A growing number of states around the world require international travel operators to share API PNR passenger data with them. In this comprehensive guide, you will learn what API PNR is, why it’s important, and how you can collect and transmit it.
- What API PNR is and what it shows
- Why Passenger Information Units need this data
- How data can be shared and processed
- Challenges of complying with the requirements of individual states
- Ways to collect and transmit API PNR data effectively
Advanced Passenger Information (API) and Passenger Name Records (PNR) are two types of data that travel operators create whenever customers purchase tickets and travel with them. Over the past decade, individual states, blocs such as the EU, and international organisations have begun asking travel operators to collect and share API PNR data with them for purposes of national security and crime detection.
For major international airlines, train companies or ferry businesses, collecting and sharing API PNR data with states is an increasingly common process. However, for countless small and medium sized travel operators, conforming with API PNR requirements remains complex, expensive and time consuming.
To help you understand API PNR rules and requirements, this guide will give you a comprehensive overview of API PNR data, and show how you can comply.
What is API PNR?
As noted above, API and PNR are two kinds of data which most travel operators around the world collect any time they transport passengers across borders.
Advanced Passenger Information (API)
API refers to a passenger’s identity. This includes key information such as their full name, nationality and date of birth. It is usually found in passports, ID cards, or other travel documents.
API data is usually collected by airlines and other transport operators during the check-in process.
Different countries have different rules, but they usually require travel operators to send API at the time of departure – and some request it at other times too.
Passenger Name Records (PNR)
PNR is data that all airlines (and some other travel operators) collect about a passenger for business/operation purposes. It includes information such as:
- Passenger name
- Flight number
- Itinerary information
- Home address
- Meal requests
- Credit card details
- Phone number
- Onward travel information
- Frequent flyer details
- And much more
Different transport operators collect different amounts of information for their PNR. Some operators’ PNR includes little more than the passenger’s name, flight number and itinerary, while others collect much more personal information.
Why do a growing number of states request API PNR data?
In many countries, the authorities request API PNR data from travel operators who are arriving inside their borders. In most of Europe, this body is called a Passenger Information Unit (PIU), but similar bodies are known by other names elsewhere – Customer Border Protection or CBP in the USA, the Home Office in the UK, or the Bureau of Immigration (BI) in the Philippines, for example.
At first glance, API PNR data may seem mundane – details about names, passport details and routes may not initially appear particularly valuable.
However, when analysed on a large scale, it can provide a very powerful tool for states and international police to capture criminals, terrorists, and identify suspicious behaviour.
Here are some of the ways API PNR data is valuable:
- Known suspects: API PNR data can be cross referenced against national and international watch lists to identify criminals, terrorists, individuals on sanctions lists, and other people of interest. The PIU can check who is onboard all incoming flights (or ferries/trains/buses).
In some cases, the PIU may tell the airline that one particular passenger is not allowed to depart the origin country. Alternatively, the passenger information unit will alert police in their own country, who can apprehend a suspect when they arrive on the territory.
- Individuals that a state does not wish to travel: API PNR data can flag up individuals who have previously overstayed on their visa, people who have a criminal record, or anyone who is believed to pose a national security threat.
- Identify suspicious activity: PIUs can process and analyse API PNR data to identify suspicious activity. By analysing the kinds of journeys and travel plans, it might be possible to identify patterns. Here are some examples of how this data analysis can work:
- Sex trafficking: A PIU could use API PNR data to identify women travellers who are potential sex trafficking victims. Based on previous cases, they could set an automatic alert when API PNR data identifies people with a certain profile. For example, if the API PNR includes a young female passenger, who is travelling alone, who has a new passport, who booked her flight from a certain town, with a certain travel agency, at a certain time of year, the police may decide to interview her to determine if she is being trafficked.
- Terrorism: A man aged 20-25 books flight from a country that neighbours a war zone. He pays with cash the day before travel, and flies late at night. Based on travel patterns of known terrorists, the PIU may decide this passenger could be worth interviewing on arrival.
- Drug mules: A 15-year old child is flying from country X on her own, for her first ever flight. The API PNR data shows she has no luggage with her and is flying directly on a flight that costs over $1,000, on a ticket that was paid in cash. This kind of pattern could indicate the individual is a drug mule.
API PNR data has proven very valuable to states, anti-terrorism units and police investigators. For example, in France this data has been used to tackle money laundering, and to catch several ‘wanted’ individuals.
Related: Learn how the French government developed its API PNR system
History of API PNR data sharing
Over the past few decades, the number of people taking international flights has grown dramatically. In 1980, there were 200 million international flight passengers according to the IEA, but this has grown almost tenfold, reaching 1.9 billion by 2019. Because so many more people are travelling internationally today, it’s simply impossible for border forces to manually check every single passenger. Receiving, processing and analysing API PNR data therefore provides an effective way for states to find out who is entering their territory.
The United States was the first country to begin requesting API from airlines, beginning in 1990 on a voluntary basis. It requested operators to send this information before a flight had departed (but after the doors were closed) and allowed the authorities to cross reference passengers against lists of wanted individuals. Throughout the 1990s, several other countries began implementing API systems.
Then, following the September 11th terrorist attacks in 2001, the US government made the sharing of PNR data mandatory too, as a means to identify potential terrorists. Governments and industry around the world then spent much of the next decade standardising the kinds of systems and information required.
Which countries require API PNR data?
Today, around 106 countries require API data, and around 64 mandate the sharing of PNR data too. These include:
- All countries in North America (Mexico, United States, Canada)
- CARICOM – most countries in the Caribbean
- The European Union and most European countries
- Gulf countries including the UAE, Qatar and Bahrain
- East Asian countries including Thailand and Indonesia
- South Africa
API PNR laws, directives and guidelines
Until the past decade, sharing API PNR data was not mandatory. However, in the last 10 years, a growing number of countries have made it mandatory for airlines to share this information. There are several national, regional and international rules, directives and laws covering API PNR transmission. Here are some of the most important pieces of legislation:
UN Security Council Resolution 2178 on Foreign Terrorist Fighters
This 2014 UN resolution describes how UN Member States should combat terrorism. Among its requirements is for Member States to require airlines operating from their territory to transmit API data to destination states.
European Union (EU) Directive 2016/681
This piece of 2016 legislation requires all EU Member States to collect API PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
Learn more about EU Directive 2016/681 in our analysis
United Nations Security Council Resolution 2309
This 2016 UN resolution has similar goals to resolution 2178, but has an additional focus on requiring Member States to invest in technological capacity development to manage API data and share it.
OSCE Ministerial Council Decision 6/16 on Enhancing the Use of Advance Passenger Information
This 2016 decree requires all members of the OSCE (Organization for Security and Co-operation in Europe) to establish API systems, and also to automatically cross check API information against national and international watch lists.
Chicago Convention Annex 9 by the ICAO
The Chicago Convention is a long standing convention that governs the principles of international transport by air. Annex 9 of this convention (updated in 2017), states that each contracting state should establish an API system.
IATA/ICAO/WTO Guidelines on Advance Passenger Information (API)
These 2022 guidelines from three international trade and travel organisations are not laws and are therefore not mandatory, but outline best practice rules around the use of API, its capture and the way it is transmitted.
Who needs to transmit API PNR data?
Rules about who needs to collect and transmit API PNR data to passenger information units vary significantly from one country to another. Even in blocs like the EU, interpretation of the rules by individual states varies, and some countries are much more mature in their adoption and implementation than others. Ultimately, it is down to travel operators to understand the requirements in countries they travel to and from.
- API and PNR requirements have historically mainly applied to regular airlines that operate many international flights per day.
- However, a growing number of PIUs also request this information from private, unscheduled, charter and emergency flights.
- API PNR data is not required as often from train, ferry, cruise and bus operators. Nevertheless, there are some countries which do request this data from these operators. For example, in the USA, land and sea travel operators must share API data with the CBP. In Europe, ferries travelling between the UK and European ports must provide API data too.
Why it’s important to be able to transmit API PNR
There are multiple reasons that travel operators should transmit API PNR data. In some cases, it is simply mandatory. In other cases, it is not obligatory, but has several wider benefits:
- State requirement
Several governments require all travel operators to share API and PNR data with their national PIUs. Failing to share this data could result in fines, or your airline/travel business from being banned.
- The trend towards API PNR data sharing
Although many countries around the world still do not require API PNR data to be shared, it is clear that this is the trend, with more countries requiring it every year. By starting to collect and process this data now, you will be ready for when it becomes mandatory.
- Support the fight against crime and terrorism
As described above, collecting and sharing API PNR data can help states, the police and other international organisations to fight crime and terrorism.
- Avoid delays
Ensuring you have shared all API and PNR data in advance, and in the format that the destination passenger information unit requests, means you are less likely to face delays from authorities that want more information on your passengers.
What’s the process of sharing API PNR data with a passenger information unit?
The following table illustrates how API PNR data is normally collected and shared:
The airline transmits the different API PNR data to the PIU :
- via the state’s web portal
- directly to the State’s system (using oftenly its official gateway provider such as Streamlane)
States do not accept this information via email as it is not a secure transmission way, except in very rare cases
Methods of transmitting API PNR data
Airlines and other travel operators can transmit data to PIUs using a variety of methods, including:
- Third party providers
A third party provider can handle the processing, formatting and transmission of API and PNR data to PIUs, and is responsible for ensuring data is shared in the destination state’s required format.
- State web portal
This is a free service that allows travel operators to log into the passenger information unit’s portal, and upload all API and PNR data manually.
- Direct connection to PIU system
The travel company can request a direct connection to the state system. In the case, it means to be able to gather the requested data, generate the message into the format expected by the state and send the messages on due time. It also means to follow the connection process: follow the process imposed by the authority to get registered administratively in the state system, implement the requested connectivity and pass the test campaigns.
Common challenges with API PNR
For travel operators, collecting and transmitting API PNR data to passenger information units can be very challenging – particularly for smaller airlines and operators who don’t have large budgets to invest in IT.
Here are some of the key challenges with API PNR:
- Diverse requirements: Requirements around API PNR data can vary significantly from one destination to the next. Knowing what needs to be sent, and in what format is often unclear, since individual countries have set their own rules.
- No universal process: Unfortunately, there is no universal process that national PIUs follow. For example, in some EU countries, only flights coming from outside the Schengen zone must share API data. For other EU Member States, flights from/to countries inside EU must also share this PNR and sometimes API data.
- Formatting: To transmit API PNR data, it’s vital that the information is transmitted in the format that PIUs accept. Again, this requires operators to know which types of information to include and how it should be formatted.
- System communication challenges: Sometimes travel operators collect API and PNR data in their own reservation system. Each reservation system needs to build a secure link to each state’s system, so they can then ‘speak’ to each other (transfers API-PNR files to state systems and receives acknowledgement). Making these different systems communicate with each other is very complex.
- Security: Ensuring that data is transmitted via a secure method is vital, especially as it contains such sensitive information. Travel operators must ensure their data collection and transmission methods are watertight.
- Costs: There are several costs related to API PNR data transmission, including time spent inputting data, costs of training staff to use technology, and investing in software and hardware.
Up and running: Learn how Luxembourg set up its own PIU
Where to begin with API PNR?
Many travel operators who are new to API PNR find it can be challenging to start adapting to the requirements of these rules and regulations. However, complying with the needs of different PIUs is actually relatively straightforward.
The following three steps outline how airlines, maritime operators, rail firms and even bus companies can begin meeting destination countries’ API PNR requirements.
1. Learn what the passenger information unit needs
Your first step is to gather information on what the PIU requires in terms of API and PNR. If you are launching a route to a new destination country, contact the state’s PIU to learn what data they require and what format they need it in.
2. Review your API PNR data consolidation process
Once you know what the PIU’s requirements are, you can then review your own processes to learn what additional data you need to collect. This may require you to change the parameters around what data you ask passengers to provide when they reserve tickets with you.
3. Transmit the data
When you have updated your data collection processes, you now simply need to transmit this data in the format the destination PIU requires, at the different time they need.
Although this process is, in theory, fairly simple, it is not always straightforward. States may change their rules, data format or types may evolve, and completing this process for multiple countries is time consuming.
Ready to go: How we help carriers of all sizes comply with API PNR rules
Helping you send API PNR data to passenger information units
At Streamlane, we help governments and travel operators to secure borders against international terrorism and crime, while offering a simple and efficient border crossing process. Our technology, built in close partnership with several states’ PIUs and airlines, provides travel operators of any size with a single place to collect and transmit API and PNR data.
Our cloud-based platform connects with your reservation system, departure control system and passenger management system. It then processes this data, and transmits it in the format and timing that the PIU in your destination country requires. Through our close relationships with PIUs and continual monitoring, we ensure that the data you send is always up to date and complies with states’ requirements.
See how Streamlane works for transport operators
Streamlane’s easy to integrate and use platform means you can:
- Collect and share all API PNR data in the right format, every time
- Avoid system interoperability issues or sending data in the wrong format
- Avoid delays, confusion or misunderstandings
- Never manually enter or send data again
- Save significant amounts of time communicating with PIUs in new destination countries – Streamlane does it all for you
Our platform conforms to the highest data privacy and security standards, and we continually monitor and test the platform to ensure it meets the highest standards and continues to be GDPR compliant. Oure experienced support teams are also able to answer any questions, help you set up your process, and even offer customisations of the system so it meets your exact needs.
If you need to collect and share API PNR data with the passenger information unit in a destination country, Streamlane can help. Contact us today to learn more about our services, and learn how you can achieve API PNR compliance.