Open Banking Specifics in Spain
# General Specifics
Most Spanish banks use PSD2-compliant Open Banking APIs developed and supported by Redsys (opens new window). Although the Redsys PSD2 platform provides a standardized API for all the banks it serves, there are significant differences in how the Open Banking interfaces behave across banks. These differences primarily relate to the end-user authentication experience, the data exposed through the Account Information APIs, and the range of payment products supported in the Payment Initiation APIs.
Availability and stability of Open Banking APIs also vary significantly between banks, even when both use the Redsys platform. Additionally, banks migrate between different versions of the Redsys platform at different times: some perform seamless transitions, while others face issues with newer API versions.
All banks leveraging the Redsys PSD2 platform outsource frontline TPP support to Redsys, which is provided through a dedicated helpdesk portal.
# Authentication flows and SCA
Spanish banks predominantly use redirect-based flows for Open Banking authentication. Users are redirected to the bank's authentication page, which can be accessed either via browser or for some banks through app-switching if the mobile banking app is installed. SCA is commonly performed through the bank's mobile app using biometrics or PIN, but fallback methods like SMS OTP are also used by smaller financial institutions.
When automatic app-switching to the mobile banking app is not available, banks' customers in Spain typically authenticate using a combination of a national ID number (DNI/NIE) and their password or PIN.
All banks relying on the Redsys PSD2 platform allow a maximum of one active authentication session per user per TPP, counting authentications used for both account information and payment initiation services. A new authentication performed by the end user automatically invalidates any authentication token.
# Major Banks (ASPSPs)
The most widely used Spanish ASPSPs are:
Full list of banks (as per EBA) is available here (opens new window).
# Payment Specifics
All Spanish banks support SEPA Credit Transfers (SCT) in EUR (Euro) via their open banking APIs. Support for Instant SEPA Credit Transfers (SCT Inst) is offered by some major Spanish banks but not yet adopted by all.
All banks relying on the Redsys PSD2 platform require authentication tokens to retrieve payment status. Because of this, it is not possible to track the status of multiple payments authorised by the same user, as each authorisation requires new authentication, which invalidates previous tokens.
# Specifics per ASPSP
# Banco Sabadell
Information about Open Banking specifics for Banco Sabadell is not yet available. We are actively working on it and will publish it as soon as possible. If you have any questions in the meantime, please contact us at support.api@enablebanking.com.
# Banco Santander
Information about Open Banking specifics for Banco Santander is not yet available. We are actively working on it and will publish it as soon as possible. If you have any questions in the meantime, please contact us at support.api@enablebanking.com.
# Bankinter
Bankinter's open banking interface uses a redirect authentication flow with SCA performed in the Bankinter Móvil app. App switch is not automatic and requires the user to input their credentials on the bank's authentication web page even when Bankinter Móvil app is installed on the device.
# BBVA
BBVA's open banking API provides redirect authentication flow. No automatic app switch if the BBVA mobile app is installed, authentication always requires a user ID and password, followed by a push notification for SCA approval using biometrics or PIN in the BBVA mobile app.
BBVA distinguishes between personal and business accounts, so after redirect to the bank's authentication page users must choose between business and private authentication. In case of the business authentication in addition to the user ID and password, eight-digit company code needs to be provided.
# CaixaBank
CaixaBank uses its CaixaBankNow app for SCA, supporting automatic app switch on mobile devices. Users authenticate with their DNI/NIE and a password, followed by biometric or PIN-based SCA in the app.
# Kutxabank
Kutxabank provides a redirect-based flow and uses the Kutxabank app for SCA. App switch is not supported, and users must manually navigate to the app after receiving a push notification.
# Unicaja Banco
Information about Open Banking specifics for Unicaja Banco is not yet available. We are actively working on it and will publish it as soon as possible. If you have any questions in the meantime, please contact us at support.api@enablebanking.com.