Versions Compared

Version Old Version 52 New Version Current
Changes made by

Adam Pretlove (Unlicensed)

Jason Bown

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Panel
titleColorBlack
borderStyledashed
titleOB Standards

This Section applies to ASPSPs that have implemented OB Standards

TBC - No Plans
Page Properties
iconfalse
idTC-OB Standards-Production
Implement Open Data v2.2COMPLETEImplement Read/Write API Specification v3.1COMPLETEImplement Customer Experience Guidelines v1.1COMPLETEImplement App-to-App RedirectionCOMPLETEImplement OB Security Profile Implementer's Draft v1.1.2COMPLETE
Implement FAPI Profile Implementers Draft 2

Phased migration to FAPI 2 by Q1 2020

Update 22/05 - TPPs are reminded that notifications were sent in December 2019 / March 2020 that Barclays would enforce FAPI rules from 31st March 2020. This was delayed due to COVID however there are still some TPPs that have not migrated and so we request that this is completed as soon as possible. If there are issues / blockers then please reach out to the team.

Implement CIBA Profile Implementers Draft 1TBCPlans to be confirmed
Implement Dynamic Client Registration v1.1Not Delivered
Implement Dynamic Client Registration v3.1TBCPlans to be confirmed
Decommission Read/Write API Specification v1.x/2.xPlans to decommission AIS v1 / v2 in May - however this has been delayed due to COVIDDecommission OB Security Profile Implementer's Draft v1.x


-Have you Implemented OB Standards?

  •  Yes
  •  No

Open Data - Which version have you Implemented?

  •  None
  •  V2.2
  •  V2.3
  •  V2.4


Read/Write API Specification Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  •  V3.0
  •  V3.1
  •  V3.1.1
  •  V3.1.2
  •  V3.1.3
  •  V3.1.4
  •  V3.1.5
  •  V3.1.6
  •  V3.1.7
  •  V3.1.8
  •  V3.1.9
  •  V3.1.10
  •  V3.1.11
  •  V4.0

Read/Write API - Which date are you planning to implement your latest version?

Have you implemented v4.0 information flows, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Dynamic Client Registration - Which version have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  None
  •  V3.1
  •  V3.2
  •  V3.3
We have not implemented DCR for Open Banking, but rather we have implemented DCR for COP onboarding to v3.2 specification.
DCR - Which date are you planning to implement your latest version?TBC

Have you implemented Trusted beneficiaries, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented Reverse Payments, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 
Implemented for domestic and international payments. 

Have you implemented ECA Standard?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 
Implementation plans under assessment, timeline tbc

ECA Implementation details


N/A

Have you implemented Bulk/File Payments?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented VRP – Sweeping, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented VRP non-Sweeping, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 


PISP - Single Payment Limit£


Channel

Payment Type

Payment Sub Type

New/Existing Beneficiary

Limit Type

Personal

Premier

Business

OLB

Third Party Immediate FPS

ITPFT

Existing

Txn Limit

50000

50000

50000

OLB

Third Party Immediate FPS

ITPFT

Existing

Daily Limit

50000

100000

100000

OLB

Third Party Immediate FPS

ITPFT

New

Txn Limit

50000

50000

50000

OLB

Third Party Immediate FPS

ITPFT

New

Daily Limit

50000

100000

100000

B.APP

Third Party Immediate FPS

ITPFT

Existing

Txn Limit

30000

30000

50000

B.APP

Third Party Immediate FPS

ITPFT

Existing

Daily Limit

30000

30000

50000

B.APP

Third Party Immediate FPS

ITPFT

New

Txn Limit

30000

30000

30000

B.APP

Third Party Immediate FPS

ITPFT

New

Daily Limit

30000

30000

30000






How many months of transaction do you provide?
(Account and Product dependent) Detail available in FAQ's and Barclays Developer Portal 
Have you implemented TRIs (Transactional Risk Indicators), if not, date planned to Implement?
Implemented in September 2022. 
What is your approach to Implementing TRIs?
  •  Accept payload with TRI fields – Process all fields
  •  Accept payload with TRI fields – Ignore all fields
  •  Reject payload with TRI fields – Error back to TPP
  •  Accept payload with TRI fields – Process few fields (Provide list of accepted fields)  




Panel
borderStyledashed
titleMethod of IdentificationSCA-RTS 90-day reauth Implementation


Page Properties
idIDSCA-Production
Commence support for eIDAS QWAC certificatesFrom Q1 2020Commence support for eIDAS QSEAL certificates
From Q1 2020

Commence support for OBIE QWAC-like certificates

From 14th SeptemberCommence support for OBIE QSEAL-like certificatesFrom 14th SeptemberCease support for OBIE non eIDAS-like certificates for transportNo PlansCease support for OBIE non eIDAS-like certificates for signingNo PlansSupport for MTLS token endpoint authenticationNo PlansSupport for private_key_jwt token endpoint authenticationJune 2019
Cease support for client id and client secret token endpoint authenticationNo PlansBarclays suggests TPPs to use Private Key JWT but won’t stop the support for client id and secret
Panel
borderStyledashed
titleImplementation

v3.1 –  

v3.1.1 –  

Implementation of all AIS / PIS / CoF end points COMPLETE

Page Properties
idTC-IMP

Directory?

Open Banking

Location of Well Known Endpoints?

OB Technical Directory

API Standard Implemented?

Open Banking

Name of Account Holder Implementation Date?

Completed - September 2019Date of Current eIDAS Implementation?September 2019Current Certificates used for Identification?OB Transport + ClientID + Secret
OBWAC		Current Certificates used for Transport?OB Transport / OBWACCurrent Certificates used for Signing?OB Signing / OBSEALDate of Future eIDAS Implementation?March 2020

As of the 14th of March, TPP’s will be able to onboard via two routes with Barclays inclusive of, uploading QWAC and QSEAL certificates directly to the OB directory, and will be required to use existing manual / BDN APP to onboarding using the SSA generated on OB directory. The second route is to directly onboard to Barclays by invoking the Barclays Dynamic Client Registration APIs using eIDAS certificates. Please refer to Barclays Developer Network for further information on Barclays implementation of DCR.

Future Certificates used for Identification?OBWAC / QWACFuture Certificates used for Transport?

OBWAC / QWAC

Future Certificates used for Signing?OBSEAL / QSEAL

Major Milestones

RTS


Which date are you planning on implementing the SCA reauthentication exemption?

Completed September 2022


What is your approach to token management to enable application of the reauthentication exemption? (see link to FCA guidance)

see notes
  • Any AIS consents created after Barclays implementation date for UK accounts will no longer require re-authentication every 90 days
  • Any consents that require re-authentication before September 2022 will remain valid for 90 days
  • For any AIS consents created with an expiry date, the access expiry date will be aligned to the expiry date provided
  • Where consent has been revoked, re-authentication cannot be managed by the third party and a new consent will be required
  • For EU accounts re-authentication every 90 days will still be required
  • As there is a divergence in the regulatory requirement for UK and EU accounts, where a client has both UK and EU accounts they will no longer be able to include them in one consent and will be required to set up separate consents
  • For any existing consents that include both UK & EU accounts post the Barclays implementation date, you will be required to set up separate new consents for each jurisdiction
  • There are no changes to Barclays current implementation of Access Tokens.  Third parties should continue to pass OAuth credentials in a Get Access Token call.  In response, the Barclays authorisation server issues an access token, reuse the access token until it expires. When it expires, you can get a new token. When requesting new access token, we recommend a 75 second minimum configuration as the connection timeout
Article 10A - Endpoints exempt of SCA-RTS
  •  

    Accounts

  •  

    Transactions (90days)

  •  

    Balances

  •  

    Standing orders

  •  

    Direct debits

  •  

    Beneficiaries

  •  

    Products

  •  

    Offers

  •  

    Parties

  •  

    Scheduled Payments

  •  

    Statements


Article 10A - Endpoints not exempt of SCA-RTS
  •  

    Transactions (more than 90days)

  •  

    Standing orders

  •  

    Direct debits

  •  

    Beneficiaries

  •  

    Products

  •  

    Offers

  •  

    Parties

  •  

    Scheduled Payments

  •  

    Statements


Article 10A - Maximum time period after authentication
Please specify the time period in minutes
SCA-RTS implementation status (updated by OBL PS team only)

Status
colourGreen
titleImplemented





Panel
titleColorBlack
borderStyledashed
titleSecurity Profile


Page Properties
idID-Production


-Which Security profile have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  OB Security Profile (Legacy)
  •  FAPI (ID2)
  •  FAPI 1 Advanced
  •  Other (Please define) 

Security Profile - Next Planned Version Implementation Date

CIBA Profile - Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  •  None
  •  CIBA
  •  CIBA FAPI Profile
Plans to be confirmed
CIBA Profile - Next Planned Version Implementation Date
 TBC

Security Profile Certification date?

November 2022


Token Endpoint Authentication Methods Supported
  •  
    client_secret_post
  •  
    client_secret_basic
  •  
    client_secret_jwt
  •  
    tls_client_auth
  •  Private_key_jwt

Planned date to Cease support for client id and client secret token endpoint authentication

Client secret authentication is not supported

TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 1.0 Advanced

  • The request object must contain an exp claim which we recommend to be set to (current time + 5 minutes)

  • The request object must contain a nbf claim which we recommend to be set to (current time - 5 minutes)

  • You must use PS256 algorithms to create the request Object signing

  • You must use private_key_jwt instead of client secret authentication

  • You must receive ID tokens with PS256 signing algorithms

  • You must use “response type=code id_token

  • We’ll populate the acr claim in the ID token by default

POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
  • eIDAS QWAC and eIDAS QSealC will only be accepted for NON-UK based TPP's. 




Panel
titleColorBlack
borderStyledashed
titleCustomer Journey


Page Properties
idTC-CJ


-What is your approach to Implementing OBL Customer Experience Guidelines (CEG)?

(tick all that apply)

  •  Already Implemented
  •  Planning to implement or upgrade
  •  Not planning to implement CEG

Which version have you implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  V3.1.2
  •  V3.1.3
  •  V3.1.4
  •  V3.1.5
  •  V3.1.6
  •  V3.1.7
  •  V3.1.8
  •  V3.1.9
  •  V3.1.10
  •  V3.1.11
  •  V4.0

Which date are you planning to implement your latest CEG version?TBC
Redirection Model
  •  App to App redirection
  •  Decoupled authentication
  •  Embedded Flow
  •  Bespoke User Journeys




PSD2
Panel
titleColorBlack
borderStyledashed
titlePSD2

Support Embedded Flow?

No
Panel
borderStyledashed
title


Page Properties
idTC-PSD2


See
-Which Directory are you using as your Trust Framework?Open Banking
Are you caching the Directory?Yes
Transaction IDs SupportedMarch 2019 - Option 3 Supported

Are you Seeking Fallback Exemption?

  •  Yes
  •  No


Article 10 - Maximum time period after authenticationNo restrictions applied other than SCA at Auth and Re-Auth
Article 10 - Endpoints exempt of SCA

None


Major Milestones



Relevant AIS / PIS / CoF journeys supported for following payment account types:

  • Current Accounts (Personal and Business)
  • Current Accounts (Corporate)
  • Savings Accounts (Personal and Business)
  • Personal Credit Cards (Barclaycard)
  • Corporate Credit Cards
  • Currency Accounts (Personal and Business)
  • Currency Accounts (Corporate)

Pingit E-Wallets

  • Please see Note for Important Information *

Future Delivery Dates

P2 2WR / Event Notification API – NOW LIVE since 

P7 Refunds (Payments v3.1.4) – 

P9 Payment Status – Phased changes to Payment Statuses from  - in some instances, TPPs will need to call the Payment Status endpoint to ensure they have the latest view

Waiver 007 (Payment Signing, v3.1.4) –  - No changes are needed before this date.  Once this is completed, it’s important to note validation will be completed against all v3 payment requests, to avoid payment failures you’ll need to make your changes from our implementation date


See https://developer.barclays.com/ for additional information relating to end point coverage

Note that Account Holder Name for PCA / BCA

/ Pingit customers

customers is available through PARTIES end point and through ACCOUNTS end point for Barclaycard UK, Barclaycard Commercial Payment and Barclays Corporate customers


IMPORTANT INFORMATION

In order to complete Open Banking journeys, you will need to establish the Identity Provider (IDP) authentication method for your implementation.

An IDP is a system to authenticate and gain permission from an end user - such as a customer, to access their resources e.g. their account data. For Open Banking, this is used to authenticate the customer providing the consent to the Third Party.

Examples of an IDP in Open Banking includes Barclays app (Personal and Business Banking customers) and iPortal (Barclays Corporate clients), but we have a number of methods depending on the customer type and digital channel that they use. This needs to be considered in your development.

The latest OpenID configuration (OIDC) URLs available are shown below

TPPs are reminded that latest URLS MUST be used and where a legacy URL is still being used then TPP MUST migrate to URLs below

/.well-known/openid-configurationPingit - https://oauth.tiaa.barclays.com/Pingit

Note - some Business Banking clients will require the Corporate Banking IDP as they use Corporate Banking services to fulfil their business requirements and some Corporate clients will require the Business Banking IDP as they use Business Banking services to fulfil their business requirements


Brand
(s)
Security Profile?

Currently Open Banking Security Profile

Phased migration to FAPI 2 by Q1 2020

Update 22/05 - TPPs are reminded that notifications were sent in December 2019 / March 2020 that Barclays would enforce FAPI rules from 31st March 2020. This was delayed due to COVID however there are still some TPPs that have not migrated and so we request that this is completed as soon as possible. If there are issues / blockers then please reach out to the team.Security Profile Certification?Yes

CIBA

TBC - No plansUsing Open Banking as your eIDAS Trust Framework?TBCAre you caching the Directory?Transaction IDsMarch 2019 - Option 3 Supported3 (longer term commitment to option 1)
Panel
borderStyledashed
titleCustomer Journey
Page Properties
idTC-CJ

Implementing Customer Experience Guidelines?

Yes

Current CEG Version?v3.1.2Next CEG Version?v3.1.5Next Version Implementation DateSeptember 2020

Implementing Bespoke User Journeys?

No

Implementing App to App?

YesApp to App Implementation Date?Live

Options on 90 day re-authentication?

90 day re-authentication required across all Open Banking flows
guidance
View file
nameOpen Banking guidelines for Barclaycard.pdf
height150
View file
nameOpen Banking guidelines for Barclays.pdf
height150
View file
nameBarclays logos.zip
height150
View file
nameBarclaycard logos.zip
height150
  • Use of the Barclays logo is not permitted for marketing purposes
  • The Barclays logo can be used for the purposes of identifying and distinguishing, within AIS and/or PIS, Barclays as the source of our Read-only Data and Read/Write Data
  • The Barclays logo can also appear in webpages or other materials for the purpose of displaying that the service can connect to Barclays, however this should only be done in conjunction with logos of other major banks.
  • There should be no specific identification of Barclays in isolation and no suggestion that Barclays in any way endorses or is partnered with your solution.




Panel
titleColorBlack
borderStyledashed
titleASPSP Dev Portal and Contact Details


Dev Portal URLs

SCA compliant digital channel logon

Page Properties
idTC-PSD2

Dispute Management System?

YesFCA Adjustment Period - Maintaining Screen Scraping?Yes

Seeking Fallback Exemption?

Yes

Adjusted or Fallback Interface?

NoAdjusted or Fallback URL?N/AContact Email or Phone Number?BarclaysAPISupport@barclayscorp.com
C


Location of Well Known Endpoints

https://developer.barclays.com/open-banking

Modified Customer Interface URL (if applicable)



Dev Portal URLhttps://developer.barclays.com/open-banking
Test Facility
Implementation Date?
 Production Interface Implementation Date? Contingency MeasuresBarclays are aligned to FCA adjustment period and supporting the phased migration of Screen Scraping by TPPsArticle 10 - Maximum time period after authentication?No restrictions applied other than SCA at Auth and Re-AuthArticle 10 - Endpoints exempt of SCANone

Authentication Method - Open Banking Channel (Browser)?

SCA compliant digital channel logon

Authentication Method - Open Banking Channel (APP)?

SCA compliant digital channel logon

Authentication Method - Private Channel (Browser)?

Authentication Method - Private Channel (APP)?

SCA compliant digital channel logon

Authentication Method Implementation Date (Open Banking Channel)?

Live

Authentication Method Implementation Date (Private Channel)?

Live

SCA Implementation Date?

Live

Note - Barclays are aligned to FCA adjustment period and supporting the phased migration of Screen Scraping by TPPs

SCA Scope? (will it inhibit non PSD2 accounts)

NoScope of Open Banking flows limited to PSD2 accounts only
URL

https://sandbox.api.barclays:443/open-banking/v3.1/sandbox/aisp

https://sandbox.api.barclays:443/open-banking/v3.1/sandbox/cbpii

https://sandbox.api.barclays:443/open-banking/v3.1/sandbox/pisp


Brand Landing Pages URLPlease see above 'Brand Guidance'

ASPSP Support Desk Email or Phone Number

(including queries about consent success rates) 

BarclaysOpenBankingQueries@barclayscorp.com




Panel
titleColorBlack
borderStyledashed
titleKey Implementations


Option 2 under Waiver 007 (Payment Signing, v3.1.4) implementation –  

No changes are needed before this date.  Once this is completed, it’s important to note validation will be completed against all v3 payment requests, to avoid payment failures you’ll need to make your changes from our implementation date

Page Properties
idTC-HCC


High Cost Credit

Barclays - HCC.xlsx

View file
nameBarclays - HCC.xlsx
height250

Page Properties
idTC-W7

After Waiver 7 Expiry (16/06/20) option supported: Option 1 - The parameter b64 being set to FALSE OR Option 2 - The b64 claim not being in the header