The only way Third Party Account Information Providers can act on the customers’ behalf is if the customer has given explicit consent (authorization) to have such permissions. Consent is valid for up to 90 days. Consent can be revoked by the customer at any time.
To initiate payment on behalf of the customer, the customer will always be asked for Strong Customer Authentication (SCA) to confirm such payment.
Redirect SCA authorization works to access APIs. Customers can give Consent or authorize payments using these SCA methods: MobileSCAN (Latvia, Lithuania), Code card, Code calculator, Mobile-ID (Estonia), Mobile Signature (Lithuania).
APIs are built on EU PSD2 regulation guidelines and standards. No customer data can be accessed by third parties without proper licensing and receiving customer consent or authorization first.
Citadele API contains these endpoints: