Introduction
At IESG on 21 March 2019, a question was raised about 'resilience challenges with PIS' use cases and 'how this could be measured'. The Implementation Trustee set an action for TDA to address the issue of resilience and report back to IESG. In parallel, TDA had already been looking at a number of other issues which were causing loss of access for TPPs.
There were also a number of other related issues being raised at the same time in various forums (including the TDA, API Forum, Testing Working Group and the EBA Working Group) relating to overall ecosystem resilience, including dependencies on the directory, lack of consistent approach to implementation, drop off rates during authentication and overall lack of functionality. Therefore, when TDA members were asked to comment on resilience, a number of these other issues were raised as being equally, if not more, important for certain use cases. TDA members have thus contributed to create a long list of these issues.
This paper is a collation of these issues, and for each, details on the route causes, impact (on the end PSU), mitigating actions and the current status. The paper also includes a number of recommendations.
Ecosystem resilience
While the overall ecosystem has a dependency on the OBIE Directory, the impact is low if this is not available for periods of time, as ASPSPs must not block access to authorised TPPs based solely on Directory outages and should cache (locally in their systems) any critical directory services, especially if they chose to rely on the data from these to be highly available and/or validated for every API call.
When considering the availability and performance of an ASPSP's dedicated interface, there is a clear expectation to ensure the provision of functional KPIs that are matched with the best KPIs across the direct customer interfaces. If this is not the case, this could impact a TPPs ability to access the PSU's payment account, resulting in a disruption of payment services being provided to the PSU. Even if the ASPSP is meeting its regulatory obligations consideration should be given to the needs to a well-functioning ecosystem and the needs of the other participants who will be impacted by poorly performing APIs regardless of regulatory compliance.
Issues
This list of issues is not in itself designed to create additional regulatory requirements, but rather sets out a number mitigating actions for each which are either labelled as a must (typically because there is a corresponding regulatory requirement which has been referenced below) or a should (where this is a recommendation from OBIE). Most, if not all, of these issues exist in other EU markets; however the scope is the UK ecosystem at this time.
There are also a number of risks which are not covered here. Perhaps the biggest of these is the lack of availability of eIDAS certificates, and the lack of a consistent approach to how ASPSPs will accept and validate these. OBIE is currently conducting research on this topic to understand this risk and whether this is potentially an issue to be added to this list.
Ref | Category | Issue | Description and Route Cause(s) | PSU Impact | Mitigating Action(s) | Current Status |
---|---|---|---|---|---|---|
1 | Availability and performance | API traffic is throttled/rate limited | ASPSP rate limits API requests for individual or groups of TPPs (e.g. to x requests per second) due to one or more of the following limitations:
| More likely to be an issue for AIS use cases where the AISP requests large batches of transaction data 4 times every day for a large number of PSUs. If this happens, the TPP may not be able to update their systems, and may thus not be able to meet their SLAs for one or more of their PSUs. PIS use cases are more likely to have at most a similar traffic profile to existing direct online payments, where PSU is present and authenticating each payment. |
| At least one ASPSP is doing this currently. Several ASPSPS are currently using cloud based API infra and several are planning to implement cloud data lakes. |
2 | Lack of API availability | ASPSP's API is not be available at any point of time due to either:
It is important to note that downtime of the API may still occur if the API platform itself is available, but one or more downstream systems is not available or working correctly. | Lack of availability of an API, will effect a TPPs service and could cause detriment to the end PSU. This is particularly critical for PIS services, as PSUs cannot. If the TPP is aware in advance, they can minimise this detriment by adapting their platform and potentially offering alternative services to the PSU. If this is unplanned or planned but the TPP is not aware, then the TPP will not be able to take steps to reduce this detriment. |
| Latest CMA9 availability was an average of 97% in May 2019, with a range of 90-100%. See https://www.openbanking.org.uk/providers/account-providers/api-performance/. OBIE expects this level to improve by Sep 2019. | |
3 | API is slow to respond | ASPSP's API takes a long time to respond to requests either:
| Less likely to be an issue for AIS use cases, as APIs will almost always be faster than screen scraping. PIS use cases require fast response times so the PISP can notify the PSU in real time. However, since most PIS payloads are small, this is also less likely to be an issue. Some CBPII use cases require a confirmation of funds in under 500ms. |
| Latest CMA9 stats are showing an average response time of 900ms in May 2019, with a range of 500-1000ms. See https://www.openbanking.org.uk/providers/account-providers/api-performance/. There is no indication this is likely to change significantly by Sep 2019. | |
4 | API error rate is high | API responds to valid API requests with high error rates either:
This should not be considered an issue where the error message is the correct response, i.e. due to an incorrectly formatted TPP request. | Will impact the ability of TPPs to offer effective services to PSUs. |
| Latest CMA9 stats are showing an error rate of 2.8% May 2019. See https://www.openbanking.org.uk/providers/account-providers/api-performance/. There is no indication this is likely to change significantly by Sep 2019. | |
5 | APSPS is slow to respond to TPP issues | ASPSP does not respond to TPP issues in a timely manner (e.g. taking several days or even weeks), due to lack of effective service desk offering for TPPs. | Likely to delay TPPs migrating PSUs and/or bringing new services to market, and hence delay benefits for the PSUs. |
| Several TPPs have reported lengthy delays in ASPSP response times to issues raised. This is being tracked at TWG, and OBIE expects the situation to improve by Sep 2019. | |
6 | Implementation | API is not working as per the OBIE standard | ASPSP publishes an API which does not (fully) conform to the OBIE standard due to one or more of the following reasons:
This lack of conformance can equally apply to the Security Profile, API Specifications (inc. DCR), CEG or OGs. | Will create difficulties for TPPs to integrate with APIs and delay their ability to launch services to PSUs. Even more of an issue if these deviations are not documented and/or large deviations from the standard. |
| Several ASPSPs have certificated to the OBIE Security Profile, not the Functional or CEG certification. These are requirements for CMA9 and expected to be completed before Sep 2019. See latest status Conformance Certification Service. |
7 | ASPSPs (across EU and globally) have not all followed the same standard | ASPSPs do not implement APIs which work the same as other ASPSPs, because either:
| With c6000 ASPSPs across the EU and c25,000 globally, there will likely be fragmentation for TPPs entering the market. This in turn could limit the ability of TPPs to offer services which benefit PSUs. | In addition to the above actions (for #6):
| Several TPPs (including the large tech giants) have voiced their concern. However there are now c100 TSPs in the OBIE ecosystem, and many of these offer services specifically to solve this problem. OBIE has been working with other market initiatives and standards bodies to understand and address differences where possible. | |
8 | API introduces a breaking change | ASPSP introduces a change to an API at any time which causes a lack of connection or failure in TPP service due to either:
This is most likely to apply to either the Security Profile or API Specifications. | TPPs will incur (significant) costs to keep on top of such changes and be unable to launch stable services with PSUs of ASPSPs where this is an issue. | In addition to the above actions (for #6):
| Many ASPSPs still introducing breaking changes to fix conformance issues and meet their deadlines for Sep 2019. OBIE expects there to be more stability from Sep 2019 onwards. | |
9 | ASPSP loses record of PSU account-access-consent | ASPSP makes a change in their system which results in losing the record of account-access-consent for one or more PSUs, where the PSU has NOT revoked consent at the TPP NOR access at the ASPSP. This could be for one or more of the following reasons:
| PSUs will be required to go through a full authentication journey with the ASPSP, including account selection. This will likely cause drop off in usage of TPP services and potential detriment to PSUs. |
| To date, at least one ASPSP has incorrectly implemented 90 day re-auth. Over the last 6 months two have made changes resulting in lost/invalidated access tokens. | |
10 | API has data quality issues | API appears to be working correctly as per specification, but some data is either:
| TPP may present an inaccurate analysis to its PSU based on the inccorect information provided, which could have a negative impact on the customer and the service offering provided. Will be difficult for TPPs and ASPSPs to identify if this is happening, which could result in delays to resolution. |
| OBIE is tracking any reported issues via the service desk and at TWG. | |
11 | OBIE standard is ambiguous | ASPSPs have interpreted the OBIE Standard in different ways due to:
| ASPSPs likely to implement APIs which work differently, which could cause limit/slow take-up by TPPs and, in turn, delay services for PSUs. Potentially this could introduce breaking changes in the future which may disrupt services for PSUs. |
| See Known Specification Issues This is being continually tracked, and each subsequent version of the Standard is more robust. | |
12 | Certificates and directory services | ASPSP stops supporting OB Certs | ASPSPs that currently accept OB certs may decide to stop supporting them and require TPPs to switch over to use eIDAS certs for:
| If an ASPSP requires TPP to switch from OB to eIDAS certs, this is a breaking change, as all previous access tokens will be invalidated. PSUs will be required to go through full authentication journey, including account selection. As above, this will cause drop off in usage of TPP services and potential detriment to PSUs. |
| Currently all CMA9 and most other ASPSPs in OBIE ecosystem support OB certs. All are planning to also support eIDAS certs. It is not currently known how many ASPSPs will require TPPs to only use eIDAS certs. |
13 | ASPSP's or TPP's NCA Auth Number changes | Any regulated party's NCA authorisation number may change due to:
| If any party's NCA number changes, then any of their eIDAS certificate(s) would no longer be valid and would need to be revoked. This is likely to have the same effect as above, and would result in PSU's being forced to go through a full authentication journey. |
| This has happed in the past with at least one ASPSPs due to a change in legal structure. | |
14 | OBIE directory services not available | OBIE directory services are not available due to:
| ASPSPs and TPPs may not be able to enrol during any outages, which could delay introduction of services for PSUs. ASPSPs may not be able to validate the regulatory status of TPPs during outages or if the status check service is not working using the Directory. |
| Some ASPSPs have not been caching critical directory services in the past, which has resulted in outages in their APIs. Some ASPSPs have not allowed access to TPPs because they have not been able to check the regulatory status of TPPs using the Directory. OBIE believes these incidents are now much less likely to happen. | |
15 | SCA | SCA journey introduces too much friction | ASPSP introduces additional steps during authentication because they:
| Too much friction will significantly reduce take-up of services by PSU, especially relating to PIS. |
| Most ASPSPs following OBIE Standard are working to follow CEGs in this regard by Sep 2019. App-app is a requirement under the CMA Order and is being implemented by all CMA9. Few ASPSPs are likely to implement decoupled by Sep 2019. Initial reports from PISPs indicate an average failure or drop-off rate of over 50% and in some cases as much as 80%. |
16 | 90 day re-authentication introduces too much friction | As per the RTS Art 10 exemption, ASPSPs require the PSU to re-authenticate at least every 90 days for the AISP to continue to access their account. | This re-authentication acts as a reminder to PSUs that they are still allowing an AISP to access their account. However, there are several scenarios where this extra friction may result in PSUs losing access to useful/important services (e.g. PFMs, Accounting Software and Sweeping). |
| A number of TPPs have reported significant drop off (i.e. PSUs abandoning the service) when this re-authentication is required every 90 days. At least one ASPSP has not implemented the shorter journey as per the OBIE Standard. As ASPSPs improve their SCA journeys, OBIE expects this drop off to improve. | |
17 | No SCA exemption for AIS | ASPSP does not allow a 90 day exemption under RTS Art 10. This may be because the ASPSP either:
| ASPSP will require the PSU to authenticate for every account request from an AISP. This will make any ongoing service (e.g. PFM, Accounting Software or Sweeping) effectively unusable. |
| At least one ASPSP in EU has stated they will not support the Art. 10 SCA exemption in their dedicated interface. OBIE are not aware of any ASPSPs in UK who are taking this stance. However, any ASPSPs implementing a fallback are unlikely to be able to support this SCA exemption. | |
18 | No SCA exemption for PIS | ASPSP does not support any of the allowable SCA exemptions for payments in their direct channel and accordingly these are also not available for PISP payments, for example:
| ASPSP will require the PSU to authenticate every payment with SCA, which will likely introduce additional friction (versus alternative payment methods) and limit the take-up of PISP services for these use cases. |
| It is not known how many ASPSPs are supporting SCA exemptions for PIS use cases for Sep 2019. OBIE is working with a number of participants to test VRP propositions under the FCA Regulatory Sandbox in the 2019 cohort. | |
19 | Functionality | Lack of immutable transaction ID | ASPSP does not provide a unique and immutable identifier for each transaction record in the GET transactions endpoint because:
| Without an immutable transaction ID, AISPs face a number of challenges, including:
This in turn could limit the accuracy of AIS services, and potentially result in misleading PSUs. |
| OBIE has asked all ASPSPs to update their entry in the OBIE Transparency calendar with this information. The majority of CMA9 have committed to provide a solution by Sep 2019, see /wiki/spaces/DZ/pages/1010074155. |
20 | Lack of account holder name(s) for AIS | ASPSP does not provide the name of account holder(s) to AISPs in the Account and Transaction API. | Without the name of the account holder(s) many AIS use cases (e.g. application for lending products) are less useful than current solutions (e.g. paper statements or screen scraping). This could limit the value and adoption of such services by PSUs. |
| Currently not all ASPSPs are providing this. It is expected that most, if not all, will be providing this by Sep 2019. | |
21 | Lack of a meaningful payment status | ASPSP does not provide a status for each payment beyond the immediate response to PISP's POST for the payment resource, which is often 'Pending'. This is because the ASPSPs either:
| It is not expected for the PISP to receive a status of 'Accepted Settlement Complete' (i.e. payment has been received in the payee account) as many online channels do not inform the PSU of the execution of payments. However, if the PISP does not receive a status of 'Accepted Settlement in Progress' (i.e. payment has been debited from the PSU's account) they will not be able to inform the PSU (and/or merchant) that the payment order has been accepted by the ASPSP. This will limit the value/utility of many PIS use cases. |
| OBIE have further updated the standard (in v3.1.2) to include status codes for all payment types through to execution. Currently several ASPSPs are not providing a RESTful response, and all subsequent GET requests to the payment resource only return a status of 'Pending'. |
Agree actions
The UK ecosystem is still young, especially regarding the introduction and take-up of PISP services. Therefore these issues should be subject to continual updates and regular review. The following actions were agreed by the Implementation Trustee at IESG on 25 July 2019:
- These issues should be made public on the OBIE Developer Zone. All of these issues are well known, widely reported, and complete transparency is the best way to encourage positive remedial actions.
- Actions and status should be tracked as a standing agenda item at TDA, and escalated to IESG where relevant.
- All participants should continue to report specific issues (e.g. relating to a specific TPP-ASPSP integration) to OBIE via a service desk ticket.
Regulatory references
(1) RTS -SCA
- Article 32(2): "Account servicing payment service providers that have put in place a dedicated interface shall define transparent key performance indicators and service level targets, at least as stringent as those set for the interface used by their payment service users both in terms of availability and of data provided in accordance with Article 36. Those interfaces, indicators and targets shall be monitored by the competent authorities and stress-tested."
- Article 32(3): Account servicing payment service providers that have put in place a dedicated interface shall ensure that this interface does not create obstacles to the provision of payment initiation and account information services. Such obstacles, may include, among others, preventing the use by payment service providers referred to in Article 30(1) of the credentials issued by account servicing payment service providers to their customers, imposing redirection to the account servicing payment service provider's authentication or other functions, requiring additional authorisations and registrations in addition to those provided for in Articles 11, 14 and 15 of Directive (EU) 2015/2366, or requiring additional checks of the consent given by payment service users to providers of payment initiation and account information services.
- Article 33(5): For this purpose, account servicing payment service providers shall ensure that the payment service providers referred to in Article 30(1) can be identified and can rely on the authentication procedures provided by the account servicing payment service provider to the payment service user. Where the payment service providers referred to in Article 30(1) make use of the interface referred to in paragraph 4 they shall:
(2) EBA Guidelines on the exemption from Contigency Mechansim
Guideline 2: Service level, availability and performance
2.1. The ASPSP should define key performance indicators (KPIs) and service level targets, including
for problem resolution, out of hours support, monitoring, contingency plans and maintenance
for its dedicated interface, that are at least as stringent as those for the interface(s) made
available to its own payment service users (PSUs) for directly accessing their payment accounts online.
(3) EBA Guidelines on the exemption from Contigency Mechansim - Commentary
Ref 1 "...The EBA is of the view that the dedicated interface should not be compared with the ‘equivalent’ customer interface, given that the data and availability of the dedicated interface should be the same regardless of the channel used by the PSU for accessing the services of the AISP or the PISP. Instead, the EBA believes that, in accordance with Article 32(2) of the RTS, if the ASPSP offers more than one customer interface and has different KPIs and service level targets for the said customer interfaces, the KPIs and service level targets for the dedicated interface should match the best of the KPIs and service level targets across all the interfaces made available by the ASPSP to its PSUs for directly accessing their payment accounts online..."
(4) FCA Approach Document
17.33 For AIS,we expect ASPSPs to make the same information available to a customer via an AISP as would be available to the customer if they accessed their account online directly with the ASPSP...To give some examples,we would expect the following sorts of information
- information relating to the account, including the name(s) of the account holder(s) and the account number;