Implement OB Security Profile Implementer's Draft v1.1.2
September 2019
Implement FAPI Profile Implementers Draft 2
September 2019
Implement CIBA Profile Implementers Draft 1
N/A
Implement Dynamic Client Registration v1.1
Implement Dynamic Client Registration v3.1
Decommission Read/Write API Specification v1.x/2.x
Decommission OB Security Profile Implementer's Draft v1.x
Article 10 SCA Exemption (for 90 days)
For article 10 we are only going with the 90 days re-authentication but not restrictions on payment types (DDs, SOs) or data for more than 90 days away.
Please note: We do not display statements
Method of Identification
Will be implemented in line with PSD2 deadline.
Commence support for eIDAS QWAC certificates
14 Sept 2019
Commence support for eIDAS QSEAL certificates
N/A
Commence support for OBIE QWAC-like certificates
14 Sept 2019
Commence support for OBIE QSEAL-like certificates
14 Sept 2019
Cease support for OBIE non eIDAS-like certificates for transport
N/A
Presently supported. Pending stabilisation of eIDAS and confirmation with TPPs in order to plan ceasing the support
Cease support for OBIE non eIDAS-like certificates for signing
N/A
Presently supported. Pending stabilisation of eIDAS and confirmation with TPPs in order to plan ceasing the support
Support for MTLS token endpoint authentication
Support for private_key_jwt token endpoint authentication
Cease support for client id and client secret token endpoint authentication
For Production Well Known Endpoint, we are presently starting our Managed Roll-out phase. Please contact us for further information.
API Standard Implemented?
Open Banking v3.1
Name of Account Holder Implementation Date?
TBC (see notes)
This optional field has not been implemented yet but is planned for some time in the future.
Supported identification method?
MTLS available. eIDAS QWAC/QSEAL. EIDAS certificates will be validated using the OBIE directory
Major Milestones
Version 3.1 was implemented in June 2019 and no other version are planned before we go live in September 2019.
(Inc Other Products, API Updates, API Deprecations, etc)
FAPI Compliant?
Yes
CIBA
No
Using Open Banking as your eIDAS Trust Framework?
Yes
Are you caching the Directory?
No
Transaction IDs
We are supporting: ASPSPs provide a Unique, Immutable TransactionID from their core system
Customer Journey
Implementing Customer Experience Guidelines?
Yes
Implementing Bespoke User Journeys?
Yes (see notes)
Our payment journeys currently follow the exact journey as customer would get in their online banking. The Customer Experience Guidelines says they payment journeys should be 2 step. We will not be introducing the 2 step journeys until October 2019.
Implementing App to App?
N/A
App to App Implementation Date?
Options on 90 day re-authentication?
90 Days
A TPP can re-authentication any time up until the expiry date. The customer will be made to re-authenticate every 90 days otherwise access to the data will be removed.
Support Embedded Flow?
No
PSD2
Dispute Management System?
Yes
System implementation in line with OBIE implementation dates.
FCA Adjustment Period - Maintaining Screen Scraping?
For Production URL, we are presently starting our Managed Roll-out phase. Please contact us for further information.
Test Facility Implementation Date?
Production Interface Implementation Date?
Authentication Method - Open Banking Channel (Browser)?
Username, password and PAC (PAC is PIN code). The customer also has to do another factor using either a card & reader or a push notification to their mobile.
Authentication Method - Open Banking Channel (APP)?
Username, password and PAC (PAC is a PIN code). The customer also has to do another factor using either a card & reader or a push notification to their mobile.
Authentication Method - Private Channel (APP)?
N/A
N/A, as the mobile app is currently not in scope.
Authentication Method Implementation Date (Open Banking Channel)?
14 Sept 2019
Authentication Method Implementation Date (Private Channel)?
14 Sept 2019
SCA Implementation Date?
SCA Scope? (will it inhibit non PSD2 accounts)
No (see notes)
No. All Open Banking relevant accounts, e.g. private current accounts, commercial current accounts, debit and credit card accounts and currency accounts. Non PSD2 accounts are not exposed.