This page lists previous certifications relating to the now deprecated Open Banking Security Profile.

Please see Security Profile Conformance for current certifications.

Open Banking Security Profile Certifications (version 3 of the OBIE Standard)

The following certifications relate to the OBIE API Specification v3.0 and the Open Banking Security Profile Implementer's Draft v1.1.2. These are based on the OB Conformance Tool v2.0.6 (released 12 Sep 2018).

Open Banking Security Profile Certifications (version 2 of the OBIE Standard)

The following certifications relate to the OBIE API Specification v2.x and the Open Banking Security Profile Implementer's Draft v1.1.2. These are based on the OB Conformance Tool v2.0.x.

ASPSP/Brand	Security Profile Version	Suite Version	Client Authentication Type	Response Type	Date	Submission	#Failed	Notes (including mitigations for any failures)
AIB Group (UK) p.l.c. / First Trust Bank	v1.1.2	v2.0.6	client secret basic	code id_token	18 Sep 2018	Download	0
Bank of Ireland	v1.1.2	v2.0.6	client secret basic	code id_token	26 Nov 2018	Download	0
Barclays								Known issue(s) in current implementation: Failing. Scopes must be returned by the token endpoint. Planned fix and certification date: March 2019 (waiting for vendor upgrade).
Danske	v1.1.2	v2.0.6	client secret post	code id_token	23 Jan 2019	Download
HSBC / Retail Banking and Wealth Management	v1.1.2	v2.0.4	client secret basic	code, code id_token	10 Sep 2018	Download	0
HSBC / Commercial banking	v1.1.2	v2.0.4	client secret basic	code, code id_token	10 Sep 2018	Download	0
HSBC / First Direct Bank	v1.1.2	v2.0.4	client secret basic	code, code id_token	10 Sep 2018	Download	0
HSBC / Marks and Spencer Bank	v1.1.2	v2.0.4	client secret basic	code, code id_token	10 Sep 2018	Download	0
Lloyds Bank								Known issue(s) in current implementation:: When the TPP does not pass the algorithm used to sign the request object, the Key Storage service correctly throws a 400 error but preauth service is not appending the proper error description of invalid request_object. When the consent journey is completed an authorisation code is issued which is valid for 5 mins and should be for one-time use only, i.e., revoked once used. When the redirect URL to consent pre-auth service includes a query parameter the journey breaks, which breaks the consent journey. The fix has been applied to the OIDC API. Planned fix and certification date: 4th Feb 2019
Nationwide								Known issue(s) in current implementation: Failing ob-code-id-token-with-secret-basic-and-matls - Does not support multiple query parameters in the redirect_uri - Fix in October Supports old TLS 1.0 and TLS 1.1 connections. Failing matching-key-in-authorization-request-code-id-token - No screenshots. Failing request-object-signature-algorithm-is-not-none-code-id-token - No screenshots. Planned fix and certification date: TBC
RBS	v1.1.2	v2.0.4	mtls	code, code id_token	14 Dec 2018
Santander	v1.1.2	v2.0.4	client secret basic	code, code id_token	11 Oct 2018	Download
Ping Identity (Platform Vendor)	v1.1.2	v2.0.2	mtls, private key, client secret basic, client secret post	code, code id_token	17 Aug 2018		0	Ping Identity - PSD2 & Open Banking
Authlete (Platform Vendor)	v1.1.2	v2.0.4	mtls	code id_token	29 Aug 2018	Download	0	See https://www.authlete.com/
Ozone (Mock Bank)	v1.1.2	v2.0.6	client secret basic, client secret post, private key	code, code id_token	17 Sep 2018	Download	0	See O3-Ozone
Forgerock (Platform Vendor / Mock Bank)	v1.1.2	v2.0.6	client secret basic, client secret post, private key	code id_token	19 Sep 2018	Download	0	See https://backstage.forgerock.com/knowledge/openbanking/home
Ostia Software Solutions	v1.1.2	v2.0.6	client secret basic	code id_token	16 Jan 2019	Download	0	See: https://www.ostiasolutions.com
WSO2	v1.1.2	v2.0.6	mtls, private key, client secret basic, client secret post	code, code id_token	29 Jan 2019	Download	0	See https://wso2.com/

Key
ASPSP	OP tests
TPP	RP tests
Vendor/TSP	OP and/or RP tests
	Pass with no failures
	One or more failures where there is an agreed (by standards body or regulator) workaround/mitigation
	One or more failures where there is no agreed workaround/mitigation

Open Banking Security Profile Certifications (version 1 of the OBIE Standard)

The following certifications relate to the OBIE API Specification v1.x and the Open Banking Security Profile Implementer's Draft v1.1.x. These are based on the OB Conformance Tool v1.1.x.

ASPSP/Brand	Security Profile Version	Suite Version	Client Authentication Type	Response Type	Date	Submission	#Warning	#Failed	Notes
AIB Group (UK) p.l.c. / First Trust Bank	v1.1.1	v1.1.7	Client secret basic	code id_token	23 Feb 2018	Download	1	0
Bank of Ireland
Barclays	v1.1.1	v1.1.10	client secret basic, client secret post	code	05 Jul 2018	Download	2	2	scope not present in token response -> Agreed with OBIE that it is not a breaking defect · This is a limitation of the current software version for the platform, and will be resolved in the next release.. Error from account request endpoint (406 Error) -> Expected Error because of incorrect values in Headers (Swagger v/s FAPI standards) · We currently check for application/json being present within the headers only as a strict interpretation as per Swagger / OBIE specifications and not to the FAPI standard
Danske
HSBC	v1.1.2	v1.1.11	Client secret basic	code, code id_token	30 Apr 2018	Download	2	0
First Direct Bank	v1.1.2	v1.1.11	Client secret basic	code, code id_token	06 Jun 2018	Download	2
Marks and Spencer Bank	v1.1.2	v1.1.11	Client secret basic	code, code id_token	06 Jun 2018	Download	2
Lloyds Bank	v1.1.1	v1.1.9	Client secret basic, client secret post	code, code id_token	09 Mar 2018	Download	1	1	NB: Platform currently unable to handle query parameters in redirect URI. To be resolved. 1 test still to be run. Non-blocking issue.
Nationwide	v1.1.2	v1.1.9	Client secret basic	code id_token	28 Mar 2018	Download	1	1	NB: Platform currently unable to handle query parameters in redirect URI. Incorrect error returned in response to access token sent as a query parameter. Both issues shortly to be resolved. Platform accepts TLS1.0&1.1 connections due to limitations in customer base.
RBS
Santander	v1.1.1	v1.1.11	client secret basic	code id_token	25 May 2018	Download	1	0
Ozone (Mock Bank)	v1.1.2	v1.1.7	client secret basic, client secret post, private key	code, code id_token	26 Feb 2018	Download	1	0	See O3-Ozone
Forgerock (Platform Vendor and Sandbox Provider)	v1.1.2	v1.1.9	Private key	code, code id_token	09 Mar 2018	Download	1	0	See https://backstage.forgerock.com/knowledge/openbanking/home
Ostia Solutions (Sandbox Provider)	v1.1.2	v1.1.9	Private key	code	02 Mar 2018	Download	0	0	See Ostia Solutions

Key
ASPSP	OP tests
TPP	RP tests
Vendor/TSP	OP and/or RP tests
	Pass with no failures
	One or more failures where there is an agreed (by standards body or regulator) workaround/mitigation
	One or more failures where there is no agreed workaround/mitigation