API Account Verification Service (AVS)

Overview

Account Verification Service API service allows you to submit a request to verify that the account details captured belong to the person or organisation that is intended.

This will be through a pull, where the client will send a request through an API call to the bank and the bank will respond with an AVS response through the API service.

Description

This service allows you to:

• Subscribe to the API on your own behalf
• Connect to the API on your own behalf
• Request to verify account(s) owner
• Single or bulk account owner verification service is available

FirstRand Group Division / Segments

• RMB Corporate
• FNB Commercial and Public Sector Banking

Jurisdictions

South African (Domestic On-Us and Off-Us) Account verification service available to South African FRG clients.

Account Types

On-Us and Off-Us Transactional and Savings account verifications including:

• Current
• Savings
• Transmissions

Information required for AVS requests

• Account number
• Branch code
• Connect to the API through a Third-Party.
• ID / Co Reg. number
• Initial
• Surname / Business name
• Cellphone number
• Email

AVS Service Volumes and Timing

• Single AVS verification service
  • In Real Time for On-Us and Off-Us
• Multiple / Bulk AVS verification service
  • In Batch and subject to cut-off time for Off-Us verification requests
  • In Real Time for Batch On-Us verification requests

Overview

OpenAPI Specification (OAS) is an industry standard programming language-agnostic specification standard for RESTful APIs. OAS allows easy access to discover and understand the API without having access to the source code, documentation or implementation logic. OAS is also widely known as Swagger specification.

How to get the API

The client can connect and consume the API in two ways:

• Unassisted: With unassisted, you can subscribe to the Account Verification Service API on integration channel, which is found under the Business Solutions tab on Online Banking Enterprise ™
• Assisted: You can contact your digital profile manager, transactional portfolio manager or implementation manager who can assist in connecting you to the API.

How to connect to the API

The client can connect and consume the API in two ways:

1 On my own behalf

You can connect to the API directly from your line of business system. This can be achieved without a technology intermediary or third-party (System Operator or Technology partner).

In both unassisted and assisted journeys, you can maintain your connection details to your line of business system.

2 Through a Third-Party

You delegate the API processing and connection responsibility to an intermediary or third-party (System Operator or Technology Partner).

With this connection type, you will be required to provide the bank with consent to share your product account information with the third-party as well as indicate which accounts the third-party can retrieve information on. Consent will be provided through completing a consent form on the integration channel and orchestrated through the authorisation code flow as described on the authorisation section of this document.

Security access and control

Our API is secured and protected. We require positive authentication and authorisation, and access tokens to gain access to the API.

Authentication

API client authentication use JWT signed tokens. Authentication will be done through the use of a Client ID and Client secret that will serve as credentials to positively identify the customer. The credentials are provided through the subscribe process on the integration channel.

Authorisation

Authorisation is achieved through the OAuth 2.0 standard using the Authorisation code flow. The Auth code flow includes using an Auth code to receive an access token to initiate the process to make calls. When connecting through a third-party, the Authorisation can be done in two ways:

• Auth Code: The Client receives the Auth code when subscribing to the service on Integration Channel and share the Auth code with the Third-party to connect to the API.
• OAuth 2.0: The third-party provides their Redirect URL when subscribing to the service and the client will be redirected to the Third-party's when they complete the subscription and choosing to connect through a third-party.

Access Token

This is treated as a subset of authorisation.

Access tokens can be obtained through the OAuth 2.0 token endpoint by either presenting the authorisation code or a refresh token. An access token is used each time a call is made and has a set life span, once expired the refresh token can be used to request a new access token. In the instance where both the access and refresh token expire, the client will need to request for a new access and refresh token by initiating the connect process again.

Rest API

RESTful API represents API call received through a RESTful service using the HTTP as a transport layer. RESTful API's are useful when broken down into simple method calls as it enables the simplified interaction with the Bank and the future development of the FirstRand API Economy.

API reference

The message follows the ISO20022 message standard in JSON Format.

Account Verification Service API contains the below method(s)

• GET - Retrieve AVS
  • Allows you to request for account verification on demand.
  • POST - Retrieve downloaded AVS
    • Allows you to retrieve AVS responses that have already been downloaded.