Data restrictions

Historical Data

When executing Get Transactions, the amount of historical data provided by each Institution is ultimately decided by the Institution. By default, each Institution should provide a minimum of 90 days of historical transactions, however, the amount of transactions available tends to vary across regions e.g. in the UK, it is common to receive several years whereas a European Institution is more likely to only provide 90 days worth of history.

CBI Globe Gateway

For institutions accessed via the CBI Globe Gateway, to retrieve historical transactions older than 90 days, an additional consent is needed from the PSU. In the POST Create Account Authorisation use the transactionFrom and transactionTo fields from AccountRequest to specify the dates you would like to retrieve transactions for. You can specify a time frame for up to 1 year. Once the consent is authorised, the consentToken can be used to retrieve the transactions for this period.

Note: The consentToken (that can access historical data older than 90 days) can only be used once. If you need to retrieve transactions older than 90 days again, you must follow the same process to create a new consent token.

Institution Restrictions

Some restrictions are not always commonly shared across each region and are more Institution specific. One example of this is Intesa Sanpaolo which limits the amount of transactions you can obtain to a window of 2 weeks at a time. As these Institution specific restrictions are less common, Yapily will pass on such restrictions via the API error response.

UK Banks

For UK institutions, certain endpoints can be accessed once and for a short duration after the consent has been authorised

  • /accounts/{{account-id}}/beneficiaries
  • /accounts/{{account-id}}/direct-debits
  • /identity
  • /accounts/{{account-id}}/periodic-payments
  • /accounts/{{account-id}}/scheduled-payments

To access these endpoints again or after the valid period, you will have to obtain a new consent or reauthorise the existing consent.

Limited Access

As part of the European Banking Authority's (EBA) Regulatory Technical Standards (RTS), it is in Article 31(5) that:

Account information service providers shall be able to access information from designated payment accounts and associated payment transactions held by account servicing payment service providers for the purposes of performing the account information service... where the payment service user is not actively requesting such information, no more than four times in a 24 hour period, unless a higher frequency is agreed between the account information service provider and the account servicing payment service provider, with the payment service user’s consent.

As a result, without the PSU actively requesting for their information, you should expect an Institution to limit the number of times you can call any of the AIS data endpoints to a maximum of four times in a single 24 hour period. This limit is reset at the end of the 24 hour period but subsequent calls after this limit will fail until the next 24 hour period. This will typically apply to EU banks but not UK.

The error message will ultimately depend on the Institution, but we will always provide HTTP response 429 for this scenario. For instance, Intesa Sanpaolo returns the following error message:

Copy
Copied
{
    "code" : "ACCESS_EXCEEDED",
    "text" : "The access on the account has been exceeding the consented multiplicity per day.",
    "category" : "ERROR"
}