This Section applies to ASPSPs that have implemented OB Standards
Which date are you planning on implementing the SCA reauthentication exemption?
Barclays will implement Article 10A as part of a phased roll out completing by 27th September 2022
Barclays will implement Article 10A by 27th September 2022
What is your approach to token management to enable application of the reauthentication exemption? (see link to FCA guidance)
see notes
Any AIS consents created after Barclays implementation date for UK accounts will no longer require re-authentication every 90 days
Any consents that require re-authentication before September 2022 will remain valid for 90 days
For any AIS consents created with an expiry date, the access expiry date will be aligned to the expiry date provided
Where consent has been revoked, re-authentication cannot be managed by the third party and a new consent will be required
For EU accounts re-authentication every 90 days will still be required
As there is a divergence in the regulatory requirement for UK and EU accounts, where a client has both UK and EU accounts they will no longer be able to include them in one consent and will be required to set up separate consents
For any existing consents that include both UK & EU accounts post the Barclays implementation date, you will be required to set up separate new consents for each jurisdiction
There are no changes to Barclays' current implementation of Access Tokens. Third parties should continue to pass OAuth credentials in a Get Access Token call. In response, the Barclays authorisation server issues an access token; reuse the access token until it expires. When it expires, you can get a new token. When requesting a new access token, we recommend a 75 second minimum configuration as the connection timeout.
Article 10A - Endpoints exempt of SCA-RTS
Accounts
Transactions (90 days)
Balances
Standing orders
Direct debits
Beneficiaries
Products
Offers
Parties
Scheduled Payments
Statements
Article 10A - Endpoints not exempt of SCA-RTS
Transactions (more than 90 days)
Standing orders
Direct debits
Beneficiaries
Products
Offers
Parties
Scheduled Payments
Statements
Article 10A - Maximum time period after authentication
Please specify the time period in minutes
SCA-RTS implementation status (updated by OBIE PS team only)
Implemented
Security Profile
Which Security profile have you Implemented or planning to implement?
(Lowest version = Current, Highest version = Planned)
OB Security Profile (Legacy)
FAPI
Other (Please define)
Security Profile - Next Planned Version Implementation Date
CIBA Profile - Implemented or planning to implement
(Lowest version = Current, Highest version = Planned)
None
CIBA
CIBA FAPI Profile
Plans to be confirmed
CIBA Profile - Next Planned Version Implementation Date
TBC
Security Profile Certification date?
October 2020
Token Endpoint Authentication Methods Supported
client_secret_post
client_secret_basic
client_secret_jwt
tls_client_auth
private_key_jwt
Planned date to Cease support for client id and client secret token endpoint authentication
Client secret authentication is not supported
TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 2
The request object must contain an exp claim which we recommend to be set to (current time + 5 minutes)
You must use the PS256 algorithm to sign the request object
You must use private_key_jwt instead of client secret authentication
You must receive ID tokens signed with the PS256 algorithm
You must use "response_type=code id_token"
We’ll populate the acr claim in the ID token by default
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
eIDAS QWAC
eIDAS QSealC
OB legacy (obtransport, obsigning)
OBWAC
OBSeal
Other (Please define)
eIDAS QWAC and eIDAS QSealC will only be accepted for NON-UK based TPPs.
Have you Implemented OB Standards?
Yes
No
Open Data - Which version have you Implemented?
None
V2.2
V2.3
V2.4
Read/Write API Specification Implemented or planning to implement
(Lowest version = Current, Highest version = Planned)
V3.0
V3.1
V3.1.1
V3.1.2
V3.1.3
V3.1.4
V3.1.5
V3.1.6
V3.1.7
V3.1.8
V3.1.9
V3.1.10
V3.1.11
V4.0
Read/Write API - Which date are you planning to implement your latest version?
Have you implemented v4.0 information flows, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
Dynamic Client Registration - Which version have you Implemented or planning to implement?
(Lowest version = Current, Highest version = Planned)
None
V3.1
V3.2
V3.3
We have not implemented DCR for Open Banking, but rather we have implemented DCR for COP onboarding to v3.2 specification.
DCR - Which date are you planning to implement your latest version?
TBC
Have you implemented Trusted beneficiaries, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
Have you implemented Reverse Payments, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
Implemented for domestic and international payments.
Have you implemented ECA Standard?
Already Implemented
Planning to implement
Not planning to implement
Implementation plans under assessment, timeline tbc
ECA Implementation details
N/A
Have you implemented Bulk/File Payments?
Already Implemented
Planning to implement
Not planning to implement
Have you implemented VRP – Sweeping, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
Currently engaged in the managed roll out.
Have you implemented VRP non-Sweeping, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
PISP - Single Payment Limit
£
(Account and Product dependent) Detail available in FAQ's and Barclays Developer Portal
PISP - Daily Payment Limit
£
(Account and Product dependent) Detail available in FAQ's and Barclays Developer Portal
How many months of transaction do you provide?
(Account and Product dependent) Detail available in FAQ's and Barclays Developer Portal
Are you planning to implement TRIs (Transactional Risk Indicator enhancements included in v3.1.10), if so, implementation date?
September 15th 2022.
What is your approach to Implementing TRIs?
Accept payload with TRI fields – Process all fields
Accept payload with TRI fields – Ignore all fields
Reject payload with TRI fields – Error back to TPP
Accept payload with TRI fields – Process few fields (Provide list of accepted fields)
SCA-RTS 90-day reauth Implementation
| Channel | Payment Type | Payment Sub Type | New/Existing Beneficiary | Limit Type | Personal | Premier | Business |
|---|---|---|---|---|---|---|---|
| OLB | Third Party Immediate FPS | ITPFT | Existing | Txn Limit | 50000 | 50000 | 50000 |
| OLB | Third Party Immediate FPS | ITPFT | Existing | Daily Limit | 50000 | 100000 | 100000 |
| OLB | Third Party Immediate FPS | ITPFT | New | Txn Limit | 50000 | 50000 | 50000 |
| OLB | Third Party Immediate FPS | ITPFT | New | Daily Limit | 50000 | 100000 | 100000 |
| B.APP | Third Party Immediate FPS | ITPFT | Existing | Txn Limit | 30000 | 30000 | 50000 |
| B.APP | Third Party Immediate FPS | ITPFT | Existing | Daily Limit | 30000 | 30000 | 50000 |
| B.APP | Third Party Immediate FPS | ITPFT | New | Txn Limit | 30000 | 30000 | 30000 |
| B.APP | Third Party Immediate FPS | ITPFT | New | Daily Limit | 30000 | 30000 | 30000 |
Have you implemented TRIs (Transactional Risk Indicators), if not, date planned to Implement?
Implemented in September 2022.
Which date are you planning on implementing the SCA reauthentication exemption?
Completed September 2022
SCA-RTS implementation status (updated by OBL PS team only)
Implemented
Customer Journey / Security Profile
What is your approach to Implementing OBIE Customer Experience Guidelines (CEG)?
(tick all that apply)
Already Implemented
Planning to implement or upgrade
Not planning to implement CEG
Which version have you implemented or planning to implement
Which Security profile have you Implemented or planning to implement?
(Lowest version = Current, Highest version = Planned)
V3.1.2
V3.1.3
V3.1.4
V3.1.5
V3.1.6
V3.1.7
V3.1.8
V3.1.9
V3.1.10
Which date are you planning to implement your latest CEG version?
TBC
Redirection Model
App to App redirection
Decoupled authentication
Embedded Flow
Bespoke User Journeys
OB Security Profile (Legacy)
FAPI (ID2)
FAPI 1 Advanced
Other (Please define)
Security Profile - Next Planned Version Implementation Date
CIBA Profile - Implemented or planning to implement
(Lowest version = Current, Highest version = Planned)
None
CIBA
CIBA FAPI Profile
Plans to be confirmed
CIBA Profile - Next Planned Version Implementation Date
TBC
Security Profile Certification date?
November 2022
Token Endpoint Authentication Methods Supported
client_secret_post
client_secret_basic
client_secret_jwt
tls_client_auth
private_key_jwt
Planned date to Cease support for client id and client secret token endpoint authentication
Client secret authentication is not supported
TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 1.0 Advanced
The request object must contain an exp claim which we recommend to be set to (current time + 5 minutes)
The request object must contain a nbf claim which we recommend to be set to (current time - 5 minutes)
You must use the PS256 algorithm to sign the request object
You must use private_key_jwt instead of client secret authentication
You must receive ID tokens signed with the PS256 algorithm
You must use "response_type=code id_token"
We’ll populate the acr claim in the ID token by default
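A pre-flight check a TPP could run on its own request objects against the requirements listed above. This is an added example, not Barclays or OBL code: the function names and sample tokens are constructed, only the header and claims are inspected (the signature is not verified), and rejecting an expired `exp` or a future `nbf` follows standard JWT semantics rather than anything stated on this page.

```python
import base64
import json
import time

WINDOW = 300  # seconds; the 5-minute offset the page recommends for exp and nbf


def _decode(segment):
    # base64url without padding, as used in compact JWS serialisation
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def sample_request_object(header, claims):
    # Constructed sample: real header/claims, placeholder signature segment.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"


def lint_request_object(jwt, now=None):
    """Return (errors, warnings); the signature itself is NOT verified here."""
    now = int(time.time()) if now is None else now
    errors, warnings = [], []
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"], warnings
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"], warnings
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must be JSON objects"], warnings

    if header.get("alg") != "PS256":  # "must" on the page
        errors.append(f"alg is {header.get('alg')!r}, PS256 required")

    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int):  # presence is a "must", the offset a recommendation
        errors.append("exp claim missing or not numeric")
    elif exp <= now:
        errors.append("exp is in the past")
    elif exp > now + WINDOW:
        warnings.append("exp is later than the recommended now + 5 minutes")

    if not isinstance(nbf, int):
        errors.append("nbf claim missing or not numeric")
    elif nbf > now:
        errors.append("nbf is in the future")
    elif nbf < now - WINDOW:
        warnings.append("nbf is earlier than the recommended now - 5 minutes")

    if claims.get("response_type") != "code id_token":
        errors.append("response_type must be 'code id_token'")
    return errors, warnings
```

Errors correspond to the page's "must" items and warnings to its recommended offsets, so a request object with a one-hour `exp` is flagged but not rejected by this check.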
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
eIDAS QWAC
eIDAS QSealC
OB legacy (obtransport, obsigning)
OBWAC
OBSeal
Other (Please define)
eIDAS QWAC and eIDAS QSealC will only be accepted for NON-UK based TPPs.
PSD2
Which Directory are you using as your Trust Framework?
Open Banking
Are you caching the Directory?
Yes
Transaction IDs Supported
March 2019 - Option 3 Supported
Are you enrolled to Dispute Management System?
Yes
No
Are you Seeking Fallback Exemption?
Yes
No
Article 10 - Maximum time period after authentication
No restrictions applied other than SCA at Auth and Re-Auth
Article 10 - Endpoints exempt of SCA
None
Major Milestones
Delivered Items:
P2 2WR / Event Notification API since
AIS / PIS / COF v3.1.4 since
P7 Phase 1 (SIP) Refunds (Payments v3.1.4) since
P7 Phase 2 (Non-SIP) Refunds (Payments v3.1.4) from
P9 Payment Status since
- Changes may need to be made by TPP to cater for additional statuses as per OBIE specifications
- In some instances, TPPs will need to call the Payment Status endpoint to ensure they have the latest view
CEG v3.1.5 (Agency Arrangement) from
Waiver 007 (Payment and Event Notification Signing) from
Key points for TPP awareness and action:
All payment requests in Sandbox and Production (as appropriate) must not include the b64 claim in the header.
Your requests will fail if they include the b64 claim after this date.
Changes at TPP side to enable sending JWS signature in Payment requests (as per Waiver specs; 3.1.4 & above) can be made any time before 26th October - if the change is not made by this date then your requests will fail
Changes at TPP side to validate JWS signature in Barclays’ payment response can only be made after 26th October
AIS v3.1.6 (CASS) from
AIS / PIS / COF v3.1.7 - No changes implemented
3.1.8 - No changes implemented
Future Delivery Items:
Other deliverables to be aligned with CMA roadmap for 2021
3.1.8 (Sweeping)
Customer Journey
What is your approach to Implementing OBL Customer Experience Guidelines (CEG)?
(tick all that apply)
Already Implemented
Planning to implement or upgrade
Not planning to implement CEG
Which version have you implemented or planning to implement?
(Lowest version = Current, Highest version = Planned)
V3.1.2
V3.1.3
V3.1.4
V3.1.5
V3.1.6
V3.1.7
V3.1.8
V3.1.9
V3.1.10
V3.1.11
V4.0
Which date are you planning to implement your latest CEG version?
TBC
Redirection Model
App to App redirection
Decoupled authentication
Embedded Flow
Bespoke User Journeys
Major Milestones
Relevant AIS / PIS / CoF journeys supported for following payment account types:
Note that Account Holder Name for PCA / BCA customers is available through PARTIES end point and through ACCOUNTS end point for Barclaycard UK, Barclaycard Commercial Payment and Barclays Corporate customers
IMPORTANT INFORMATION
In order to complete Open Banking journeys, you will need to establish the Identity Provider (IDP) authentication method for your implementation.
An IDP is a system to authenticate and gain permission from an end user - such as a customer, to access their resources e.g. their account data. For Open Banking, this is used to authenticate the customer providing the consent to the Third Party.
Examples of an IDP in Open Banking include the Barclays app (Personal and Business Banking customers) and iPortal (Barclays Corporate clients), but we have a number of methods depending on the customer type and the digital channel that they use. This needs to be considered in your development.
The latest OpenID configuration (OIDC) URLs available are shown below
TPPs are reminded that the latest URLs MUST be used; where a legacy URL is still being used, the TPP MUST migrate to the URLs below
Note - some Business Banking clients will require the Corporate Banking IDP as they use Corporate Banking services to fulfil their business requirements, and some Corporate clients will require the Business Banking IDP as they use Business Banking services to fulfil their business requirements
Brand guidance
Open Banking guidelines for Barclaycard.pdf
Open Banking guidelines for Barclays.pdf
Barclays logos.zip
Barclaycard logos.zip
Use of the Barclays logo is not permitted for marketing purposes
The Barclays logo can be used for the purposes of identifying and distinguishing, within AIS and/or PIS, Barclays as the source of our Read-only Data and Read/Write Data
The Barclays logo can also appear in webpages or other materials for the purpose of displaying that the service can connect to Barclays, however this should only be done in conjunction with logos of other major banks.
There should be no specific identification of Barclays in isolation and no suggestion that Barclays in any way endorses or is partnered with your solution.