Versions Compared

Old Version 65

changes.mady.by.user Sam Blackaby

Saved on

compared with

New Version Current

changes.mady.by.user Rachael Jansen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Credit Card Accounts (AIS): 14 Aug 2019

App-to-app: 27 Aug 2019

Corporate Customers >6.5m 12 Sept 2019

Savings Accounts: 13 Sept 2019

Cahoot Accounts: 13 Sept 2019

CHAPS Payments 13 Sept 2019

Dynamic Registration: TBC

CBPII Endpoints 14 Sept 2019

International Payments 14 Sept 2019

Credit Card Accounts (PIS): 29 Oct 2019

HCCR Update - In order to display  balance amount in accordance with the HCCR regulation Santander will add the Balance Including Pending and Overdraft Remaining elements in the JSON response for all balance requests for applicable Retail and Business accounts. Deployment date 10th December 2019

3.1.5 AIS is scheduled for launch 30/08/20.

Corporate functionality for Batch and BACS is due for end of July & Multi-Authorisation for end of September. If you or your Corporate customers want to access these services beforehand please contact openbankingAPI@santander.co.uk and we will discuss our contingency mechanism with you.

(Inc Other Products, API Updates, API Deprecations, etc)

The customer balance including the overdraft will be sent in the JSON file as type 'InterimAvailable'.The remaining overdraft will be returned to TPPs in the JSON file as a creditline item and mapped as follows:

OBCreditLine1

OBReadBalance1/Data/Balance/CreditLine/Included - this item will be set to "false".

OBReadBalance1/Data/Balance/CreditLine/Type - set to "Available"

OBReadBalance1/Data/Balance/CreditLine/Amount/Amount - set to the amount of the Overdraft Remaining

OBReadBalance1/Data/Balance/CreditLine/Amount/Currency - set to the currency code of the account balance

The creditline items for Pre-Agreed will remain as is but the item OBReadBalance1/Data/Balance/CreditLine/Included will be set to "false"

Panel
titleColorBlack
borderStyledashed
titleOB Standards
Brand(s)Security Profile?OB Standards Security Profile compliantProgressing to be compliant with the FAPI Profile supplied by the OpenID Foundation. Security Profile Certification?Yes (for OB Standards)

CIBA

NoUsing Open Banking as your eIDAS Trust Framework?YesAre you caching the Directory?YesTransaction IDs

Option 1 Supported

ALL Accounts (except Credit Cards) - Live

Credit Card Accounts -  Live 

ASPSPs provide a Unique, Immutable TransactionID from their core system

Panel

This Section applies to ASPSPs that have implemented OB Standards

Page Properties
iconfalse
idTC-OB Standards-Production
Implement Open Data v2.2 Please note we intend to depreciate v 2.1 as of 17th January 2020 (3 month notice has been issued)
Implement Read/Write API Specification v3.1 
Implement Customer Experience Guidelines v1.1

  

Sandbox full consent journey doesn’t form part of RTS scope.  Prodn - deployments staggered weekly from 1st March to end of April.
Implement App-to-App Redirection Live in Production
Implement OB Security Profile Implementer's Draft v1.1.2 Implement FAPI Profile Implementers Draft 2TBC - Currently undertaking a infrastructure migration and as such our provisional target is to be FAPI compliant in our new Sandbox towards the end of 2020 / early 2021.Implement CIBA Profile Implementers Draft 1N/AImplement Dynamic Client Registration v1.1N/AImplement Dynamic Client Registration v3.1TBC


-Have you Implemented OB Standards?
  •  Yes
  •  No

Open Data - Which version have you Implemented?
  •  None
  •  V2.2
  •  V2.3
  •  V2.4

Read/Write API Specification Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  •  V3.0
  •  V3.1
  •  V3.1.1
  •  V3.1.2
  •  V3.1.3
  •  V3.1.4
  •  V3.1.5
  •  V3.1.6
  •  V3.1.7
  •  V3.1.8
  •  V3.1.9
  •  V3.1.10
  •  V3.1.11
No plans to implement v3.1.11 
Read/Write API - Which date are you planning to implement your latest version?PIS V3.1.10 Now live 21st March 2023

Dynamic Client Registration - Which version have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  None
  •  V3.1
  •  V3.2
  •  V3.3
Dynamic registration implementation is in progress. Date TBC
Decommission Read/Write API Specification v1.x/2.xTBCDecommission date for v1 AIS Production (v1 not supported in sandbox) will be triggered when less than 5% usage. Currently 7.5%
Decommission OB Security Profile Implementer's Draft v1.xTBCNeed to understand security profiles - Eidas/Fapi & CIBA - dates not currently known
Panel
borderStyledashed
titleMethod of Identification
Page Properties
idID-Production
Commence support for eIDAS QWAC certificates13th Sept 2019PROD rollout ready to progress with TPP's - no certs yet received
Commence support for eIDAS QSEAL certificates
Not supported
We do not plan on supporting QSEALs.

Commence support for OBIE QWAC-like certificates

LiveCurrently already supporting these certificates
Commence support for OBIE QSEAL-like certificatesLiveCurrently already supporting these certificates
Cease support for OBIE non eIDAS-like certificates for transport30th June 2021Cease support for OBIE non eIDAS-like certificates for signing30th June 2021Support for MTLS token endpoint authenticationAlready LiveSupport for private_key_jwt token endpoint authenticationN/A
Cease support for client id and client secret token endpoint authenticationTBCFollowing discussion with OBIE, agreed not to stop supporting Client Secret for all certificate types pending stabilisation of eIDAS. Date TBC.
Panel
titleColorWhite
titleBGColor#6180c3
borderStyledashed
titlePost Brexit Certificate Implementation
Page Properties
idStandards-Production
PRE-BREXIT - Certificates Accepted (until 31st Dec 2020)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
POST-BREXIT TRANSITION - Certificates Accepted (1st Jan 2021 - 30th Jun 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 
Only change is to remove support of OB legacy certificates. 
Planned Implementation Date to Satisfy FCA's Post Transition

30th June 2021

TPP PSU Migration Outcomes Supported

N/A - We support client_secret_post

Certificate is not bound to consent so no migration is required other than to use a compliant certificate.

If a TPP needs any support in this process please contact us at openbankingAPI@santander.co.uk
POST-BREXIT Certificate Implementation Status (updated by OBIE IES team)

Status
colourGreen
titleREADY

  • Ready – ASPSP accept eIDAS certs and OB Certs(OBWAC/OBSeal)
Panel
borderStyledashed
titleImplementation
Page Properties
idTC-IMP

Directory?

Open Banking

Location of Well Known Endpoints?

OB Technical Directory

API Standard Implemented?

Open Banking

Name of Account Holder Implementation Date?

Completed -  Date of Current eIDAS Implementation? Current Certificates used for Identification?OB Transport + ClientID + Secret
OBWAC
QWAC		Current Certificates used for Transport?OB Transport
OBWAC
QWAC		Current Certificates used for Signing?OB Signing
OBSEAL		Date of Future eIDAS Implementation?

No future update currently planned.

Future Certificates used for Identification?Future Certificates used for Transport?Future Certificates used for Signing?

Major Milestones

DCR - Which date are you planning to implement your latest version?TBC

Have you implemented Trusted beneficiaries, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented Reverse Payments, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented ECA Standard?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

ECA Implementation details

N/A

Contact: [enter contact details for the relevant person(s) at your organisation]

[You can use this space to provide your status with respect to the Standard]

Have you implemented Bulk/File Payments?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Have you implemented VRP – Sweeping, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 
Sweeping MRO now complete and exit criteria met. PIS v3.1.9 which includes Sweeping now open to all TPPs to subscribe

Have you implemented VRP non-Sweeping, if not date planned to Implement?

  •  Already Implemented
  •  Planning to implement
  •  Not planning to implement 

Plans still to be determined on VRP post Sweeping go live and 3.1.10 90 day changes - will be subject to individual TPP/ASPSP contracts

PISP - Single Payment Limit

£25,000 Retail

£100,000 Business

£250,000 Corporate

Standard FP limits can be found here - https://www.fasterpayments.org.uk/about-us/personal-transaction
PISP - Daily Payment Limit

£100,000 Retail

Business & Corp - No Limit

Standard FP limits can be found here - https://www.fasterpayments.org.uk/about-us/personal-transaction
How many months of transaction do you provide?24 months
Are you planning to implement TRIs(Transactional Risk Indicator enhancements included in v3.1.10), if so, implementation date?Yes - 23rd March 2023Now Live
What is your approach to Implementing TRIs?
  •  Accept payload with TRI fields – Process all fields
  •  Accept payload with TRI fields – Ignore all fields
  •  Reject payload with TRI fields – Error back to TPP
  •  Accept payload with TRI fields – Process few fields (Provide list of accepted fields)  




Panel
borderStyledashed
titleSCA-RTS 90-day reauth Implementation


Page Properties
idSCA-RTS


Which date are you planning on implementing the SCA reauthentication exemption?

As of 23/06 our refresh token will have a 2 year expiry and we will not enforce re-auth from this point.

What is your approach to token management to enable application of the reauthentication exemption? (see link to FCA guidance)

We have recently published our approach to supporting the 90 day Re-auth RTS Changes and FAQ's to guide TPP's preparations

Santander| Approach to 90 Day Re-auth realignment under 3.1.10


The following briefing outlines the approach that Santander UK is taking to assist in the changes to Open Banking Re-Authorisations as a result of the OBIE 3.1.10 Instructions. We have also created some FAQ’s to answer different user cases and situations TPP’s may find themselves, depending on their own preparations for the changed processes. We hope we have been able to come up with a flexible approach which put the TPP in control of the transition, and we will be able to support you if you are ready straight away, or if you need more time to complete your changes ahead of the 30th September cut-off date.


Currently Santander UK issues AIS Refresh tokens to TPP’s which come with a 1 Year expiry date, from the point of creation of the initial consent, and have previously carried out an annual refresh to extend these tokens for an additional year. (Last refresh exercise was completed in July 2021).


We are proposing to complete another annual refresh of these tokens from 13th – 23rd June. This means that any TPP that calls for data with a current refresh token during that time period, will be given a new refresh token to use. We have extended the length of this token to 2 years. For example, a token that is refreshed on 20th June 2022, will have an expiry date of 19th June 2024. We therefore strongly recommend that you call for data at least once during the refresh period, to extend the life of all of your refresh tokens.


Question – Why are Santander not issuing unlimited Refresh Tokens at this time?
Answer – Santander is currently in the process of planning a re-platforming of our Open Banking solution from On-Prem to a Cloud based solution, this is expected to take 6-12 months to plan and implement, at that time existing consents and tokens will need to be re-issued. Current tokens will therefore last for the remaining expected life of our On-Prem solution.


Question – If as a TPP I call for data multiple times during the refresh window (13th to 23rd June 2022) what happens?
Answer – Each time you call during this refresh window, a new token will be issued, and replace the old refresh token – the last call you make during that window will therefore be the last token you should use going forward.


Question – What happens if I do not call for data during the refresh window (13th to 23rd June 2022)?
Answer – Your existing refresh token will not be updated and will therefore expire based on its current expiry date. After expiry, you will receive error messages 401 and data will not be shared for that customer. We therefore recommend that you ensure all Refresh tokens that are active during the Refresh Window to give you the maximum length of life.


Question – What happens for a new Token associated to a new Customer Consent?
Answer – From 13th June, for any new consent set up, you will be issued with a new refresh token valid for 2 years from date of issue.


Question – What happens if we set an expiry date within a Consent?
Answer – Your RT will expire on the date set within the Consent as it would today and subsequently would require a brand new Consent. To take advantage of the extended RT you will need to set up a Consent without an expiry date.


90 Day Re-Authorisation

From 13th June, you will now effectively be in charge of Re-authorisations for Santander customers, and whether you need to redirect customers to Santander for an SCA or not. Santander will not enforce the Re-auth journey from this point onwards and we are extending the application of the re-auth exemption for an extended period up to 30th September to allow you time to make your changes. (In the cases where a customer has revoked consent via our consent dashboard and wishes to re-authorise the original consent – that journey will remain unchanged.)


Question – I am a TPP and we are not yet ready to support the 90-day re-auth changes by 13th June?
Answer – If you are not ready, please continue to use your current 90-day re-auth journey process with the SCA handoff to Santander, which will still be available for you to use. Santander will not force the re-auth journey during this time.


Question – I am a TPP and we are ready to support the 90-day re-auth changes by 13th June?
Answer – If you are ready, please follow your revised process for TPP only Re-auth, and there is no need from this point to handoff to Santander or inform us of the Re-Auth switch. Santander will not reinforce the re-auth journey as the new rules effectively apply.


Question – Are Santander planning to communicate these changes to Customers?
Answer – No, with 150+ TPP’s connected to us for AIS services we have seen that there are various states of readiness across the TPP community, and we have decided to let each TPP control the messages/narrative and timelines in these changes, and with the above arrangements tried to give you the widest possible amount of time, and flexibility to complete the transition.


Question – Will I be able to test with the Sandbox environment?
Answer – No, the sandbox issues a new consent with each test/visit and will not support this one-off transition as outlined above.


Question – If I have questions or need support with the Santander solution where can I go?
Answer – If we haven’t answered your questions with the above, please feel free to contact Santander via a Salesforce ticket, and we will be happy to support you with any queries you may have.

Article 10A - Endpoints exempt of SCA-RTS
  •  

    Accounts

  •  

    Transactions (90days)

  •  

    Balances

  •  

    Standing orders

  •  

    Direct debits

  •  

    Beneficiaries

  •  

    Products

  •  

    Offers

  •  

    Parties

  •  

    Scheduled Payments

  •  

    Statements


Article 10A - Endpoints not exempt of SCA-RTS
  •  

    Transactions (more than 90days)

  •  

    Standing orders

  •  

    Direct debits

  •  

    Beneficiaries

  •  

    Products

  •  

    Offers

  •  

    Parties

  •  

    Scheduled Payments

  •  

    Statements


Article 10A - Maximum time period after authentication

Access Token - 10 mins

Refresh Token - 2 years currently, will move to long-lived once platform transition complete in 2023

Please specify the time period in minutes
SCA-RTS implementation status (updated by OBIE PS team only)

Status
colourGreen
titleImplemented





Panel
titleColorBlack
borderStyledashed
titleSecurity Profile


Page Properties
idID-Production


-Which Security profile have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  OB Security Profile (Legacy)
  •  FAPI
  •  Other (Please define) 

Security Profile - Next Planned Version Implementation DateFAPI - August 2021
CIBA Profile - Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  •  None
  •  CIBA
  •  CIBA FAPI Profile

CIBA Profile - Next Planned Version Implementation Date
 N/A

Security Profile Certification date?
 N/A

Token Endpoint Authentication Methods Supported
  •  
    client_secret_post
  •  
    client_secret_basic
  •  
    client_secret_jwt
  •  
    tls_client_auth
  •  Private_key_jwt
To support tls_client_auth when once FAPI compliant (August 2021).
Planned date to Cease support for client id and client secret token endpoint authentication

August 2021


POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
  •  eIDAS QWAC
  •  eIDAS QSealC
  •  OB legacy (obtransport, obsigning)
  •  OBWAC
  •  OBSeal
  •  Other (Please define) 




Panel
titleColorBlack
borderStyledashed
titleCustomer Journey


Page Properties
idTC-CJ


-What is your approach to Implementing OBIE Customer Experience Guidelines

?Yes

(CEG)?

(tick all that apply)

  •  Already Implemented
  •  Planning to implement or upgrade
  •  Not planning to implement CEG
Santander designs are looking to adhere to CEG but are also accounting for other regulatory commitments that fit outside of the CEG
Current CEG Version?Next CEG Version?v3.1.5Next Version Implementation DateDecember 2020

Implementing Bespoke User Journeys?

No

Implementing App to App?

YesApp to App Implementation Date? 

Options on 90 day re-authentication?

90 day re-authentication

Support Embedded Flow?

No

Which version have you implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  •  V3.1.2
  •  V3.1.3
  •  V3.1.4
  •  V3.1.5
  •  V3.1.6
  •  V3.1.7
  •  V3.1.8
  •  V3.1.9
  •  V3.1.10
  •  V3.1.11

Which date are you planning to implement your latest CEG version?TBC
Redirection Model
  •  App to App redirection
  •  Decoupled authentication
  •  Embedded Flow
  •  Bespoke User Journeys




Panel
titleColorBlack
borderStyledashed
titlePSD2


Dispute Management System?
Page Properties
idTC-PSD2


Yes

FCA Adjustment Period - Maintaining Screen Scraping?YesAdjustment period now closed. Screen-scraping is no longer available. 

Seeking Fallback Exemption?

YesGranted exemption for Retail May 2020. Temporary solution for Corporate pending the delivery of payment types (see Major Milestones for more information). 

Adjusted or Fallback Interface?

NoGranted exemption for Retail May 2020. Temporary solution for Corporate pending the delivery of payment types (see Major Milestones for more information). 
Adjusted or Fallback URLN/AContact Email or Phone Number

Business/Technical: openbankingAPI@santander.co.uk

Dev Portal URL?

https://developer.santander.co.uk

https://sandbox-developer.santander.co.uk/sanuk/external-sandbox/

Test Facility Implementation Date?

 Production Interface Implementation Date?

AIS

V1  DEPRECATED

V2  DEPRECATED

V3.1  DEPRECATED

V3.1.2 13 Sept 2019

PIS

V1  DEPRECATED

V3.1  

CoF

V3.1.2 13 Sept 2019

Contingency MeasuresScreen scraping access remained until Q1 2020 for those TPP's who had not yet launched API Open Banking services - as per SCA deferment guidance from the FCA. For Contingency Measure please see Major Milestones section above.
-Which Directory are you using as your Trust Framework?Open Banking
Are you caching the Directory?Yes
Transaction IDs Supported

Option 1 Supported

ALL Accounts (including Credit Cards) - Live

ASPSPs provide a Unique, Immutable TransactionID from their core system

Are you enrolled to Dispute Management System?

  •  Yes
  •  No

Are you Seeking Fallback Exemption?

  •  Yes
  •  No


Article 10 - Maximum time period after authentication
?

SCA Scope? (will it inhibit non PSD2 accounts)

Yes - Non PSD2 accounts will not be accessible where new SCA login is launched/usedPSD2 Payment Accounts will continue to be accessible via our Open Banking API's
90 daysSee above for details of the transition plans for the recent FCA changes to the RTS/Article10 and what TPP's need to do to prepare.
Article 10 - Endpoints exempt of SCA

Accounts, Balances, Transactions, Beneficiaries, Direct Debits, Standing Orders, Products, Offers, Parties, Scheduled Payments, Statements

We are continuing to allow Customer non present access to these data endpoints as long as a valid consent token exists.

Authentication Method - Open Banking Channel (Browser)?

Retail & Business – OTP

Corporate – Hard token

Authentication Method - Open Banking Channel (APP)?

Retail – Biometric OR Security Number, AND Device Binding

Authentication Method - Private Channel (Browser)?

Retail & Business – OTP

Corporate – Hard Token

Authentication Method - Private Channel (APP)?

Retail – OTP

Authentication Method Implementation Date (Open Banking Channel)?

Live

Authentication Method Implementation Date (Private Channel)?

Live

SCA Implementation Date?

SCA Login for Retail - Completed 15th June

SCA Login for Cahoot - To be completed end of July

SCA Login for Corporate - To be completed end of July

Major Milestones




Brand(s)

Santander

Cahoot





Panel
titleColorBlack
borderStyledashed
titleASPSP Dev Portal and Contact Details


Page Properties
idTC-C


Location of Well Known Endpoints

OB Technical Directory

Modified Customer Interface URL (if applicable)



Dev Portal URL

https://developer.santander.co.uk


Test Facility URLhttps://sandbox-developer.santander.co.uk/sanuk/external-sandbox/
Brand Landing Pages URLhttps://www.figma.com/proto/UvZ9dvaT4mwDHAwfLcAkOB/Master?type=design&node-id=83-6389&t=wNbTE64aS8soLWdA-1&scaling=scale-down&page-id=0%3A1&starting-point-node-id=83%3A6389&mode=design
  • The Santander logo can be used solely for the purposes of identifying and distinguishing, within AIS and/or PIS (and in relation to UK accounts), Santander as the source of your Read-only Data and Read/Write Data
  • There should be no suggestion that Santander in any way endorses or is partnered with your solution
  • Use of the Santander logo is not permitted for marketing or promotional purposes

ASPSP Support Desk Email or Phone Number

(including queries about consent success rates) 

Business/Technical: openbankingAPI@santander.co.uk




Panel
titleColorBlack
borderStyledashed
titleKey Implementations


Page Properties
idTC-HCC


Error Codes
View file
nameSantander Error Codes.xlsx
height250

High Cost Credit

Santander - HCC.xlsx

The customer balance including the overdraft will be sent in the JSON file as type 'InterimAvailable'.The remaining overdraft will be returned to TPPs in the JSON file as a creditline item and mapped as follows:

OBCreditLine1

OBReadBalance1/Data/Balance/CreditLine/Included - this item will be set to "false".

OBReadBalance1/Data/Balance/CreditLine/Type - set to "Available"

OBReadBalance1/Data/Balance/CreditLine/Amount/Amount - set to the amount of the Overdraft Remaining

OBReadBalance1/Data/Balance/CreditLine/Amount/Currency - set to the currency code of the account balance

The creditline items for Pre-Agreed will remain as is but the item OBReadBalance1/Data/Balance/CreditLine/Included will be set to "false"

View file
nameSantander - HCC.xlsx
height250

Page Properties
idTC-W7
After Waiver 7 Expiry (16/06/20) option supported: Option 1 - The parameter b64 being set to FALSE OR Option 2 - The b64 claim not being in the header

Option 1 -

Post the W007 expiry we will reinstate the signature validation. This means that if a TPP comes in with a B64 in the “crit” or as its own header “b64” it will need to be set to "false" otherwise it will error and fail the validation. We also plan to accept not sending the b64 claim also as description in Option 2).

 

This has been changed due to not meeting the v3.1.4 PIS specifications in time for June 16th. Once we are ready with v3.1.4 PIS we will announce the change to Option 2 (if a TPP comes in with a b64 in the “crit” or as its own header “b64” we will error and fail the validation.)