Implementation Guide: Vanquis Bank

Announcements

Improvement
Delivery date

Production API available for integration. For more information on how to integrate with our API or to access test accounts please contact openbankingsupport@vanquisbank.co.uk

 
eIDAS certificates are now supported in our Test facility 
eIDAS certificates are now supported in Production 
Implemented Payment Initiation APIs v3.1.7 
Implemented Account Information Service APIs v3.1.8

Implemented SCA-RTC v3.1.10

Change to Production:

Improvement
Delivery date

Production API available for integration. For more information on how to integrate with our API or to access test accounts please contact openbankingsupport@vanquisbank.co.uk

 
New internally-hosted test facility available which provides closer alignment to production interface 
Allowed AISP to send expiration date in the account access consent call. 
  • As part of v3.1.10 Implementation, Vanquis will introduced a long lived refresh token of 60 years.
  • Consent will not be expire and if the consent is revoked then need to create new consent.
  • AISP/CBPII/PISP consents created after implementation of v3.1.10 will no longer require re-authentication every 90 days. The new rules in place will ask for customer reconfirmation with the TPP not ASPSP.
  • Consents issued and authorised before v3.1.10 implementation will remain valid for 90 days.
  • There are no changes to Vanquis current implementation of Access Tokens. Third parties should continue to pass OAuth credentials in a Get Access Token call.  In response, the Vanquis authorisation server issues an access token, reuse the access token until it expires. When it expires, you can get a new token.

Production and Test facility Full interface Specifications

General guidance notes:

  • For guidance on detailed documentation of the Read/Write Data API specifications please visit the appropriate section on the Open Banking Developer Zone
  • We are currently supporting version 3.1.10 for AISP, CBPII and PISP specifications of the Open Banking Standard
  • App-to-app redirection is only supported in Production not in the test facility.
  • This is reflective of the current state of Vanquis' payment service operations.
  • For all related implementation support please contact openbankingsupport@vanquisbank.co.uk
  • Dynamic Client Registration is enabled and is mandatory
  • Supported endpoint token methods: private_key_jwt
  • Supported grant types: client_credentials & authorisation_code
  • Display of data IDs (e.g. transactionid & statementid) in REST responses is enabled
  • The Open API test facility should not be used for load testing


This page has been created and maintained by the relevant ASPSP, and OBIE takes no liability for the completeness nor accuracy of this data.

Note to ASPSP: Please indicate which brands this applies to and/or duplicate this page per brand if relevant.


ASPSPVanquis Bank
BrandVanquis Bank
Date13/09/2019
Developer portal (s)

https://www.vanquis.co.uk/developer-portal


On-boarding

Supports dynamic client registration (Y/N)Yes
Instructions for manual onboardingManual on-boarding is not supported.
OIDC .well-known endpoint

Production: https://auth.openbanking.vanquis.co.uk/.well-known/openid-configuration

Test facility: https://sandbox.auth.openbanking.vanquis.co.uk/.well-known/openid-configuration

Notes on testing

Test accounts available via openbankingsupport@vanquisbank.co.uk

Other on-boarding notes

TPP's can on-board with us either directly using eIDAS certificates or using Open Banking UK Eco-system. Please follow the details below:

On-boarding via Open Banking U.K. Eco-system

  1. Register/Enroll with Open Banking
  2. Submit Software Statement Assertion to Client Registration endpoint:
    1. Productionhttps://mtls.auth.openbanking.vanquis.co.uk/connect/register
    2. Test facilityhttps://sandbox.mtls.auth.openbanking.vanquis.co.uk/connect/register
  3. Follow the instructions on https://www.vanquis.co.uk/developer-portal for help to get started.  

On-boarding Directly using eIDAS certificates

Please follow the detailed guide below

 

Documentation URL


Implementation Guide: Vanquis Bank

Tips/Notes for TPP's

Based on the recent TPP queries the following section should help third parties to connect with Vanquis Bank Open banking system.

  • For client registration we only support PS256 algorithm and NOT RS256.
  • The "aud" value varies depending on the call during the dynamic client registration and Consent flows as given in the table below.
Step

Purpose

HTTP Type

Request Url

Request Body Format

Aud value in the request Body

Expected Response

Reference Documentation or Specification

Register Client

On boarding journey for Dynamic Client Registration i.e. Register a TPP Client with Vanquis Bank

Post

Production: https://mtls.auth.openbanking.vanquis.co.uk/connect/register

Test facility: https://sandbox.mtls.auth.openbanking.vanquis.co.uk/connect/register

application/jwt

0015800001ZEc2PAAT (For NON eIDAS Registrations)

PSDGB-FCA-221156  (For eIDAS Registrations)

As per Open banking specification of security profile V3.1

https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937066600/Dynamic+Client+Registration+-+v3.1

Get Access Token

Access token for

  1. Creating Consents
  2. Exchange authorization code for Data Access Token

Post

Production: https://mtls.auth.openbanking.vanquis.co.uk/connect/token

Test facility: https://sandbox.mtls.auth.openbanking.vanquis.co.uk/connect/token

X-www-form-urlencoded

Production: https://mtls.auth.openbanking.vanquis.co.uk/connect/token

Test facility: https://sandbox.mtls.auth.openbanking.vanquis.co.uk/connect/token

JWT

https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

and

https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests

Get PSU Consent

Request to redirect to Login and Consent Page in order to gain PSU consents

Get

Productionhttps://auth.openbanking.vanquis.co.uk/connect/authorize

Test facilityhttps://sandbox.auth.openbanking.vanquis.co.uk/connect/authorize

Url/Query String

Production:  https://auth.openbanking.vanquis.co.uk

Test facility:  https://sandbox.auth.openbanking.vanquis.co.uk

Authorization Code

https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthorizationEndpoint

  • "ReadAccountsBasic" is a Mandatory permission to access the accounts data even when the "ReadAccountsDetail" permission is requested.
  • "ReadTransactionsBasic" is a Mandatory permission to access the transaction data even when the "ReadTransactionsDetail" permission is requested.
  • "ReadStatementsBasic" is a Mandatory permission to access the statement data even when the "ReadStatementsDetail" permission is requested.
  • "ReadProducts" permission is NOT supported. API calls will fail if this is included in the request.
  • Transaction date range CAN NOT be in the future to access the transactions data. We only expose the last 6 months worth of transactions data.
  • Clients requesting data via MTLS end points for Sandbox (i.e. Test facility) environment should pass Client Certificates issued by Open banking Pre-production Issuer and CA.
  • Clients requesting data via MTLS end points for Production environment should pass Client Certificates issued by Open banking Production Issuer and CA.

Please note that we are continuously improving API's based on feedback, For feedback or further information please contact openbankingsupport@vanquisbank.co.uk

Our Certifications

Title

Description
Open ID (Security Conformance)
Open Banking UK (Functional Conformance)Functional Conformance

Test Account details


Account and Transaction API

Note to ASPSP: Please add a column per brand if relevant

Swagger version

We currently support version 3.1

See JSON version: https://raw.githubusercontent.com/OpenBankingUK/read-write-api-specs/v3.1.0/dist/account-info-swagger.json

See YAML version: https://raw.githubusercontent.com/OpenBankingUK/read-write-api-specs/v3.1.0/dist/account-info-swagger.yaml

Base URI

Production: https://mtls.data.openbanking.vanquis.co.uk/open-banking/v3.1/aisp/

Test facility: https://sandbox.mtls.data.openbanking.vanquis.co.uk/open-banking/v3.1/aisp/

General variances to specification Please see above "Tips/Notes for TPP's" section
Non-functional limitations
  • Live environment hence unsuitable for load testing
  • Transaction History - We support 6 months transaction history
  • Pagination - We do not support pagination
  • Re-authentication/Authorization - Access token lifetime is 10 minutes
  • Refresh tokens are supported, lifetime is 60years


The following endpoints are implemented and will return data where applicable

RefResourceEndpointsNotes
1Account Access Consents
  • POST /account-access-consents
  • GET /account-access-consents/{ConsentId}
  • DELETE /account-access-consents/{ConsentId}

Supported permissions are:

  • ReadAccountsBasic
  • ReadAccountsDetail
  • ReadBalances
  • ReadOffers
  • ReadStatementsBasic
  • ReadStatementsDetail
  • ReadTransactionsBasic
  • ReadTransactionsCredits
  • ReadTransactionsDebits
  • ReadTransactionsDetail

If requests are made, including non-supported permissions, the request will fail

2Accounts
  • GET /accounts
  • GET /accounts/{AccountId}

Example

Production: GET https://mtls.data.openbanking.vanquis.co.uk/open-banking/v3.1/aisp/accounts

Test facility: GET https://sandbox.mtls.data.openbanking.vanquis.co.uk/open-banking/v3.1/aisp/accounts

  • GET/accounts command is always required as first call to generate AccountId
3Balances
  • GET /accounts/{AccountId}/balances
  • GET /balances

 4Transactions
  • GET /accounts/{AccountId}/transactions
  • GET /transactions

 5Offers
  • GET /accounts/{AccountId}/offers
  • GET /offers

 6Statements
  • GET /accounts/{AccountId}/statements
  • GET /accounts/{AccountId}/statements/{StatementId}
  • GET /accounts/{AccountId}/statements/{StatementId}/transactions
  • GET /statements


The following table highlights endpoints which will return '404 resource not found'

Ref ResourceEndpointsNotes 
1Products
  • GET /accounts/{AccountId}/product
  • GET /products

2Party
  • GET /accounts/{AccountId}/party
  • GET /party

3

Beneficiaries

  • GET /accounts/{AccountId}/beneficiaries
  • GET /beneficiaries

4Direct Debits
  • GET /accounts/{AccountId}/direct-debits
  • GET /direct-debits

5Standing-orders
  • GET /accounts/{AccountId}/standing-orders
  • GET /standing-orders

6Scheduled payments
  • GET /accounts/{AccountId}/scheduled-payments
  • GET /scheduled-payments

7Statements
  • GET /accounts/{AccountId}/statements/{StatementId}/file
  • All other statements endpoints are implemented, only statement/file is not implemented.

Confirmation of Availability of Funds

The following endpoints are implemented and will return data where applicable

RefResourceEndpointsNotes
1Funds Confirmation Consent
  • POST /funds-confirmation-consents
  • GET /funds-confirmation-consents/{ConsentId}
  • DELETE /funds-confirmation-consents/{ConsentId}

Example

Production: POST https://mtls.data.openbanking.vanquis.co.uk/open-banking/v3.1/cbpii/funds-confirmation-consents

Test facility: POST https://sandbox.mtls.data.openbanking.vanquis.co.uk/open-banking/v3.1/cbpii/funds-confirmation-consents

  • Please note full 16 Digits PAN will be required to gain the consent successfully.
 2Funds Confirmation POST /funds-confirmations


Payment Initiation API

Swagger version

We currently support v.3.1.7

See JSON version: TBA

See YAML version: TBA

Base URI

Production: https://mtls.data.openbanking.vanquis.co.uk/open-banking/v3.1.7/pisp/domestic-payments/

Test facility: https://sandbox.mtls.data.openbanking.vanquis.co.uk/open-banking/v3.1.7/pisp/domestic-payments/

General variances to specification None
Non-functional limitations
  • Environment not suitable for load testing

The following endpoints are implemented and will return data where applicable

RefResourceEndpointsNotes 
1Domestic Payments
  • POST /domestic-payment-consents
  • GET /domestic-payment-consents/{ConsentId}
  • GET /domestic-payment-consents/{ConsentId}/funds-confirmation
  • POST /domestic-payments
  • GET /domestic-payments/{DomesticPaymentId}
  • We offer Money Transfers and Balance Transfers functionality via Payment Initiation APIs.
  • OBDomestic2.LocalInstrument field in consent request and payment request is Mandatory. It must be either "UK.OBIE.MoneyTransfer" or "UK.OBIE.BalanceTransfer".
  • For Balance Transfer requests CreditorAccount.SecondaryIdentification is Mandatory. This must be the expiry date of the beneficiary card and must be in the format of MMYY e.g. March 2023 will be 0323.
  • The amount for Money/Balance Transfers must be GBP 100.00 or higher

The following table highlights endpoints which will return '404 resource not found'

Ref ResourceEndpointsNotes 
1Domestic Scheduled Payments
  • POST /domestic-scheduled-payment-consents
  • GET /domestic-scheduled-payment-consents/{ConsentId}
  • POST /domestic-scheduled-payments
  • GET /domestic-scheduled-payments/{DomesticScheduledPaymentId}

2Domestic Standing Orders
  • POST /domestic-standing-order-consents
  • GET /domestic-standing-order-consents/{ConsentId}
  • POST /domestic-standing-orders
  • GET /domestic-standing-orders/{DomesticStandingOrderId}

3International Payments
  • POST /international-payment-consents
  • GET /international-payment-consents/{ConsentId}
  • GET /international-payment-consents/{ConsentId}/funds-confirmation
  • POST /international-payments
  • GET /international-payments/{InternationalPaymentId}

 4International Scheduled Payments
  • POST /international-scheduled-payment-consents
  • GET /international-scheduled-payment-consents/{ConsentId}
  • GET /international-scheduled-payment-consents/{ConsentId}/funds-confirmation
  • POST /international-scheduled-payments
  • GET /international-scheduled-payments/{InternationalScheduledPaymentId}

5International Standing Orders
  • POST /international-standing-order-consents
  • GET /international-standing-order-consents/{ConsentId}
  • POST /international-standing-orders
  • GET /international-standing-orders/{InternationalStandingOrderPaymentId}

 6 File Payments
  • POST /file-payment-consents
  • POST /file-payment-consents/{ConsentId}/file
  • GET /file-payment-consents/{ConsentId}
  • GET /file-payment-consents/{ConsentId}/file
  • POST /file-payments
  • GET /file-payments/{FilePaymentId}
  • GET /file-payments/{FilePaymentId}/report-file


Event Notification API

The following table highlights endpoints which will return '404 resource not found'

Ref ResourceEndpointsNotes 
1Event Notification
  • POST /callback-urls
  • GET /callback-urls
  • PUT /callback-urls/{CallbackUrlId}
  • DELETE /callback-urls/{CallbackUrlId}