← View all articles 19 Sep 2023

API and PNR – why carriers need to share passenger data with border security

API and PNR – why carriers need to share passenger data with border security

Electronic data transfer concerning cross-border travellers is the way forward for national governments that aim to improve their border control and security processing. Carriers who do not comply with API and PNR regulations can potentially contribute to security threats and face hefty fines.

In this article, you will learn about the core difference between API and PNR and everything you need to know as a carrier to stay compliant with the passenger data regulations.

  1. What is Advanced Passenger Information and Passenger Name Record?
  2. Why are API data and PNR data collected from airlines?
  3. Challenges of meeting the API and PNR regulations
  4. Legal consequences of non-compliance
  5. How can air carriers easily comply with passenger reporting regulations?

What is Advanced Passenger Information and Passenger Name Record?

Advanced Passenger Information (API) and Passenger Name Record (PNR) are the two main types of passenger data that carriers collect and then pass to the relevant national agencies, along with some flight identification details.

Advanced Passenger Information

Advanced Passenger Information includes data relating to each passenger’s identity. API is typically collected from travel documents, such as passports, and includes:

  • Surname / Given Names
  • Nationality
  • Date of Birth
  • Gender
  • Travel Document details (type, number, issuing state/organization, expiration date)

Data transfer takes the form of a batch API (where carriers don’t receive a pax status as a reply) or an interactive API (after which states give airlines an instantaneous BOARD or NO BOARD response).

Passenger Name Record

Passenger Name Record contains all the information about travel reservations. PNR may differ from carrier to carrier, depending on the booking process and business approach. It can include a wide range of information, such as:

  • Phone numbers
  • E-mail addresses
  • Forms of payment
  • Seat information
  • Ticket information
  • Home / Destination addresses
  • Baggage information
  • SSR codes (Special Services Requests, e.g. meal requirements or wheelchair assistance)
  • Car / Hotel bookings

Why are API data and PNR data collected from airlines?

The collection of API data is required by border security for immigration purposes and improved border management. Meanwhile, the PNR data can be used for risk assessment in countering terrorism and serious crime as it allows data analysts and intelligence officers to spot potentially suspicious trends, relationships, or travel patterns.

Overall, passenger data can be a powerful tool for Immigration, Customs, Law Enforcement, and Security units around the world, and a growing number of countries are implementing their own data reporting programs that carriers need to comply with, on pain of financial penalties and other sanctions.

Challenges of meeting the API and PNR regulations

Bureaucratic challenge

Once you start looking into the API and PNR regulations, you can easily get lost in a maze of requirements. Even though there is a set of regulatory global standards (established and maintained jointly by the International Air Transport Association, International Civil Aviation Organization, and World Customs Organization), the devil is in the details. The level of implementation of those global standards as well as the specific local regulations differ from country to country. Here are some core aspects of difference:

  • Data type and scope: Some countries only require PNR data. Others only ask for API data. And some oblige you to send both. There are also countries where the scope of required data differs depending on the character of your flight operations (GA, private, scheduled, cargo, ect.).
  • Dedicated border control agencies: Within the EU, PNR is usually handled by the local Passenger Information Units (PIUs). API might be handled either by PIUs or by other agencies, such as the Ministry of the Interior or the Federal Police. Outside of the EU, the agencies differ even more.
  • Timing intervals: The number of submissions and the required data push times also vary a lot.

The number of submissions and the required data push times for PNR vary from country to country.

Just imagine managing this manually for every flight and all of your destination countries…

Technological challenge

If you don’t want to upload all the data manually for each flight and jump from one state web portal to another, you will need to build system connections for every country that you fly to, and then pass the connectivity tests. This is time-consuming and requires professional development resources. Not to mention that the connection needs to be secured properly since the process involves handling sensitive personal data.

Financial challenge

Staying up-to-date with changing national regulations and handling manual submissions in accordance with specific requirements costs time and manpower. But so does building your own system integration to automate the data transfer. ICAO, WCO, and IATA have estimated that airlines need at least 3 to 6 months for establishing a new standard API connection.

If you choose to submit data manually, bear in mind that some countries do not have web portals. In such a case, the simplest option left for carriers is to send Type B messages, which requires access to a paid distribution service.

Legal consequences of non-compliance

Non-compliance with the API and PNR regulations may cost you your business. You can be subjected to sanctions and fines. The penalty amounts are determined by local regulations. EU member states can be very strict, imposing fines that vary from 3,000 EUR to 100,000 EUR for each non-reported flight. These penalties can get much higher in case of repeated violations. Moreover, additional sanctions may apply, such as the aircraft’s takeoff ban or the carrier’s temporary suspension.

Some countries issue warnings to carriers that failed to meet the API / PNR obligations, while others may simply issue a penalty after a few months… once the penalties have accumulated. Note that there is also the cost of translation services (as the official correspondence is often conducted in the language of the country imposing the fine), and any legal costs if you hire a lawyer.

Poland is one of the EU countries that has become quite infamous in the aviation industry for not issuing any warnings. Their approach has resulted in a total of almost 900 million euros in penalties imposed on aircraft operators after the Polish PNR regulations were introduced in 2018.

How can air carriers easily comply with passenger reporting regulations?

The good news is that meeting the API and PNR regulations does not need to be as daunting as it sounds. The process can be automated, relieving your dispatch and operations teams from the stressful manual workload.

PnrGo has developed a large network of connections worldwide for API and PNR data transfer and we keep on adding new countries to our list. By choosing our solution, you can speed up the process of connecting to a new country. What’s even more important, your API / PNR data will get delivered in the correct format, to the right agency, and at the required time.

On top of that, our solution comes with a team of operations specialists who will support you every step of the way! You will benefit from our expertise in handling all the formal procedures (including connectivity tests and the necessary certification for operational data transmission). We take over from you the laborious communication process with the local authorities, reducing your input to a minimum.

Finally, our out-of-the-box integrations with popular flight management systems allow you to be up and running in no time, keeping your business compliant without much effort.

Are you interested in the automated API and PNR data transfer? Schedule a call with one of our Sales Representatives to discuss your needs.