Versions Compared

Version Old Version 77 New Version 78
Changes made by

Callum Flaherty

Praveen Ponnumony

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

h

detailsMethod of Identification
Panel
titleColorBlack
borderStyledashed
titleOB Standards
borderStyledashed
title

This Section applies to ASPSPs that have impletemented OB Standards


Implement
Info
iconfalse
idStandards-Production


Implement Open Data v2.2COMPLETE
Have you Implemented OB Standards?
  •  Yes
  •  No

Open Data - Which version have you Implemented?
  •  None
  •  V2.2
  •  V2.3
  •  V2.4

Read/Write API Specification

v3.1		COMPLETECurrent implementation - R/W v3.1.6
Implement Customer Experience Guidelines v1.1COMPLETECurrent implementation - CEG v3.1.5
Implement App-to-App RedirectionCOMPLETEImplement OB Security Profile Implementer's Draft v1.1.2COMPLETE
Implement FAPI Profile Implementers Draft 2

COMPLETE

TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 2

  • The request object must contain an exp claim

  • You must use PS256 algorithms to create the request Object signing

  • You must use https://oauth.tiaa.barclays.com as the aud claim in the request Object

  • You must use private_key_jwt instead of client secret authentication

  • You must receive ID tokens with PS256 signing algorithms

  • You must use “response type=code id_token

  • We’ll populate the acr claim in the ID token by default

Implement CIBA Profile Implementers Draft 1TBCPlans to be confirmed
Implement Dynamic Client Registration v1.1Not Delivered
Implement Dynamic Client Registration v3.1TBCPlans to be confirmed
Decommission Read/Write API Specification v1.x/2.x

Plans to decommission AIS v1 / v2 in May however this has been delayed due to COVID.

Plans to decommission PIS v1 on November 23rd 2020. 

Decommission OB Security Profile Implementer's Draft v1.xTBC - No Plans
Panel

Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  •  V3.0
  •  V3.1
  •  V3.1.1
  •  V3.1.2
  •  V3.1.3
  •  V3.1.4
  •  V3.1.5
  •  V3.1.6
  •  V3.1.7
  •  V3.1.8

Read/Write API - Which date are you planning to implement your latest version?

Dynamic Client Registration - Which version have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  None
  •  V3.1
  •  V3.2
  •  V3.3
Plans to be confirmed
DCR - Which date are you planning to implement your latest version?TBC

Have you implemented Trusted beneficiaries, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented Reverse Payments, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

PISP - Single Payment Limit£
PISP - Daily Payment Limit£
How many months of transaction do you provide?




Panel
titleColorBlack
borderStyledashed
titleSecurity Profile


See section below for details of future cert support model and dates
Page Properties
idID-Production


Commence support for eIDAS QWAC certificatesFrom Q1 2020
Commence support for eIDAS QSEAL certificates
From Q1 2020

Commence support for OBIE QWAC-like certificates

From 14th September
Commence support for OBIE QSEAL-like certificatesFrom 14th September
Cease support for OBIE non eIDAS-like certificates for transportNo Plans
Cease support for OBIE non eIDAS-like certificates for signingNo Plans
Support for MTLS token endpoint authenticationNo PlansSupport for private_key_jwt token endpoint authenticationCOMPLETE

Which Security profile have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  OB Security Profile (Legacy)
  •  FAPI
  •  Other (Please define) 

Security Profile - Next Planned Version Implementation Date 
CIBA Profile - Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  •  None
  •  CIBA
  •  CIBA FAPI Profile
Plans to be confirmed
CIBA Profile - Next Planned Version Implementation Date
 

Security Profile Certification date?



Token Endpoint Authentication Methods Supported
  •  
    client_secret_post
  •  
    client_secret_basic
  •  
    client_secret_jwt
  •  
    tls_client_auth
  •  Private_key_jwt

Planned date to Cease support for client id and client secret token endpoint authentication
COMPLETE

Client secret authentication is no longer supported

TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 2

  • The request object must contain an exp claim

  • You must use PS256 algorithms to create the request Object signing

  • You must use https://oauth.tiaa.barclays.com as the aud claim in the request Object

  • You must use private_key_jwt instead of client secret authentication

  • You must receive ID tokens with PS256 signing algorithms

  • You must use “response type=code id_token

  • We’ll populate the acr claim in the ID token by default

See section below for details of future cert support model and dates





titleColor
Panel
White
titleBGColor#6180c3
borderStyledashed
titlePost Brexit Certificate Implementation


  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
Page Properties
idStandards-Production
PRE-BREXIT - Certificates Accepted (until 31st Dec 2020)


POST-BREXIT TRANSITION - Certificates Accepted (1st Jan 2021 - 30th Jun 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
  • eIDAS QWAC and eIDAS QSealC will only be accepted for NON-UK based TPP's. 
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
  • eIDAS QWAC and eIDAS QSealC will only be accepted for NON-UK based TPP's. 
Planned Implementation Date to Satisfy FCA's Post Transition

TBC


TPP PSU Migration Outcomes Supported (see eIDAS Migration Playbook)

Outcomes 4 and 8


POST-BREXIT Certificate Implementation Status (updated by OBIE IES team)

statusReadycolour





Greentitle
Panel
titleColor
Black
READY
Panel
borderStyledashed
titleImplementationCustomer Journey


OBSEAL / QSEAL
Page Properties
idTC-IMP

Directory?

Open Banking

Location of Well Known Endpoints?

OB Technical Directory

API Standard Implemented?

Open Banking

Name of Account Holder Implementation Date?

Completed - September 2019Date of Current eIDAS Implementation?September 2019Current Certificates used for Identification?OB Transport + ClientID + Secret
OBWAC		Current Certificates used for Transport?OB Transport / OBWACCurrent Certificates used for Signing?OB Signing / OBSEALDate of Future eIDAS Implementation?March 2020

As of the 14th of March, TPPs with eIDAS certificates who have registered with the Open Banking Implementation Entity and are onboarding with OBWAC/OBSEAL or QWAC/QSEAL certificates, can continue to use manual onboarding via the developer portal. Using this method, the TPP logs onto the developer portal with their Open Banking credentials and can create an application to onboard. This will ensure the TPP can continue to use their existing application on the developer portal that any associated live customer consents will have been created under. If a TPP has an eIDAS certificate, and wants to onboard directly with us, this is possible via our Dynamic Client Registration.

Future Certificates used for Identification?OBWAC / QWACFuture Certificates used for Transport?

OBWAC / QWAC

Future Certificates used for Signing?
CJ


What is your approach to Implementing OBIE Customer Experience Guidelines (CEG)?

(tick all that apply)

  •  Already Implemented
  •  Planning to implement or upgrade
  •  Not planning to implement CEG

Which version have you implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  V3.1.2
  •  V3.1.3
  •  V3.1.4
  •  V3.1.5
  •  V3.1.6
  •  V3.1.7
  •  V3.1.8

Which date are you planning to implement your latest CEG version?TBC
Redirection Model
  •  App to App redirection
  •  Decoupled authentication
  •  Embedded Flow
  •  Bespoke User Journeys

Options on 90 day re-authentication?

90 day re-authentication required across all Open Banking flows




Panel
titleColorBlack
borderStyledashed
titlePSD2


Page Properties
idTC-PSD2


Which Directory are you using as your Trust Framework?Open Banking
Are you caching the Directory?

Transaction IDs SupportedMarch 2019 - Option 3 Supported

Are you enrolled to Dispute Management System?

  •  Yes
  •  No

Are you Seeking Fallback Exemption?

  •  Yes
  •  No


Article 10 - Maximum time period after authenticationNo restrictions applied other than SCA at Auth and Re-Auth
Article 10 - Endpoints exempt of SCA

None


Major Milestones

Delivered Items:

  • P2 2WR / Event Notification API since 
  • AIS / PIS / COF v3.1.4 since 
  • P7 Phase 1 (SIP) Refunds (Payments v3.1.4) since 
  • P7 Phase 2 (Non-SIP) Refunds (Payments v3.1.4) from 
  • P9 Payment Status since  - Changes may need to be made by TPP to cater for additional statuses as per OBIE specifications - in some instances, TPPs will need to call the Payment Status endpoint to ensure they have the latest view
  • CEG v3.1.5 (Agency Arrangement) from 
  • Waiver 007 (Payment and Event Notification Signing) from 

    • Key points for TPP awareness and action;

      • All payment requests in Sandbox and Production (as appropriate) must not include the b64 claim in the header.
      • Your requests will fail if they include the b64 claim after this date.
      • Changes at TPP side to enable sending JWS signature in Payment requests (as per Waiver specs; 3.1.4 & above) can be made any time before 26th October – if the change is not made by this date then your requests will fail
      • Changes at TPP side to validate JWS signature in Barclays’ payment response can only be made after 26th October
    • AIS v3.1.6 (CASS) from 

Future Delivery Items:

  • AIS / PIS / COF v3.1.7 from 
  • Other deliverables to be aligned with CMA roadmap for 2021


Relevant AIS / PIS / CoF journeys supported for following payment account types:

  • Current Accounts (Personal and Business)
  • Current Accounts (Corporate)
  • Savings Accounts (Personal and Business)
  • Personal Credit Cards (Barclaycard)
  • Corporate Credit Cards
  • Currency Accounts (Personal and Business)
  • Currency Accounts (Corporate)


See https://developer.barclays.com/ for additional information relating to end point coverage

Note that Account Holder Name for PCA / BCA / Pingit customers is available through PARTIES end point and through ACCOUNTS end point for Barclaycard UK, Barclaycard Commercial Payment and Barclays Corporate customers


IMPORTANT INFORMATION

In order to complete Open Banking journeys, you will need to establish the Identity Provider (IDP) authentication method for your implementation.

An IDP is a system to authenticate and gain permission from an end user - such as a customer, to access their resources e.g. their account data. For Open Banking, this is used to authenticate the customer providing the consent to the Third Party.

Examples of an IDP in Open Banking includes Barclays app (Personal and Business Banking customers) and iPortal (Barclays Corporate clients), but we have a number of methods depending on the customer type and digital channel that they use. This needs to be considered in your development.

The latest OpenID configuration (OIDC) URLs available are shown below

TPPs are reminded that latest URLS MUST be used and where a legacy URL is still being used then TPP MUST migrate to URLs below

Note - some Business Banking clients will require the Corporate Banking IDP as they use Corporate Banking services to fulfil their business requirements and some Corporate clients will require the Business Banking IDP as they use Business Banking services to fulfil their business requirements


Brand(s)
Security Profile?

Currently Open Banking Security Profile

FAPI 2 rules enforced

TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 2

  • The request object must contain an exp claim

  • You must use PS256 algorithms to create the request Object signing

  • You must use https://oauth.tiaa.barclays.com as the aud claim in the request Object

  • You must use private_key_jwt instead of client secret authentication

  • You must receive ID tokens with PS256 signing algorithms

  • You must use “response type=code id_token

  • We’ll populate the acr claim in the ID token by default

Security Profile Certification?Yes

CIBA

TBC - No plansUsing Open Banking as your eIDAS Trust Framework?TBCAre you caching the Directory?Transaction IDsMarch 2019 - Option 3 Supported





SCA compliant digital channel logon

Scope of Open Banking flows limited to PSD2 accounts only
Panel
Panel
titleColorBlack
borderStyledashed
titleCustomer JourneyASPSP Dev Portal and Contact Details


Page Properties
idTC-CJ

Implementing Customer Experience Guidelines?

Yes

Current CEG Version?v3.1.5Next CEG Version?TBCNext Version Implementation DateTBC

Implementing Bespoke User Journeys?

No

Implementing App to App?

YesApp to App Implementation Date?Live

Options on 90 day re-authentication?

90 day re-authentication required across all Open Banking flows

Support Embedded Flow?

No
Panel
borderStyledashed
titlePSD2
Dev Portal URLs
Page Properties
idTC-PSD2


Dispute Management System?

YesFCA Adjustment Period - Maintaining Screen Scraping?Yes

Seeking Fallback Exemption?

Yes

Adjusted or Fallback Interface?

NoAdjusted or Fallback URL?N/AContact Email or Phone Number?BarclaysAPISupport@barclayscorp.com

Location of Well Known Endpoints



Modified Customer Interface URL (if applicable)



Dev Portal URLhttps://developer.barclays.com/open-banking
Test Facility
Implementation Date?		 Production Interface Implementation Date? Contingency MeasuresBarclays are aligned to FCA adjustment period and supporting the phased migration of Screen Scraping by TPPsArticle 10 - Maximum time period after authentication?No restrictions applied other than SCA at Auth and Re-AuthArticle 10 - Endpoints exempt of SCANone

Authentication Method - Open Banking Channel (Browser)?

SCA compliant digital channel logon

Authentication Method - Open Banking Channel (APP)?

SCA compliant digital channel logon

Authentication Method - Private Channel (Browser)?

Authentication Method - Private Channel (APP)?

SCA compliant digital channel logon

Authentication Method Implementation Date (Open Banking Channel)?

Live

Authentication Method Implementation Date (Private Channel)?

Live

SCA Implementation Date?

Live

SCA Scope? (will it inhibit non PSD2 accounts)

No
URL

ASPSP Support Desk Email or Phone Number

BarclaysAPISupport@barclayscorp.com




Panel
titleColorBlack
borderStyledashed
titleKey Implementations


Waiver 007 (Payment and Event Notification Signing) from 

Key points for TPP awareness and action;

  • All payment requests in Sandbox and Production (as appropriate) must not include the b64 claim in the header.
  • Your requests will fail if they include the b64 claim after this date.
  • Changes at TPP side to enable sending JWS signature in Payment requests (as per Waiver specs; 3.1.4 & above) can be made any time before 26th October – if the change is not made by this date then your requests will fail
    • Changes at TPP side to validate JWS signature in Barclays’ payment response can only be made after 26th October

    Page Properties
    idTC-HCC


    High Cost Credit

    		Barclays - HCC.xlsx

    View file
    nameBarclays - HCC.xlsx
    height250

    Page Properties
    idTC-W7

    After Waiver 7 Expiry (16/06/20) option supported: Option 1 - The parameter b64 being set to FALSE OR Option 2 - The b64 claim not being in the header