App Accreditation

Find out how to receive Akahu accreditation before your app goes live

Akahu’s purpose is to give people control of their data. We want to work with reputable third party developers who deliver on that purpose through their products.

Our accreditation process is designed to assess whether you meet our minimum standards for the protection of consumer data, and whether your product adds real value to consumers. We aim to strike a balance between getting you up and running quickly, while also ensuring that we’re supporting products that deliver great consumer experiences.

While developing your Akahu integration, we place sandbox restrictions on your app. Before you can release your Akahu integration for public/production use, your application must pass the Akahu accreditation process. After successful completion of the accreditation process, the sandbox restrictions on your application will be removed.

Steps to Becoming Accredited

Before beginning this process, please first verify that your app meets all accreditation requirements outlined below. Once complete, you can get in contact with our team on Slack or at [email protected] to begin the process.

1. Privacy Notice

You will need to provide Akahu with a copy of your Privacy Notice, including any amendments relating to your intended use of user data that is exchanged via Akahu.

2. Consumer Information Page

We will review your Consumer Information Page. You will need to provide us with a link to this page on your website or app.

3. Penetration Test

You will need to provide Akahu with evidence of a recent, relevant, and competent penetration test of your application. This requirement may be waived if there is relevant certification that provides assurance of your security posture. Get in touch to find out whether this applies to you.

4. Application Review

Akahu needs to review your product to ensure that it complies with our Security, Authentication, and Functionality requirements as outlined in the sections below. Once your application is production ready, you will need to provide Akahu with access so we can carry out this review process.

You can provide access to either a staging environment, or a production environment with Akahu functionality enabled only for selected testing users.

We require access to a copy of your application on each platform that you are releasing on. For instance, if you are releasing a mobile app, we require both Android and iOS copies of your app. You will need to provide us with the following (dependent on platform):

  • iOS: A TestFlight invite or AppStore link
  • Android: An APK download link
  • Web: A publicly accessible URL

Please also include any additional instructions that our testers might need to get signed in and use your application.

Application Review Policy

Successful completion of the Application Review stage is not an official endorsement by Akahu of your application's security posture or compliance with our requirements. As the application developer, it is your responsibility to ensure that your application is secure and compliant.

Requirements

This section details the minimum requirements of an accredited Akahu app. We will check that your app meets these requirements as part of our Application Review process.

It is recommended that you familiarise yourself with this section in the early stages of development to ensure that your accreditation is not delayed.

Note: all requirements are ongoing for the duration of your accreditation. You must notify Akahu in the event that you make changes that affect compliance with these requirements, at which point we reserve the right to reassess your accreditation status.

Security

You must ensure that any data exchanged via Akahu or held in your systems is processed and stored securely. Below are the minimum standards that we expect:

  • All traffic to/from the client is encrypted with strong SSL encryption.
  • Akahu credentials (your App Secret and User Access Tokens) are not exposed to the client.*
  • User authentication meets the minimum requirements listed below.*
  • All relevant risks identified in the OWASP Top 10 list are appropriately addressed.
  • All relevant controls identified in the CIS Controls list are implemented.
  • We strongly recommend that you undertake an external penetration test at least every 12 months during your accreditation.

*We can be flexible on these constraints depending on the scopes required by your app. All apps with the PAYMENTS scope must meet these requirements, but we may review other apps on a case-by-case basis.

Authentication

Your app must implement server-validated multi-factor authentication for device registration (mobile) or login (web). Multi-factor authentication may occur at login or on demand (e.g. before authorising a payment). Allowable authentication schemes include:

  • Username & password* + sms/email code
  • Username & password* + authenticator code
  • Server-validated PIN + sms/email code

Mobile apps that use a long-lived client side access/refresh token must implement either:

  • A PIN lock (can be client-validated)
  • A secure biometric lock

*Passwords must have high quality strength requirements (minimum length & character variation).

PINs must be 5 digits minimum and server-validated with a conservative rate limit (e.g. 5 attempts per minute).

Functionality

Your app must:

  • Provide functionality for a user to revoke your access to their data (by calling DELETE /token).
  • Revoke the user access token when a user deletes their account with you (by calling DELETE /token).
  • Gracefully handle the user access token being revoked externally (e.g. the user logs in to my.akahu.io and revokes your app's access). This can be implemented by either:
    • Subscribing to and handling the TOKEN DELETE webhook, or
    • Handling 403 responses from the Akahu API (which indicate that the user access token is no longer valid).
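The three functionality requirements above, as an added example that is not Akahu's or any SDK's code: a server-side wrapper that keeps the user access token off the client, calls DELETE /token when the user disconnects or deletes their account, and treats a 403 from the API or a TOKEN DELETE webhook as the token having been revoked. The base URL https://api.akahu.io/v1, the Bearer header, the webhook payload fields and the `resolveUserId` callback are assumptions; the store is constructed for illustration.

```javascript
// Added example: Akahu token lifecycle handling on the server side.
const AKAHU_BASE = "https://api.akahu.io/v1"; // assumed base URL

// Constructed in-memory store: userId -> { accessToken, cachedData, revoked }
const store = new Map();

// Local consequence of a revoked token: forget the token and the data we
// no longer reasonably require. Returns false if the user is unknown.
function handleTokenRevoked(userId) {
  if (!store.has(userId)) return false;
  store.set(userId, { accessToken: null, cachedData: null, revoked: true });
  return true;
}

// Every Akahu call is made from the server, so the token never reaches the client.
// fetchImpl is injectable so the flow can be exercised without network access.
async function akahuRequest(userId, method, path, fetchImpl = fetch) {
  const rec = store.get(userId);
  if (!rec || !rec.accessToken) throw new Error("no valid Akahu token for user");
  const res = await fetchImpl(AKAHU_BASE + path, {
    method,
    headers: { Authorization: `Bearer ${rec.accessToken}` }, // assumed header
  });
  if (res.status === 403) {
    // Token revoked externally (e.g. via my.akahu.io): clean up and tell the caller.
    handleTokenRevoked(userId);
    return { revoked: true };
  }
  return { revoked: false, status: res.status, body: await res.json() };
}

// User disconnects, or deletes their account with us: revoke at Akahu, then locally.
async function revokeAccess(userId, fetchImpl = fetch) {
  const result = await akahuRequest(userId, "DELETE", "/token", fetchImpl);
  handleTokenRevoked(userId);
  return result;
}

// TOKEN DELETE webhook. Payload field names are assumed; resolveUserId maps the
// payload to our own user id. Returns true if a local record was cleaned up.
function handleWebhook(payload, resolveUserId) {
  if (payload.webhook_type !== "TOKEN" || payload.webhook_code !== "DELETE") return false;
  return handleTokenRevoked(resolveUserId(payload));
}
```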

Data Privacy

In accordance with New Zealand’s Privacy Act 2020, you may only retain user data for as long as it is reasonably required by your application. Please consider this obligation when a user revokes your access to their accounts - it is your responsibility to ensure that you delete user data that has been exchanged via Akahu and is no longer reasonably required.

Privacy Notice

Your privacy notice must include all relevant information regarding your use of user data exchanged via Akahu.

You must notify Akahu in the event that, subsequent to accreditation, you make changes to your Privacy Notice regarding your use of this data.

Consumer Information Page

We want to ensure that consumers are well informed when making decisions about how to connect and derive value from their data.

To become accredited, we require a dedicated page on your website or app that explains the relationship between your product and Akahu, and provides enough detail for consumers to choose whether they see value in connecting their account(s) to your product.

Describe Your Product

Describe your value proposition. Clearly explain the problem your product solves and/or the specific benefits it delivers.

Describe the way your product uses Akahu.

Describe the benefits your customers will get from connecting their accounts to your product through Akahu.

Describe whether the connection is one-off or ongoing.

Describe any data that you collect, and how you use it.

About Akahu

Include this description of Akahu, along with a clear Akahu logo:

About Akahu

Akahu is New Zealand's open finance platform.

Akahu makes it simple to connect your financial accounts to trusted third parties. If you choose to connect your accounts via Akahu, you can manage those connections at my.akahu.nz.

Find out more about Akahu here. [include a link to akahu.nz]
