PolishAPI, the KNF, and consenting to a cooperative-bank account
PolishAPI, the account-access standard the Polish Bank Association maintains under PSD2, names cooperative banks as a covered tier — and cooperative banks are the entire customer base BSGo serves. That single fact decides the route. BSGo is the Asseco mobile front end that customers and companies of banki spółdzielcze use to reach internet banking; the regulated way to read that same account data from outside the app is an Account Information Service consent against the customer's specific cooperative bank.
Poland transposed PSD2 through its Payment Services Act (Ustawa o usługach płatniczych), supervised by the Komisja Nadzoru Finansowego (KNF). Account access runs over PolishAPI — which defines AIS, payment initiation, and confirmation of funds — used alongside the Berlin Group NextGenPSD2 profile by some institutions. PolishAPI version 3.0 launched in December 2019; versions 2.1.4 and 3.0.1 were published on 17 June 2025 with changes tied to the ISO 20022 migration, per the standard's own site. Reading data this way needs a consent the customer grants and an account information service provider authorised by a competent authority; consent is time-boxed and the customer re-confirms it on the cadence the technical standard sets. We design the sync around that refresh cycle so it does not silently lapse, keep consent records and access logs, minimise the fields pulled to what the use case needs, and work under an NDA where the engagement calls for one. None of that is an entry hurdle for you — it is how we run the build, arranged with you during onboarding against a consenting account.
What a BSGo account actually holds
The app describes its own surfaces plainly, and they map cleanly onto things an integrator wants. Each row below is something a BSGo user already sees on screen.
| Data domain | Where it shows up in BSGo | Granularity | What an integrator does with it |
|---|---|---|---|
| Balances & available funds | Account view, plus the pre-login balance peek before authentication | Per account, near real time | Cash-position dashboards, low-balance triggers, reconciliation |
| Account history | "full insight into balances, account and credit history" | Per posting, dated, with counterparties | Bookkeeping sync, categorisation, audit trails |
| Credit / loan history | Credit history view within the account profile | Per facility: balance and schedule | Affordability checks, debt monitoring |
| Deposits | Open, close and check deposits on the phone | Per deposit: rate, term, principal | Treasury and yield tracking |
| Transfers (PLN & foreign currency) | Transfer module to own and external accounts, including FX | Per instruction with status | Payout confirmation, payment-status feeds |
| BLIK activity | BLIK payments online and in store, and ATM withdrawals | Per transaction / token | Spend analytics, instant-payment reconciliation |
| Account events | Alerts after "any event on your account as soon as it occurs" | Per event, push or SMS | Real-time webhooks into downstream systems |
| Junior & Parent Panel | BSGo Junior: Piggy Banks, allowance cycles, parent-approved requests | Per child ledger, with approval state | Family-finance and youth-banking products |
| Profile context | Personal-to-business switch and MojeID identity confirmation | Per customer, multi-profile | KYC context, multi-entity routing |
Three ways in, and the one we'd take
Three routes genuinely apply to a BSGo account. They differ in what they reach and how long they last.
1 · PolishAPI AIS consent (recommended)
The customer grants a consent and we read accounts, balances, and transaction history through their cooperative bank's PSD2 interface. Reach is broad for the core ledger, the durability is the best of the three because it tracks a published standard rather than a UI, and the effort is mostly per-bank endpoint resolution and consent handling. We set up the authorised-provider path and the per-institution routing as part of the work. For a Polish cooperative-bank account this is the route we recommend, because BSGo's whole base sits on the exact bank tier PolishAPI covers.
2 · Authorized protocol analysis of the BSGo ↔ CBP traffic
Under the customer's authorization we analyse the documented exchange between BSGo and the Asseco CBP backend and rebuild the calls that return balances, history, deposits, and BLIK records. This reaches surfaces the consent route does not enumerate — Junior/Parent Panel state, deposit lifecycle actions, event-alert payloads — and is our fallback where AIS scope stops short.
3 · User-consented credential access
Where a consenting account holder supplies access for their own data, we drive the authenticated session the way the app does, with biometrics or password plus the on-device transaction authorisation BSGo uses. Narrowest in durability, useful for a single-tenant internal sync.
What lands at the end of the build
Everything is tied to BSGo's real surfaces, not a generic banking template:
- An OpenAPI specification covering the account, balance, transaction-history, deposit and transfer-status operations as they map to a cooperative-bank AIS endpoint.
- A protocol and auth-flow report: the consent grant, the OAuth2 authorization-code exchange with the PSD2 certificate, token refresh, and the per-bank endpoint resolution that the shared app hides.
- Runnable source for the key endpoints in Python and Node.js — session, account list, paged transactions, deposit read, transfer status.
- Automated tests against a sandbox or a consenting account, including the consent-expiry and re-confirmation paths.
- Interface documentation a developer can hand to a teammate, plus data-retention and consent-logging guidance scoped to PolishAPI and the KNF posture.
A look at the session and statement call
Illustrative, and confirmed against the customer's own cooperative bank during the build — base URLs and field names are resolved per institution because each bank spółdzielczy publishes its own endpoint even though they share the BSGo app.
// 1. Resolve the customer's cooperative bank -> its PolishAPI base
// (shared app, per-ASPSP endpoint; resolved during onboarding)
ASPSP_BASE = resolve_aspsp(customer.bank_code) // e.g. https://api.<bank>.pl/v3_0.1
// 2. Authorization-code consent with the PSD2 QWAC client cert
POST {ASPSP_BASE}/auth/v3_0.1/authorize
scope = "ais"
consentId = <granted by customer>
client_cert = <QWAC>
-> 200 { access_token, refresh_token, expires_in }
// 3. Accounts, then a dated, paged statement
GET {ASPSP_BASE}/accounts/v3_0.1/getAccounts
Authorization: Bearer <access_token>
-> { accounts: [ { accountNumber, nameAddress, currency } ] }
GET {ASPSP_BASE}/accounts/v3_0.1/getTransactionsDone
accountNumber: <PL IBAN>
transactionDateFrom: "2026-04-01"
transactionDateTo: "2026-04-30"
pageId: <cursor> // pages are cursor-based; loop until pageId is null
-> { transactions: [ { amount, currency, tradeDate, counterparty, title } ],
nextPage: <cursor|null> }
// token nears expiry -> refresh; consent nears its window -> prompt re-confirm
if (expires_in < 60) refresh(refresh_token)
if (consent.near_window_end) request_reconfirmation(consentId)
The protocol-analysis fallback returns the same shapes from the BSGo ↔ CBP exchange, with the Junior and deposit-lifecycle fields the AIS scope does not enumerate normalised into the same model.
Where this data gets used
- An accounting tool pulls dated transaction history for a company that runs its books on a cooperative-bank account, refreshed nightly.
- A lender reads balance and credit history with the applicant's consent to size an offer without a manual statement upload.
- A youth-finance product mirrors a BSGo Junior Piggy Bank goal and the parent's allowance cycle into its own UI.
- A treasury dashboard tracks deposit terms and rates across several cooperative banks one customer holds.
- An alerts service forwards BSGo account events as webhooks into a finance team's chat.
What we plan around in the cooperative-bank stack
Concrete things this specific app forces us to handle — we account for them so you do not have to.
- One app, many institutions. Every cooperative bank is its own account-servicing institution with its own PolishAPI base URL, even though they all ship through the same BSGo app and Asseco CBP backend. We resolve the bank from the customer's account and route per institution, so a customer who banks with more than one cooperative is handled correctly.
- Two profiles behind one login. The personal-to-business switch changes the visible account set and the authorization rules — corporate profiles can carry multi-signature approval. We model the profile as its own dimension rather than flattening business accounts into the personal view.
- Junior is not a plain account. A BSGo Junior account carries parent-controlled constraints: allowance cycles, Piggy Bank goals, and parental approval of transfer requests. We represent the parent-child relationship and approval state instead of treating it as a standard personal account.
- The CBP front end moves on its own clock. Asseco CBP is a mini-application front end that updates independently. The AIS route is insulated from that; on the protocol-analysis fallback we build against stable response contracts and keep a change-detection check on the parsed fields so a UI change is caught early.
Working with us, and the price
Source for the BSGo session and statement endpoints, with the auth-flow report and automated tests, starts at $300 and is invoiced only after delivery, once it runs on your side and you are satisfied. The alternative is our hosted API: you call our endpoints for BSGo account data and pay per call, with no upfront fee. Either way you give us the app name and what you need from its data; access, the consenting account or sandbox, and the compliance paperwork are arranged with you as part of the engagement. The delivery cycle is one to two weeks. Tell us what you are building and we will scope it — start a conversation here.
Screens from the app
Public Play Store screenshots, used here only to scope the interface. Select one to enlarge.
Questions integrators ask about BSGo
Does one BSGo build cover every cooperative bank, or is it per-bank?
The app and the Asseco CBP backend are shared, but each cooperative bank is its own account-servicing institution with its own PolishAPI endpoint. We resolve the bank from the customer's account and route per institution, so a customer who banks with more than one cooperative bank is handled correctly under one consent model.
How does the personal-to-business profile switch affect what can be read?
BSGo lets a customer move between a personal and a business profile inside one login, and the account set plus the authorization rules change with it. We model the profile as its own dimension so corporate accounts and any multi-signature authorization are not flattened into the personal view.
Can BSGo Junior and Parent Panel data be part of an integration?
Yes. Junior accounts carry parent-controlled constraints such as allowance cycles, Piggy Bank goals, and parental approval of transfer requests. We represent the parent-child relationship and the approval state rather than treating a Junior account as a plain personal one.
Which regulator and standard governs account access to a Polish cooperative bank?
Poland transposed PSD2 through its Payment Services Act, supervised by the Komisja Nadzoru Finansowego (KNF). Account access uses the PolishAPI standard maintained by the Polish Bank Association (ZBP), which names cooperative banks as a covered tier; an account information service provider must be authorised by a competent authority.
If a cooperative bank updates its CBP front end, does the integration break?
Asseco CBP is a mini-application front end that ships UI changes on its own cadence. The regulated AIS route is insulated from that. Where we use the authorized protocol-analysis route as a fallback, we build against the stable response contracts and keep a change-detection check on the parsed fields so a front-end change is caught early rather than failing silently.
Sources, and who looked at this
Checked in May 2026 against the app's Google Play listing, the PolishAPI standard's own documentation including its cooperative-banks resource, and the KNF's public material on the supervisor's remit. Findings rest on those sources plus BSGo's own published feature description.
- PolishAPI — standard overview (AIS/PIS/CAF, version history)
- PolishAPI — cooperative banks resource
- KNF — Polish Financial Supervision Authority
- BSGo — Google Play listing
OpenBanking Studio integration desk · mapping reviewed 2026-05-18.
BSGo — factual recap
BSGo is the Asseco Poland mobile banking app for individual and company clients of Polish cooperative banks (banki spółdzielcze), per its Google Play listing under package com.asseco.poland.mobile.auth.bank.prodma. It covers PLN and foreign-currency transfers to own and external accounts, BLIK, deposit open/close/check, full balance and account and credit history, account-event notifications, biometric login, on-device transaction authorisation, personal-to-business profile switching, and MojeID identity confirmation. A teenager edition, BSGo Junior, adds Piggy Banks, allowance cycles and a Parent Panel; the app describes an age-tiered model that grows from a kids version into the full adult app at majority. The scope of services varies by the offering of each individual cooperative bank.