. Mandatory if recurrenceUType is set to intervalSchedule
lastWeekDay BankingScheduledPaymentRecurrenceLastWeekday conditional none Indicates that the schedule of payments is defined according to the last occurrence of a specific weekday in an interval. Mandatory if recurrenceUType is set to lastWeekDay
eventBased BankingScheduledPaymentRecurrenceEventBased conditional none Indicates that the schedule of payments is defined according to an external event that cannot be predetermined. Mandatory if recurrenceUType is set to eventBased

Enumerated Values

Property Value
recurrenceUType eventBased
recurrenceUType intervalSchedule
recurrenceUType lastWeekDay
recurrenceUType onceOff

BankingScheduledPaymentRecurrenceOnceOff

{
  "paymentDate": "string"
}

Indicates that the payment is a once off payment on a specific future date. Mandatory if recurrenceUType is set to onceOff

Properties

Name Type Required Restrictions Description
paymentDate DateString mandatory none The scheduled date for the once off payment

BankingScheduledPaymentRecurrenceIntervalSchedule

{
  "finalPaymentDate": "string",
  "paymentsRemaining": 1,
  "nonBusinessDayTreatment": "ON",
  "intervals": [
    {
      "interval": "string",
      "dayInInterval": "string"
    }
  ]
}

Indicates that the schedule of payments is defined by a series of intervals. Mandatory if recurrenceUType is set to intervalSchedule

Properties

Name Type Required Restrictions Description
finalPaymentDate DateString optional none The limit date after which no more payments should be made using this schedule. If both finalPaymentDate and paymentsRemaining are present then payments will stop according to the most constraining value. If neither field is present the payments will continue indefinitely
paymentsRemaining PositiveInteger optional none Indicates the number of payments remaining in the schedule. If both finalPaymentDate and paymentsRemaining are present then payments will stop according to the most constraining value, If neither field is present the payments will continue indefinitely
nonBusinessDayTreatment string optional none Enumerated field giving the treatment where a scheduled payment date is not a business day. If absent assumed to be ON.
AFTER - If a scheduled payment date is a non-business day the payment will be made on the first business day after the scheduled payment date.
BEFORE - If a scheduled payment date is a non-business day the payment will be made on the first business day before the scheduled payment date.
ON - If a scheduled payment date is a non-business day the payment will be made on that day regardless.
ONLY - Payments only occur on business days. If a scheduled payment date is a non-business day the payment will be ignored
intervals [BankingScheduledPaymentInterval] mandatory none An array of interval objects defining the payment schedule. Each entry in the array is additive, in that it adds payments to the overall payment schedule. If multiple intervals result in a payment on the same day then only one payment will be made. Must have at least one entry

Enumerated Values

Property Value
nonBusinessDayTreatment AFTER
nonBusinessDayTreatment BEFORE
nonBusinessDayTreatment ON
nonBusinessDayTreatment ONLY

BankingScheduledPaymentInterval

{
  "interval": "string",
  "dayInInterval": "string"
}

Properties

Name Type Required Restrictions Description
interval ExternalRef mandatory none An interval for the payment. Formatted according to ISO 8601 Durations (excludes recurrence syntax) with components less than a day in length ignored. This duration defines the period between payments starting with nextPaymentDate
dayInInterval ExternalRef optional none Uses an interval to define the ordinal day within the interval defined by the interval field on which the payment occurs. If the resulting duration is 0 days in length or larger than the number of days in the interval then the payment will occur on the last day of the interval. A duration of 1 day indicates the first day of the interval. If absent the assumed value is P1D. Formatted according to ISO 8601 Durations (excludes recurrence syntax) with components less than a day in length ignored. The first day of a week is considered to be Monday.

BankingScheduledPaymentRecurrenceLastWeekday

{
  "finalPaymentDate": "string",
  "paymentsRemaining": 1,
  "interval": "string",
  "lastWeekDay": "FRI",
  "nonBusinessDayTreatment": "ON"
}

Indicates that the schedule of payments is defined according to the last occurrence of a specific weekday in an interval. Mandatory if recurrenceUType is set to lastWeekDay

Properties

Name Type Required Restrictions Description
finalPaymentDate DateString optional none The limit date after which no more payments should be made using this schedule. If both finalPaymentDate and paymentsRemaining are present then payments will stop according to the most constraining value. If neither field is present the payments will continue indefinitely
paymentsRemaining PositiveInteger optional none Indicates the number of payments remaining in the schedule. If both finalPaymentDate and paymentsRemaining are present then payments will stop according to the most constraining value. If neither field is present the payments will continue indefinitely
interval ExternalRef mandatory none The interval for the payment. Formatted according to ISO 8601 Durations (excludes recurrence syntax) with components less than a day in length ignored. This duration defines the period between payments starting with nextPaymentDate
lastWeekDay string mandatory none The weekDay specified. The payment will occur on the last occurrence of this weekday in the interval.
nonBusinessDayTreatment string optional none Enumerated field giving the treatment where a scheduled payment date is not a business day. If absent assumed to be ON.
AFTER - If a scheduled payment date is a non-business day the payment will be made on the first business day after the scheduled payment date.
BEFORE - If a scheduled payment date is a non-business day the payment will be made on the first business day before the scheduled payment date.
ON - If a scheduled payment date is a non-business day the payment will be made on that day regardless.
ONLY - Payments only occur on business days. If a scheduled payment date is a non-business day the payment will be ignored

Enumerated Values

Property Value
lastWeekDay FRI
lastWeekDay MON
lastWeekDay SAT
lastWeekDay SUN
lastWeekDay THU
lastWeekDay TUE
lastWeekDay WED
nonBusinessDayTreatment AFTER
nonBusinessDayTreatment BEFORE
nonBusinessDayTreatment ON
nonBusinessDayTreatment ONLY

BankingScheduledPaymentRecurrenceEventBased

{
  "description": "string"
}

Indicates that the schedule of payments is defined according to an external event that cannot be predetermined. Mandatory if recurrenceUType is set to eventBased

Properties

Name Type Required Restrictions Description
description string mandatory none Description of the event and conditions that will result in the payment. Expected to be formatted for display to a customer

ResponseCommonDiscoveryStatus

{
  "data": {
    "status": "OK",
    "explanation": "string",
    "detectionTime": "string",
    "expectedResolutionTime": "string",
    "updateTime": "string"
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» status string mandatory none Enumeration with values. OK (implementation is fully functional). PARTIAL_FAILURE (one or more end points are unexpectedly unavailable). UNAVAILABLE (the full implementation is unexpectedly unavailable). SCHEDULED_OUTAGE (an advertised outage is in effect)
» explanation string conditional none Provides an explanation of the current outage that can be displayed to an end customer. Mandatory if the status property is any value other than OK
» detectionTime DateTimeString optional none The date and time that the current outage was detected. Should only be present if the status property is PARTIAL_FAILURE or UNAVAILABLE
» expectedResolutionTime DateTimeString optional none The date and time that full service is expected to resume (if known). Should not be present if the status property has a value of OK.
» updateTime DateTimeString mandatory none The date and time that this status was last updated by the Data Holder.
links Links mandatory none none
meta Meta optional none none

Enumerated Values

Property Value
status OK
status PARTIAL_FAILURE
status SCHEDULED_OUTAGE
status UNAVAILABLE

ResponseDiscoveryOutagesList

{
  "data": {
    "outages": [
      {
        "outageTime": "string",
        "duration": "string",
        "isPartial": true,
        "explanation": "string"
      }
    ]
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» outages [DiscoveryOutage] mandatory none List of scheduled outages. Property is mandatory but may contain and empty list if no outages are scheduled
links Links mandatory none none
meta Meta optional none none

DiscoveryOutage

{
  "outageTime": "string",
  "duration": "string",
  "isPartial": true,
  "explanation": "string"
}

Properties

Name Type Required Restrictions Description
outageTime DateTimeString mandatory none Date and time that the outage is scheduled to begin
duration ExternalRef mandatory none Planned duration of the outage. Formatted according to ISO 8601 Durations (excludes recurrence syntax)
isPartial Boolean optional none Flag that indicates, if present and set to true, that the outage is only partial meaning that only a subset of normally available end points will be affected by the outage
explanation string mandatory none Provides an explanation of the current outage that can be displayed to an end customer

ResponseCommonCustomer

{
  "data": {
    "customerUType": "organisation",
    "person": {
      "lastUpdateTime": "string",
      "firstName": "string",
      "lastName": "string",
      "middleNames": [
        "string"
      ],
      "prefix": "string",
      "suffix": "string",
      "occupationCode": "string",
      "occupationCodeVersion": "ANZSCO_1220.0_2013_V1.2"
    },
    "organisation": {
      "lastUpdateTime": "string",
      "agentFirstName": "string",
      "agentLastName": "string",
      "agentRole": "string",
      "businessName": "string",
      "legalName": "string",
      "shortName": "string",
      "abn": "string",
      "acn": "string",
      "isACNCRegistered": true,
      "industryCode": "string",
      "industryCodeVersion": "ANZSIC_1292.0_2006_V2.0",
      "organisationType": "COMPANY",
      "registeredCountry": "string",
      "establishmentDate": "string"
    }
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» customerUType string mandatory none The type of customer object that is present
» person CommonPerson conditional none Mandatory if customerUType is person
» organisation CommonOrganisation conditional none Mandatory if customerUType is organisation
links Links mandatory none none
meta Meta optional none none

Enumerated Values

Property Value
customerUType organisation
customerUType person

ResponseCommonCustomerDetail

{
  "data": {
    "customerUType": "organisation",
    "person": {
      "lastUpdateTime": "string",
      "firstName": "string",
      "lastName": "string",
      "middleNames": [
        "string"
      ],
      "prefix": "string",
      "suffix": "string",
      "occupationCode": "string",
      "occupationCodeVersion": "ANZSCO_1220.0_2013_V1.2",
      "phoneNumbers": [
        {
          "isPreferred": true,
          "purpose": "HOME",
          "countryCode": "string",
          "areaCode": "string",
          "number": "string",
          "extension": "string",
          "fullNumber": "string"
        }
      ],
      "emailAddresses": [
        {
          "isPreferred": true,
          "purpose": "HOME",
          "address": "string"
        }
      ],
      "physicalAddresses": [
        {
          "addressUType": "paf",
          "simple": {
            "mailingName": "string",
            "addressLine1": "string",
            "addressLine2": "string",
            "addressLine3": "string",
            "postcode": "string",
            "city": "string",
            "state": "string",
            "country": "AUS"
          },
          "paf": {
            "dpid": "string",
            "thoroughfareNumber1": 0,
            "thoroughfareNumber1Suffix": "string",
            "thoroughfareNumber2": 0,
            "thoroughfareNumber2Suffix": "string",
            "flatUnitType": "string",
            "flatUnitNumber": "string",
            "floorLevelType": "string",
            "floorLevelNumber": "string",
            "lotNumber": "string",
            "buildingName1": "string",
            "buildingName2": "string",
            "streetName": "string",
            "streetType": "string",
            "streetSuffix": "string",
            "postalDeliveryType": "string",
            "postalDeliveryNumber": 0,
            "postalDeliveryNumberPrefix": "string",
            "postalDeliveryNumberSuffix": "string",
            "localityName": "string",
            "postcode": "string",
            "state": "string"
          },
          "purpose": "MAIL"
        }
      ]
    },
    "organisation": {
      "lastUpdateTime": "string",
      "agentFirstName": "string",
      "agentLastName": "string",
      "agentRole": "string",
      "businessName": "string",
      "legalName": "string",
      "shortName": "string",
      "abn": "string",
      "acn": "string",
      "isACNCRegistered": true,
      "industryCode": "string",
      "industryCodeVersion": "ANZSIC_1292.0_2006_V2.0",
      "organisationType": "COMPANY",
      "registeredCountry": "string",
      "establishmentDate": "string",
      "physicalAddresses": [
        {
          "addressUType": "paf",
          "simple": {
            "mailingName": "string",
            "addressLine1": "string",
            "addressLine2": "string",
            "addressLine3": "string",
            "postcode": "string",
            "city": "string",
            "state": "string",
            "country": "AUS"
          },
          "paf": {
            "dpid": "string",
            "thoroughfareNumber1": 0,
            "thoroughfareNumber1Suffix": "string",
            "thoroughfareNumber2": 0,
            "thoroughfareNumber2Suffix": "string",
            "flatUnitType": "string",
            "flatUnitNumber": "string",
            "floorLevelType": "string",
            "floorLevelNumber": "string",
            "lotNumber": "string",
            "buildingName1": "string",
            "buildingName2": "string",
            "streetName": "string",
            "streetType": "string",
            "streetSuffix": "string",
            "postalDeliveryType": "string",
            "postalDeliveryNumber": 0,
            "postalDeliveryNumberPrefix": "string",
            "postalDeliveryNumberSuffix": "string",
            "localityName": "string",
            "postcode": "string",
            "state": "string"
          },
          "purpose": "MAIL"
        }
      ]
    }
  },
  "links": {
    "self": "string"
  },
  "meta": {}
}

Properties

Name Type Required Restrictions Description
data object mandatory none none
» customerUType string mandatory none The type of customer object that is present
» person CommonPersonDetail conditional none Mandatory if customerUType is person
» organisation CommonOrganisationDetail conditional none Mandatory if customerUType is organisation
links Links mandatory none none
meta Meta optional none none

Enumerated Values

Property Value
customerUType organisation
customerUType person

CommonPerson

{
  "lastUpdateTime": "string",
  "firstName": "string",
  "lastName": "string",
  "middleNames": [
    "string"
  ],
  "prefix": "string",
  "suffix": "string",
  "occupationCode": "string",
  "occupationCodeVersion": "ANZSCO_1220.0_2013_V1.2"
}

Properties

Name Type Required Restrictions Description
lastUpdateTime DateTimeString optional none The date and time that this record was last updated by the customer. If no update has occurred then this date should reflect the initial creation date for the data
firstName string optional none For people with single names this field need not be present. The single name should be in the lastName field
lastName string mandatory none For people with single names the single name should be in this field
middleNames [string] mandatory none Field is mandatory but array may be empty
prefix string optional none Also known as title or salutation. The prefix to the name (e.g. Mr, Mrs, Ms, Miss, Sir, etc)
suffix string optional none Used for a trailing suffix to the name (e.g. Jr)
occupationCode ExternalRef optional none Value is a valid ANZSCO Standard Occupation classification code. If the occupation code held by the data holder is not one of the supported ANZSCO versions, then it must not be supplied.
occupationCodeVersion string conditional none The applicable ANZSCO release version of the occupation code provided. Mandatory if an occupationCode is supplied. If occupationCode is supplied but occupationCodeVersion is absent, default is ANZSCO_1220.0_2013_V1.2

Enumerated Values

Property Value
occupationCodeVersion ANZSCO_1220.0_2006_V1.0
occupationCodeVersion ANZSCO_1220.0_2006_V1.1
occupationCodeVersion ANZSCO_1220.0_2013_V1.2
occupationCodeVersion ANZSCO_1220.0_2013_V1.3

CommonPersonDetail

{
  "lastUpdateTime": "string",
  "firstName": "string",
  "lastName": "string",
  "middleNames": [
    "string"
  ],
  "prefix": "string",
  "suffix": "string",
  "occupationCode": "string",
  "occupationCodeVersion": "ANZSCO_1220.0_2013_V1.2",
  "phoneNumbers": [
    {
      "isPreferred": true,
      "purpose": "HOME",
      "countryCode": "string",
      "areaCode": "string",
      "number": "string",
      "extension": "string",
      "fullNumber": "string"
    }
  ],
  "emailAddresses": [
    {
      "isPreferred": true,
      "purpose": "HOME",
      "address": "string"
    }
  ],
  "physicalAddresses": [
    {
      "addressUType": "paf",
      "simple": {
        "mailingName": "string",
        "addressLine1": "string",
        "addressLine2": "string",
        "addressLine3": "string",
        "postcode": "string",
        "city": "string",
        "state": "string",
        "country": "AUS"
      },
      "paf": {
        "dpid": "string",
        "thoroughfareNumber1": 0,
        "thoroughfareNumber1Suffix": "string",
        "thoroughfareNumber2": 0,
        "thoroughfareNumber2Suffix": "string",
        "flatUnitType": "string",
        "flatUnitNumber": "string",
        "floorLevelType": "string",
        "floorLevelNumber": "string",
        "lotNumber": "string",
        "buildingName1": "string",
        "buildingName2": "string",
        "streetName": "string",
        "streetType": "string",
        "streetSuffix": "string",
        "postalDeliveryType": "string",
        "postalDeliveryNumber": 0,
        "postalDeliveryNumberPrefix": "string",
        "postalDeliveryNumberSuffix": "string",
        "localityName": "string",
        "postcode": "string",
        "state": "string"
      },
      "purpose": "MAIL"
    }
  ]
}

Properties

allOf

Name Type Required Restrictions Description
anonymous CommonPerson mandatory none none

and

Name Type Required Restrictions Description
anonymous object mandatory none none
» phoneNumbers [CommonPhoneNumber] mandatory none Array is mandatory but may be empty if no phone numbers are held
» emailAddresses [CommonEmailAddress] mandatory none May be empty
» physicalAddresses [CommonPhysicalAddressWithPurpose] mandatory none Must contain at least one address. One and only one address may have the purpose of REGISTERED. Zero or one, and no more than one, record may have the purpose of MAIL. If zero then the REGISTERED address is to be used for mail

CommonOrganisation

{
  "lastUpdateTime": "string",
  "agentFirstName": "string",
  "agentLastName": "string",
  "agentRole": "string",
  "businessName": "string",
  "legalName": "string",
  "shortName": "string",
  "abn": "string",
  "acn": "string",
  "isACNCRegistered": true,
  "industryCode": "string",
  "industryCodeVersion": "ANZSIC_1292.0_2006_V2.0",
  "organisationType": "COMPANY",
  "registeredCountry": "string",
  "establishmentDate": "string"
}

Properties

Name Type Required Restrictions Description
lastUpdateTime DateTimeString optional none The date and time that this record was last updated by the customer. If no update has occurred then this date should reflect the initial creation date for the data
agentFirstName string optional none The first name of the individual providing access on behalf of the organisation. For people with single names this field need not be present. The single name should be in the lastName field
agentLastName string mandatory none The last name of the individual providing access on behalf of the organisation. For people with single names the single name should be in this field
agentRole string mandatory none The role of the individual identified as the agent who is providing authorisation. Expected to be used for display. Default to Unspecified if the role is not known
businessName string mandatory none Name of the organisation
legalName string optional none Legal name, if different to the business name
shortName string optional none Short name used for communication, if different to the business name
abn string optional none Australian Business Number for the organisation
acn string optional none Australian Company Number for the organisation. Required only if an ACN is applicable for the organisation type
isACNCRegistered Boolean optional none True if registered with the ACNC. False if not. Absent or null if not confirmed.
industryCode ExternalRef optional none A valid ANZSIC code for the organisation. If the industry code held by the data holder is not one of the supported ANZSIC versions, then it must not be supplied.
industryCodeVersion string conditional none The applicable ANZSIC release version of the industry code provided. Should only be supplied if industryCode is also supplied. If industryCode is supplied but industryCodeVersion is absent, default is ANZSIC_1292.0_2006_V2.0
organisationType string mandatory none Legal organisation type
registeredCountry ExternalRef optional none Enumeration with values from ISO 3166 Alpha-3 country codes. Assumed to be AUS if absent
establishmentDate DateString optional none The date the organisation described was established

Enumerated Values

Property Value
industryCodeVersion ANZSIC_1292.0_2006_V1.0
industryCodeVersion ANZSIC_1292.0_2006_V2.0
organisationType COMPANY
organisationType GOVERNMENT_ENTITY
organisationType OTHER
organisationType PARTNERSHIP
organisationType SOLE_TRADER
organisationType TRUST

CommonOrganisationDetail

{
  "lastUpdateTime": "string",
  "agentFirstName": "string",
  "agentLastName": "string",
  "agentRole": "string",
  "businessName": "string",
  "legalName": "string",
  "shortName": "string",
  "abn": "string",
  "acn": "string",
  "isACNCRegistered": true,
  "industryCode": "string",
  "industryCodeVersion": "ANZSIC_1292.0_2006_V2.0",
  "organisationType": "COMPANY",
  "registeredCountry": "string",
  "establishmentDate": "string",
  "physicalAddresses": [
    {
      "addressUType": "paf",
      "simple": {
        "mailingName": "string",
        "addressLine1": "string",
        "addressLine2": "string",
        "addressLine3": "string",
        "postcode": "string",
        "city": "string",
        "state": "string",
        "country": "AUS"
      },
      "paf": {
        "dpid": "string",
        "thoroughfareNumber1": 0,
        "thoroughfareNumber1Suffix": "string",
        "thoroughfareNumber2": 0,
        "thoroughfareNumber2Suffix": "string",
        "flatUnitType": "string",
        "flatUnitNumber": "string",
        "floorLevelType": "string",
        "floorLevelNumber": "string",
        "lotNumber": "string",
        "buildingName1": "string",
        "buildingName2": "string",
        "streetName": "string",
        "streetType": "string",
        "streetSuffix": "string",
        "postalDeliveryType": "string",
        "postalDeliveryNumber": 0,
        "postalDeliveryNumberPrefix": "string",
        "postalDeliveryNumberSuffix": "string",
        "localityName": "string",
        "postcode": "string",
        "state": "string"
      },
      "purpose": "MAIL"
    }
  ]
}

Properties

allOf

Name Type Required Restrictions Description
anonymous CommonOrganisation mandatory none none

and

Name Type Required Restrictions Description
anonymous object mandatory none none
» physicalAddresses [CommonPhysicalAddressWithPurpose] mandatory none Must contain at least one address. One and only one address may have the purpose of REGISTERED. Zero or one, and no more than one, record may have the purpose of MAIL. If zero then the REGISTERED address is to be used for mail

CommonPhoneNumber

{
  "isPreferred": true,
  "purpose": "HOME",
  "countryCode": "string",
  "areaCode": "string",
  "number": "string",
  "extension": "string",
  "fullNumber": "string"
}

Properties

Name Type Required Restrictions Description
isPreferred Boolean optional none May be true for one and only one entry to indicate the preferred phone number. Assumed to be 'false' if not present
purpose string mandatory none The purpose of the number as specified by the customer
countryCode string optional none If absent, assumed to be Australia (+61). The + should be included
areaCode string conditional none Required for non Mobile Phones, if field is present and refers to Australian code - the leading 0 should be omitted.
number string mandatory none The actual phone number, with leading zeros as appropriate
extension string optional none An extension number (if applicable)
fullNumber ExternalRef mandatory none Fully formatted phone number with country code, area code, number and extension incorporated. Formatted according to section 5.1.4. of RFC 3966

Enumerated Values

Property Value
purpose HOME
purpose INTERNATIONAL
purpose MOBILE
purpose OTHER
purpose UNSPECIFIED
purpose WORK

CommonEmailAddress

{
  "isPreferred": true,
  "purpose": "HOME",
  "address": "string"
}

Properties

Name Type Required Restrictions Description
isPreferred Boolean optional none May be true for one and only one email record in the collection. Denotes the default email address
purpose string mandatory none The purpose for the email, as specified by the customer (Enumeration)
address ExternalRef mandatory none A correctly formatted email address, as defined by the addr_spec format in RFC 5322

Enumerated Values

Property Value
purpose HOME
purpose OTHER
purpose UNSPECIFIED
purpose WORK

CommonPhysicalAddressWithPurpose

{
  "addressUType": "paf",
  "simple": {
    "mailingName": "string",
    "addressLine1": "string",
    "addressLine2": "string",
    "addressLine3": "string",
    "postcode": "string",
    "city": "string",
    "state": "string",
    "country": "AUS"
  },
  "paf": {
    "dpid": "string",
    "thoroughfareNumber1": 0,
    "thoroughfareNumber1Suffix": "string",
    "thoroughfareNumber2": 0,
    "thoroughfareNumber2Suffix": "string",
    "flatUnitType": "string",
    "flatUnitNumber": "string",
    "floorLevelType": "string",
    "floorLevelNumber": "string",
    "lotNumber": "string",
    "buildingName1": "string",
    "buildingName2": "string",
    "streetName": "string",
    "streetType": "string",
    "streetSuffix": "string",
    "postalDeliveryType": "string",
    "postalDeliveryNumber": 0,
    "postalDeliveryNumberPrefix": "string",
    "postalDeliveryNumberSuffix": "string",
    "localityName": "string",
    "postcode": "string",
    "state": "string"
  },
  "purpose": "MAIL"
}

Properties

allOf

Name Type Required Restrictions Description
anonymous CommonPhysicalAddress mandatory none none

and

Name Type Required Restrictions Description
anonymous object mandatory none none
» purpose string mandatory none Enumeration of values indicating the purpose of the physical address

Enumerated Values

Property Value
purpose MAIL
purpose OTHER
purpose PHYSICAL
purpose REGISTERED
purpose WORK

CommonPhysicalAddress

{
  "addressUType": "paf",
  "simple": {
    "mailingName": "string",
    "addressLine1": "string",
    "addressLine2": "string",
    "addressLine3": "string",
    "postcode": "string",
    "city": "string",
    "state": "string",
    "country": "AUS"
  },
  "paf": {
    "dpid": "string",
    "thoroughfareNumber1": 0,
    "thoroughfareNumber1Suffix": "string",
    "thoroughfareNumber2": 0,
    "thoroughfareNumber2Suffix": "string",
    "flatUnitType": "string",
    "flatUnitNumber": "string",
    "floorLevelType": "string",
    "floorLevelNumber": "string",
    "lotNumber": "string",
    "buildingName1": "string",
    "buildingName2": "string",
    "streetName": "string",
    "streetType": "string",
    "streetSuffix": "string",
    "postalDeliveryType": "string",
    "postalDeliveryNumber": 0,
    "postalDeliveryNumberPrefix": "string",
    "postalDeliveryNumberSuffix": "string",
    "localityName": "string",
    "postcode": "string",
    "state": "string"
  }
}

Properties

Name Type Required Restrictions Description
addressUType string mandatory none The type of address object present
simple CommonSimpleAddress conditional none none
paf CommonPAFAddress conditional none Australian address formatted according to the file format defined by the PAF file format

Enumerated Values

Property Value
addressUType paf
addressUType simple

CommonSimpleAddress

{
  "mailingName": "string",
  "addressLine1": "string",
  "addressLine2": "string",
  "addressLine3": "string",
  "postcode": "string",
  "city": "string",
  "state": "string",
  "country": "AUS"
}

Properties

Name Type Required Restrictions Description
mailingName string optional none Name of the individual or business formatted for inclusion in an address used for physical mail
addressLine1 string mandatory none First line of the standard address object
addressLine2 string optional none Second line of the standard address object
addressLine3 string optional none Third line of the standard address object
postcode string conditional none Mandatory for Australian addresses
city string mandatory none Name of the city or locality
state string mandatory none Free text if the country is not Australia. If country is Australia then must be one of the values defined by the State Type Abbreviation in the PAF file format. NSW, QLD, VIC, NT, WA, SA, TAS, ACT, AAT
country ExternalRef optional none A valid ISO 3166 Alpha-3 country code. Australia (AUS) is assumed if country is not present.

CommonPAFAddress

{
  "dpid": "string",
  "thoroughfareNumber1": 0,
  "thoroughfareNumber1Suffix"