Progressing to be compliant with the FAPI Profile supplied by the OpenID Foundation.
Security Profile Certification?
Yes (for OB Standards)
CIBA
No
Using Open Banking as your eIDAS Trust Framework?
Yes
Are you caching the Directory?
Yes
Transaction IDs
Option 1 Supported
ALL Accounts (except Credit Cards) - Live
Credit Card Accounts - Live
ASPSPs provide a Unique, Immutable TransactionID from their core system
This Section applies to ASPSPs that have implemented OB Standards
Implement Open Data v2.2
Please note we intend to deprecate v2.1 as of 17th January 2020 (3 month notice has been issued)
Implement Read/Write API Specification v3.1
Implement Customer Experience Guidelines v1.1
Sandbox full consent journey doesn’t form part of RTS scope. Production - deployments staggered weekly from 1st March to end of April.
Implement App-to-App Redirection
Live in Production
Implement OB Security Profile Implementer's Draft v1.1.2
Implement FAPI Profile Implementers Draft 2
TBC - Currently undertaking an infrastructure migration and as such our provisional target is to be FAPI compliant in our new Sandbox towards the end of 2020 / early 2021.
Implement CIBA Profile Implementers Draft 1
N/A
Implement Dynamic Client Registration v1.1
N/A
Implement Dynamic Client Registration v3.1
TBC
Have you Implemented OB Standards?
Yes
No
Open Data - Which version have you Implemented?
None
V2.2
V2.3
V2.4
Read/Write API Specification Implemented or planning to implement
(Lowest version = Current, Highest version = Planned)
V3.0
V3.1
V3.1.1
V3.1.2
V3.1.3
V3.1.4
V3.1.5
V3.1.6
V3.1.7
V3.1.8
V3.1.9
V3.1.10
V3.1.11
No plans to implement v3.1.11
Read/Write API - Which date are you planning to implement your latest version?
PIS V3.1.10 Now live 21st March 2023
Dynamic Client Registration - Which version have you Implemented or planning to implement?
(Lowest version = Current, Highest version = Planned)
None
V3.1
V3.2
V3.3
Dynamic registration implementation is in progress. Date TBC
Decommission Read/Write API Specification v1.x/2.x
TBC
Decommission date for v1 AIS Production (v1 not supported in sandbox) will be triggered when less than 5% usage. Currently 7.5%
Decommission OB Security Profile Implementer's Draft v1.x
TBC
Need to understand security profiles - Eidas/Fapi & CIBA - dates not currently known
Method of Identification
Commence support for eIDAS QWAC certificates
13th Sept 2019
PROD rollout ready to progress with TPPs - no certs yet received
Commence support for eIDAS QSEAL certificates
Not supported
We do not plan on supporting QSEALs.
Commence support for OBIE QWAC-like certificates
Live
Currently already supporting these certificates
Commence support for OBIE QSEAL-like certificates
Live
Currently already supporting these certificates
Cease support for OBIE non eIDAS-like certificates for transport
30th June 2021
Cease support for OBIE non eIDAS-like certificates for signing
30th June 2021
Support for MTLS token endpoint authentication
Already Live
Support for private_key_jwt token endpoint authentication
N/A
Cease support for client id and client secret token endpoint authentication
TBC
Following discussion with OBIE, agreed not to stop supporting Client Secret for all certificate types pending stabilisation of eIDAS. Date TBC.
Post Brexit Certificate Implementation
PRE-BREXIT - Certificates Accepted (until 31st Dec 2020)
eIDAS QWAC
eIDAS QSealC
OB legacy (obtransport, obsigning)
OBWAC
OBSeal
Other (Please define)
POST-BREXIT TRANSITION - Certificates Accepted (1st Jan 2021 - 30th Jun 2021)
eIDAS QWAC
eIDAS QSealC
OB legacy (obtransport, obsigning)
OBWAC
OBSeal
Other (Please define)
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
eIDAS QWAC
eIDAS QSealC
OB legacy (obtransport, obsigning)
OBWAC
OBSeal
Other (Please define)
Only change is to remove support of OB legacy certificates.
Planned Implementation Date to Satisfy FCA's Post Transition
POST-BREXIT Certificate Implementation Status (updated by OBIE IES team)
Status: READY
Ready – ASPSP accepts eIDAS certs and OB certs (OBWAC/OBSeal)
Implementation
Directory?
Open Banking
Location of Well Known Endpoints?
OB Technical Directory
API Standard Implemented?
Open Banking
Name of Account Holder Implementation Date?
Completed -
Date of Current eIDAS Implementation?
Current Certificates used for Identification?
OB Transport + ClientID + Secret OBWAC QWAC
Current Certificates used for Transport?
OB Transport OBWAC QWAC
Current Certificates used for Signing?
OB Signing OBSEAL
Date of Future eIDAS Implementation?
No future update currently planned.
Future Certificates used for Identification?
Future Certificates used for Transport?
Future Certificates used for Signing?
Major Milestones
Credit Card Accounts (AIS): 14 Aug 2019
App-to-app: 27 Aug 2019
Corporate Customers >6.5m 12 Sept 2019
Savings Accounts: 13 Sept 2019
Cahoot Accounts: 13 Sept 2019
CHAPS Payments 13 Sept 2019
Dynamic Registration: TBC
CBPII Endpoints 14 Sept 2019
International Payments 14 Sept 2019
Credit Card Accounts (PIS): 29 Oct 2019
HCCR Update - In order to display balance amount in accordance with the HCCR regulation Santander will add the Balance Including Pending and Overdraft Remaining elements in the JSON response for all balance requests for applicable Retail and Business accounts. Deployment date 10th December 2019
3.1.5 AIS is scheduled for launch 30/08/20.
Corporate functionality for Batch and BACS is due for end of July & Multi-Authorisation for end of September. If you or your Corporate customers want to access these services beforehand please contact openbankingAPI@santander.co.uk and we will discuss our contingency mechanism with you.
(Inc Other Products, API Updates, API Deprecations, etc)
The customer balance including the overdraft will be sent in the JSON file as type 'InterimAvailable'. The remaining overdraft will be returned to TPPs in the JSON file as a creditline item and mapped as follows:
OBCreditLine1
OBReadBalance1/Data/Balance/CreditLine/Included - this item will be set to "false".
OBReadBalance1/Data/Balance/CreditLine/Type - set to "Available"
OBReadBalance1/Data/Balance/CreditLine/Amount/Amount - set to the amount of the Overdraft Remaining
OBReadBalance1/Data/Balance/CreditLine/Amount/Currency - set to the currency code of the account balance
The creditline items for Pre-Agreed will remain as is but the item OBReadBalance1/Data/Balance/CreditLine/Included will be set to "false"
DCR - Which date are you planning to implement your latest version?
TBC
Have you implemented Trusted beneficiaries, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
Have you implemented Reverse Payments, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
Have you implemented ECA Standard?
Already Implemented
Planning to implement
Not planning to implement
ECA Implementation details
N/A
Contact: [enter contact details for the relevant person(s) at your organisation]
[You can use this space to provide your status with respect to the Standard]
Have you implemented Bulk/File Payments?
Already Implemented
Planning to implement
Not planning to implement
Have you implemented VRP – Sweeping, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
Sweeping MRO now complete and exit criteria met. PIS v3.1.9 which includes Sweeping now open to all TPPs to subscribe
Have you implemented VRP non-Sweeping, if not date planned to Implement?
Already Implemented
Planning to implement
Not planning to implement
Plans still to be determined on VRP post Sweeping go live and 3.1.10 90 day changes - will be subject to individual TPP/ASPSP contracts
Are you planning to implement TRIs (Transactional Risk Indicator enhancements included in v3.1.10), if so, implementation date?
Yes - 23rd March 2023
Now Live
What is your approach to Implementing TRIs?
Accept payload with TRI fields – Process all fields
Accept payload with TRI fields – Ignore all fields
Reject payload with TRI fields – Error back to TPP
Accept payload with TRI fields – Process few fields (Provide list of accepted fields)
SCA-RTS 90-day reauth Implementation
Which date are you planning on implementing the SCA reauthentication exemption?
As of 23/06 our refresh token will have a 2 year expiry and we will not enforce re-auth from this point.
What is your approach to token management to enable application of the reauthentication exemption? (see link to FCA guidance)
We have recently published our approach to supporting the 90 day Re-auth RTS Changes and FAQs to guide TPPs' preparations
Santander | Approach to 90 Day Re-auth realignment under 3.1.10
The following briefing outlines the approach that Santander UK is taking to assist in the changes to Open Banking Re-Authorisations as a result of the OBIE 3.1.10 Instructions. We have also created some FAQs to answer different user cases and situations TPPs may find themselves in, depending on their own preparations for the changed processes. We hope we have been able to come up with a flexible approach which puts the TPP in control of the transition, and we will be able to support you if you are ready straight away, or if you need more time to complete your changes ahead of the 30th September cut-off date.
Currently Santander UK issues AIS Refresh tokens to TPPs which come with a 1 Year expiry date, from the point of creation of the initial consent, and has previously carried out an annual refresh to extend these tokens for an additional year. (Last refresh exercise was completed in July 2021).
We are proposing to complete another annual refresh of these tokens from 13th – 23rd June. This means that any TPP that calls for data with a current refresh token during that time period, will be given a new refresh token to use. We have extended the length of this token to 2 years. For example, a token that is refreshed on 20th June 2022, will have an expiry date of 19th June 2024. We therefore strongly recommend that you call for data at least once during the refresh period, to extend the life of all of your refresh tokens.
Question – Why are Santander not issuing unlimited Refresh Tokens at this time? Answer – Santander is currently in the process of planning a re-platforming of our Open Banking solution from On-Prem to a Cloud based solution, this is expected to take 6-12 months to plan and implement, at that time existing consents and tokens will need to be re-issued. Current tokens will therefore last for the remaining expected life of our On-Prem solution.
Question – If as a TPP I call for data multiple times during the refresh window (13th to 23rd June 2022) what happens? Answer – Each time you call during this refresh window, a new token will be issued, and replace the old refresh token – the last call you make during that window will therefore be the last token you should use going forward.
Question – What happens if I do not call for data during the refresh window (13th to 23rd June 2022)? Answer – Your existing refresh token will not be updated and will therefore expire based on its current expiry date. After expiry, you will receive error messages 401 and data will not be shared for that customer. We therefore recommend that you ensure all Refresh tokens are active during the Refresh Window to give you the maximum length of life.
Question – What happens for a new Token associated to a new Customer Consent? Answer – From 13th June, for any new consent set up, you will be issued with a new refresh token valid for 2 years from date of issue.
Question – What happens if we set an expiry date within a Consent? Answer – Your RT will expire on the date set within the Consent as it would today and subsequently would require a brand new Consent. To take advantage of the extended RT you will need to set up a Consent without an expiry date.
90 Day Re-Authorisation
From 13th June, you will now effectively be in charge of Re-authorisations for Santander customers, and whether you need to redirect customers to Santander for an SCA or not. Santander will not enforce the Re-auth journey from this point onwards and we are extending the application of the re-auth exemption for an extended period up to 30th September to allow you time to make your changes. (In the cases where a customer has revoked consent via our consent dashboard and wishes to re-authorise the original consent – that journey will remain unchanged.)
Question – I am a TPP and we are not yet ready to support the 90-day re-auth changes by 13th June? Answer – If you are not ready, please continue to use your current 90-day re-auth journey process with the SCA handoff to Santander, which will still be available for you to use. Santander will not force the re-auth journey during this time.
Question – I am a TPP and we are ready to support the 90-day re-auth changes by 13th June? Answer – If you are ready, please follow your revised process for TPP only Re-auth, and there is no need from this point to handoff to Santander or inform us of the Re-Auth switch. Santander will not reinforce the re-auth journey as the new rules effectively apply.
Question – Are Santander planning to communicate these changes to Customers? Answer – No, with 150+ TPPs connected to us for AIS services we have seen that there are various states of readiness across the TPP community, and we have decided to let each TPP control the messages/narrative and timelines in these changes, and with the above arrangements tried to give you the widest possible amount of time, and flexibility to complete the transition.
Question – Will I be able to test with the Sandbox environment? Answer – No, the sandbox issues a new consent with each test/visit and will not support this one-off transition as outlined above.
Question – If I have questions or need support with the Santander solution where can I go? Answer – If we haven’t answered your questions with the above, please feel free to contact Santander via a Salesforce ticket, and we will be happy to support you with any queries you may have.
Article 10A - Endpoints exempt of SCA-RTS
Accounts
Transactions (90days)
Balances
Standing orders
Direct debits
Beneficiaries
Products
Offers
Parties
Scheduled Payments
Statements
Article 10A - Endpoints not exempt of SCA-RTS
Transactions (more than 90days)
Standing orders
Direct debits
Beneficiaries
Products
Offers
Parties
Scheduled Payments
Statements
Article 10A - Maximum time period after authentication
Access Token - 10 mins
Refresh Token - 2 years currently, will move to long-lived once platform transition complete in 2023
Please specify the time period in minutes
SCA-RTS implementation status (updated by OBIE PS team only)
Status: Implemented
Security Profile
Which Security profile have you Implemented or planning to implement?
(Lowest version = Current, Highest version = Planned)
OB Security Profile (Legacy)
FAPI
Other (Please define)
Security Profile - Next Planned Version Implementation Date
FAPI - August 2021
CIBA Profile - Implemented or planning to implement
(Lowest version = Current, Highest version = Planned)
None
CIBA
CIBA FAPI Profile
CIBA Profile - Next Planned Version Implementation Date
N/A
Security Profile Certification date?
N/A
Token Endpoint Authentication Methods Supported
client_secret_post
client_secret_basic
client_secret_jwt
tls_client_auth
private_key_jwt
To support tls_client_auth once FAPI compliant (August 2021).
Planned date to Cease support for client id and client secret token endpoint authentication
August 2021
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
eIDAS QWAC
eIDAS QSealC
OB legacy (obtransport, obsigning)
OBWAC
OBSeal
Other (Please define)
Customer Journey
What is your approach to Implementing OBIE Customer Experience Guidelines (CEG)?
Yes
(tick all that apply)
Already Implemented
Planning to implement or upgrade
Not planning to implement CEG
Santander designs are looking to adhere to CEG but are also accounting for other regulatory commitments that fit outside of the CEG
Current CEG Version?
Next CEG Version?
v3.1.5
Next Version Implementation Date
December 2020
Implementing Bespoke User Journeys?
No
Implementing App to App?
Yes
App to App Implementation Date?
Options on 90 day re-authentication?
90 day re-authentication
Support Embedded Flow?
No
Which version have you implemented or planning to implement?
(Lowest version = Current, Highest version = Planned)
V3.1.2
V3.1.3
V3.1.4
V3.1.5
V3.1.6
V3.1.7
V3.1.8
V3.1.9
V3.1.10
V3.1.11
Which date are you planning to implement your latest CEG version?
TBC
Redirection Model
App to App redirection
Decoupled authentication
Embedded Flow
Bespoke User Journeys
PSD2
Dispute Management System?
Yes
FCA Adjustment Period - Maintaining Screen Scraping?
Yes
Adjustment period now closed. Screen-scraping is no longer available.
Seeking Fallback Exemption?
Yes
Granted exemption for Retail May 2020. Temporary solution for Corporate pending the delivery of payment types (see Major Milestones for more information).
Adjusted or Fallback Interface?
No
Granted exemption for Retail May 2020. Temporary solution for Corporate pending the delivery of payment types (see Major Milestones for more information).
Screen scraping access remained until Q1 2020 for those TPP's who had not yet launched API Open Banking services - as per SCA deferment guidance from the FCA. For Contingency Measure please see Major Milestones section above.
Which Directory are you using as your Trust Framework?
Open Banking
Are you caching the Directory?
Yes
Transaction IDs Supported
Option 1 Supported
ALL Accounts (including Credit Cards) -Live
ASPSPs provide a Unique, Immutable TransactionID from their core system
Are you enrolled to Dispute Management System?
Yes
No
Are you Seeking Fallback Exemption?
Yes
No
Article 10 - Maximum time period after authentication
?
SCA Scope? (will it inhibit non PSD2 accounts)
Yes - Non PSD2 accounts will not be accessible where new SCA login is launched/used
PSD2 Payment Accounts will continue to be accessible via our Open Banking API's
90 days
See above for details of the transition plans for the recent FCA changes to the RTS/Article10 and what TPP's need to do to prepare.
The Santander logo can be used solely for the purposes of identifying and distinguishing, within AIS and/or PIS (and in relation to UK accounts), Santander as the source of your Read-only Data and Read/Write Data
There should be no suggestion that Santander in any way endorses or is partnered with your solution
Use of the Santander logo is not permitted for marketing or promotional purposes
Attached file: Santander - HCC.xlsx
After Waiver 7 Expiry (16/06/20) option supported: Option 1 - The parameter b64 being set to FALSE OR Option 2 - The b64 claim not being in the header
Option 1 -
Post the W007 expiry we will reinstate the signature validation. This means that if a TPP comes in with a b64 in the “crit” or as its own header “b64” it will need to be set to "false", otherwise it will error and fail the validation. We also plan to accept the b64 claim not being sent, as described in Option 2.
This has been changed due to not meeting the v3.1.4 PIS specifications in time for June 16th. Once we are ready with v3.1.4 PIS we will announce the change to Option 2 (if a TPP comes in with a b64 in the “crit” or as its own header “b64” we will error and fail the validation.)
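The Option 1 and Option 2 rules above, written out as an added example (not Santander's or OBIE's code). It assumes the message signature arrives as a compact JWS with a detached payload and treats b64 as the JSON boolean defined by RFC 7797; the sample headers, the kid value and all function names are constructed for illustration. It goes slightly beyond the text by also showing how b64 changes the bytes that are signed, which is why a mismatch fails validation.

```python
import base64
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_protected_header(jws: str) -> dict:
    """Return the protected header of a detached compact JWS (header..signature)."""
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        raise ValueError("expected a compact JWS with a detached payload")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header

def check_b64(header: dict, option: int):
    """Apply the page's Option 1 or Option 2 rule; returns (accepted, reason)."""
    crit = header.get("crit", [])
    mentioned = "b64" in header or (isinstance(crit, list) and "b64" in crit)
    if not mentioned:
        return True, "b64 not sent"  # accepted under both options
    if option == 2:
        return False, "b64 present in header or crit"
    # Option 1: RFC 7797 defines b64 as a JSON boolean, so only a literal
    # false passes here (this strictness is an assumption of the example).
    if header.get("b64") is False:
        return True, "b64 is false"
    return False, "b64 is not false"

def signing_input(header_segment: str, payload: bytes, header: dict) -> bytes:
    """RFC 7797: with b64=false the raw payload is signed, else its base64url form."""
    if header.get("b64", True) is False:
        return header_segment.encode("ascii") + b"." + payload
    return (header_segment + "." + b64url_encode(payload)).encode("ascii")

def make_jws(header: dict) -> str:
    """Constructed sample: real header segment, placeholder signature segment."""
    body = json.dumps(header, separators=(",", ":")).encode()
    return b64url_encode(body) + "..c2lnbmF0dXJl"

BASE = {"alg": "PS256", "kid": "example-kid"}  # constructed values
SAMPLES = {
    "b64_false": make_jws({**BASE, "b64": False, "crit": ["b64"]}),
    "b64_true": make_jws({**BASE, "b64": True, "crit": ["b64"]}),
    "b64_absent": make_jws(BASE),
    "crit_without_value": make_jws({**BASE, "crit": ["b64"]}),
}

def evaluate(option: int) -> dict:
    return {n: check_b64(parse_protected_header(j), option)[0] for n, j in SAMPLES.items()}

if __name__ == "__main__":
    for opt in (1, 2):
        print("Option", opt, evaluate(opt))
```

A TPP can run its own outgoing header through the same check before the cut-over to see which option it would pass.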