Page Comparison

As of the 14^th of March, TPPs with eIDAS certificates who have registered with the Open Banking Implementation Entity and are onboarding with OBWAC/OBSEAL or QWAC/QSEAL certificates, can continue to use manual onboarding via the developer portal. Using this method, the TPP logs onto the developer portal with their Open Banking credentials and can create an application to onboard. This will ensure the TPP can continue to use their existing application on the developer portal that any associated live customer consents will have been created under. If a TPP has an eIDAS certificate, and wants to onboard directly with us, this is possible via our Dynamic Client Registration.

OBWAC / QWAC

Future Delivery Items:

Future Delivery Items:

• CEG v3.1.5 (Agency Arrangement) from 30 Sep 2020
• Waiver 007 (Payment and Event Notification Signing) from 14 Aug 2020 
• No changes are needed before this date.
Once this is completed, it’s important to note validation will be completed against all Payment requests against v3.1.4 or higher and all /POST event-subscriptions requests. To avoid failures you must 06 Oct 2020 Sandbox and 15 Oct 2020 Production

• Key points for TPP awareness and action;

  • All payment requests in Sandbox and Production (as appropriate) must not include the b64 claim in the header.
  • Your requests will fail if they include the b64 claim after this date.
  Message Signing functionality for payment requests will also be available in our TPP Sandbox environment from 27 Jul 2020 
  • Changes at TPP side to enable sending JWS signature in Payment requests (as per Waiver specs; 3.1.4 & above) can be made any time before 15^th October – if the change is not made by this date then your requests will fail
  • Changes at TPP side to validate JWS signature in Barclays’ payment response can only be made after 15^th October
• P7 Phase 2 (Non-SIP) Refunds (Payments v3.1.4) from 30 Nov 2020
• AIS v3.1.6 (CASS) from 30 Nov 2020

Relevant AIS / PIS / CoF journeys supported for following payment account types:

• Current Accounts (Personal and Business)
• Current Accounts (Corporate)
• Savings Accounts (Personal and Business)
• Personal Credit Cards (Barclaycard)
• Corporate Credit Cards
• Currency Accounts (Personal and Business)
• Currency Accounts (Corporate)
• Pingit E-Wallets

See https://developer.barclays.com/ for additional information relating to end point coverage

Note that Account Holder Name for PCA / BCA / Pingit customers is available through PARTIES end point and through ACCOUNTS end point for Barclaycard UK, Barclaycard Commercial Payment and Barclays Corporate customers

IMPORTANT INFORMATION

In order to complete Open Banking journeys, you will need to establish the Identity Provider (IDP) authentication method for your implementation.

An IDP is a system to authenticate and gain permission from an end user - such as a customer, to access their resources e.g. their account data. For Open Banking, this is used to authenticate the customer providing the consent to the Third Party.

Examples of an IDP in Open Banking includes Barclays app (Personal and Business Banking customers) and iPortal (Barclays Corporate clients), but we have a number of methods depending on the customer type and digital channel that they use. This needs to be considered in your development.

The latest OpenID configuration (OIDC) URLs available are shown below

TPPs are reminded that latest URLS MUST be used and where a legacy URL is still being used then TPP MUST migrate to URLs below

• Personal Banking - https://oauth.tiaa.barclays.com/BarclaysPersonal/.well-known/openid-configuration
• Business Banking* - https://oauth.tiaa.barclays.com/BarclaysBusiness/.well-known/openid-configuration
• Barclays Wealth - https://oauth.tiaa.barclays.com/BarclaysWealth/.well-known/openid-configuration
• Barclaycard UK - https://oauth.tiaa.barclays.com/BarclaycardUK/.well-known/openid-configuration
• Barclaycard Commercial Payments - https://oauth.tiaa.barclays.com/BCP/.well-known/openid-configuration
• Barclays Corporate* - https://oauth.tiaa.barclays.com/BarclaysCorporate/.well-known/openid-configurationPingit - https://oauth.tiaa.barclays.com/Pingit/.well-known/openid-configuration

Note - some Business Banking clients will require the Corporate Banking IDP as they use Corporate Banking services to fulfil their business requirements and some Corporate clients will require the Business Banking IDP as they use Business Banking services to fulfil their business requirements

Currently Open Banking Security Profile

FAPI 2 rules enforced from 31st July other than use of PRIVATE KEY JWT

TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 2

• The request object must contain an exp claim

• You must use PS256 algorithms to create the request Object signing

• You must use https://oauth.tiaa.barclays.com as the aud claim in the request Object

• You must use private_key_jwt instead of client secret authentication

• You must receive ID tokens with PS256 signing algorithms

• You must use “response type=code id_token

• We’ll populate the acr claim in the ID token by default