Which Application Programming Interface (API) standard has MUFG implemented?

MUFG has implemented the Berlin Group API standard.

Detailed API specifications can be downloaded from the Berlin Group website or you can check our Summary Developer's Guide.


Are MUFGs APIs compliant with the Revised Payment Services Directive (PSD2)?

MUFG follows the Berlin Group API standard which is compliant with Payment Services Directive (PSD2).


What is the available scope of MUFG's APIs?

COMSUITE API Service is currently available for the following European countries: United Kingdom, France, Italy, Netherlands, Germany, Belgium, Austria, Czech Republic, Spain, Poland.

MUFG provides 3 types of API service:

  1. Account Information Service (AIS) (Consent, account detail, account balance, transaction details)
  2. Payment Initiation Service (PIS) (Payments, SCT, UK LVP, DCT)
  3. Fund Confirmation Service (FCS)


When did the PSD2 Production phase go live?

20 May 2019.


When will you provide a full set of API functionality as per PSD2 requirements?

We have been providing API functionality per PSD requirements since 14 September 2019.

We will continue to release updates and enhancements to the API on a regular basis.


What future APIs and features are planned and when?

The roadmap for new features is currently being developed.


Do I need a contract to use the COMSUITE API Portal and APIs?

There is no need to enter into a contract to use the COMSUITE API Service, however you must hold the relevant registration with your National Competent Authority (NCA) and have submitted your eIDAS or OBWAC certificate via our application form to MUFG.


What is a Sandbox?

A Sandbox is a testing environment that isolates untested code outright experimentation from the production environment and live data. Our Sandbox has dummy data to simulate responses as close to the production environment as possible.


What certificates will I need to develop and launch my application with your API Sandbox and Production environments?

An eIDAS certificate (QWAC) issued by a QTSP is necessary for both our Sandbox and Production environments. For a UK TPP, an OBWAC certificate issued by OBIE is required.


What are the available hours of the COMSUITE API service?

The COMSUITE API service will be available for testing the API, 24 hours - 7 days a week.

*Please note: The test facility may become unavailable, without prior notice, due to urgent maintenance when unavoidable.

MUFG's Production API environment has scheduled maintenance every Saturday 22:00 (JST) to Monday 02:00 (JST). During this time the API will be unavailable.


How do I get started with the API service?

You must be an authorised Third Party Provider (TPP) and have a valid eIDAS certificate issued by a QTSP (or OBWAC issued by OBIE) to access the API services. The following steps are required.

  1. Register an account on the COMSUITE API Portal.
  2. Complete and submit your TPP application form and eIDAS / OBWAC certificate to MUFG via the email link from the "Getting Started" page on the COMSUITE API Portal.
  3. MUFG will then inform you via email once your TPP application has been checked and approved.
  4. You will now be able to see the API services you can subscribe to in the "API Products" section of COMSUITE API Portal.


My company name has changed. What should I do to update our details on the COMSUITE API Service?

Please resend the application form or send an email with both the new and old company names as well as the eIDAS / OBWAC authorisation number to MUFG's support desk.


My company's address has changed. What should I do to update our details on the COMSUITE API Service?

Please resend the application form or send an email with both the new and old company addresses as well as the eIADS authorisation number to MUFG's support desk.


Where can I find a list of available endpoints when testing the API?

The endpoint for each Sandbox API is written in the full Developer's Guide.


Is the data in the Sandbox real client data?

The data in the Sandbox is not real client data - it is dummy data from MUFG that simulates customer data to ensure that the testing result is as realistic as possible.


Can I upload my own test transaction data to the Sandbox?

You cannot upload your own test transactions. Testing can be completed with the conditions listed below:

  • Payment initiation services (PIS): You can use any optional parameter for testing.
  • Account information services (AIS): You can only use pre-set data for testing.


Is it possible to customise the test data in the Sandbox?

The test data in the Sandbox cannot be changed or updated.

You can customise error patterns with the Error Registration Tool in the Sandbox.

It is used for simulating error patterns that cannot occur within the Sandbox API.


Are the Sandbox APIs the same as the APIs that will be provided in the Production environment?

Yes, from 14 September 2019 the APIs in the Sandbox will mirror the Production environment APIs.

*From May to September 2019 the Production environment will have partial implementation.


Do you have sample or reference applications that could demonstrate some API calls?

API requests and response samples can be found in the Full Developer's Guide.


What are your API call limits?

The limit is 2 calls/second (per endpoint).


How do I report a bug or request a feature for the COMSUITE API Service?

If you find a bug or would like to request a feature, please contact the Transaction Banking EMEA Client Support Team with screen shots and a description.


Can I use a test certificate to access your Sandbox?

You can use the test eIDAS / OBWAC certificate that is issued by a QTSP for our Sandbox environment.


What system of authorisation do you use for your APIs?

MUFG uses OAuth 2.0 as the authorisation procedure.


What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for authorisation. OAuth 2.0 focuses on client developer simplicity while providing specific authorisation flows for various types of applications.


What is the difference between Bearer and Basic tokens?

Bearer tokens are the predominant type of access token with Oauth 2.0.

Basic authentication (Basic tokens) is a method for a HTTP user agent to provide a user name and password when making a request.


What are the expiration times of the various tokens?

  • Account Information Services (AIS): 90 days
  • Payment Initiation Services (PIS): 30 days
  • Fund Confirmation Service (FCS): Currently there is no token issued in this service. A future update is planned for March 2020.


How secure is the MUFG API Gateway and how is unauthorised access prevented?

The communication between Third Party Providers (TPPs) and MUFG is always secured by using TLS version 1.2 or higher. In addition, MUFG checks that all TPPs are officially registered and authorised by the relevant National Competent Authority (NCA).


When will the MUFG API Service be compliant with PSD2?

MUFG COMSUITE API Service will be compliant with PSD2 from 14 September 2019. MUFG will continue to improve and update the API version after the regulatory due date.


I have an account on the COMSUITE API Portal. Where are the APIs and how do I subscribe to the APIs?

While you may have created an account on the COMSUITE API Portal, you will only be able to access our APIs once you have submitted your Third Party Provider (TPP) application form with the relevant registration certificates.

Once your application is approved, you will be able to subscribe to the APIs from the "API Products" page.

Detailed information for each API is written in the full Developer's Guide.


Where do I get my API key?

Within the Sandbox environment - The API key (client ID and client secret) will be displayed after the creation of an API service within the COMSUITE API Portal site. Please be sure to write them down.

Please be aware that the client secret only appears on this screen.

Within the Production environment - No API keys are generated. MUFG generates the API Key and links the API Key to the Authorisation Number set in the eIDAS. MUFG will inform you of the API key when transitioning to the Production environment.


Where can I upload my eIDAS certificate?

MUFG asks Third Party Providers (TPPs) to submit their eIDAS certificate as part of the TPP application form accessed via the email link on the "Getting Started" page of the COMSUITE API Portal website. You will need to submit the eIDAS / OBWAC certificate in an encrypted zip file format.


Where are MUFG's KPIs published?

You can view the KPIs for our COMSUITE API Service on our "Getting started" page well as on our MUFG EMEA website.


What is MUFG's SLA for technical queries?

We will aim to respond to technical queries within 1 week.


What happens if I forget my user account password for the COMSUITE API Portal?

Within the COMSUITE API Portal you can use the "Password Reset Key" link to submit your unique key to retrieve the password. You will have been supplied this unique key when you first registered on the COMSUITE API Service. If you have forgotten the key, you will need to re-register and submit the application again. Alternatively, contact our Transaction Banking EMEA Client Support Team.


My customer wants additional API functionality. Who can I contact about using MUFG's subscription APIs?

Please contact the Transaction Banking EMEA Client Support Team including a detailed description of the API functionality you would like to see. Please title your email "Feature Request".


Do the MUFG APIs provide access to all payment services offered by the bank?

MUFG APIs provide access only to payment accounts for GCMS Plus.

MUFG also uses white-labelled third-party products in Germany and Italy.


I have changed my email address. Could you resend the notification email so we can start using your API gateway?

Please resend the application form or send an email with both new and old email addresses and eIDAS / OBWAC authorisation number to our Transaction Banking EMEA Client Support Team at etbosupport@uk.mufg.jp.


How can I interpret the error messages I receive from the API?

A list of error messages and their descriptions can be found in the full Developer's Guide.

If it is still unclear, please send the error message and its screenshot to our Transaction Banking EMEA Client Support Team at etbosupport@uk.mufg.jp.


Under GDPR regulation can you please let me know where your server is located?

Our Sandbox cloud server is located in Germany, with our Open API channel server located in Japan


I would like to contact you to understand further details about the specification and implementation of the API. How can I do this?

Please contact our Transaction Banking EMEA Client Support Team at etbosupport@uk.mufg.jp with your query.


What languages are your API Service documents available in?

Our API Service documentation is currently only available in English.


Where can I find more information about your COMSUITE API Service on your website?

A general summary and links to the COMSUITE API Portal can be found on our EMEA website and on the MBE external website.


Can I access the API Service using a smartphone?

Currently our API Service is only available via a desktop browser.