Versions Compared

Version Old Version 12 New Version Current
Changes made by

Praveen Ponnumony

Sriram Tumuluri

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Panel
titleColorBlack
borderStyledashed
titleOB Standards

This Section applies to ASPSPs that have implemented OB Standards

Implement
Page Properties
iconfalse
idTC-OB Standards-Production
Implement Open Data v2.2September 2018


-Have you Implemented OB Standards?
  •  Yes
  •  No

Open Data - Which version have you Implemented?
  •  None
  •  V2.2
  •  V2.3
  •  V2.4

Read/Write API Specification

v3.1
March - August 2019Implement Customer Experience Guidelines v1.1March 2019Implement App-to-App RedirectionFor Mobile Banking customers:
IOS - September 2019
Android - September 2019		Implement OB Security Profile Implementer's Draft v1.1.2N/A - Our assumption is that the conformance side of security profile was replaced with the FAPI conformance.Implement FAPI Profile Implementers Draft 2September 2019Implement CIBA Profile Implementers Draft 1N/AImplement Dynamic Client Registration v1.1September 2019Implement Dynamic Client Registration v3.1Due in 2020Decommission Read/Write API Specification v1.x/2.x

 v1.1 (AIS Only)

Decommission OB Security Profile Implementer's Draft v1.xN/A
Panel
borderStyledashed
titleMethod of Identification
Page Properties
idID-Production
Commence support for eIDAS QWAC certificatesCommence support for eIDAS QSEAL certificates
 

Commence support for OBIE QWAC-like certificates

Commence support for OBIE QSEAL-like certificatesCease support for OBIE non eIDAS-like certificates for transportCease support for OBIE non eIDAS-like certificates for signingSupport for MTLS token endpoint authenticationSupport for private_key_jwt token endpoint authenticationCease support for client id and client secret token endpoint authentication
Panel
titleColorWhite
titleBGColor#6180c3
borderStyledashed
titlePost Brexit Certificate Implementation
POST-BREXIT Certificate Implementation Status (updated by OBIE IES team)
Page Properties
idStandards-Production
PRE-BREXIT - Certificates Accepted (until 31st Dec 2020)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
POST-BREXIT TRANSITION - Certificates Accepted (1st Jan 2021 - 30th Jun 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
Planned Implementation Date to Satisfy FCA's Post TransitionTPP PSU Migration Outcomes Supported

Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  •  V3.0
  •  V3.1
  •  V3.1.1
  •  V3.1.2
  •  V3.1.3
  •  V3.1.4
  •  V3.1.5
  •  V3.1.6
  •  V3.1.7
  •  V3.1.8
  •  V3.1.9
  •  V3.1.10
  •  V3.1.11
  •  V4.0

Lowest Version – 3.1.10


Highest Version – 3.1.11


Planning to implement V4.0 mandated standards by end of Q1 2025

Read/Write API - Which date are you planning to implement your latest version?

3.1.11 Functional Conformance 

3.1.11 Functional Conformance , 4.0 in development (may be FAPI & ISO20022 compliance)

Planning to implement V4.0 mandated standards by end of Q1 2025

Have you implemented v4.0 information flows, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Dynamic Client Registration - Which version have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  None
  •  V3.1
  •  V3.2
  •  V3.3

BoA V3.3


Already implemented compliance with 3.3
DCR - Which date are you planning to implement your latest version?
Already Implemented

Have you implemented Trusted beneficiaries, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 
Already Implemented

Have you implemented Reverse Payments, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented ECA Standard?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 
Already Implemented our own customer API

ECA Implementation details


Customer API documentation - Bank of APIs

Have you implemented Bulk/File Payments?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented VRP – Sweeping, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 
VRP Sweeping MRO exited on 21st Sept, and now available to TPPs

Have you implemented VRP non-Sweeping, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

VRP non-Sweeping Delivered – 10th Dec 2021

PISP - Single Payment LimitVariable £5k - £50k ( dependent on customer type i.e. Personal/Premier/Business) see BOAPI links for further information

FAQs | Bank of APIs

PISP - Daily Payment LimitVariable £5k - £50k ( dependent on customer type i.e. Personal/Premier/Business) see BOAPI links for further informationFAQs | Bank of APIs
How many months of transaction do you provide?
  • Up to 7 years Personal
  • Up to 11 months Commercial
  • Currently 6m Credit Cards
Have you implemented TRIs (Transactional Risk Indicators), if not, date planned to Implement?Already implemented

Implemented Q2,2023


What is your approach to Implementing TRIs?
  •  Accept payload with TRI fields – Process all fields
  •  Accept payload with TRI fields – Ignore all fields
  •  Reject payload with TRI fields – Error back to TPP
  •  Accept payload with TRI fields – Process few fields (Provide list of accepted fields)  
Payment Context code, Contract Present Indicator, Beneficiary Payment details pre-populated indicator, Payee Account Name, Beneficiary Account Type, Merchant Customer Identification , Delivery Address , Merchant Category Code, Payment Purpose Code




Panel
borderStyledashed
titleSCA-RTS 90-day reauth Implementation


Page Properties
idTCSCA-IMP

Directory?

Open Banking

Location of Well Known Endpoints?

OB Technical Directory

OB directory/dev portal and OB DevZOne pages

API Standard Implemented?

Open Banking

Name of Account Holder Implementation Date?

Live (See Notes)

We are already returning Account name as per the definition in 3.1.1 as that is what is being displayed in our own channels.
We do not show the name of the party (ie customer) in our own channel so we are not mandated to return this information.

Date of Current eIDAS Implementation? From 1 September 2019 Open Banking (OB) ETSI-Format certificates are supported in parallel with legacy OB certificates.Current Certificates used for Identification?OB Transport + ClientID + SecretCurrent Certificates used for Transport?OB Transport / OBWACCurrent Certificates used for Signing?OB Signing / OBSEALDate of Future eIDAS Implementation? From 14 March 2020, eIDAS certificates will be required for identification of new Third Party Providers with ‘certificate switching’ (i.e. use of OB ETSI-Format certificates)
supported. Existing OB ecosystem Third Party Providers must hold a valid eIDAS certificate on the OB Directory.		Future Certificates used for Identification?OB Transport + ClientID + Secret + OBSEAL/QSEALFuture Certificates used for Transport?

OBWAC / QWAC

Future Certificates used for Signing?OBSEAL / QSEAL

Major Milestones

V1.1 deprecation  
V3.1 roadmap

SEPA MTS Bulk / Batch Payments - Q1 2020

Bulk / Batch Payments: SEPA MTS Q1 2020

Bulk / Batch Payments (All payment types) Q1 2020

P2 Two Way Notice of Revocation - Q1 2020

P8 SCA Exemptions - Q1 2020

API specification v3.1.4 & CEG v3.1.4 - Q1 2020

Uplift to PS256 encryption standard - Q2 2020

P15 Access Dashboards - Q2 2020

Brand(s)Security Profile?Open BankingSecurity Profile Certification?NoWe are conformant against the OB standards and the errors that are viewed in the logs are outside of the requirements

CIBA

NoUsing Open Banking as your eIDAS Trust Framework?YesAre you caching the Directory?NoDirectory Caching will be delivered by 24 February 2020 as part of PSD2 onboardingTransaction IDsYes - August 2019Transaction id's are provided against each booked transaction that are returned on the transactions endpoint
Panel
RTS


Which date are you planning on implementing the SCA reauthentication exemption?


Already Implemented - 8th September 2022

What is your approach to token management to enable application of the reauthentication exemption? (see link to FCA guidance)

NatWest Group tokens are already long-lived and not linked to the 90-day re-auth. trigger. 

Example approach:
Issue a long-lived refresh token during one final SCA, with refresh token rotation implemented.

NatWest Group tokens are already long-lived and not linked to the 90-day re-auth. trigger

Article 10A - Endpoints exempt of SCA-RTS
  •  

    Accounts

  •  

    Transactions (90days)

  •  

    Balances

  •  

    Standing orders

  •  

    Direct debits

  •  

    Beneficiaries

  •  

    Products

  •  

    Offers

  •  

    Parties

  •  

    Scheduled Payments

  •  

    Statements


Article 10A - Endpoints not exempt of SCA-RTS
  •  

    Transactions (more than 90days)

  •  

    Standing orders

  •  

    Direct debits

  •  

    Beneficiaries

  •  

    Products

  •  

    Offers

  •  

    Parties

  •  

    Scheduled Payments

  •  

    Statements


Article 10A - Maximum time period after authentication
Please specify the time period in minutes
SCA-RTS implementation status (updated by OBL PS team only)

Status
colourGreen
titleImplemented

12/08/2022




Panel
titleColorBlack
borderStyledashed
titleSecurity Profile


Page Properties
idID-Production


-Which Security profile have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  OB Security Profile (Legacy)
  •  FAPI (ID2)
  •  FAPI 1 Advanced
  •  Other (Please define) 
Planning to implement FAPI 1 Advanced by end of Feb, 2025
Security Profile - Next Planned Version Implementation Date
N/A
CIBA Profile - Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  •  None
  •  CIBA
  •  CIBA FAPI Profile

CIBA Profile - Next Planned Version Implementation Date
N/A
Security Profile Certification date?


Originally Certified  - Oct 2020

Re-Certification -  31st Jan 2022
Token Endpoint Authentication Methods Supported
  •  
    client_secret_post
  •  
    client_secret_basic
  •  
    client_secret_jwt
  •  
    tls_client_auth
  •  Private_key_jwt

Planned date to Cease support for client id and client secret token endpoint authentication


N/A
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 




Panel
titleColorBlack
borderStyledashed
titleCustomer Journey


No
Page Properties
idTC-CJ


-What is your approach to Implementing OBL Customer Experience Guidelines

?
YesCurrent CEG Version?Next CEG Version?Next Version Implementation Date

Implementing Bespoke User Journeys?

Yes (for NWI Personal - Gibraltar)YesApp to App Implementation Date?

NWI Personal (Gibraltar) -  

Options on 90 day re-authentication?

Yes

For article 10 we are only going with the 90 days re-authentication but not restrictions on payment types (DDs, SOs) or data for more than 90 days away.
Please note: We do not display statements

Support Embedded Flow?

(CEG)?

(tick all that apply)

  •  Already Implemented
  •  Planning to implement or upgrade
  •  Not planning to implement CEG

Already implemented 3.1.11

Which version have you implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  V3.1.2
  •  V3.1.3
  •  V3.1.4
  •  V3.1.5
  •  V3.1.6
  •  V3.1.7
  •  V3.1.8
  •  V3.1.9
  •  V3.1.10
  •  V3.1.11
  •  V4.0

Lowest – 3.1.9

Highest – 3.1.11 

Planning to implement V4.0 mandated standards by end of Q1 2025

Which date are you planning to implement your latest CEG version?September 2022 (v3.1.10)
Redirection Model
  •  App to App redirection
  •  Decoupled authentication
  •  Embedded Flow
  •  Bespoke User Journeys


  • App to App redirection
  • Browser Redirection




Panel
titleColorBlack
borderStyledashed
titlePSD2


As per manual implementation. System implementation in line with OBIE implementation dates
Page Properties
idTC-PSD2

Dispute Management System?

Yes
rbs-sca
Contingency Measures
Panel


FCA Adjustment Period - Maintaining Screen Scraping?FDATA WhitelistedFDATA to 13 Match 2020

Seeking Fallback Exemption?

YesRBS will be applying for all Brands under CMA order and against additional franchises and brands including RBSI, UBROI

Adjusted or Fallback Interface?

NoAdjusted or Fallback URL?N/AContact Email or Phone Number?
~APIServiceDesk@rbs.com
Dev Portal URL?https://www.bankofapis.com/

Test Facility Implementation Date?

 Production Interface Implementation Date? 
-Which Directory are you using as your Trust Framework?The Open Banking Directory
Are you caching the Directory?The static data such as client IDs are cashed, but not certificates and keys.
Transaction IDs Supported

Transaction IDs are supported, please refer to:

3.1.6 Transaction Endpoint Documentation - Bank of APIs

Are you Seeking Fallback Exemption?

  •  Yes
  •  No

No, already received exemption.

Article 10 - Maximum time period after authentication
?
N/ARBSG are adopting Article 10 Exemption for 90 day reauthentication, no further restrictions are being applied under Article 10
Article 10 - Endpoints exempt of SCA

N/A

RBSG are adopting Article 10 Exemption for 90 day reauthentication, no further restrictions are being applied under Article 10

Authentication Method - Open Banking Channel (Browser)?

RedirectCustomer Identification Number + Partial password + Partial pin

Authentication Method - Open Banking Channel (APP)?

Redirect

App to App Facial or Fingerprint recognition
In the absence of the above being enabled on customers device.
Customer Identification Number + Partial password + Partial pin

Authentication Method - Private Channel (Browser)?

MTLS / private_key_jwt

Authentication Method - Private Channel (APP)?

TLS / private_key_jwt

Authentication Method Implementation Date (Open Banking Channel)?

Browser -  

App - See 'App to App Implementation Date?'

Authentication Method Implementation Date (Private Channel)?

 

SCA Implementation Date?

See Calendar Page

SCA Scope? (will it inhibit non PSD2 accounts)

See Calendar Page
Anchorrbs-sca
Options to implement the FCA guidance on “exception circumstances” SCA are currently being evaluated.e 10
Major Milestones

Exited MRO 21st Sept 2022


Brand(s)NatWest, Ulster Bank Northern Ireland, RBS




SCA
Panel
titleColorBlack
borderStyledashed
title
ASPSP Dev Portal and Contact Details


SCA

SCA @ Login

Steps:

Customers can use biometrics (as per the setup
of their device/customer preference) or passcode

Device binding will run in the background during
authentication

Page Properties
idTC-
C


Deliveries of these SCA solutions will continue across the rest of 2019 will some delivered in Q1 2020

Customer Journey stage

Mobile (Direct Channel)

E-banking (Direct Channel)

 Bankline (Direct Channel & Open Banking)eQ (Direct Channel & Open Banking)Open Banking BrowserOpen Banking App to App
Logging in to identify themselves as a customer and gain access to in scope accounts

SCA @ Login

Steps:

Customer ID Plus Partial PIN Password Plus Device Profiling

SCA @ Login

Steps:
Customer and User IDs Plus Partial Password And using Card And PIN for Challenge and Response

Customer & User IDs Plus Password in full AND two memorable random characters

SCA @ Login

Steps:

Customer IDs Plus Partial PIN Password AND Device Profiling

SCA @ Login

 Steps:

Customers can use biometrics (as per the setup of their device/customer preference) or passcode

Device binding will run in the background
during authentication

Making a payment from in scope accounts

No further SCA required for payments to trusted beneficiaries.

SCA via card and reader required for payments
above low value payment limit to non trusted
beneficiaries.

SCA for payments to non-trusted beneficiaries

Further SCA required for Payments using Card and PIN for Challenge and ResponsePayments using Card and PIN for Challenge and Response

Step up to One Time
Passcode or Card & Reader
for payments

No further SCA required for payment

LIVELIVEQ1 2020LIVENovember 2020LIVE

Location of Well Known Endpoints

Consent Confirmation Support – Authorisation Servers Explained – Bank of APIs

Modified Customer Interface URL (if applicable)

n/a
Dev Portal URLhttps://www.bankofapis.com/
Test Facility URLhttps://bankofapis.com/sandbox
Brand Landing Pages URLhttps://www.bankofapis.com/ -Bottom of the page for the logos. Images attached here for ease

Logos


  • Natwest - Image AddedImage Added


  • RBS - Image Added , Image Added


  • UBN - Image AddedImage Added


ASPSP Support Desk Email or Phone Number

(including queries about consent success rates) 

https://rbsgroupapiservicedesk.spectrumhosting.net/plugins/servlet/desk/portal/1Please visit help & updates page to raise a service desk ticket




Panel
titleColorBlack
borderStyledashed
titleKey Implementations


TBC

Page Properties
idTC-HCC


RBSI Personal

High Cost Credit

RBS - HCC.xlsxRBS - HCC.xlsxDelivered in 2020

View file
nameRBSI Personal - HCC.xlsx
height250

Page Properties
idTC-W7

After Waiver 7 Expiry (16/06/20) option supported: Option 1 - The parameter b64 being set to FALSE OR Option 2 - The b64 claim not being in the header