App Accreditation

Find out how to receive Akahu accreditation before your app goes live

ℹ️

This guide is intended for developers using Akahu's enduring account connectivity.

Akahu’s purpose is to give people control of their data. We want to work with reputable third party developers who deliver on that purpose through their products.

Our accreditation process is designed to assess whether you meet our minimum standards for the protection of consumer data, and whether your product adds real value to consumers. We aim to strike a balance between getting you up and running quickly, while also ensuring that we’re supporting products that deliver great consumer experiences.

While developing your Akahu integration, we place sandbox restrictions on your app. Before you can release your Akahu integration for public/production use, your application must be accredited by Akahu. After successful completion of the accreditation process, the sandbox restrictions on your application will be removed.

Steps to Becoming Accredited

Before beginning this process, please first verify that you have signed our Developer Terms and that your app meets all accreditation requirements outlined below. Once complete, you can get in contact with our team on Slack or at [email protected] to begin the process.

1. Privacy notice

You will need to provide Akahu with a copy of your Privacy Notice, including any amendments relating to your intended use of data that is exchanged via Akahu.

2. Consumer Information Page

We will review your Consumer Information Page. You will need to provide us with a link to this page on your website or app.

3. Security and Penetration Testing

You will need to provide Akahu with a recent, relevant, and competent security and penetration test. We expect the scope to cover your user applications, any relevant administration applications, and security review of supporting infrastructure.

This requirement may be waived if you hold a relevant certification that provides assurance of your security posture. Get in touch to find out whether this applies to you.

4. Application Review

Akahu needs to review your product to ensure that it complies with our Security, Authentication, and Functionality requirements as outlined in the sections below. Once your application is production ready, you will need to provide Akahu with access so we can carry out this review process.

You can provide access to either a staging environment, or a production environment with Akahu functionality enabled only for selected testing users.

We require access to a copy of your application on each platform that you are releasing on. For instance, if you are releasing a mobile app, we require both Android and iOS copies of your app. You will need to provide us with the following (dependent on platform):

  • iOS: A TestFlight invite or AppStore link
  • Android: An APK download link
  • Web: A publicly accessible URL

Please also include any additional instructions that our testers might need to get signed in and use your application.

📘

Application Review Policy

Successful completion of the Application Review stage is not an official endorsement by Akahu of your application's security posture or compliance with our requirements. As the application developer, it is your responsibility to ensure that your application is secure and compliant.

Requirements

This section details the minimum requirements of an accredited Akahu app. We will check that your app meets these requirements as part of our Application Review process.

It is recommended that you familiarise yourself with this section in the early stages of development to ensure that your accreditation is not delayed.

Note: all requirements are ongoing for the duration of your accreditation. You must notify Akahu in the event that you make changes that affect compliance with these requirements, at which point we reserve the right to reassess your accreditation status.

Security

You must ensure that any data exchanged via Akahu or held in your systems is processed and stored securely. Below are the minimum standards that we expect:

  • All traffic to/from the client is encrypted in transit using TLS with a strong, current configuration.
  • Akahu credentials (your App Secret and User Access Tokens) are held server-side only and are never exposed to the client (browser or mobile app).
  • User authentication meets the minimum requirements listed below.
  • All relevant risks identified in the OWASP Top 10 list are appropriately addressed.
  • All relevant controls identified in the CIS Controls list are implemented.
  • We strongly recommend that you undertake an external penetration test at least every 12 months during your accreditation.

Authentication

Server validated multi-factor authentication must be required for all users of your application's Akahu functionality.

Multi-factor authentication may occur at the time of device registration (mobile apps), login (web apps), or on-demand before allowing the user to take action (e.g. initiate a payment). If your application grants long-lived authentication, see our guidance on Persistent Sessions below.

Allowable multi-factor authentication methods include:

  • Username + password* + SMS code
  • Username + password* + authenticator code
  • Username + server-validated PIN + SMS code

*Passwords must have high quality strength requirements (minimum length & character variation).

PINs must be 5 digits minimum and server-validated with a conservative rate limit (e.g. 5 attempts per minute).
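The PIN rule above combines three server-side properties: a minimum length, storage that never holds the raw PIN, and a rate limit applied before the check is evaluated. The following is an added example (not Akahu's code) of one way to implement it. The PBKDF2 work factor, the per-user sliding window, and the injected clock are assumptions made for this illustration; your own store and user model will differ.

```python
"""Server-validated PIN with a conservative per-user rate limit.

Added example, not Akahu's code. Assumptions: the PIN is stored only as a
salted PBKDF2 hash on the server, every attempt (success or failure) counts
against a sliding window of 5 attempts per minute per user, and the clock is
injected so the window can be exercised in tests.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

MIN_PIN_DIGITS = 5           # minimum from the requirement above
MAX_ATTEMPTS = 5             # e.g. 5 attempts per minute
WINDOW_SECONDS = 60
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
_DUMMY_SALT = b"\x00" * 16   # keeps timing uniform when the user is unknown


class PinPolicyError(ValueError):
    """The PIN does not meet the minimum policy (5+ digits)."""


class RateLimited(Exception):
    """Too many attempts in the window; the attempt was not evaluated."""


def _derive(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_pin(pin: str) -> Tuple[bytes, bytes]:
    """Enrolment: enforce the policy, then return (salt, digest) for storage."""
    if len(pin) < MIN_PIN_DIGITS or not pin.isdigit():
        raise PinPolicyError(f"PIN must be at least {MIN_PIN_DIGITS} digits")
    salt = os.urandom(16)
    return salt, _derive(pin, salt)


class PinVerifier:
    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def enrol(self, user_id: str, pin: str) -> None:
        self._records[user_id] = hash_pin(pin)

    def _consume_attempt(self, user_id: str) -> None:
        """Sliding window: drop timestamps older than the window, then count this one."""
        now = self._clock()
        window = self._attempts[user_id]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            retry_in = WINDOW_SECONDS - (now - window[0])
            raise RateLimited(f"{user_id}: retry after {retry_in:.0f}s")
        window.append(now)

    def verify(self, user_id: str, pin: str) -> bool:
        """Server-side check. The rate limit is applied before any hashing work."""
        self._consume_attempt(user_id)
        record = self._records.get(user_id)
        if record is None:
            _derive(pin, _DUMMY_SALT)   # same cost as a real check; no user enumeration by timing
            return False
        salt, expected = record
        return hmac.compare_digest(_derive(pin, salt), expected)
```

Two details matter in practice: the limit is charged to every attempt, including a correct one, so an attacker cannot race the window; and the window must live in a store shared by all your application instances (not in-process memory as here) or it silently resets on restart or scale-out.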

Read Only Access

At the discretion of Akahu, we may apply less strict authentication requirements to your application if you are only requesting read access to users' accounts via Akahu. Please get in touch with us prior to your accreditation to check whether this applies to your application.

Allowable authentication methods for read-only access include:

  • Username + password*
  • A short lived, single use URL or 6+ digit code sent via SMS or email

*Passwords must have high quality strength requirements (minimum length & character variation).

Persistent Sessions

Web applications that allow sessions that last more than 2 hours (including "keep me logged in") must expire the MFA status of a session after 2 hours. After expiry, the MFA status of the session must be renewed (by the user completing another MFA challenge) before allowing the user to initiate payments via Akahu.
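The point of the rule above is that MFA freshness is tracked separately from session lifetime: a "keep me logged in" session may be weeks old and still valid, but payment initiation must look at when the last server-validated MFA happened. The following is an added example (not Akahu's code) of that gate; the session fields, the `submit` callback and the timestamps are assumptions for illustration.

```python
"""MFA freshness gate for long-lived web sessions.

Added example, not Akahu's code. Assumption: the session record stores the
time of the last server-validated MFA success separately from the time the
session was created, and the payment handler consults that timestamp.
"""
from dataclasses import dataclass
from typing import Callable, Optional

MFA_MAX_AGE_SECONDS = 2 * 60 * 60   # the 2-hour limit from the requirement above


@dataclass
class Session:
    user_id: str
    created_at: float
    remember_me: bool = False
    mfa_verified_at: Optional[float] = None   # None until the user completes MFA


class StepUpRequired(Exception):
    """The user must complete another MFA challenge before the action is retried."""


def mfa_is_fresh(session: Session, now: float) -> bool:
    """True only if a server-validated MFA completed within the last 2 hours."""
    if session.mfa_verified_at is None or session.mfa_verified_at > now:
        return False   # never verified, or a timestamp from the future (skew or tampering)
    return now - session.mfa_verified_at < MFA_MAX_AGE_SECONDS


def record_mfa_success(session: Session, now: float) -> None:
    """Call only after the server itself has verified the second factor."""
    session.mfa_verified_at = now


def initiate_payment(session: Session, amount_cents: int, now: float,
                     submit: Callable[[str, int], str]) -> str:
    """Gate an Akahu payment on MFA freshness; `submit` performs the actual call."""
    if not mfa_is_fresh(session, now):
        raise StepUpRequired(session.user_id)
    return submit(session.user_id, amount_cents)
```

Keep `mfa_verified_at` in server-side session state, never in a client-controlled cookie or token claim the client can rewrite, and reset it on logout so a stale timestamp cannot survive into a new session.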

Mobile applications that use a long-lived client side access/refresh token must implement either:

  • A PIN lock (can be client-validated)
  • A secure biometric lock

Functionality

Your app must:

  • Provide functionality for a user to revoke your access to their data (by calling DELETE /token).
  • Revoke the user access token when a user deletes their account with you (by calling DELETE /token).
  • Gracefully handle the user access token being revoked externally (e.g. the user logs in to my.akahu.io and revokes your app's access). This can be implemented by either:
    • Subscribing to and handling the TOKEN DELETE webhook, or
    • Handling 403 responses from the Akahu API (which indicate that the user access token is no longer valid).
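The three functional requirements above, together with the data-retention obligation noted under Data Privacy, can share one server-side token store: a user-initiated disconnect and an account deletion both call `DELETE /token` and then purge local state, while an externally revoked token (seen as a `403` or a TOKEN DELETE webhook) triggers the same purge without the remote call. The following is an added example (not Akahu's SDK or code). The base URL, the `Authorization: Bearer <user token>` and `X-Akahu-ID` headers, and the webhook field names are assumptions taken from my reading of the public Akahu API docs; verify them against the current docs before use. The transport is injectable so the example runs offline.

```python
"""Revoking Akahu user access tokens and reconciling external revocation.

Added example, not Akahu's SDK. Assumed (check against current Akahu docs):
  - base URL https://api.akahu.io/v1
  - DELETE /token revokes the user token in the Authorization header
  - every request also carries X-Akahu-ID: <app id token>
  - 403 means the user access token is no longer valid
  - TOKEN DELETE webhook bodies carry webhook_type, webhook_code and _user
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

AKAHU_BASE_URL = "https://api.akahu.io/v1"
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Real transport: returns (status, decoded JSON body or {})."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


class TokenRevoked(Exception):
    """The user access token is no longer valid; local state has been purged."""


class AkahuError(Exception):
    """Any other non-success response from the API."""


class UserStore:
    """Server-side record of tokens and Akahu-sourced data. Tokens never reach the client."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}        # local user id -> user access token
        self.akahu_users: Dict[str, str] = {}   # Akahu user id -> local user id (webhooks)
        self.cached_data: Dict[str, list] = {}  # local user id -> data fetched via Akahu

    def link(self, local_user: str, akahu_user_id: str, user_token: str) -> None:
        self.tokens[local_user] = user_token
        self.akahu_users[akahu_user_id] = local_user

    def forget(self, local_user: str) -> bool:
        """Drop the token and the Akahu data we no longer reasonably need."""
        had_token = self.tokens.pop(local_user, None) is not None
        self.cached_data.pop(local_user, None)
        for akahu_id in [k for k, v in self.akahu_users.items() if v == local_user]:
            del self.akahu_users[akahu_id]
        return had_token


class AkahuClient:
    def __init__(self, app_id_token: str, store: UserStore,
                 transport: Transport = urllib_transport) -> None:
        self.app_id_token = app_id_token
        self.store = store
        self.transport = transport

    def _headers(self, user_token: str) -> Dict[str, str]:
        return {"Authorization": f"Bearer {user_token}", "X-Akahu-ID": self.app_id_token}

    def _request(self, method: str, path: str, local_user: str) -> dict:
        token = self.store.tokens.get(local_user)
        if token is None:
            raise TokenRevoked(local_user)
        status, body = self.transport(method, f"{AKAHU_BASE_URL}{path}", self._headers(token))
        if status == 403:                  # token invalid: purge, then tell the caller
            self.store.forget(local_user)
            raise TokenRevoked(local_user)
        if status >= 400:
            raise AkahuError(f"{method} {path} -> {status}")
        return body

    def revoke_access(self, local_user: str) -> bool:
        """User disconnects or deletes their account: DELETE /token, then forget locally."""
        if local_user not in self.store.tokens:
            return False
        try:
            self._request("DELETE", "/token", local_user)
        except TokenRevoked:
            return True                    # already revoked at Akahu; _request purged state
        return self.store.forget(local_user)

    def list_accounts(self, local_user: str) -> list:
        items = self._request("GET", "/accounts", local_user).get("items", [])
        self.store.cached_data[local_user] = items
        return items

    def handle_webhook(self, event: dict) -> bool:
        """TOKEN DELETE webhook: purge the matching user. Signature check is the caller's job."""
        if event.get("webhook_type") != "TOKEN" or event.get("webhook_code") != "DELETE":
            return False
        local_user = self.store.akahu_users.get(event.get("_user", ""))
        return bool(local_user) and self.store.forget(local_user)
```

Whichever path removes the token, the same `forget` routine runs, which is what keeps the retention obligation under Data Privacy honest: the data leaves with the access, not on a later cleanup job that may never run. Verify the webhook signature as described in Akahu's webhook documentation before passing an event to `handle_webhook`.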

Guidance on managing Akahu users can be found in this guide.

📘

Data Privacy

In accordance with New Zealand’s Privacy Act 2020, you may only retain user data for as long as it is reasonably required by your application. Please consider this obligation when a user revokes your access to their accounts - it is your responsibility to ensure that you delete user data that has been exchanged via Akahu and is no longer reasonably required.

Privacy Notice

Your privacy notice must include all relevant information regarding your use of user data exchanged via Akahu.

You must notify Akahu in the event that, subsequent to accreditation, you make changes to your Privacy Notice regarding your use of this data.

Consumer Information Page

We want to ensure that consumers are well informed when making decisions about how to connect and derive value from their data.

To become accredited, we require a dedicated page on your website or app that explains the relationship between your product and Akahu and provides enough detail for consumers to decide whether they see value in connecting their account(s) to your product.

Describe Your Product

Describe your value proposition. Clearly explain the problem your product solves and/or the specific benefits it delivers.

Describe the way your product uses Akahu.

Describe the benefits your customers will get from connecting their accounts to your product through Akahu.

Describe whether the connection is one-off or ongoing.

Describe any data that you collect, and how you use it.

About Akahu

Include this description of Akahu, along with a clear Akahu logo:

About Akahu

Akahu is New Zealand's open finance platform.

Akahu makes it simple to connect your financial accounts to trusted third parties. If you choose to connect your accounts via Akahu, you can manage those connections at my.akahu.nz.

Find out more about Akahu here. [include a link to akahu.nz]