This guide walks you through onboarding corporate bank accounts via the Open Banking channel. The onboarding process connects your organization's bank accounts to the Aritma Banking API, enabling account information retrieval and payment initiation.
Getting a customer live requires up to two separate tracks, depending on what you're building:
- Bank & Aritma onboarding — required for every customer, regardless of whether you read account info or send payments. This connects the customer's bank accounts to Aritma.
- User onboarding — required only if you send payments with pre-approval. Nordic regulation requires a user-level authentication flow at the point of payment, so an identity solution needs to be in place before you can send payments through the API.
Diagram here
Before you begin, make sure you have the following in place:
- A tenant and subscription - see the Getting Started guide
- A client with the
banking.consents.createIAM action granted on the subscription. In most cases, grantingbanking.manageis sufficient as it includesbanking.consents.createand other required actions. - The scope
banking.ais.readto verify onboarded accounts
The examples below use the following values - replace them with your own:
| Placeholder | Example value | Description |
|---|---|---|
subscriptionId | 992606c793984bcf81e543d90ecfbb36 | Your subscription ID |
organisationNumber | 999999999 | The organization number |
bankId | cba4beaf-9b52-40c5-8929-e0af6c1e8b18 | The bank identifier |
Call GET /banks to find the bank and get its bankId. The response also includes bank order information — a description, of what the customer needs to do at their bank to authorize communication with Aritma. If you want to own this part of the frontend yourselves, use this response as a starting point and build your own version of the ordering flow.
The bank order itself is solely owned by the bank, and typically takes 0–5 business days from when the customer submits it until the bank is ready to communicate with Aritma. Plan for this lead time, and make sure the customer is aware they can check with their bank directly for visibility into the time needed.
- Mock serverhttps://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/banks
- https://banking.aritma.io/api/banks
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/banks?countryCode=NO&channels=string&includeAdditionalInformation=true' \
-H 'api-version: string'Some banks include an onboarding field with links to external onboarding documents or pages. Check these for any bank-specific requirements before proceeding.
Create a consent by calling POST /consents with the organization and bank account details.
| Field | Description |
|---|---|
channelType | Must be "openBanking" for open banking |
subscriptionId | Your subscription ID (e.g. 992606c793984bcf81e543d90ecfbb36) |
resourceGroupName | The organization number (e.g. "999999999"). A new resource group is created automatically if one does not already exist. |
resourceGroupDisplayName | Display name of the resource-group which this consent will be organized under. (e.g. "Organisation AB"). |
bankId | The bank identifier from Step 1 |
properties.isHeadless | Must be "true" for open banking |
properties.psuCorporateId | The organization number |
properties.accountNumbers | Comma-separated list of account numbers to onboard |
properties.combinedServiceIndicator | Set to "true" to enable combined AIS and PIS services |
properties.numberOfApprovers | Number of required approvers (e.g. "1") — ⚠️ Beta, not yet fully available in production |
The required consent properties may vary between banks. Use GET /banks/{bankId} with includeAdditionalInformation=true to discover bank-specific property requirements.
- Mock serverhttps://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/consents
- https://banking.aritma.io/api/consents
curl -i -X POST \
https://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/consents \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-H 'api-version: string' \
-d '{
"channelType": "openBanking",
"subscriptionId": "992606c793984bcf81e543d90ecfbb36",
"resourceGroupName": "999999999",
"properties": {
"psuCorporateId": "999999999",
"combinedServiceIndicator": "true",
"isHeadless": "true",
"numberOfApprovers": "1",
"accountNumbers": "<AccountNumber1>, <AccountNumber2>"
},
"bankId": "cba4beaf-9b52-40c5-8929-e0af6c1e8b18"
}'The response contains:
consentId- store this for later usestatus- the initial consent status.awaitingApprovalis the normal happy path — expect this by default and continue to Step 3.authorizedcan happen too (the consent is immediately ready, skip to Step 7), but treat it as a shortcut, not the default case.
Aritma only allows one active consent per company, per bank. Check for an existing consent before creating a new one for the same bankId and organization.
There will not be a Aritma-hosted UI forwared for this step — call the refresh endpoint yourself to obtain the BankID / MitID / Swedish BankID link.
Call the refresh endpoint to generate the strong customer authentication (SCA) link. The response contains a redirectUrl — send the customer here to complete authentication.
- Mock serverhttps://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/consents/{id}/refresh
- https://banking.aritma.io/api/consents/{id}/refresh
curl -i -X PUT \
'https://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/consents/{id}/refresh' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-H 'api-version: string' \
-d '{
"properties": {}
}'- The link expires within 7 days. If it expires, call the refresh endpoint again to get a new one.
- The link is single use only — opening it more than once invalidates it. Watch out for link-preview crawlers (Slack, Teams, email scanners) fetching the URL before the actual user does; deliver it in a way that avoids automated pre-fetching.
- Deliver it to a person with procura (signing authority) for both the company and the specific account(s) being onboarded — sending it to someone without that authority will cause validation to fail.
The PSU (a person with a valid organizational role) opens the SCA link and logs in with BankID or the local equivalent. This confirms their identity — it does not yet confirm they're allowed to act for the organization; that's the next step.
Aritma automatically checks two things:
- Role validation — does this person actually have a valid role at the organization?
- Account ownership — does the organization actually own the requested accounts? If you specified a redirect URL, the result comes back as a
scaStatusquery parameter:
finalized— succeededfailed— failed, can be retriedexempted— exempted from validation, treated as succeeded If validation fails and a different person needs to try, generate a new SCA link by repeating step 3.
If verification has failed and you want another user to perform role validation, create a redirect link for the current onboarding using the refresh endpoint.
What happens next depends on the state of the bank agreement and KYC results:
- Bank agreement exists - If an agreement with the bank has already been established (external process), the onboarding service will typically complete the onboarding automatically and provision the accounts.
- No bank agreement or insufficient information - If no bank agreement has been received at the time of SCA (see Step 1 for bank order timing), Aritma will wait for the bank. If the information received is insufficient, or the bank doesn't supply enough onboarding information, the Aritma support team will manually review the onboarding.
- KYC insufficient - If KYC validation is not sufficient, or KYC is not supported for the country, Aritma support can execute manual KYC validation.
You can track the consent status by polling GET /consents/{consentId} or by subscribing to consent events through the Events API. The consent status will transition from Created → Started → Authorized when complete, or to AwaitingApproval if manual review is required.
- Mock serverhttps://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/consents/{id}
- https://banking.aritma.io/api/consents/{id}
curl -i -X GET \
https://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/consents/1E5EFC3B-635E-4973-A605-41D7F0D6D7B3 \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'api-version: string'Once the consent status is Authorized, verify the onboarding by retrieving the accounts. You can scope the request in two ways:
- Mock serverhttps://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/accounts
- https://banking.aritma.io/api/accounts
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/accounts?withBalance=true&balanceDate=string&bban=12345612345678&iban=FR7612345987650123456789014&search=string&cursor=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Channel-Type: unspecified' \
-H 'Consent-ID: <consentId>' \
-H 'PSU-IP-Address: string' \
-H 'Resource-Group-Name: string' \
-H 'Scopes: /subscriptions/7fdf00601dfb/resource-groups/my-company' \
-H 'Subscription-Id: string' \
-H 'api-version: string'- Mock serverhttps://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/accounts
- https://banking.aritma.io/api/accounts
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/banking/v4/openapi/banking-openapi/accounts?withBalance=true&balanceDate=string&bban=12345612345678&iban=FR7612345987650123456789014&search=string&cursor=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Channel-Type: openBanking' \
-H 'Consent-ID: string' \
-H 'PSU-IP-Address: string' \
-H 'Resource-Group-Name: 999999999' \
-H 'Scopes: /subscriptions/7fdf00601dfb/resource-groups/my-company' \
-H 'Subscription-Id: 992606c793984bcf81e543d90ecfbb36' \
-H 'api-version: string'If accounts are returned with status enabled, they are ready for use - including payment initiation.
You are now ready to start using the account and payment APIs. To modify the consent later (for example, to request access to an additional account), use the refresh consent endpoint PUT /consents/{id}/{refresh}and specify the properties you want to change.
How long does bank & Aritma onboarding take, end to end? Two waiting periods stack: the bank order (0–5 business days) plus however long KYC and provisioning take. If a bank agreement already exists and KYC passes automatically, provisioning can complete within minutes of the customer completing the SCA link.
Can I onboard accounts from multiple banks for one customer? Yes, but each bank needs its own consent — a consent is tied to one bankId. Since only one consent per company per bank is allowed, check for an existing consent before creating a second one at the same bank.
Who should I send the SCA link to? Someone with procura (signing authority) for the company and for the specific accounts being onboarded. If it goes to someone without that authority, validation will fail even if they successfully log in with BankID.
What if the SCA link expires or was already used? It expires after 7 days, and it's single use — opening it a second time invalidates it. Call the refresh endpoint again to generate a new one for the same consent. Note that link-preview crawlers (Slack, Teams, email scanners) can trigger this by fetching the link before the actual user opens it. Excessive and unnecessary use of the SCA URL may be subject to invoicing.
Why did KYC validation fail, and how will I know? There's no automated signal if KYC fails — no separate status or event. If you suspect it, contact Aritma support with the consentId. When it does happen, it's usually because the person who completed the SCA link doesn't have a valid role or procura for the organization, or the organization doesn't own the account(s) listed in the consent.
What does scaStatus=exempted mean — is that a problem? No — it means the bank or flow exempted this request from strong customer authentication, and it's treated as successful, same as finalized.
How do I know if manual review is happening? Consent status will show AwaitingApproval instead of progressing to Authorized. There's no separate API signal for why — if it's stuck, contact Aritma support with the consentId.
Should I fetch account data using Consent-ID, or subscription/resource-group headers? Prefer subscription and resource group headers over scoping to the consent currently being onboarded. This lets you fetch data across a customer's other banks even while a separate onboarding is still in progress.
What's the difference between Authorized and an account being enabled? Authorized is the consent-level status — the connection itself is confirmed. enabled is per-account, returned from GET /accounts — it confirms that specific account is usable for account info or payments. Always check the account-level status even after the consent shows Authorized.