Implementation Guide: Sainsbury's Bank PLC
This page has been created and maintained by the relevant ASPSP, and OBIE takes no liability for the completeness nor accuracy of this data.
Note to ASPSP: Please indicate which brands this applies to and/or duplicate this page per brand if relevant.
On-boarding
Supports dynamic client registration (Y/N) | Y, currently using OBIE certs only |
---|---|
Instructions for manual on-boarding | Manual on-boarding is not supported, except for eIDAS certificates; see the notes below. |
OIDC .well-known endpoint | Test Facility (aka Sandbox) Production |
Notes on testing | Follow the instructions on the Sandbox page in our developer portal to get started. For all other testing-related support, raise a testing-related request using the email address found under Contact Details on the Support page of our developer portal. Behaviour is as described in the "Dynamic Client Registration" section of the Open Banking Client Registration specification. |
Other on-boarding notes | Dynamic Client Registration follows the OIDC specification: the aud claim in the registration JWT is the token endpoint (access_token) published in the well-known document. Note that this is NOT what the Open Banking specification referenced above states, which has the aud as the OB organisation id. We have raised ticket OBSD-10967 with OBIE, who intend to change their specification to align with OIDC; we will remain OIDC-compliant while OB catches up.
ONLY private_key_jwt is supported for client authentication; client_secret_post and client_secret_basic will result in an error.
The only scopes supported are openid, accounts and fundsconfirmations. Please note that the Sainsbury's Bank fundsconfirmations implementation is not compliant with the OB specification: it mimics the account information flow to avoid PCI DSS issues, so the TPP never supplies the PAN and the customer instead selects the card by its last four digits on the Sainsbury's Bank authorisation screen.
Sainsbury's Bank's preferred support for eIDAS is via the OBIE Directory. TPPs should register their eIDAS certificates with OB; this allows them to use non-ETSI OB certificates in place of their eIDAS certificates when communicating with Sainsbury's Bank. This is referred to as the Open Banking eIDAS Trust Framework. The benefit of this approach is that consents created before the introduction of eIDAS remain valid. Dynamic Registration is ONLY via non-ETSI certificates (OB Transport and OB Signing); on-boarding with eIDAS certificates is manual (contact our support team as stated above). Sainsbury's Bank only supports SSAs signed by OBIE. Note that you will need to do this for BOTH the Sandbox AND Production (this method is not currently supported). The current list of supported QTSPs is as follows:
|
Documentation URL |
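The aud rule above is the detail most likely to break a TPP's first attempt against this ASPSP, and it applies to every JWT the TPP signs for the authorisation server: the registration request JWT this page describes, and the private_key_jwt client assertion that OIDC Core also audiences at the token endpoint. The Go program below is an added example, not Sainsbury's Bank or OBIE code. It reads the token endpoint from a constructed well-known document, builds a PS256 client assertion with that value as aud, and shows the check an authorisation server makes on receipt, rejecting an otherwise valid assertion whose aud is an organisation id. The host name, client id, kid and the generated RSA key are placeholders, and the verifier is a general illustration of the OIDC check, not a description of Sainsbury's Bank's implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Discovery holds the one field of the OIDC well-known document this example uses.
type Discovery struct{ TokenEndpoint string `json:"token_endpoint"` }

// SampleWellKnown is a constructed discovery document; the host is a placeholder, not a Sainsbury's Bank endpoint.
const SampleWellKnown = `{"issuer":"https://as.example.test/sso/oauth2",` +
	`"token_endpoint":"https://as.example.test/sso/oauth2/access_token"}`

// PS256 (RFC 7518) fixes the PSS salt length to the hash length.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ClientAssertion is the TPP side of private_key_jwt: a PS256 compact JWS whose aud
// must be disc.TokenEndpoint, as this page requires, not the OB organisation id.
// aud is a parameter only so that the verifier can be shown rejecting the wrong one.
func ClientAssertion(clientID, aud string, key *rsa.PrivateKey, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": "example-kid"})
	jti := make([]byte, 16) // one-time id so the server can refuse replays
	rand.Read(jti)          // crypto/rand; cannot fail on Go 1.24+
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": aud, "jti": b64(jti),
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyClientAssertion is the server side: alg pinned to PS256 rather than taken from the
// header, signature checked under the registered key, aud compared with the server's own
// token endpoint, iss and sub compared with client_id, exp checked against the clock.
func VerifyClientAssertion(token string, disc Discovery, clientID string, pub *rsa.PublicKey, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if decodeSegment(parts[0], &hdr) != nil || hdr.Alg != "PS256" {
		return fmt.Errorf("alg %q not accepted (only PS256)", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts) != nil {
		return fmt.Errorf("signature does not verify under the registered key")
	}
	var c struct {
		Iss string `json:"iss"`
		Sub string `json:"sub"`
		Aud string `json:"aud"`
		Exp int64  `json:"exp"`
	}
	if err := decodeSegment(parts[1], &c); err != nil {
		return err
	}
	if c.Aud != disc.TokenEndpoint {
		return fmt.Errorf("aud %q is not the token endpoint %q", c.Aud, disc.TokenEndpoint)
	}
	if c.Iss != clientID || c.Sub != clientID || !now.Before(time.Unix(c.Exp, 0)) {
		return fmt.Errorf("iss/sub do not match client_id, or assertion expired")
	}
	return nil
}

func main() {
	var disc Discovery
	json.Unmarshal([]byte(SampleWellKnown), &disc)
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	good, _ := ClientAssertion("tpp-client-id", disc.TokenEndpoint, key, now)
	bad, _ := ClientAssertion("tpp-client-id", "OB-ORG-ID-PLACEHOLDER", key, now) // the aud the OB spec text implied
	fmt.Println("token-endpoint aud:", VerifyClientAssertion(good, disc, "tpp-client-id", &key.PublicKey, now))
	fmt.Println("orgId aud:", VerifyClientAssertion(bad, disc, "tpp-client-id", &key.PublicKey, now))
}
```

Two points in the verifier are deliberate: the accepted algorithm is pinned in code rather than read from the header, so neither `none` nor an HMAC alg can be substituted, and the aud comparison is against the server's own token endpoint string, which is why a TPP that audiences the JWT at an organisation id gets an error from an OIDC-compliant server even though its signature is good.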
Account Information API
Swagger version | 3.1 |
---|---|
Base URI | Test Facility (aka Sandbox) https://tsob.sainsburysbank.co.uk/open-banking/v3.1/aisp Production |
General variances to specification | Only the following permissions are supported: ReadAccountsBasic, ReadAccountsDetail, ReadBalances, ReadTransactionsBasic, ReadTransactionsCredits, ReadTransactionsDebits, ReadTransactionsDetail. If the TPP requests any others, POST /account-access-consents will fail with 400 Bad Request, with details of the requested permissions that are not supported. Transactions - Credit card transactions are only available for the last six months; a request for an earlier period will result in the past six months being returned rather than an error. Pagination - Sainsbury's Bank does not currently split response messages into pages (pagination); a single response of up to 10MB is returned. If, in rare circumstances, you receive an exception after requesting a large set of data, request the data as a series of narrower date ranges instead. |
API Call Limits - If Sainsbury's Bank receives more than four requests for data from a third party within a 24-hour period where the customer is not present, we will process the requests on the understanding that the third party (AISP) has obtained the customer's consent to request data more frequently. Re-authentication - Periodically (e.g. once every 90 days) customers will need to re-confirm that we are permitted to share their data with third parties. This involves creating a new intent and the customer confirming it. Bulk Endpoints - Sainsbury's Bank does not support the bulk endpoints for account resources at this time. Optional Fields - Sainsbury's Bank will only return mandatory fields, with the exception of name, ahead of the 3.1.1 release. |
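The permission list, the six-month credit-card window and the no-pagination/10MB note above amount to three client-side checks a TPP should make around the consent and transactions calls. The Go program below is an added example, not Sainsbury's Bank or OBIE code: it rejects unsupported permissions locally before the consent is created, flags a date range that the ASPSP will silently cut to six months so the caller does not mistake a truncated response for a complete one, and, on the oversize-response exception the page mentions, retries as a series of narrower date ranges by bisecting on day boundaries. The transactions call is a constructed stand-in (FakeFetch) that returns one synthetic id per day and fails beyond a configurable range; the error type and the bisection strategy are this example's choices, not behaviour documented by the page.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// SupportedPermissions is the set this page says POST /account-access-consents accepts.
var SupportedPermissions = map[string]bool{
	"ReadAccountsBasic": true, "ReadAccountsDetail": true, "ReadBalances": true,
	"ReadTransactionsBasic": true, "ReadTransactionsCredits": true,
	"ReadTransactionsDebits": true, "ReadTransactionsDetail": true,
}

// UnsupportedPermissions returns the requested permissions the ASPSP would reject
// with 400 Bad Request, so the TPP can fail locally before creating a consent.
func UnsupportedPermissions(requested []string) []string {
	var bad []string
	for _, p := range requested {
		if !SupportedPermissions[p] {
			bad = append(bad, p)
		}
	}
	return bad
}

// TransactionWindow applies the six-month credit-card rule. It returns the range the
// ASPSP will actually serve and whether the request was cut short, because the ASPSP
// returns the past six months rather than an error when asked for more.
func TransactionWindow(from, to, now time.Time) (time.Time, time.Time, bool) {
	earliest := now.AddDate(0, -6, 0)
	if from.Before(earliest) {
		return earliest, to, true
	}
	return from, to, false
}

// ErrResponseTooLarge stands in for the exception the page says a large result may
// produce (no pagination; responses are capped at 10MB).
var ErrResponseTooLarge = errors.New("response exceeds the 10MB limit")

// Fetch is the shape of a transactions call over a half-open [from, to) range.
type Fetch func(from, to time.Time) ([]string, error)

// FetchNarrowing follows the page's advice: on a too-large response, retry as a
// series of narrower date ranges, bisecting on day boundaries until each piece fits.
func FetchNarrowing(from, to time.Time, fetch Fetch) ([]string, error) {
	out, err := fetch(from, to)
	if err == nil || !errors.Is(err, ErrResponseTooLarge) {
		return out, err
	}
	days := int(to.Sub(from).Hours() / 24)
	if days < 2 {
		return nil, fmt.Errorf("range from %s cannot be narrowed further: %w", from.Format("2006-01-02"), err)
	}
	mid := from.AddDate(0, 0, days/2)
	left, err := FetchNarrowing(from, mid, fetch)
	if err != nil {
		return nil, err
	}
	right, err := FetchNarrowing(mid, to, fetch)
	if err != nil {
		return nil, err
	}
	return append(left, right...), nil
}

// FakeFetch is a constructed stand-in for GET /accounts/{AccountId}/transactions: one
// synthetic id per day, and ErrResponseTooLarge for ranges longer than maxDays, so the
// narrowing logic can be exercised offline.
func FakeFetch(maxDays int) Fetch {
	return func(from, to time.Time) ([]string, error) {
		if int(to.Sub(from).Hours()/24) > maxDays {
			return nil, ErrResponseTooLarge
		}
		var ids []string
		for d := from; d.Before(to); d = d.AddDate(0, 0, 1) {
			ids = append(ids, "txn-"+d.Format("2006-01-02"))
		}
		return ids, nil
	}
}

func main() {
	fmt.Println("rejected:", UnsupportedPermissions([]string{"ReadBalances", "ReadDirectDebits"}))
	now := time.Date(2020, 7, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a reproducible run
	from, to, cut := TransactionWindow(now.AddDate(-1, 0, 0), now, now)
	fmt.Printf("served %s to %s, truncated=%v\n", from.Format("2006-01-02"), to.Format("2006-01-02"), cut)
	ids, err := FetchNarrowing(from, to, FakeFetch(45))
	fmt.Println("transactions:", len(ids), "err:", err)
}
```

Bisecting on whole days matters: splitting at an arbitrary instant would put the same day in two adjacent sub-ranges and duplicate its transactions in the merged result. The bottom of the recursion also surfaces an error rather than looping, since a single day the ASPSP cannot return in 10MB is not something a narrower date range can fix.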
Ref | Area | Field | Available (Y/N) | Exception/Notes (inc details on classification codes, field limits, and field formats) |
---|---|---|---|---|
Endpoint 1 | POST /open-banking/v3.1/aisp/account-access-consents | - | Y | Mandatory API Endpoint available |
Endpoint 2 | GET /open-banking/v3.1/aisp/account-access-consents/{ConsentId} | - | Y | Optional API Endpoint available |
Endpoint 3 | DELETE /open-banking/v3.1/aisp/account-access-consents/{ConsentId} | - | Y | Mandatory API Endpoint available |
Endpoint 4 | GET /open-banking/v3.1/aisp/accounts | - | Y | Mandatory API Endpoint available |
Endpoint 5 | GET /open-banking/v3.1/aisp/accounts/{AccountId} | - | Y | Mandatory API Endpoint available |
Endpoint 6 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/balances | - | Y | Mandatory API Endpoint available |
Endpoint 7 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/beneficiaries | - | N | Mandatory API Endpoint not available |
Endpoint 8 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/direct-debits | - | N | Mandatory API Endpoint not available |
Endpoint 9 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/product | - | N | Conditional API Endpoint not available |
Endpoint 10 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/standing-orders | - | N | Conditional API Endpoint not available |
Endpoint 11 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/transactions | - | Y | Mandatory API Endpoint available. Notes - see the Known Issues section below (transaction filtering by date). |
Endpoint 12 | GET /open-banking/v3.1/aisp/balances | - | N | Optional API Endpoint not available |
Endpoint 13 | GET /open-banking/v3.1/aisp/beneficiaries | - | N | Optional API Endpoint not available |
Endpoint 14 | GET /open-banking/v3.1/aisp/direct-debits | - | N | Optional API Endpoint not available |
Endpoint 15 | GET /open-banking/v3.1/aisp/products | - | N | Optional API Endpoint not available |
Endpoint 16 | GET /open-banking/v3.1/aisp/standing-orders | - | N | Optional API Endpoint not available |
Endpoint 17 | GET /open-banking/v3.1/aisp/transactions | - | N | Optional API Endpoint not available |
Endpoint 18 | Dynamic Client Registration: Test Facility (aka Sandbox) POST https://tsob.sainsburysbank.co.uk/sso/oauth2/realms/root/realms/general/register Production POST https://ob.sainsburysbank.co.uk/sso/oauth2/realms/root/realms/general/register | - | Y | Optional API Endpoint available |
Funds Confirmation API
Swagger version | 1.0.0 |
---|---|
Base URI | Test Facility (aka Sandbox) https://tsob.sainsburysbank.co.uk/open-banking/v1.0.0/cbpii (TBC availability) Production https://ob.sainsburysbank.co.uk/open-banking/v1.0.0/cbpii available |
General variances to specification | Note that the consent endpoints ARE NOT the OB ones: they mimic the account information consent endpoints so that the TPP never passes a PAN. POST /funds-confirmations, however, is the same as v3.1 of the OB specification but uses the same versioning as the rest of the SB API for consistency. |
Currently GET /funds-confirm-consents/{ConsentId} and DELETE /funds-confirm-consents/{ConsentId} return 422; we will look to implement these as soon as possible. |
Ref | Area | Field | Available (Y/N) | Exception/Notes (inc details on classification codes, field limits, and field formats) |
---|---|---|---|---|
Endpoint 1 | POST /open-banking/v1.0.0/cbpii/funds-confirm-consents | - | Y | Note that this resembles the account information consent rather than the OB CBPII consent (hence the difference in name): no account (PAN) is included in this call; the account is bound to the consent by the customer on the Sainsbury's Bank authentication pages, as for account information. See the developer portal for the Open API specification. |
Endpoint 2 | GET /open-banking/v1.0.0/cbpii/funds-confirm-consents/{ConsentId} | - | Y | Note that this resembles the account information consent rather than the OB CBPII consent (hence the difference in name): it returns the details of the consent, not the cardholder name and last four digits that the OB specification returns. See the developer portal for the Open API specification. |
Endpoint 3 | DELETE /open-banking/v1.0.0/cbpii/funds-confirm-consents/{ConsentId} | - | Y | See the developer portal for the Open API specification. |
Endpoint 4 | POST /open-banking/v1.0.0/cbpii/funds-confirmations | - | Y | Mandatory API Endpoint available |
Known Issues
We are aware of a number of issues and are working to resolve them.
General Issues
Issue | Description |
---|---|
Internet Explorer Incompatibility | There is a known issue that prevents successful authentication when using Internet Explorer (tested on versions 10 and 11). Until this issue is resolved please use another browser (Chrome, Edge, Firefox and Safari are supported). |
Access Token | Currently there is an issue with existing consents that results in a 500 (key not found). This will be fixed in our July release; new consents are not impacted. |
API Issues
Issue | Description |
---|---|
Transaction Filtering by Date | Transaction filtering by date may not work in all cases. |
Account access consents | The mandatory field StatusUpdateDateTime is missing from the response. |