The Technology Behind the GSMA Mobile Money API Compliance Verification Service

APIs are at the core of interconnected and growing ecosystems for mobile money services. They allow seamless integration between providers and third parties and pave the way for faster and cheaper developments.  

Today, the GSMA Inclusive Tech Lab is launching the GSMA Mobile Money API Compliance Verification Service. This free service will help providers create open APIs to drive the ecosystem forward together. Providers will benefit from smoother integrations while third parties will thrive through partnerships. You can read more about the benefits of becoming API-compliant, along with exciting news of several GSMA partners that will soon be deploying their GSMA Mobile Money compliant APIs.

In this blog, we take a closer look at how this service works behind the scenes to provide those benefits. We explore the design and architecture, how the compliance process works and the technical implementation of the underlying compliance platform.  We explain how partners can use the service to build, test and release high-quality, compliant APIs. Finally, we describe how the Inclusive Tech Lab has enhanced and tailored the service to the requirements of the mobile money industry, which we did by working closely with our launch partners Sasai FinTech, Comviva and AfriMoney on their new APIs. 

Functionality and scope of the Compliance Verification Service 

The Compliance Verification Service is currently open to any mobile money provider that offers third-party service providers open mobile money platform APIs meeting the requirements of the GSMA Mobile Money API Specification. This includes both mobile money operators and technology platform providers. 

The service works by assessing the provider’s API implementation and associated security. This is described in more detail in the Compliance Verification Service brochure. Compliance is verified once the API provider has implemented their selected use case from the GSMA API Specification. Mandatory use case scenarios and APIs are defined in each API 1.2 Use Case Specification. The service currently supports the latest 1.2.0 version of the GSMA API Specification and two use cases: merchant payments and disbursements. 

The GSMA is committed to supporting financial inclusion by encouraging the growth of a thriving ecosystem around mobile money platforms. This new service will enable all service providers to connect with each other in a simplified manner and reduce the lengthy and cumbersome mobile money API integration process.

Alex Sinclair, GSMA Chief Technology Officer

The service has been designed to be primarily self-service. So, once a provider has completed an invitation to register on the compliance platform, they can start reading the documentation and tutorials and watching the demos to understand how the platform works and how to create and execute sessions. They will also learn about the business rules for response codes and other requirements for passing compliance tests. Developers can then test and hone their implementations until they are ready to submit their APIs to the GSMA for compliance. 

The service will check all mandatory API schema validations and constraints, including response flows, HTTP response codes, response parameters, required headers, required JSON body fields and error codes (as applicable), for each of the mandatory use case APIs and mandatory supporting APIs for the use case. 

Where there are multiple business options available for a use case in the API Specifications, the service is flexible. By answering a use case questionnaire, providers can validate only those scenarios relevant to their implementation. This flexibility covers business options (such as types of merchant payment or disbursement flows supported), optional APIs, and API request-response flows (synchronous, asynchronous polling and asynchronous callback, for success and failure cases as applicable). 

The use cases selected for the initial roll-out of the service are two of the most common integrations in the mobile money ecosystem. Merchant payments enable merchants to accept payments from a customer’s mobile money account, and disbursements enable organisations to disburse funds to a recipient’s mobile money account. The GSMA will expand the use cases as the industry requires. 

Compliance Platform 

The Compliance Platform launched today is built on the foundations of the Interoperability Test Platform.  The Compliance Platform is used by the GSMA to verify mobile money platforms that have implemented the GSMA Mobile Money API Specification and to support developers while they are building and testing their GSMA API-based platform. 

The platform functions as a simulated service provider, such as a merchant, which is “on-boarded” to the mobile money platform during the compliance process. After the provider has set up the necessary connectivity and configuration required by their platform, the compliance test cases are ready to be executed. In this case, the system being tested is the mobile money provider’s. During the execution of a test run, the compliance platform makes API requests to the mobile money platform and analyses and validates the responses received from the platform to ensure they conform to the rules of the Compliance Verification Service. 

More comprehensive details on how the validation is completed can be found in this ITP architecture blog and in the compliance architecture overview. In a nutshell, the platform uses an automatic OAS Validator to validate the GSMA API Specification schema and custom test case logic to validate any additional business rules. This ensures that all mandatory requirements of the GSMA API Specification described earlier have been met by the provider’s responses. 
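
The two validation layers described above, as an added example that is not the Compliance Platform's own code: a schema layer checks the status code, required headers and required JSON fields, then a business-rule layer compares the response with the request that was sent. The rule set, the header and field names, and the sample exchange are constructed assumptions, not taken from the GSMA API Specification.

```python
# Added illustration. Rule names, headers and body fields are constructed
# assumptions, not taken from the GSMA API Specification.
RULES = {
    "sync":  {"status": 201, "headers": ["content-type"],
              "body": {"transactionReference": str, "amount": str, "currency": str}},
    "async": {"status": 202, "headers": ["content-type"],
              "body": {"serverCorrelationId": str, "status": str}},
    "error": {"status": 400, "headers": ["content-type"],
              "body": {"errorCategory": str, "errorCode": str}},
}

def schema_findings(flow, status, headers, body):
    """Layer 1: status code, required headers, required typed JSON fields."""
    rule, findings = RULES[flow], []
    if status != rule["status"]:
        findings.append(f"status {status}, expected {rule['status']}")
    present = {name.lower() for name in headers}  # header names are case-insensitive
    for name in rule["headers"]:
        if name not in present:
            findings.append(f"missing header {name}")
    for field, kind in rule["body"].items():
        if field not in body:
            findings.append(f"missing field {field}")
        elif not isinstance(body[field], kind):
            findings.append(f"field {field} is not {kind.__name__}")
    return findings

def business_findings(flow, request, body):
    """Layer 2: rules a schema cannot express, checked against the request sent."""
    findings = []
    if flow == "sync":
        for field in ("amount", "currency"):
            if field in body and body[field] != request.get(field):
                findings.append(f"{field} does not match the request")
    if flow == "async" and body.get("status") not in (None, "pending"):
        findings.append("async acknowledgement must report status pending")
    return findings

def validate(flow, request, status, headers, body):
    """Run both layers and return a pass/fail result with every finding."""
    findings = schema_findings(flow, status, headers, body)
    findings += business_findings(flow, request, body)
    return {"passed": not findings, "findings": findings}

# Constructed sample exchange: a schema-valid response that breaks a business rule.
REQUEST = {"amount": "15.00", "currency": "USD"}
RESPONSE = {"transactionReference": "TX-1", "amount": "15.00", "currency": "EUR"}
RESULT = validate("sync", REQUEST, 201, {"Content-Type": "application/json"}, RESPONSE)
```

The sample response passes every schema check and still fails, which is the case the custom test case logic exists to catch.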

A deep dive into the compliance verification process 

What tools are available to developers in the verification phase? 

Three distinct modes are provided within the platform to support developers in different stages of development, testing and compliance. In manual mode, the developer can create and execute bespoke test sessions to check specific parts of their implementation. In test mode, developers can run all the required compliance tests according to their use case customisations as specified in the questionnaire responses. Finally, in compliance mode, developers can create an official compliance session and submit their final test results to the GSMA. 

The service allows the test cases to be configured according to the provider’s requirements via environment variables that can be used to set the API endpoints for requests, call-back URLs and data, such as test MSISDNs and currencies. 

The platform has many tools for examining and debugging APIs. For instance, in addition to pass/fail indicators, the platform displays the expected and actual request and response data, together with message logs and cURLs, for each test within each step of a test run for a particular test case. These enable developers to easily analyse failed test cases and resolve errors by updating their implementations until the test cases pass with expected response data. 

The service allows permitted custom headers and parameters to be added to API requests by implementing a simple plugin script, which can be uploaded into a session to amend the compliance platform API requests as required. 

The platform supports user groups, which enables organisations to create jointly accessible sessions and group environment variables for multiple users within an organisation or even multiple organisations. The group admin can manage other users and allow users to easily share results within the group. 

The GSMA Inclusive Tech Lab maintains the Compliance Verification Service and platform, and is available to support partners, resolve platform issues and review and roadmap new use case and test case requests. This will ensure the service continues to meet the needs of the industry as adoption increases. 

What happens when providers are ready to apply for official compliance with the GSMA? 

When developers are ready to submit their APIs to the GSMA for compliance, they simply create a compliance mode session. This can be identical to a successfully executed test mode session, except that, in this formal session, the test cases are not editable, and a limited number of attempts are allowed. 

In addition, in this mode, the GSMA requests that the provider read the API compliance security guidelines and be able to submit to the GSMA a brief security self-assessment. This covers baseline security conformance for the API provider’s operational security, and technical API security for client authentication and authorisation.  

The GSMA checks all aspects of the submission, including the test case results, the provider’s use case questionnaire and security questionnaire responses, and validates that all required test cases have passed. As part of the compliance confirmation, the GSMA sends providers the full details of their compliance test application and test results and, of course, their approval letter and compliant mark. 

How the GSMA can help providers optimise their use of the Compliance Verification Service 

Building high-quality and secure mobile money APIs that meet the needs of your merchants and other service providers can be time consuming, difficult and expensive. The GSMA API Specification is designed to reduce some of this effort by providing a well-designed API that follows technology best practices. Based on insights from working with our launch partners over the past year, we would also recommend following the steps below to get the most out of the Compliance Verification Service when creating a GSMA API-based platform and verifying its compliance. 

We are delighted to have the GSMA Mobile Money API compliance mark of approval for merchant payments and bulk disbursements for the Sasai Super App. With this verification, we believe we will be able to simplify our integration process for partners and help more customers access our services.

Owen Takadiyi, Chief Marketing Officer, Sasai Fintech. 

Before development even starts, the GSMA Mobile Money API Developer Portal can be explored to understand both the use case and the specific use case scenarios and flows that are relevant to your ecosystem and supported by your platform. Checking the compliance use case questionnaire in advance for desired scenarios and flows will give an early indication of exactly which test cases your implementation will need to pass for compliance, including all mandatory scenarios and some customised ones. 

During development, both the developer portal and the compliance platform in manual mode can be used in tandem to build and test your implementation in iterative cycles. The user group functionality can also be used to share implementation details, such as API responses and test execution results, with others in your organisation or affiliated organisations. These shared test sessions can contribute to your own internal QA and UAT processes.   

After development, the compliance platform can be used in test mode to ensure the platform is ready for formal compliance, which can then be performed in compliance mode just before UAT to production deployment. This ensures that your platform can benefit from GSMA API compliance marketing as soon as it is ready for integration by your ecosystem. 

The GSMA can provide support during all three development phases to ensure that your API is implemented correctly to be verified as compliant, and that any valid bespoke requirements are supported by the platform. 

Over the past year, we have worked hard to make the compliance service industry-ready by working closely with our launch partners to meet the real-world requirements of mobile money. This has included resolving issues on the platform, adding and updating test cases and adding many enhancements and customisations to both the platform and the service. 

Working with technology means continuously making improvements and expanding the scope. The Inclusive Tech Lab team will continue to enhance the platform, including our roadmap for additional GSMA API use cases. Some initial candidates are Account Linking, Agent Services and P2P use cases. Others will follow based on feedback from the industry on their priorities. 

Further Resources 

If you are interested in learning more about this service, there are many more resources to explore. You can find more details on the service and its current scope in the Compliance Verification Service brochure. If you are interested in joining the Compliance Platform, please request an invite. After joining, you can read the compliance FAQs and find further details about the platform architecture, test cases, user manual, tutorials, demos, business rules and security in the Compliance Platform documentation. And of course, to explore the underlying specification and help you implement a GSMA-compliant API, all developer documentation and tools are available at the GSMA Mobile Money API Developer Portal.

Get in touch! 

If you are interested in either compliance for an existing implementation of a GSMA API, or you are creating a new GSMA-compliant API, please get in touch at [email protected]. You can request an invite to the compliance platform to explore the service further and/or set up a meeting to discuss your options.