
OB versus FAPI profile

On 23 August 2018, OBIE's Technical Design Authority (TDA) agreed to switch from the Open Banking Security Profile to the Financial Grade API (FAPI) Profile. Due to the tight timelines of the CMA Order and PSD2/RTS, several ASPSPs were unable to support this switch prior to 14 September 2019. As such, OBIE agreed to continue support for both the Open Banking Security Profile and the related Conformance Tool for a period of time to allow ASPSPs to migrate to the FAPI Profile, and for these ASPSPs to allow TPPs to also make this migration.

As such, OBIE will continue to support the Open Banking Security Profile and the related Conformance Tool until 14 September 2019, and will continue to issue and publish related Conformance Certificates until this time. After 14 September 2019, OBIE will mark the Open Banking Security Profile and the Conformance Tool as 'archived' and will no longer accept requests for related Conformance Certificates.

OBIE encourages all ASPSPs to make the switch to FAPI as soon as possible, and to apply for a related Conformance Certificate directly from the OpenID Foundation.


An OBIE Security Profile Conformance Certificate allows an Implementer to demonstrate that they have successfully implemented either of the following security profiles:

Please visit the OpenID Foundation for certificates relating to the Financial Grade API (FAPI) Profile and Client Initiated Backchannel Authentication (CIBA) Profile. The FAPI Profile is intended to replace the Open Banking Security Profile, and therefore an Implementer will not normally need to apply for certification for both profiles at the same time.

Pre-requisites

For Open Banking Security Profile Conformance Certificates:

  • Although the Implementer may download and run tests locally, Conformance Certificates will only be issued when the tests have been run and evidence supplied using the hosted version of the Open Banking Security Profile Conformance Tool.
  • The Implementer must have implemented the Open Banking Security Profile and use the Conformance Tool to test their implementation.
  • The Implementer must use the latest or most recent previously published version of the Conformance Tool.
  • The Implementer must ensure that all sensitive information (e.g. private keys and authorisation headers) is redacted or removed prior to submission to OBIE.
  • OBIE will not normally publish new versions of the tool more frequently than every two weeks.
  • The tool will generate a file which includes:
    • List of all tests run.
    • For each test run, a description, pass/fail flag, and link to the relevant specification reference.
  • The Implementer must also complete a signed attestation form to confirm that all evidence submitted is accurate and has not been altered in any way.

Number of Conformance Certificates needed

It is up to each Implementer as to how many Conformance Certificates they apply for.

For ASPSPs, each Conformance Certificate covers one base URL (e.g. api.bank.com). This URL may include multiple brands and/or products, based on the same Security Profile. It is up to the Implementer to ensure they have run and submitted sufficient tests which cover all relevant brands/products as part of their Conformance Certification Request.

An ASPSP may have other brands/products on separate base URLs which have the exact same functionality, and may decide to declare that these brands/products are also covered by a single Conformance Certificate. However, OBIE will only publish the Conformance Certificate based on the single base URL submitted by the Implementer.

Conformance Certificates

Expired Certificates

Please see previous/expired certificates here: Open Banking Security Profile Conformance

