Open Banking Security Profile Conformance
This page lists previous certifications relating to the now deprecated Open Banking Security Profile.
Please see Security Profile Conformance for current certifications.
Previous guidance
An OBIE Security Profile Conformance Certificate allows an Implementer to demonstrate that they have successfully implemented the Open Banking Security Profile using the Open Banking Security Profile Conformance Tool (available till 14 Sep 2019).
Please visit the Open ID Foundation for certificates relating to the Financial Grade API (FAPI) Profile and Client Initiated Backchannel Authentication (CIBA) Profile. The FAPI Profile is intended to replace the Open Banking Security Profile, and therefore an Implementer will not normally need to apply for certification for both profiles at the same time.
Pre-requisites
For Open Banking Security Profile Conformance Certificates:
Although the Implementer may download and run tests locally, Conformance Certificates will only be issued when the tests have been run and evidence supplied using the hosted version of the Open Banking Security Profile Conformance Tool .
The Implementer must have implemented the Open Banking Security Profile and use the Conformance Tool to test their implementation.
The Implementer must use the latest or most recent previously published version of the Conformance Tool.
The Implementer must ensure that all sensitive information (e.g. private keys and authorisation headers) are redacted or removed prior to submission to OBIE.
OBIE will not normally publish new versions of the tool more frequently than every two weeks.
The tool will which generate a file which includes:
List of all tests run.
For each test run, a description, pass/fail flag, and link to the relevant specification reference.
The Implementer must also complete a signed attestation form to confirm that all evidence submitted is accurate and has not been altered in any way.
Number of Conformance Certificates needed
It is up to each Implementer as to how many Conformance Certificates they apply for.
For ASPSPs, each Conformance Certificate covers one base URL (e.g. api.bank.com). This URL may include multiple brands and/or products, based on the same Security Profile. It is up to the Implementer to ensure they have run and submitted sufficient tests which cover all relevant brands/products as part of their Conformance Certification Request.
An ASPSP may have other brands/products on separate base URLs which have the exact same functionality, and may decide to declare that these bands/products are also covered by a single Conformance Certificate. However OBIE will only publish the Conformance Certificate based on the single base URL submitted by the Implementer.
Open Banking Security Profile Certifications (version 3 of the OBIE Standard)
The following certifications relate to the OBIE API Specification v3.0 and the Open Banking Security Profile Implementer's Draft v1.1.2. These are based on the OB Conformance Tool v2.0.6 (released 12 Sep 2018).
Open Banking Security Profile Certifications (version 2 of the OBIE Standard)
The following certifications relate to the OBIE API Specification v2.x and the Open Banking Security Profile Implementer's Draft v1.1.2. These are based on the OB Conformance Tool v2.0.x.
ASPSP/Brand | Security Profile Version | Suite Version | Client Authentication Type | Response Type | Date | Submission | Status | #Failed | Notes (including mitigations for any failures) |
|---|
ASPSP/Brand | Security Profile Version | Suite Version | Client Authentication Type | Response Type | Date | Submission | Status | #Failed | Notes (including mitigations for any failures) |
|---|---|---|---|---|---|---|---|---|---|
AIB Group (UK) p.l.c. / First Trust Bank | v1.1.2 | v2.0.6 | client secret basic | code id_token | Sep 18, 2018 | Pass | 0 | ||
Bank of Ireland | v1.1.2 | v2.0.6 | client secret basic | code id_token | Nov 26, 2018 | Pass | 0 | ||
Barclays | See Notes | Known issue(s) in current implementation:
Planned fix and certification date: March 2019 (waiting for vendor upgrade). | |||||||
Danske | v1.1.2 | v2.0.6 | client secret post | code id_token | Jan 23, 2019 | Pass | |||
HSBC / Retail Banking and Wealth Management | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | Sep 10, 2018 | Pass | 0 | ||
HSBC / Commercial banking | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | Sep 10, 2018 | Pass | 0 | ||
HSBC / First Direct Bank | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | Sep 10, 2018 | Pass | 0 | ||
HSBC / Marks and Spencer Bank | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | Sep 10, 2018 | Pass | 0 | ||
Lloyds Bank | See Notes | Known issue(s) in current implementation::
| |||||||
Nationwide | See Notes | Known issue(s) in current implementation:
Planned fix and certification date: TBC | |||||||
RBS | v1.1.2 | v2.0.4 | mtls | code, code id_token | Dec 14, 2018 | Pass | |||
Santander | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | Oct 11, 2018 | Pass | |||
Ping Identity (Platform Vendor) | v1.1.2 | v2.0.2 | mtls, private key, client secret basic, client secret post | code, code id_token | Aug 17, 2018 | Pass | 0 | ||
Authlete (Platform Vendor) | v1.1.2 | v2.0.4 | mtls | code id_token | Aug 29, 2018 | Pass | 0 | ||
Ozone (Mock Bank) | v1.1.2 | v2.0.6 | client secret basic, client secret post, private key | code, code id_token | Sep 17, 2018 | Pass | 0 | See O3-Ozone | |
Forgerock (Platform Vendor / Mock Bank) | v1.1.2 | v2.0.6 | client secret basic, client secret post, private key | code id_token | Sep 19, 2018 | Pass | 0 | See https://backstage.forgerock.com/knowledge/openbanking/home | |
Ostia Software Solutions | v1.1.2 | v2.0.6 | client secret basic | code id_token | Jan 16, 2019 | Pass | 0 | ||
WSO2 | v1.1.2 | v2.0.6 | mtls, private key, client secret basic, client secret post | code, code id_token | Jan 29, 2019 | Pass | 0 |
Key |
|---|
Key | |
|---|---|
ASPSP | OP tests |
TPP | RP tests |
Vendor/TSP | OP and/or RP tests |
Pass | Pass with no failures |
Provisional | One or more failures where there is an agreed (by standards body or regulator) workaround/mitigation |
Fail | One or more failures where there is no agreed workaround/mitigation |
Open Banking Security Profile Certifications (version 1 of the OBIE Standard)
The following certifications relate to the OBIE API Specification v1.x and the Open Banking Security Profile Implementer's Draft v1.1.x. These are based on the OB Conformance Tool v1.1.x.
ASPSP/Brand | Security Profile Version | Suite Version | Client Authentication Type | Response Type | Date | Submission | Status | #Warning | #Failed | Notes |
|---|
ASPSP/Brand | Security Profile Version | Suite Version | Client Authentication Type | Response Type | Date | Submission | Status | #Warning | #Failed | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
AIB Group (UK) p.l.c. / First Trust Bank | v1.1.1 | v1.1.7 | Client secret basic | code id_token | Feb 23, 2018 | Pass | 1 | 0 | ||
Bank of Ireland | ||||||||||
Barclays | v1.1.1 | v1.1.10 | client secret basic, client secret post | code | Jul 5, 2018 | Provisional | 2 | 2 | scope not present in token response -> Agreed with OBIE that it is not a breaking defect · This is a limitation of the current software version for the platform, and will be resolved in the next release.. Error from account request endpoint (406 Error) -> Expected Error because of incorrect values in Headers (Swagger v/s FAPI standards) · We currently check for application/json being present within the headers only as a strict interpretation as per Swagger / OBIE specifications and not to the FAPI standard | |
Danske | ||||||||||
HSBC | v1.1.2 | v1.1.11 | Client secret basic | code, code id_token | Apr 30, 2018 |
© Open Banking Limited 2019 | https://www.openbanking.org.uk/open-licence | https://www.openbanking.org.uk