VR SecureGo plus API integration & PSD2 OpenBanking

OpenBanking · PSD2 / XS2A · FinTS / HBCI · SCA push approval

Connect VR SecureGo plus accounts to your stack with PSD2-aligned APIs

VR SecureGo plus is the Strong Customer Authentication app used by more than six million customers across roughly 750 Volksbanken and Raiffeisenbanken cooperative banks in Germany, operated by the IT service provider Atruvia AG. The app holds no transaction data itself, but it gates access to every booking, statement, balance, and credit-card authorization in the cooperative banking network — which is exactly where the OpenData value lives.

Account & consent APIs — Mirror the PSD2 consent dance: build a consent, hand it to the user for SCA in their VR SecureGo plus app, then call AIS endpoints with a long-lived consentId.

Statement export APIs — Booked and pending transactions in camt.052/053, MT940, or normalized JSON, with date ranges, paging, and SEPA end-to-end IDs preserved for reconciliation.

Card & payment authorization — Trigger SEPA credit transfers, instant payments and credit-card 3-D Secure flows that the cardholder approves with a release code or biometric tap inside VR SecureGo plus.

Multi-device, multi-bank — VR SecureGo plus supports up to three active devices per user; our aggregation layer resolves device IDs and routes the SCA challenge to whichever phone the customer last used.

Data available for integration

The VR SecureGo plus app itself is the SCA channel; the underlying data sits in the Atruvia core banking system and is reachable through the regulated PSD2/XS2A interface and the older FinTS/HBCI stack. The table below summarizes what we typically expose to client backends.

Data type	Source / screen	Granularity	Typical use
Account list (giro, savings, sub-accounts)	OnlineBanking → Konten & Karten	IBAN, BIC, currency, holder, product code, status	Multi-bank aggregation, ERP onboarding
Booked transactions	Statement screen / camt.053	Booking date, value date, amount, counterparty, EREF, MREF, KREF, purpose code	Reconciliation, accounting sync, AML monitoring
Pending transactions	Vormerkungen / camt.052	Same fields, status = PDNG	Real-time cash position, treasury dashboards
Account balances	Balance widget	Booked, available, credit-line, currency	Liquidity reporting, credit decisioning
Credit card transactions	VR Banking app card view	Authorisation, clearing, merchant category code (MCC)	Expense management, card-level fraud rules
SCA / TAN events	VR SecureGo plus push log	Timestamp, device fingerprint, decision (approved/rejected)	Audit trail, dispute resolution, BaFin reporting
Standing orders & SEPA mandates	Daueraufträge screen	Mandate ID, creditor ID, schedule, next run	Subscription billing, churn analytics
SEPA credit transfer initiation	Überweisung dialog	Debtor IBAN, creditor IBAN, amount, purpose, instant flag	Payouts, refunds, supplier payments

Typical integration scenarios

1. Cross-bank cash-flow dashboard for SME finance teams

A German Mittelstand finance team holds accounts at a regional Volksbank, a Raiffeisenbank and a Sparkasse. We expose a single /accounts + /transactions facade that hides the per-bank ASPSP differences. The user opens our portal, picks their VR-Bank, and the consent flow lands as a push in their VR SecureGo plus app. Once approved, our worker pulls camt.053 every night and writes the rows into the customer's data warehouse for cash-flow forecasting. OpenData mapping: Account Information Service (AIS) under PSD2 with explicit consent, refreshed every 90 days as required by the EBA RTS.

2. Accounting sync into DATEV / SAP / Lexware

Bookkeepers want VR-Bank transactions in their accounting tool without manual CSV export. We deliver a Node.js connector that pulls daily statements via XS2A AIS, normalizes EREF/MREF references, runs a rule engine for cost-centre tagging, and posts journal entries through the DATEV REST or SAP S/4HANA APIs. The user's VR SecureGo plus push approval is the only manual step every 90 days. OpenData mapping: AIS read access plus customer-side ETL — no payment initiation needed.

3. Embedded SEPA payouts for marketplaces

A marketplace platform pays vendors with SEPA credit transfers from its operating Volksbank account. We wrap the XS2A Payment Initiation Service (PIS) so the platform can call POST /payments/sepa-credit-transfers from its backend. Each payout produces a scaRedirect link, the operator opens it on their phone, the bank pushes a SCA challenge to VR SecureGo plus, and the operator taps approve. Our webhook then posts the final ACSC status back to the marketplace ledger. OpenData mapping: PIS under PSD2; bulk payments use pain.001.001.09.

4. Fraud monitoring and SCA event audit

For a fintech that resells cards on the rails of a cooperative bank, every SCA approval and rejection from VR SecureGo plus is a feature in the fraud model. We deliver a thin webhook adapter that captures the SCA verdict, the device ID and the IP of the issuing back-end, and forwards it into the customer's SIEM (Splunk, Elastic, Datadog). Useful when chasing an account-takeover dispute or proving SCA happened during a chargeback. OpenData mapping: internal authorization log, exposed only with documented client consent.

5. Open-data research and compliance reporting

Compliance teams that need to file BaFin or Bundesbank reports often want long-tail aggregates: monthly inflow per industry MCC, exposure to a counterparty IBAN, or SEPA mandate counts. Our API serves materialized views over the same statement export — same data, but pre-aggregated, so reporting jobs do not re-pull years of camt files. OpenData mapping: derived analytics built on top of AIS, with raw data discarded after the agreed retention window.

Technical implementation

The stack speaks PSD2/XS2A as the primary modern interface (Berlin Group NextGenPSD2 1.3.x), with FinTS 3.0 / HBCI as the fallback for legacy back-office tools that still expect MT940 over the older protocol. Below are three representative endpoints.

Create AIS consent (XS2A, Berlin Group)

POST /v1/consents
PSU-IP-Address: 198.51.100.7
TPP-Redirect-URI: https://yourapp.example/cb
X-Request-ID: 5b8b3f4d-...

{
  "access": {
    "balances": [{"iban": "DE02..."}],
    "transactions": [{"iban": "DE02..."}]
  },
  "recurringIndicator": true,
  "validUntil": "2026-08-08",
  "frequencyPerDay": 4,
  "combinedServiceIndicator": false
}

201 Created
{
  "consentStatus": "received",
  "consentId": "c-7f2e...",
  "_links": {
    "scaRedirect": {
      "href": "https://xs2a.atruvia.de/sca/c-7f2e..."
    }
  }
}
# User opens scaRedirect, approves in VR SecureGo plus.

Pull a 30-day statement (Python)

import requests, datetime as dt

H = {
  "Consent-ID": CONSENT_ID,
  "X-Request-ID": "9e1c...",
  "PSU-IP-Address": "198.51.100.7",
  "Authorization": f"Bearer {ACCESS_TOKEN}",
}
params = {
  "dateFrom": (dt.date.today() - dt.timedelta(days=30)).isoformat(),
  "dateTo":   dt.date.today().isoformat(),
  "bookingStatus": "both",
}
r = requests.get(
  f"https://xs2a.example/v1/accounts/{ACCOUNT_RESID}/transactions",
  headers=H, params=params, timeout=30,
)
r.raise_for_status()
booked = r.json()["transactions"]["booked"]
for t in booked:
    print(t["bookingDate"], t["transactionAmount"]["amount"],
          t.get("creditorName") or t.get("debtorName"),
          t.get("endToEndId"))

SCA push webhook (Node.js)

// POST /webhooks/sca from our gateway
app.post('/webhooks/sca', express.json(), (req, res) => {
  const sig = req.header('X-OFL-Signature');
  if (!verifyHmac(sig, req.rawBody, SECRET)) {
    return res.status(401).end();
  }
  const { consentId, paymentId, decision,
          deviceId, decidedAt } = req.body;
  // decision: APPROVED | REJECTED | EXPIRED
  ledger.recordScaEvent({
    consentId, paymentId, decision,
    deviceId, decidedAt,
  });
  res.status(204).end();
});

Errors follow the Berlin Group tppMessages structure (FORMAT_ERROR, CONSENT_INVALID, SCA_METHOD_UNKNOWN, PSU_CREDENTIALS_INVALID). Rate limiting is per consentId and resets at 00:00 CET; we expose a X-RateLimit-Remaining header so client jobs can back off cleanly.

Compliance & privacy

Regulatory framing

Every flow we ship is designed around the EU's Second Payment Services Directive (PSD2) and the European Banking Authority's RTS on Strong Customer Authentication. The interface against the cooperative core is the regulated XS2A endpoint operated by Atruvia for the Volksbanken Raiffeisenbanken network. National supervision sits with BaFin and the Deutsche Bundesbank, and personal data handling is governed by the GDPR plus the German BDSG.

What we never do

We do not store the user's release code or biometric template.
We do not bypass the SCA push — every consent or payment crosses VR SecureGo plus (or the user's chosen Sm@rt-TAN / chipTAN fallback).
We do not scrape screens that a documented PSD2 endpoint already covers; scraping is reserved for back-office data with explicit written authorization.
We support data-minimization: only the IBANs, fields, and date ranges asked for in the consent are returned to the client.

Data flow / architecture

A typical pipeline in production looks like this:

Client app / backend calls our gateway with a tenant key and the user's consent reference.
OpenFinance Lab gateway resolves the target ASPSP (the customer's specific Volksbank or Raiffeisenbank), forwards the call to the Atruvia XS2A endpoint, and triggers the SCA push to VR SecureGo plus.
Storage layer persists camt.053 documents and a normalized transaction ledger in PostgreSQL, partitioned by month and IBAN.
Analytics / API output serves either raw transactions, materialized aggregates, or pushes change events into the customer's webhook, S3 bucket, or Kafka topic.

Market positioning & user profile

VR SecureGo plus is the Strong Customer Authentication factor for the Genossenschaftliche FinanzGruppe — Germany's cooperative banking network of around 750 Volksbanken, Raiffeisenbanken, Sparda-Banken, PSD Banken and church banks, all running on the Atruvia core. The user base is overwhelmingly retail and SME customers in the German-speaking DACH region (DE, AT, CH), on Android 10+ and iOS 17.6+. In 2024, VR rolled out the device-management redesign that lets one customer keep up to three active mobile devices simultaneously — a meaningful change for households and small business owners who previously had to deactivate one phone before activating the next. Integration buyers are typically German fintechs, accounting platforms, treasury vendors and ERP integrators that already serve Sparkassen / Deutsche Bank customers and now need parity for the cooperative side of the market.

Screenshots

Click any thumbnail to see a larger view. Screenshots are sourced from the official Google Play listing for VR SecureGo plus.

Similar apps & integration landscape

Most German banking customers do not live in a single app — they juggle a primary current account, a savings or brokerage app, and an authentication factor. The same backend integration patterns we use for VR SecureGo plus apply, with small protocol differences, to the apps below. We list them so teams searching for any of these names land on a useful page about the wider OpenBanking landscape.

S-pushTAN (Sparkasse) — The cooperative network's biggest competitor. S-pushTAN is the SCA app for the Sparkassen-Finanzgruppe; integrations follow the same Berlin Group XS2A spec and benefit from a unified consent layer.

BestSign (Postbank / Deutsche Bank) — Push-based SCA app for Postbank and Deutsche Bank customers; account aggregators usually need to support both BestSign and VR SecureGo plus to cover German retail.

photoTAN (Commerzbank, Deutsche Bank) — Optical TAN procedure, slightly different consent UX but the underlying XS2A endpoints align with the same Berlin Group standard.

VR Banking — The customer-facing online-banking app from the same cooperative network; VR SecureGo plus is its SCA companion.

ING Banking — ING DiBa's mobile banking app; one of the largest direct banks in Germany and a frequent counterparty in multi-bank aggregation projects.

DKB — Deutsche Kreditbank's mobile app, popular with freelancers; XS2A coverage is mature and pairs well with VR-Bank business accounts.

Comdirect — Brokerage-flavored mobile banking from a Commerzbank subsidiary; integrations often cover both transaction history and securities depots.

N26 — Berlin-based neobank with its own developer-friendly stack; relevant for pan-EU customers who keep both N26 and a Volksbank account.

Revolut (DE) — Pan-EU fintech under Lithuanian licence; multi-currency and crypto layers make it a frequent companion to a German cooperative-bank giro account.

finanzblick / Finanzguru — Multi-banking aggregators for German users; they consume the same XS2A endpoints we wrap and are useful reference implementations of consent UX.

What we deliver

Deliverables checklist

OpenAPI 3.1 specification covering accounts, balances, transactions, payments, SCA
Protocol & auth flow report (XS2A consent dance, FinTS dialog, optional eIDAS QWAC notes)
Runnable source for AIS and PIS clients in Python and Node.js, plus a Go statement-export worker
Postman / Bruno collection with sandbox + production environments
Automated tests against a synthetic ASPSP plus a sample Atruvia sandbox tenant
Compliance guidance pack: PSD2 SCA notes, GDPR data-minimization checklist, sample consent text

Engagement workflow

Scope confirmation: which Volksbanken, which data, AIS only or AIS + PIS.
Protocol analysis & API design (2–5 business days).
Build & internal validation against sandbox (3–8 business days).
Docs, samples, test cases (1–2 business days).
First delivery typically lands in 5–15 business days; eIDAS certificate procurement and BaFin-side approvals can extend that.

About OpenFinance Lab

We are an independent technical studio focused on mobile-app protocol analysis and OpenData / OpenFinance / OpenBanking integration. Engineers on the team have shipped production code for German cooperative banks, Sparkassen, neobanks, and a handful of pan-EU PSPs, so we know the difference between the documented Berlin Group spec and what a specific Volksbank actually returns at 23:59 on a Saturday.

DACH banking, payments, and brokerage stacks
PSD2/XS2A, FinTS/HBCI, EBICS, SWIFT MT and ISO 20022 fluency
Custom Python / Node.js / Go SDKs and reproducible test harnesses
End-to-end pipeline: protocol analysis → build → validation → compliance hand-off
Source code delivery from $300 — runnable code and full documentation; pay after delivery upon satisfaction
Pay-per-call hosted API — no upfront fee, ideal for usage-based pricing

Contact

For quotes, NDA review, or to send us your target requirements (which Volksbanken, which data fields, which downstream tools), open our contact page below. We typically reply within one business day.

Contact page

FAQ

Is VR SecureGo plus integration legal under German and EU rules?

Yes. We work strictly under customer authorization and rely on the regulated PSD2/XS2A interface that every German bank, including the Volksbanken Raiffeisenbanken cooperative network, must publish for licensed third parties. The VR SecureGo plus app remains the user-facing Strong Customer Authentication factor and approves each access through a push notification.

Can I export transaction history from VR cooperative bank accounts via API?

Yes. We provide an Account Information Service (AIS) endpoint that returns booked and pending transactions in camt.052 / camt.053 / MT940 form, plus a normalized JSON view with date, amount, currency, counterparty IBAN, BIC, and SEPA end-to-end ID. The same data can be exported to Excel, CSV, or pushed to a webhook.

How long does a typical delivery take?

5 to 15 business days for the first drop covering login, balance, and statement endpoints. Webhook-driven SCA approval, multi-account aggregation across several Volksbanken, or BaFin-aligned consent management can extend the timeline to 3–6 weeks.

How do you handle compliance and the SCA factor?

All flows are designed around PSD2 Strong Customer Authentication, the EBA RTS guidance, and German BaFin notes. The user always confirms in their VR SecureGo plus app or alternative TAN method (Sm@rt-TAN, chipTAN). We log each consent, store no release codes, and apply data minimization.

Common modules

Consent creation, status, refresh, and revoke
Account list, balances, booked & pending transactions
SEPA credit transfer and SEPA Instant payment initiation
Standing-order management and SEPA mandate sync
Credit-card transaction read with MCC and authorization metadata
SCA push webhook for downstream audit and fraud tooling
FinTS / HBCI fallback for back-office tools that need MT940

📱 Original app overview (appendix)

VR SecureGo plus (package de.fiduciagad.securego.vr) is the official Strong Customer Authentication app for the German cooperative banking group Volksbanken Raiffeisenbanken, published by Atruvia AG (formerly Fiducia & GAD). It is used by more than six million customers across roughly 750 cooperative banks. The app does not display account balances or transactions itself — its single purpose is to gate every banking and credit-card authorization with a release code or biometric tap.

The app at a glance:

Simply flexible — Authorize all banking transactions and online credit-card payments from a single app.
Simply convenient — Direct authorization for the new online banking and credit-card flows.
Simply secure — High security standards for data and transactions, aligned with PSD2 SCA.
Simply more — Usable for online banking on up to three devices simultaneously (rolled out fully in 2024).
Easily recognized — Authorization via fingerprint or facial recognition on request, alongside a release code.

Requirements: activation code from your bank, then on-device setup. Further information: vr.de/faqs-vr-securego-plus-app.

Alternative TAN procedures for users who cannot or do not want to use the app: Sm@rt-TAN plus / Sm@rt-TAN photo with a TAN generator, and chipTAN with a girocard. Our integration code paths handle both.