Conformance Certification Service
Open Banking Limited (hereafter known as OBIE) provide a suite of Conformance Tools to help Implementers (which includes Account Providers, Third-Party Providers, Vendors and Technical Service Providers) test that they have implemented each part of the OBIE Standard correctly.
OBIE offers a Conformance Certification Service to allow Implementers to use these tools to self-attest, so that OBIE can then validate and publish a Conformance Certificate. These Conformance Certificates can be used by Implementers as evidence to the ecosystem (including Regulators) that they have followed the OBIE Standard correctly.
Initially, the focus is to enable ASPSPs to use these Conformance Certificates as evidence that they have followed the OBIE Standard without deviation when applying to their National Competent Authority (NCA) for an exemption from a contingency mechanism.
The details of this service do not form part of any contract but explain the process and how OBIE expects Implementers to engage. Implementers should be aware that these details may be updated by OBIE from time to time. Details of any changes will be set out in the Version Control section below.
1. Version control
Version | Date | Author | Comments |
---|---|---|---|
1.0 | | OBIE | Initial baselined version |
1.1 | | OBIE | Minor update to include further clarity of difference between OBIE and OIDF security profile conformance |
1.2 | | OBIE | Update to the range of Conformance Tools and Certificates available |
1.3 | | OBIE | Update to the range of Conformance Tools and Certificates available (DCR) |
2. Overview
The following table shows the range of Conformance Tools and Conformance Certificates that are offered by OBIE.
The Conformance Tools are all available under the MIT Open Licence without charge. Implementers can purchase any of the Certification Services listed below.
It is up to each Implementer to determine which endpoints, data fields, functionality, brands, products and unique tests need to be covered by each Conformance Certificate. OBIE will validate and publish Conformance Certificates based on the information provided by the Implementer. For example, each ASPSP will need to determine the number of dedicated interfaces that it has in consultation with the NCA. It is entirely between the NCA and each ASPSP as to what is considered a dedicated interface. It is then up to the ASPSP to decide which Conformance Certificates it would like to support its application(s) to the NCA for an exemption.
Type | Conformance Certificates | Fee per Conformance Certificate | Number of Conformance Certificates needed |
---|---|---|---|
Security Profile Conformance | Financial Grade API (FAPI) Conformance Certificates * | See https://openid.net/certification/fees/ | One per base URL (e.g. api.bank.com). |
Security Profile Conformance | Client-Initiated Backchannel Authentication (CIBA) Conformance Certificates * | See https://openid.net/certification/fees/ | One per base URL (e.g. api.bank.com). |
Functional Conformance | Functional Conformance Certificates: AIS | £1,000 | One per base URL (e.g. api.bank.com). |
Functional Conformance | Functional Conformance Certificates: PIS | £1,000 | One per base URL (e.g. api.bank.com). |
Functional Conformance | Functional Conformance Certificates: CBPII | £1,000 | One per base URL (e.g. api.bank.com). |
Dynamic Client Registration Conformance | Dynamic Client Registration Conformance Certificates | £1,000 | One per base URL (e.g. api.bank.com). |
Customer Experience Guidelines Conformance | Customer Experience Guidelines Conformance Certificates | Price on application | One per branded set of customer journeys. |
Included in the above fee for each Conformance Certificate, OBIE will provide a limited amount of support during UK office hours to help the Implementer use the Conformance Tool(s) and complete the submission process. This will not include detailed technical support in implementing any element of the OBIE Standard. This does not require, nor is it dependent on, any other Support Service which may be purchased separately from OBIE.
*Please visit the OpenID Foundation for Financial Grade API (FAPI) and Client Initiated Backchannel Authentication (CIBA) Certificates.
3. How to get a Conformance Certificate
Though the process differs slightly by Conformance Certificate type, the general process is as follows:
- Implementer downloads relevant Conformance Tool or Checklist and completes all required tests.
- Implementer signs relevant order form (including agreeing terms and conditions and payment terms) to order a Conformance Certificate.
  - Implementer purchases a Conformance Certification Service from OBIE via the Service Desk Conformance Certification Order Form.
- OBIE validates Conformance Certificate Request.
- Implementer uploads all required supporting evidence.
- OBIE will provide support to the Implementer during the validation period, as detailed above.
- OBIE publishes Conformance Certificate and notifies Implementer.
Once a Conformance Certificate has been published by OBIE, no further support will be provided to the Implementer and the Certificate Request will be marked as ‘Closed’.
To re-apply for the same Conformance Certificate, or to request a new Conformance Certificate, the Implementer will need to sign a new order form to re-start the above process.
Conformance Certificates for ASPSP implementations will only be published based on production (“live”) environments. The Conformance Tools can be run against pre-production environments and if an Implementer wishes to purchase a Conformance Certificate for pre-production or testing/sandbox environments this can be discussed bilaterally with OBIE, based on the costs and service levels as stated above.
4. Validation of Conformance Certificate Requests
Each Conformance Certificate requires different evidence to be submitted to OBIE, the detail of which is provided in the relevant pages accessible from the table above.
For the Functional and Security Profile Conformance Certificates, the Conformance Tools run automated tests once the tools are configured by the relevant Implementer, producing a set of binary results (pass/fail). OBIE will review both the results of the tests, and also the tests run by the Implementer. OBIE will not provide support to resolve failures in any of these tests as part of the Conformance Certification Service.
For the CEG, video evidence and a completed CEG Checklist will be submitted by the applicant which will be reviewed and assessed by the Office of the Trustee. The cost of this service is more than for other Conformance Certificates as it requires more manual review given the subjective nature of applications. For CEG Conformance Certificates OBIE anticipate more dialogue during the review process, and will support this.
5. Publication of Conformance Certificates
OBIE provides an online platform where these Conformance Certificates and supporting material are published and can be viewed and/or downloaded by other Participants and Regulators (including NCAs). This service can thus be used by ASPSPs as supporting evidence in their application to their NCA for an exemption from the provision of a contingency mechanism.
OBIE will publish Conformance Certificates marked with one of the following two statuses:
- CERTIFIED: Conformance Certificates will only be marked as ‘Certified’ if Implementers conform completely to all required or mandatory elements of the relevant OBIE Standard. If an Implementer also conforms to recommendations or optional elements of the relevant OBIE Standard, then these will also be marked on the relevant Conformance Certificate, e.g. meeting the OBIE recommended benchmarks for performance and availability.
- PARTIAL: If an Implementer only partially conforms, i.e. fails one or more test(s) or does not complete all required/mandatory elements, then they can still request OBIE to publish the results which will show where the Implementer has deviated from the relevant OBIE Standard. The Conformance Certificate will be published but with a status of ‘Partial’.
The issuance and publication of Conformance Certificates are at the sole discretion of OBIE.
6. Renewal and revocation
Conformance Certificates published by OBIE will have no fixed expiry date; however, they will be clearly marked as to which version of the relevant OBIE Standard they apply to.
If the Implementer makes any changes to their API interface which would cause a change in the Conformance Certificate status, for example introducing a new version of the OBIE Standard which includes a breaking change for TPPs, the Implementer should re-apply for a new Conformance Certificate, and, if so, will need to sign a new order form and pay the relevant fee to purchase this.
If any information provided by the Implementer changes, or is discovered to be inaccurate, the Implementer must immediately notify OBIE to request that the Conformance Certificate is revoked.
OBIE may also revoke a Conformance Certificate at any time at its absolute discretion.
Once a Conformance Certificate is revoked, it cannot be re-instated.
OBIE will maintain a publicly available online record of all revoked Conformance Certificates.
7. Managing disputes
Disputes or complaints raised by the Implementer will be subject to the following conditions:
- The Implementer must have followed the process as defined in section 3 above, including the purchase of a Conformance Certification Service and submission of a Conformance Certificate Request with all required evidence.
- As defined in section 5 above, OBIE will publish the Conformance Certificate with a status of ‘Certified’ (for 100% Conformance) or ‘Partial’ (if requested by the Implementer).
- The decision to grant a status of ‘Certified’ or ‘Partial’ will rest solely with OBIE.
- Where the Implementer does not agree with the status granted by OBIE, OBIE will provide support to discuss the results and help the Implementer with the submission process within the limits of the level of support offered for each type of Conformance Certificate as defined in section 2 above.
- If it can be demonstrated that the dispute is due to an error or omission in the relevant Conformance Tool or Checklist provided by OBIE, then OBIE will fix the error and allow the Implementer to re-test and re-submit the Conformance Certificate Request at no additional cost to the Implementer.
- If not, then OBIE’s decision will be final.
Disputes or complaints from other Participants who disagree with the issuance of a particular Conformance Certificate will be subject to the following conditions:
- The Participant must be enrolled with OBIE as either an ASPSP or TPP.
- The Participant must raise a ticket via the OBIE Service Desk and provide evidence to challenge the issuance.
- OBIE will make an assessment and, as defined in section 6 above, OBIE may ask the Implementer to revoke an existing Conformance Certificate and/or re-apply for a new Conformance Certificate. In extreme circumstances, OBIE may revoke the Conformance Certificate.
OBIE will not respond to disputes or complaints relating to Conformance Certificates issued/published by any other entity (e.g. the OpenID Foundation), and these must be raised with the relevant entity directly.
8. Need help?
Implementers who have purchased a Certification Service can get support relating to this Service via the OBIE Service Desk. All Participants who have Support Services included as part of their Services with OBIE can also get general support via the OBIE Service Desk.
© Open Banking Limited 2019 | https://www.openbanking.org.uk/open-licence | https://www.openbanking.org.uk