11.1 Key Principles

Overview

These five principles define how the platform is designed to be secure, user-focused, flexible and future-ready. They ensure that financial data sharing happens in a way that is safe, transparent and scalable.

Key Principles

Description

Security by Design

  • Enforce strong authentication and authorization using OAuth 2.0, OpenID Connect and mTLS.

  • End-to-end encryption: all data exchanges must be encrypted (JWE) for confidentiality and signed (JWS) for integrity, so that they are protected from unauthorized access.

  • Access tokens are sender-constrained and bound to client certificates.

This approach ensures compliance with data protection standards and builds trust with users and partners.
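
One way a resource server can enforce the certificate binding described above, shown as an added example that is not PayNet's own code. It assumes the binding follows RFC 8705 (a `cnf` claim carrying `x5t#S256`), that the token's signature has already been verified, and that the certificate bytes and claim values are constructed stand-ins.

```python
import base64
import hashlib
import hmac


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 value: base64url(SHA-256(DER certificate)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Return True only if the token is bound to the certificate that the
    client presented on this mTLS connection.

    `claims` are the access token claims AFTER signature, issuer, audience
    and expiry checks (assumed to be done elsewhere).
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False  # no confirmation claim: plain bearer token, reject
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str) or not expected:
        return False  # malformed or empty binding, reject
    actual = cert_thumbprint(presented_cert_der)
    # Constant-time comparison of the two thumbprints.
    return hmac.compare_digest(expected.encode("ascii", "ignore"),
                               actual.encode("ascii"))


# Constructed sample data: placeholder bytes stand in for DER certificates.
REGISTERED_CLIENT_CERT = b"constructed-der-bytes-for-registered-client"
OTHER_CLIENT_CERT = b"constructed-der-bytes-for-some-other-client"

# Claims as the authorization server would issue them to the registered client.
SAMPLE_CLAIMS = {
    "sub": "constructed-user-id",
    "scope": "accounts",
    "cnf": {"x5t#S256": cert_thumbprint(REGISTERED_CLIENT_CERT)},
}

if __name__ == "__main__":
    # Same certificate on the connection as in the token: accepted.
    print(token_bound_to_cert(SAMPLE_CLAIMS, REGISTERED_CLIENT_CERT))
    # Token presented over a connection using a different certificate: rejected.
    print(token_bound_to_cert(SAMPLE_CLAIMS, OTHER_CLIENT_CERT))
    # Token without a cnf claim: rejected rather than treated as bearer.
    print(token_bound_to_cert({"sub": "constructed-user-id"}, REGISTERED_CLIENT_CERT))
```

The check fails closed: a token with a missing or malformed `cnf` claim is rejected instead of being accepted as an ordinary bearer token.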

Consent-Driven Data Sharing

  • All data access is strictly based on explicit, user-granted consent, and can be managed by the user (to view, to revoke, to grant new access).

  • Consent lifecycle (creation, update, revocation, suspension) is managed and auditable.

  • No user financial data is stored by PayNet; only audit logs and request metadata are retained.

This empowers users and ensures transparency in data usage.

Interoperability and Extensibility

  • API design follows open standards (OpenID, FAPI) to ensure compatibility across banks, fintechs, and other financial institutions.

  • Data models are structured for extensibility, with recommendations to support custom JSON fields for any other data fields that are not part of the standardised data structure.

  • Provides a custom endpoint for future use cases involving future data types and new DPs.

This ensures long-term adaptability and supports future innovations.

Scalability and Performance

  • Asynchronous resource server flows with webhook callbacks for large or long-running data requests.

  • Mandatory pagination for all list endpoints to efficiently handle large datasets.

  • Support for incremental data pulls using date range filters to minimize system load.

This ensures the platform remains responsive and reliable under load.

Platform and Channel Agnosticism

  • Universal redirect URIs for authentication & authorisation must be pre-registered for all platforms (web, iOS, Android) to support multi-channel user journeys. We don't support Custom URIs.

This guarantees a smooth and consistent user experience across web, mobile and future platforms.

Compliance and Auditability

  • All actions are logged for traceability and regulatory compliance.

  • Data Provider status (online/offline) is visible and should be kept up to date.

  • Error handling and status codes follow global standards for transparency and troubleshooting.

