Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
outlinetrue
stylenone

...

VersionDateAuthorComments
3.0 OB R/W API Team

This is the baseline version. No change from RC3.

Swagger URLs  have been updated to point to the latest stable version.

3.1-draft1 OB R/W API Team

This is the initial draft version for 3.1.

Errata

  • Grammatical Fixes
3.1-draft2 OB R/W API TeamNo Change
3.1-draft3 OB R/W API Team

Draft 3 Changes:

  • Namespaced Enumerations are moved to a separate page
  • Removed obsolete Static Enumeration - OBExternalFinancialInstitutionIdentification2Code, OBExternalAccountIdentification2Code, OBExternalAccountIdentification3Code from the list
  • Fixed the wrongly listed OBExternalLimitType2Code, it must be OBExternalLimitType1Code - no change in values
  • Swagger Specification links updated
3.1-draft4 OB R/W API Team

Draft 4 Changes:

  • Added CreditorAgent and DebtorAgent to ReadTransactionsDetail permission.
  • Updated class names in Permissions table
  • Added a section "ISO enumerations" for fields which are using ISO defined enumeration
  • Swagger Specification links updated
3.1-RC1 OB R/W API Team

RC1 Changes:

  • Swagger Specification links updated
3.1OB R/W API Team

Version 3.1 final release.

No changes from Version 3.1 RC1.

Swagger updated to latest release candidate

Overview

This specification describes the Account Information and Transaction API flows and payloads.

...

GET

  • An AISP must not access a Consent on an older version, via the Id for a Consent created in a newer version:
    • E.g., An account-access-consent created in v3 accessed via v2 account-request.
  • An ASPSP must allow a Consent to be accessed in a newer version.
  • An ASPSP must ensure Permissions set associated with a Consent are unchanged when accessed in a different version:
    • E.g., An account-request created in v2 will have the same details when accessed via v2 and v3 (as an account-access-consent).
  • An ASPSP must ensure a Consent's fields are unchanged when accessed in a different version.
  • An ASPSP may allow expired Consents to be accessed in a newer version.
  • An ASPSP may choose to populate new fields introduced in a resource from previous version sensible defaults (if mandatory) or not populate at all (if not mandatory):
    • E.g., OBReadResponse1/Data/StatusUpdateDateTime introduced in v2 accessed with v1 AccountRequestId can be populated with Last accessed date time, if not already available in the system of records.

...

Account Information Resources

GET

  • An AISP may use a token that is bound to a Consent in a previous version, to access an endpoint of a newer version.
  • An AISP may use an Id for a Consent created in a previous version to retrieve Account Information resources in a newer version:
    • E.g., AccountRequestId from v2 can be used as ConsentId in v3, to GET /accounts.
  • An AISP must not use an Id for a Consent from a newer version to access Account Information resources in a previous version:
    • E.g., ConsentId for an account-access-consent created in v3, must not be used to access v2 Account Information endpoints.
  • An AISP must not use an Id for a Consent from a previous version to access a resource introduced in a newer version (as the Consent will not have Permissions required to access the new resource).
  • An ASPSP must allow an AISP to use an Id for a Consent from a previous version to access Account Information resource endpoints in a newer version:
    • E.g., AccountRequestId created in v2 must be allowed to access Account Information resource endpoints in v3.
  • An ASPSP must reject the request to access a resource, for which a Consent's Permissions set does not permit.
  • An ASPSP may choose to populate new fields introduced in a resource from previous version sensible defaults (if mandatory) or not populate at all:
    • E.g., OBReadResponse1/Data/StatusUpdateDateTime introduced in Version2 accessed with V1 AccountRequestId can be populated with Last accessed date time, if not already available in the system of records.

...

AISPs must use a client credentials grant to obtain a token to access the account-access-consents resource. In the specification, this grant type is referred to as "Client Credentials".

AISPs must use an authorization code grant using a redirect or decoupled flow to obtain a token to access all other resources. In the specification, this grant type is referred to as "Authorization Code".

...

PermissionsEndpointsBusiness LogicData Cluster Description
ReadAccountsBasic

/accounts

/accounts/{AccountId}


Ability to read basic account information
ReadAccountsDetail

/accounts

/accounts/{AccountId}

Access to additional elements in the payloadAbility to read account identification details
ReadBalances

/balances

/accounts/{AccountId}/balances


Ability to read all balance information
ReadBeneficiariesBasic

/beneficiaries

/accounts/{AccountId}/beneficiaries


Ability to read basic beneficiary details
ReadBeneficiariesDetail

/beneficiaries

/accounts/{AccountId}/beneficiaries

Access to additional elements in the payloadAbility to read account identification details for the beneficiary
ReadDirectDebits

/direct-debits

/accounts/{AccountId}/direct-debits


Ability to read all direct debit information
ReadStandingOrdersBasic

/standing-orders

/accounts/{AccountId}/standing-orders


Ability to read basic standing order information
ReadStandingOrdersDetail

/standing-orders

/accounts/{AccountId}/standing-orders

Access to additional elements in the payloadAbility to read account identification details for beneficiary of the standing order
ReadTransactionsBasic

/transactions

/accounts/{AccountId}/transactions

/accounts/{AccountId}/statements/{StatementId}/transactions

Permissions must also include at least one of:

  • ReadTransactionsCredits
  • ReadTransactionsDebits

Ability to read basic transaction information

ReadTransactionsDetail

/transactions

/accounts/{AccountId}/transactions

/accounts/{AccountId}/statements/{StatementId}/transactions

Access to additional elements in the payload

Permissions must also include at least one of

  • ReadTransactionsCredits
  • ReadTransactionsDebits

Ability to read transaction data elements which may hold silent party details

ReadTransactionsCredits

/transactions

/accounts/{AccountId}/transactions

/accounts/{AccountId}/statements/{StatementId}/transactions

Access to credit transactions.

Permissions must also include one of:

  • ReadTransactionsBasic
  • ReadTransactionsDetail
Ability to read only credit transactions
ReadTransactionsDebits

/transactions

/accounts/{AccountId}/transactions

/accounts/{AccountId}/statements/{StatementId}/transactions

Access to debit transactions.

Permissions must also includeone of:

  • ReadTransactionsBasic
  • ReadTransactionsDetail
Ability to read only debit transactions
ReadStatementsBasic

/statements

/accounts/{AccountId}/statements


Ability to read basic statement details
ReadStatementsDetail

/statements

/accounts/{AccountId}/statements

/accounts/{AccountId}/statements/{StatementId}/file

Access to additional elements in the payload

Access to download the statement file (if the ASPSP makes this available).

Ability to read statement data elements which may leak other information about the account
ReadProducts

/products

/accounts/{AccountId}/product


Ability to read all product information relating to the account
ReadOffers

/offers

/accounts/{AccountId}/offers


Ability to read all offer information
ReadParty/accounts/{AccountId}/party
Ability to read party information on the account owner.
ReadPartyPSU/party
Ability to read party information on the PSU logged in.
ReadScheduledPaymentsBasic

/scheduled-payments

/accounts/{AccountId}/scheduled-payments


Ability to read basic statement details
ReadScheduledPaymentsDetail

/scheduled-payments

/accounts/{AccountId}/scheduled-payments

Access to additional elements in the payload
ReadPANAll API endpoints where PAN is available as a structured fieldRequest to access to PAN in the clear

Request to access PAN in the clear across the available endpoints. 

If this permission code is not in the account-access-consent, the AISP will receive a masked PAN.

While an AISP may request to access PAN in the clear, an ASPSP may still respond with a masked PAN if:

  • The ASPSP does not display PAN in the clear in existing online channels
  • The ASPSP takes a legal view to respond with only the masked PAN

...

Permission - Detail CodesData Element NameOccurrenceXPath
ReadAccountsDetailAccount0..1OBReadAccount3/Data/Account/Account
ReadAccountsDetailServicer0..1OBReadAccount3/Data/Account/Servicer
ReadBeneficiariesDetailCreditorAgent0..1OBReadBeneficiary3/Data/Beneficiary/CreditorAgent
ReadBeneficiariesDetailCreditorAccount0..1OBReadBeneficiary3/Data/Beneficiary/CreditorAccount
ReadStandingOrdersDetailCreditorAgent0..1OBReadStandingOrder4/Data/StandingOrder/CreditorAgent
ReadStandingOrdersDetailCreditorAccount0..1OBReadStandingOrder4/Data/StandingOrder/CreditorAccount
ReadTransactionsDetailTransactionInformation0..1OBReadTransaction4/Data/Transaction/TransactionInformation
ReadTransactionsDetailBalance0..1OBReadTransaction4/Data/Transaction/Balance
ReadTransactionsDetailMerchantDetails0..1OBReadTransaction4/Data/Transaction/MerchantDetails
ReadTransactionsDetailCreditorAgent0..1OBReadTransaction4/Data/Transaction/CreditorAgent
ReadTransactionsDetailCreditorAccount0..1

OBReadTransaction4/Data/Transaction/CreditorAccount

ReadTransactionsDetailDebtorAgent0..1OBReadTransaction4/Data/Transaction/DebtorAgent
ReadTransactionsDetailDebtorAccount0..1OBReadTransaction4/Data/Transaction/DebtorAccount
ReadStatementsDetailStatementAmount0..*OBReadStatement1/Data/Statement/StatementAmount
ReadScheduledPaymentsDetailCreditorAgent0..1OBReadScheduledPayment2/Data/ScheduledPayment/CreditorAgent
ReadScheduledPaymentsDetailCreditorAccount0..1OBReadScheduledPayment2/Data/ScheduledPayment/CreditorAccount

In addition the ReadStatementsDetail is required to access the statement file download via: /accounts/{AccountId}/statements/{StatementId}/file

...

  • The camt.052 header section and trailer sections have been removed as these are not required for a RESTful API.
  • Resources have been identified and payload structures have been designed for these resources rather than a full message (i.e., camt.052) that encompasses all resources in a report format. This has meant we have designed separate endpoints and payloads to cover:
    • accounts
    • balances
    • beneficiaries
    • direct-debits
    • offers
    • party
    • products
    • standing-orders
    • statements
    • transactions
    • scheduled-payments
  • New payloads have been designed for beneficiaries, direct-debits, standing-orders, and products resources as these are not in the ISO 20022 standard (or the camt.052 message).
  • A DateTime element has been used instead of a complex choice element of Date and DateTime (across all API endpoints). Where time elements do not exist in ASPSP systems, the expectation is the time portion of the DateTime element will be defaulted to 00:00:00+00:00.
  • Variations for the accounts structure include: 
    • Standardised inline with the Payment API account structures.
    • Contains elements to identify an account Nickname, SecondaryIdentification.
  • Variations for the balances structure include:
    • Adding a Type into the CreditLine section to allow for multiple credit line types affecting the available balance.
    • DateTime element has been specified instead of a complex choice of Date and DateTime.
  • Variations for the transactions structure include:

    • Renaming "entry" to "transaction" for consistency as this is the language used in the CMA Order and PSD2.

    • DateTime elements used instead of a complex choice of Date and DateTime.

    • Flattening of the structure for BankTransactionCode and ProprietaryBankTransactionCode.

    • Additional information for an AddressLine, MerchantDetails and a running Balance.

...

The Swagger Specification for Account Information APIs can be downloaded from the following links: