Nationwide Building Society

OB Standards

Implement Open Data v2.2	Live
Implement Read/Write API Specification v3.1	14 Jun 2019
Implement Customer Experience Guidelines v1.1	Mobile 14 Mar 2019 Browser 14 Jun 2019
Implement App-to-App Redirection	14 Mar 2019
Implement OB Security Profile Implementer's Draft v1.1.2	19 Feb 2019
Implement FAPI Profile Implementers Draft 2
Implement CIBA Profile Implementers Draft 1	N/A
Implement Dynamic Client Registration v1.1	Live
Implement Dynamic Client Registration v3.1	14 Jun 2019
Decommission Read/Write API Specification v1.x/2.x	AIS v1.1 31st October 2019	Planning to decommission v1 APIs in end of October once TPPs have completed migration.
Decommission OB Security Profile Implementer's Draft v1.x	Complete

Method of Identification

Commence support for eIDAS QWAC certificates	Q1 2020
Commence support for eIDAS QSEAL certificates	Q1 2020
Commence support for OBIE QWAC-like certificates	14 Sep 2019
Commence support for OBIE QSEAL-like certificates	14 Sep 2019
Cease support for OBIE non eIDAS-like certificates for transport
Cease support for OBIE non eIDAS-like certificates for signing
Support for MTLS token endpoint authentication		14 Sep 2019 TBC
Support for private_key_jwt token endpoint authentication		14 Sep 2019 TBC
Cease support for client id and client secret token endpoint authentication	14 Sep 2019

Implementation

Directory?	Open Banking
Location of Well Known Endpoints?	OB Technical Directory
API Standard Implemented?	Open Banking
Name of Account Holder Implementation Date?	14 June 2019 (single account holder) November 2019 (multiples account holders)
Supported identification method?	Current view is OBWAC/OBSEAL via agency arrangement Client Secret until Sep 2019, then MTLS as the token auth method
Major Milestones	V3.1 14 June 2019 Offers endpoint target date 14 Sep 2019	(Inc Other Products, API Updates, API Deprecations, etc)
Security Profile?
Security Profile Certification?		Security Profile Certificate: Nationwide 2019
CIBA	No
Using Open Banking as your eIDAS Trust Framework?	Yes
Are you caching the Directory?	Yes
Transaction IDs	March 2019 - Option 1 Supported	ASPSPs provide a Unique, Immutable TransactionID from their core system

Customer Journey

Implementing Customer Experience Guidelines?	Yes
Implementing Bespoke User Journeys?	No
Implementing App to App?	Yes
App to App Implementation Date?	End March 2019
Options on 90 day re-authentication?	OBIE Standard until 13 September, then in line with A10 SCA RTS.
Support Embedded Flow?	No

PSD2

Dispute Management System?	Yes
FCA Adjustment Period - Maintaining Screen Scraping?	Yes
Seeking Fallback Exemption?	Exemption Granted - 12 Jul 2019
Adjusted or Fallback Interface?	None at present
Adjusted or Fallback URL?
Contact Email or Phone Number?	NationwideOpenBanking@nationwide.co.uk
Dev Portal URL?	www.nationwidedeveloper.co.uk
Test Facility Implementation Date?	13 Mar 2019
Production Interface Implementation Date?	13 Mar 2019
Contingency Measures		N/a as Nationwide has obtained its exemption
Article 10 - Maximum time period after authentication?		When Strong Customer Authentication (SCA) is completed, you will be able to access all account information the customer has agreed they can access during the initial session (1 hour duration). For subsequent requests we will support requests for accounts, balances and for up to 90 days history of transactions data for 90 days following the authentication (provided the customer has allowed access for this period to the TPP)
Article 10 - Endpoints exempt of SCA	14th September 2019	Once initial SCA has been completed you will be able to access the following account information endpoints without SCA (provided the customer has allowed access on an enduring basis to the TPP) GET /Accounts GET /accounts/{AccountId} GET /accounts/{AccountId}/balances GET /accounts/{AccountId}/transactions Access to accounts endpoints allows retrieval of the AccountId to call balance and transaction endpoints
Authentication Method - Open Banking Channel (Browser)?	Redirect auth using SCA method that aligns with digital channels.
Authentication Method - Open Banking Channel (APP)?	App to App auth using SCA method that aligns with digital channels.
Authentication Method - Private Channel (Browser)?	As they stand today with further auth methods that may be delivered in the future
Authentication Method - Private Channel (APP)?	As they stand today with further auth methods that may be delivered in the future
Authentication Method Implementation Date (Open Banking Channel)?	Methods detailed are currently live in production
Authentication Method Implementation Date (Private Channel)?	Methods detailed are currently live in production
SCA Implementation Date?	14 Sep 2019 TBC (See Notes)	We are planning to implement updated IB authentication screens w/c 9^th September. These will provide members the choice to authenticate using SCA access methods (Card Reader or IB Passnumber and OTP) or maintain access (including via screenscrapers) by continuing to use non-SCA methods of authentication (memorable data). The new log-in screens will also now require members to enter their date of birth. In line with the FCA’s six-month adjustment period we intend to gradually remove the ability of our members to utilise non-SCA methods over this time period as TPPs make the transition to open banking APIs. These changes will also be reflected in our OB browser authentication screens.
SCA Scope? (will it inhibit non PSD2 accounts)	SCA will be delivered to cover the requirements of Reg 100 PSRs