Open Banking Specifics in Sweden
# Authentication flows and SCA
Major banks operating in Sweden support both redirect and decoupled auth flows in their Open Banking interfaces. The primary Strong Customer Authentication (SCA) method, supported by all Swedish banks, is BankID, Sweden’s widely used national e-identification system.
Although BankID exists as both a desktop and a mobile application, Mobile BankID (Mobilt BankID) is the one used the most.
App-to-app switching is used when Mobile BankID is installed on the device where authentication is initiated. On desktop, a QR code is presented for the user to scan with their mobile device to complete authentication.
In Sweden, the Personal Identity Number (personnummer) — commonly referred to as the Swedish SSN — plays a crucial role in user identification. Most major Swedish banks support SSN verification via their Open Banking APIs as part of the authentication flow. When using BankID for Open Banking SCA, the user's SSN is provided by the TPP to the bank, which uses it in the BankID auth session.
# Major Banks (ASPSPs)
The most widely used Swedish ASPSPs, in order of significance, are:
- Swedbank (and Sparbanken)
- SEB
- Handelsbanken
- Nordea
- Länsförsäkringar Bank
 
A full list of Swedish banks (as per EBA) is available here.
# Payment Specifics
All Swedish banks support domestic credit transfers in SEK and SEPA Credit Transfers (SCT) in EUR via their open banking APIs.
SEPA Instant Credit Transfers (SCT Inst) are not supported in Sweden. Most payments are processed as regular SCTs or domestic transfers.
Domestic account numbers follow the bank clearing number + account number scheme and need to be provided in this format when domestic payments are initiated via open banking APIs.
Domestic payments in SEK are the most common; however, real-time settlement between banks is not supported, and there are strict cut-off times after which payments are not executed.
Bankgirot is a proprietary clearing system in Sweden used for bill payments. Bankgirot provides its own account numbers for receiving payments, which differ from the domestic account numbers. After being settled by Bankgirot, multiple payments are transferred to the receiver's bank account in batches. Individual payments in the batches have limited details in PSD2 AIS data, so when fetching transaction data for accounts that receive Bankgiro payments, it may prove difficult to identify the original sender of a transaction.
Most Swedish banks support initiation of Bankgirot payments through their open banking APIs. Account owners can define whether they accept payments only with a valid OCR or with a message field. When initiating Bankgiro payments using Enable Banking API, the OCR should be placed in the reference_number field and the message in the remittance_information field of CreditTransferTransaction. If both are supplied, reference_number has priority in cases where only one of them is accepted by the ASPSP.
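One way to prepare these two fields before initiating a Bankgiro payment, as an added example (not code from Enable Banking): the OCR is checked against the Luhn (modulus-10) check digit that Bankgiro OCR references end with, so a mistyped reference is caught locally instead of being rejected by a payee that accepts only valid OCRs. The function names, the 2 to 25 digit length bound and the list shape of remittance_information are assumptions; only the two field names come from the page.

```python
import re


def luhn_ok(digits):
    """True when the last digit is a valid Luhn (modulus-10) check digit."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def bankgiro_reference_fields(ocr=None, message=None):
    """Build the reference part of a Bankgiro credit transfer.

    A valid OCR goes into reference_number and a free-text message into
    remittance_information. An OCR that fails validation raises instead of
    being silently downgraded to a message.
    """
    fields = {}
    if ocr is not None:
        cleaned = re.sub(r"\s+", "", ocr)
        # Assumption: OCR references are 2 to 25 digits, check digit included.
        if not re.fullmatch(r"\d{2,25}", cleaned) or not luhn_ok(cleaned):
            raise ValueError("OCR reference failed format or check-digit validation")
        fields["reference_number"] = cleaned
    if message is not None and message.strip():
        # Assumption: remittance_information is sent as a list of strings.
        fields["remittance_information"] = [message.strip()]
    if not fields:
        raise ValueError("either an OCR or a message is required")
    return fields


# Constructed sample values (not real payment references).
SAMPLE_VALID_OCR = "7992 7398 713"
SAMPLE_INVALID_OCR = "79927398710"
```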
# Specifics per ASPSP
# Danske Bank
Danske Bank provides redirect authentication flow only.
# Handelsbanken
Handelsbanken provides both redirect and decoupled auth flows for Open Banking.
Domestic payments in SEK and SEPA payments in EUR are supported.
# Power of attorney for access to business accounts
Users wishing to authorise TPPs to access business accounts or initiate payments from business accounts need to make sure that they have a power of attorney to use Open Banking services on behalf of the company, which can be arranged through the Handelsbanken online bank.
Guides for end users on authorisation and on the actions that might be required to enable access to open banking are available here.
# Sandbox Availability
Handelsbanken provides a sandbox environment suitable for end-to-end testing including authorisation flows, account information retrieval, and initiation of payments.
It is available through the Enable Banking API's sandbox environment. Please refer to the Sandbox Credentials section for the credentials to be used for authentication in the Handelsbanken sandbox.
# Länsförsäkringar Bank
Länsförsäkringar Bank offers only the redirect flow in the Open Banking interface.
Payments in SEK and EUR are supported.
# Nordea
In Sweden, Nordea provides both redirect and decoupled auth flows for Open Banking.
As with Nordea in Finland, Swedish Nordea users must specify a debtor account when initiating a payment. If not specified, additional SCA steps may be required.
For business users, Nordea provides multiple account types managed through different systems. The open banking APIs differ between these systems, so when using Enable Banking API end users have to choose a different "brand" depending on the system they use. The available options are:
- Nordea (for the users of Nordea Business, which is used mostly by SME customers),
- Nordea Corporate (for the users of Nordea Corporate Netbank, which is mainly used by larger companies),
- Nordea First Card (for the users of Nordea First Card, which provides payment cards for businesses).
 
When initiating a payment without explicitly specifying a debtor account in the request, Nordea requires double SCA: the first authentication is used to fetch the list of accounts, and the second is used to authorise the selected payment.
Guides for end users on authorisation and on the actions that might be required to enable access to open banking are available here:
# Sandbox Availability
Nordea provides a sandbox environment suitable for end-to-end testing including authorisation flows, account information retrieval, and initiation of payments.
It is available through the Enable Banking API's sandbox environment. Please refer to the Sandbox Credentials section for the credentials to be used for authentication in the Nordea sandbox.
The sandbox environment is also available for Nordea Corporate and Nordea First Card.
# SEB
SEB provides both redirect and decoupled auth flows for Open Banking.
Guides for end users on authorisation and on the actions that might be required to enable access to open banking are available here.
# Swedbank
Swedbank, along with the Savings Banks that are part of the Swedbank Group, provides both redirect and decoupled auth flows for Open Banking.
# Account Holder Name Availability
Swedbank makes the account holder name available only right after authorisation. This means that the account holder name cannot be obtained through Enable Banking API in response to the GET /accounts/{account_id}/details request; it is available only in the response to the POST /sessions request, which completes the authorisation process and makes all account details available.
# Historic Transaction Limitations
Swedbank provides different mechanisms for retrieving recent transactions (less than 90 days old) and historic transactions (older than 90 days). Recent transactions are provided with more detailed information, can be retrieved within seconds, and are available at any time after authorisation has been completed. Historic transactions, however, are subject to the restrictions listed below.
- Less detailed information: Multiple fields are omitted. In particular, the transaction entry reference is missing.
- Longer processing time: Retrieval of historic transactions requires additional time and may take up to several minutes. Enable Banking API will return an empty list of transactions and a non-null continuation_key, which should be passed back into the /accounts/{account_id}/transactions endpoint until all transactions are returned. If a very long period of transactions has been requested (over 3 years), the retrieval process may fail because the bank may not be able to prepare all data within a reasonable timeframe.
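The retrieval loop described in the second item, as an added example (not Enable Banking's own code): an empty page with a non-null continuation_key is treated as "still preparing" and polled with backoff under an overall deadline, so a slow or failed historic export can neither hang the caller nor be mistaken for an account without transactions. The fetch_page callable, the transactions response field, ending on a null continuation_key and the timing values are assumptions; the fake bank is constructed sample data.

```python
import time


class HistoryTimeout(Exception):
    """The bank did not finish preparing historic data before the deadline."""


def fetch_all_transactions(fetch_page, max_wait_s=600.0, base_delay_s=2.0,
                           sleep=time.sleep, clock=time.monotonic):
    """Drain /accounts/{account_id}/transactions using continuation_key.

    fetch_page(continuation_key) is a hypothetical callable that performs the
    HTTP request and returns the decoded JSON body as a dict.
    """
    deadline = clock() + max_wait_s
    transactions, key, delay = [], None, base_delay_s
    while True:
        page = fetch_page(key)
        batch = page.get("transactions") or []
        next_key = page.get("continuation_key")
        transactions.extend(batch)
        if next_key is None:
            return transactions  # only a null key means the data is complete
        if batch:
            delay = base_delay_s  # data is flowing, request the next page now
        else:
            # Empty page plus a key: the bank is still preparing the export.
            if clock() + delay > deadline:
                raise HistoryTimeout("historic transactions not ready in time")
            sleep(delay)
            delay = min(delay * 2, 30.0)
        key = next_key


def make_fake_bank():
    """Constructed stand-in for the API: two 'not ready' pages, then data."""
    pages = {
        None: {"transactions": [], "continuation_key": "k1"},
        "k1": {"transactions": [], "continuation_key": "k2"},
        "k2": {"transactions": [{"amount": "10.00"}], "continuation_key": "k3"},
        "k3": {"transactions": [{"amount": "25.50"}], "continuation_key": None},
    }
    return lambda key: pages[key]
```

Passing sleep and clock as parameters lets the loop be tested without real waiting; in production the defaults apply.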
# Payment Specifics
Swedbank allows Bankgiro payments only to creditor accounts that the PSU has added to their recipient list. When using the redirect authorisation method, the user may add these during the payment initiation flow in the bank's UI. A payment is considered a duplicate when these fields contain identical information: the type of payment, date, amount, debit account, credit account and remittance information (OCR number/message). This will lead to a rejected payment.
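A pre-submission check for the duplicate rule above, as an added example (not Enable Banking's or Swedbank's code): it fingerprints the six compared fields so that a batch or a retry containing a payment the bank would treat as identical is caught before initiation. The dictionary keys and the normalisation (whitespace and case ignored, amounts compared to two decimals) are assumptions that err towards flagging; the sample batch is constructed.

```python
import hashlib
from decimal import Decimal

# Hypothetical local field names for the six attributes the bank compares.
DUP_FIELDS = ("payment_type", "date", "amount", "debtor_account",
              "creditor_account", "remittance")


def duplicate_key(payment):
    """Fingerprint of the fields that make two payments 'identical'."""
    parts = []
    for name in DUP_FIELDS:
        value = payment[name]
        if name == "amount":
            # 100, "100.0" and "100.00" are the same amount
            value = format(Decimal(str(value)).quantize(Decimal("0.01")), "f")
        else:
            # Assumption: ignore whitespace and case (conservative matching)
            value = "".join(str(value).split()).upper()
        parts.append(value)
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def find_duplicates(payments):
    """Return (index, index_of_first_occurrence) for every repeated payment."""
    seen, duplicates = {}, []
    for index, payment in enumerate(payments):
        key = duplicate_key(payment)
        if key in seen:
            duplicates.append((index, seen[key]))
        else:
            seen[key] = index
    return duplicates


# Constructed sample batch: entry 1 repeats entry 0, entry 2 has another reference.
SAMPLE_BASE = {"payment_type": "bankgiro", "date": "2024-05-02",
               "amount": "100.00", "debtor_account": "DEBTOR-ACCOUNT-1",
               "creditor_account": "123-4567", "remittance": "79927398713"}
SAMPLE_BATCH = [
    SAMPLE_BASE,
    dict(SAMPLE_BASE, amount="100.0", debtor_account="debtor-account-1 "),
    dict(SAMPLE_BASE, remittance="Invoice 42"),
]
```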
# Sandbox Availability
Swedbank provides a sandbox environment suitable for end-to-end testing including authorisation flows, account information retrieval, and initiation of payments.
It is available through the Enable Banking API's sandbox environment. Please refer to the Sandbox Credentials section for the credentials to be used for authentication in the Swedbank sandbox.