An OBIE Security Profile Conformance Certificate allows an Implementer to demonstrate that they have successfully implemented the Open Banking Security Profile using the Open Banking Security Profile Conformance Tool (available till 14 Sep 2019).
Please visit the Open ID Foundation for certificates relating to the Financial Grade API (FAPI) Profile and Client Initiated Backchannel Authentication (CIBA) Profile. The FAPI Profile is intended to replace the Open Banking Security Profile, and therefore an Implementer will not normally need to apply for certification for both profiles at the same time.
For Open Banking Security Profile Conformance Certificates:
- Although the Implementer may download and run tests locally, Conformance Certificates will only be issued when the tests have been run and evidence supplied using the hosted version of the Open Banking Security Profile Conformance Tool .
- The Implementer must have implemented the Open Banking Security Profile and use the Conformance Tool to test their implementation.
- The Implementer must use the latest or most recent previously published version of the Conformance Tool.
- The Implementer must ensure that all sensitive information (e.g. private keys and authorisation headers) are redacted or removed prior to submission to OBIE.
- OBIE will not normally publish new versions of the tool more frequently than every two weeks.
- The tool will which generate a file which includes:
- List of all tests run.
- For each test run, a description, pass/fail flag, and link to the relevant specification reference.
- The Implementer must also complete a signed attestation form to confirm that all evidence submitted is accurate and has not been altered in any way.
It is up to each Implementer as to how many Conformance Certificates they apply for.
For ASPSPs, each Conformance Certificate covers one base URL (e.g. api.bank.com). This URL may include multiple brands and/or products, based on the same Security Profile. It is up to the Implementer to ensure they have run and submitted sufficient tests which cover all relevant brands/products as part of their Conformance Certification Request.
An ASPSP may have other brands/products on separate base URLs which have the exact same functionality, and may decide to declare that these bands/products are also covered by a single Conformance Certificate. However OBIE will only publish the Conformance Certificate based on the single base URL submitted by the Implementer.