Santander UK PLC

OB Standards

This Section applies to ASPSPs that have implemented OB Standards

Have you Implemented OB Standards?
  • Yes
  • No

Open Data - Which version have you Implemented?
  • None
  • V2.2
  • V2.3
  • V2.4

Read/Write API Specification Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  • V3.0
  • V3.1
  • V3.1.1
  • V3.1.2
  • V3.1.3
  • V3.1.4
  • V3.1.5
  • V3.1.6
  • V3.1.7
  • V3.1.8
  • V3.1.9
  • V3.1.10

Read/Write API - Which date are you planning to implement your latest version?

PIS V3.1.10 End October 2022

Note: Any TPP subscribed to PIS v3.1.9 will be automatically upgraded to PIS v3.1.10 at the end of October

Dynamic Client Registration - Which version have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  • None
  • V3.1
  • V3.2
  • V3.3
Dynamic registration implementation is in progress. Date TBC

DCR - Which date are you planning to implement your latest version?

TBC

Have you implemented Trusted beneficiaries, if not date planned to Implement?

  • Already Implemented
  • Planning to implement
  • Not planning to implement 

Have you implemented Reverse Payments, if not date planned to Implement?

  • Already Implemented
  • Planning to implement
  • Not planning to implement 

Have you implemented ECA Standard?

  • Already Implemented
  • Planning to implement
  • Not planning to implement 

ECA Implementation details

N/A


Have you implemented Bulk/File Payments?

  • Already Implemented
  • Planning to implement
  • Not planning to implement 

Have you implemented VRP – Sweeping, if not date planned to Implement?

  • Already Implemented
  • Planning to implement
  • Not planning to implement 
Sweeping MRO now complete and exit criteria met. PIS v3.1.9 which includes Sweeping now open to all TPPs to subscribe

Have you implemented VRP non-Sweeping, if not date planned to Implement?

  • Already Implemented
  • Planning to implement
  • Not planning to implement 

Plans still to be determined on VRP post Sweeping go live and 3.1.10 90 day changes - will be subject to individual TPP/ASPSP contracts

PISP - Single Payment Limit

£25,000 Retail

£100,000 Business

£250,000 Corporate

Standard FP limits can be found here - https://www.fasterpayments.org.uk/about-us/personal-transaction

PISP - Daily Payment Limit

£100,000 Retail

Business & Corp - No Limit

Standard FP limits can be found here - https://www.fasterpayments.org.uk/about-us/personal-transaction

How many months of transactions do you provide?

24 months

Are you planning to implement TRIs (Transactional Risk Indicator enhancements included in v3.1.10), if so, implementation date?

Yes - End November

What is your approach to Implementing TRIs?
  • Accept payload with TRI fields – Process all fields
  • Accept payload with TRI fields – Ignore all fields
  • Reject payload with TRI fields – Error back to TPP
  • Accept payload with TRI fields – Process few fields (Provide list of accepted fields)  

SCA-RTS 90-day reauth Implementation

Which date are you planning on implementing the SCA reauthentication exemption?

As of 23/06 our refresh token will have a 2 year expiry and we will not enforce re-auth from this point.

What is your approach to token management to enable application of the reauthentication exemption? (see link to FCA guidance)

We have recently published our approach to supporting the 90 day Re-auth RTS Changes and FAQs to guide TPPs' preparations

Santander | Approach to 90 Day Re-auth realignment under 3.1.10


The following briefing outlines the approach that Santander UK is taking to assist in the changes to Open Banking Re-Authorisations as a result of the OBIE 3.1.10 Instructions. We have also created some FAQs to answer the different use cases and situations TPPs may find themselves in, depending on their own preparations for the changed processes. We hope we have been able to come up with a flexible approach which puts the TPP in control of the transition, and we will be able to support you if you are ready straight away, or if you need more time to complete your changes ahead of the 30th September cut-off date.


Currently Santander UK issues AIS Refresh tokens to TPPs which come with a 1 Year expiry date, from the point of creation of the initial consent, and has previously carried out an annual refresh to extend these tokens for an additional year. (The last refresh exercise was completed in July 2021.)


We are proposing to complete another annual refresh of these tokens from 13th – 23rd June. This means that any TPP that calls for data with a current refresh token during that time period, will be given a new refresh token to use. We have extended the length of this token to 2 years. For example, a token that is refreshed on 20th June 2022, will have an expiry date of 19th June 2024. We therefore strongly recommend that you call for data at least once during the refresh period, to extend the life of all of your refresh tokens.


Question – Why are Santander not issuing unlimited Refresh Tokens at this time?
Answer – Santander is currently in the process of planning a re-platforming of our Open Banking solution from On-Prem to a Cloud based solution. This is expected to take 6-12 months to plan and implement; at that time existing consents and tokens will need to be re-issued. Current tokens will therefore last for the remaining expected life of our On-Prem solution.


Question – If as a TPP I call for data multiple times during the refresh window (13th to 23rd June 2022) what happens?
Answer – Each time you call during this refresh window, a new token will be issued, and replace the old refresh token – the last call you make during that window will therefore be the last token you should use going forward.


Question – What happens if I do not call for data during the refresh window (13th to 23rd June 2022)?
Answer – Your existing refresh token will not be updated and will therefore expire based on its current expiry date. After expiry, you will receive error messages 401 and data will not be shared for that customer. We therefore recommend that you ensure all refresh tokens are active during the Refresh Window, to give you the maximum length of life.


Question – What happens for a new Token associated to a new Customer Consent?
Answer – From 13th June, for any new consent set up, you will be issued with a new refresh token valid for 2 years from date of issue.


Question – What happens if we set an expiry date within a Consent?
Answer – Your RT will expire on the date set within the Consent as it would today and subsequently would require a brand new Consent. To take advantage of the extended RT you will need to set up a Consent without an expiry date.


90 Day Re-Authorisation

From 13th June, you will now effectively be in charge of Re-authorisations for Santander customers, and whether you need to redirect customers to Santander for an SCA or not. Santander will not enforce the Re-auth journey from this point onwards and we are extending the application of the re-auth exemption for an extended period up to 30th September to allow you time to make your changes. (In the cases where a customer has revoked consent via our consent dashboard and wishes to re-authorise the original consent – that journey will remain unchanged.)


Question – I am a TPP and we are not yet ready to support the 90-day re-auth changes by 13th June?
Answer – If you are not ready, please continue to use your current 90-day re-auth journey process with the SCA handoff to Santander, which will still be available for you to use. Santander will not force the re-auth journey during this time.


Question – I am a TPP and we are ready to support the 90-day re-auth changes by 13th June?
Answer – If you are ready, please follow your revised process for TPP only Re-auth, and there is no need from this point to hand off to Santander or inform us of the Re-Auth switch. Santander will not reinforce the re-auth journey as the new rules effectively apply.


Question – Are Santander planning to communicate these changes to Customers?
Answer – No. With 150+ TPPs connected to us for AIS services we have seen that there are various states of readiness across the TPP community, and we have decided to let each TPP control the messages/narrative and timelines in these changes. With the above arrangements we have tried to give you the widest possible amount of time and flexibility to complete the transition.


Question – Will I be able to test with the Sandbox environment?
Answer – No, the sandbox issues a new consent with each test/visit and will not support this one-off transition as outlined above.


Question – If I have questions or need support with the Santander solution where can I go?
Answer – If we haven’t answered your questions with the above, please feel free to contact Santander via a Salesforce ticket, and we will be happy to support you with any queries you may have.

Article 10A - Endpoints exempt of SCA-RTS
  • Accounts

  • Transactions (90 days)

  • Balances

  • Standing orders

  • Direct debits

  • Beneficiaries

  • Products

  • Offers

  • Parties

  • Scheduled Payments

  • Statements


Article 10A - Endpoints not exempt of SCA-RTS
  • Transactions (more than 90 days)

  • Standing orders

  • Direct debits

  • Beneficiaries

  • Products

  • Offers

  • Parties

  • Scheduled Payments

  • Statements


Article 10A - Maximum time period after authentication

Access Token - 10 mins

Refresh Token - 2 years currently, will move to long-lived once platform transition complete in 2023

Please specify the time period in minutes
SCA-RTS implementation status (updated by OBIE PS team only)

IMPLEMENTED


Security Profile


Which Security profile have you Implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  • OB Security Profile (Legacy)
  • FAPI
  • Other (Please define) 

Security Profile - Next Planned Version Implementation Date

FAPI - August 2021

CIBA Profile - Implemented or planning to implement

(Lowest version = Current, Highest version = Planned)

  • None
  • CIBA
  • CIBA FAPI Profile

CIBA Profile - Next Planned Version Implementation Date
 N/A

Security Profile Certification date?
 N/A

Token Endpoint Authentication Methods Supported
  • client_secret_post
  • client_secret_basic
  • client_secret_jwt
  • tls_client_auth
  • private_key_jwt

To support tls_client_auth once FAPI compliant (August 2021).

Planned date to Cease support for client id and client secret token endpoint authentication

August 2021


POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
  • eIDAS QWAC
  • eIDAS QSealC
  • OB legacy (obtransport, obsigning)
  • OBWAC
  • OBSeal
  • Other (Please define) 


Customer Journey

What is your approach to Implementing OBIE Customer Experience Guidelines (CEG)?

(tick all that apply)

  • Already Implemented
  • Planning to implement or upgrade
  • Not planning to implement CEG
Santander designs are looking to adhere to CEG but are also accounting for other regulatory commitments that fit outside of the CEG

Which version have you implemented or planning to implement?

(Lowest version = Current, Highest version = Planned)

  • V3.1.2
  • V3.1.3
  • V3.1.4
  • V3.1.5
  • V3.1.6
  • V3.1.7
  • V3.1.8
  • V3.1.9
  • V3.1.10

Which date are you planning to implement your latest CEG version?

TBC

Redirection Model
  • App to App redirection
  • Decoupled authentication
  • Embedded Flow
  • Bespoke User Journeys

PSD2

Which Directory are you using as your Trust Framework?

Open Banking

Are you caching the Directory?

Yes

Transaction IDs Supported

Option 1 Supported

ALL Accounts (including Credit Cards) - Live

ASPSPs provide a Unique, Immutable TransactionID from their core system

Are you enrolled to Dispute Management System?

  • Yes
  • No

Are you Seeking Fallback Exemption?

  • Yes
  • No


Article 10 - Maximum time period after authentication

90 days

See above for details of the transition plans for the recent FCA changes to the RTS/Article 10 and what TPPs need to do to prepare.

Article 10 - Endpoints exempt of SCA

Accounts, Balances, Transactions, Beneficiaries, Direct Debits, Standing Orders, Products, Offers, Parties, Scheduled Payments, Statements

We are continuing to allow Customer non present access to these data endpoints as long as a valid consent token exists.
Major Milestones




Brand(s)

Santander

Cahoot


ASPSP Dev Portal and Contact Details

Location of Well Known Endpoints

OB Technical Directory

Modified Customer Interface URL (if applicable)



Dev Portal URL

https://developer.santander.co.uk


Test Facility URL

https://sandbox-developer.santander.co.uk/sanuk/external-sandbox/

Brand Landing Pages URL

ASPSP Support Desk Email or Phone Number

(including queries about consent success rates) 

Business/Technical: openbankingAPI@santander.co.uk
Key Implementations
Error Codes

High Cost Credit

Santander - HCC.xlsx

The customer balance including the overdraft will be sent in the JSON file as type 'InterimAvailable'. The remaining overdraft will be returned to TPPs in the JSON file as a creditline item and mapped as follows:

OBCreditLine1

OBReadBalance1/Data/Balance/CreditLine/Included - this item will be set to "false".

OBReadBalance1/Data/Balance/CreditLine/Type - set to "Available"

OBReadBalance1/Data/Balance/CreditLine/Amount/Amount - set to the amount of the Overdraft Remaining

OBReadBalance1/Data/Balance/CreditLine/Amount/Currency - set to the currency code of the account balance

The creditline items for Pre-Agreed will remain as is but the item OBReadBalance1/Data/Balance/CreditLine/Included will be set to "false"