Known Specification Issues

Known issues with the latest versions of Open Banking specifications are detailed here. For each release, we have included a table that shows the issue and also any impact and/or mitigation.

This page is NOT concerned with issues relating to the implementation of the specifications (either by an ASPSP or a TPP) or for documentation and guides, but ONLY for the actual specifications. In many cases, these issues have already been fixed in a release candidate for the next version, which is available to all registered users in the Open Banking Collaboration Space

To report any other issues, please log via the Open Banking Service Desk.

 Read/Write API v3.1.10
Ref_No
Status
Details
Impact/Mitigation
Fix in VersionAreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

v3110_KI1Open
  1. VRPType is missing in OBDomesticVRPRequest

2. Usage examples are not showing VRPType selected

  1. Errata fix to  OBDomesticVRPRequest - UML Diagram and Table to add field VRPType (1..1)
    https://openbankinguk.github.io/read-write-api-site3/v3.1.10/resources-and-data-models/vrp/domestic-vrps.html#obdomesticvrprequest
  2. Errata fix to usage examples to add VRPType in Data block
    https://openbankinguk.github.io/read-write-api-site3/v3.1.10/references/usage-examples/vrp-usage-examples.html#post-domestic-vrps



Specs, Swagger, FCS in v3.1.11VRPOBIE Internal reviewMay-2022N/A CDRW-4134 - Getting issue details... STATUS
v3110_KI2Open

Errata fix to change VRPType from string to array in usage examples for domestic-vrp-consents

Errata fix to usage examples 
https://openbankinguk.github.io/read-write-api-site3/v3.1.10/references/usage-examples/vrp-usage-examples.html#post-domestic-vrp-consents

Specs, Swagger, FCS in v3.1.11VRPASPSPMay-2022Case 00022980 CDRW-4133 - Getting issue details... STATUS
v3110_KI3Open

Errata fix where the field is incorrectly named as BeneficiaryPaymentDetailsPrepopulatedIndicator

 

Errata fix to change field BeneficiaryPaymentDetailsPrepopulatedIndicator to BeneficiaryPrepopulatedIndicator 

https://openbankinguk.github.io/read-write-api-site3/v3.1.10/profiles/read-write-data-api-profile.html#json-error-response


Specs,  FCS in v3.1.11

Swagger-Not required

TRIASPSPApr-2022Case - 00022753
v3110_KI4Open

Errata fix where the field is incorrectly named as ContractPresentInidicator

Errata fix to change field ContractPresentInidicator to ContractPresentIndicator

https://openbankinguk.github.io/read-write-api-site3/v3.1.10/profiles/payment-initiation-api-profile.html#obrisk1

Specs, Swagger, FCS in v3.1.11TRIASPSPJune 2022

Case-00024791


Case-00025004


 Dynamic Client Registration v3.3
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

Open

The enumeration for application_type has incorrect values

This will be fixed in a forthcoming release.

GeneralTPPAug-2020 OBSD-17624 - Getting issue details... STATUS CDRW-3518 - Getting issue details... STATUS
Open

The endpoint should be GET not POST

https://openbankinguk.github.io/dcr-docs-pub/v3.3/dynamic-client-registration.html#endpoints

"POST /register/{ClientId}" should be "GET /register/{ClientId}"

This will be fixed in a forthcoming release.

GeneralTPPAug-2020 OBSD-17490 - Getting issue details... STATUS CDRW-3519 - Getting issue details... STATUS
 Read/Write API v3.1.9
Ref_No
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

v319_KI1Closed

For AISP: OBReadConsent1:

UML diagrams are incorrectly showing the Permissions field as 0..1 in version 3.1.7 onwards

  1. Fix UML diagram in v3.1.8 and v3.1.7 to reflect  Permissions 1..*


VRPASPSPOct-2021 OBSD-26532 - Getting issue details... STATUS
v319_KI2Closed

3. VRP Domestic VRP Response

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrps.html#obdomesticvrpresponse

  1. Fix UML diagram to reflect  Instructed amount field as 1..1 in below objects
    1. OBDomesticVRPInstruction

    2. OBDomesticVRPRequest

    3. OBDomesticVRPResponse

  2. Update swagger


VRPASPSPSep-2021 OBSD-26140 - Getting issue details... STATUS
v319_KI3Closed

Changes removed are struck out and added are in blue

  1. Update state model diagram to remove the status.
  2. Update below table under state model - vrp consents section


Status

Status Description

1

AwaitingAuthorisation

The consent resource is awaiting PSU authorisation.

2

Rejected

The consent resource has been rejected.

3

Authorised

The consent resource has been successfully authorised.

4

Revoked

The consent resource has been revoked by the PSU, via ASPSP's  online channel .

3. Update swagger

VRPASPSPSep-2021 OBSD-26142 - Getting issue details... STATUS
v319_KI4Closed

Fix in section to remove 'Revoked' status

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrp-consents.html#obdomesticvrpconsentresponse

Changes removed are struck out and added are in blue

Name

Path

Definition

Type

Data (1..1)

Data



ConsentId (1..1)

Data. ConsentId

Unique identification as assigned by the ASPSP to uniquely identify the consent resource.

Max128Text

Data. ReadRefundAccount (0..1)

Data. ReadRefundAccount

Indicates whether the RefundAccount object should be included in the response

Yes No

CreationDateTime (1..1)

Data. CreationDateTime

Date and time at which the resource was created.

ISODateTime

Status (1..1)

Data. Status

Specifies the status of the resource in code form.

Authorised AwaitingAuthorisation Rejected Revoked Expired

StatusUpdateDateTime (1..1)

Data. StatusUpdateDateTime

Date and time at which the resource status was updated.

ISODateTime

ControlParameters (1..1)

Data. ControlParameters

The control parameters under which this VRP must operate

OBDomesticVRPControlParameters

Initiation (1..1)

Data. Initiation

The parameters of the VRP consent that should remain unchanged for each payment under this VRP

OBDomesticVRPInitiation

DebtorAccount (0..1)

Data.DebtorAccount

The approved DebtorAccount that the payment can be made from. THhe value must be populated for GET responses once the consent is approved.

OBCashAccountDebtorWithName

Risk (1..1)

Risk

The consent payload is sent by the initiating party to the ASPSP. It is used to request a consent to move funds from the debtor account to a creditor.

OBRisk







v319_KI5Closed

Fix to section - Consent revocation

https://openbankinguk.github.io/read-write-api-site3/v3.1.9/profiles/vrp-profile.html#consent-revocation


A PSU may revoke consent for initiation of any future payment orders, by revoking the authorisation of VRP Consent, at any point in time.

The PSU may request the TPP to revoke the consent that it has authorised. If consent is revoked with the TPP:

  • The TPP must cease to initiate any future payment orders or Funds Confirmations using the VRP Consent.
  • The TPP must call the DELETE operation on the VRP Consent resource to indicate to the ASPSP that the PSU has revoked consent.

The PSU may revoke the VRP Consent access via ASPSP's online channel. If the consent access is revoked via ASPSP:

  • The ASPSP must immediately update the VRP Consent resource status to Revoked.
  • The ASPSP must fail any future payment order request using the ConsentId,  with the Status Revoked.
  • The ASPSP must make a Notification Event available for the TPP to poll/deliver Real-Time Event Notification for the event - consent-authorization-access-revoked.
  • The ASPSP must take the necessary action to revoke access e.g. by revoking/expiring the access token provided to the PISP.
  • The status of the domestic-vrp-consents must remain unchanged and the PISP must be allowed to request PSU to re-authenticate the same domestic-vrp-consents resource.
  • Upon successful re-authentication by PSU, an ASPSP may issue new authorization code and subsequently new access token to the PISP.
v319_KI5aClosed

Fix to enums for event notifications related to revocation

https://openbankinguk.github.io/read-write-api-site3/v3.1.9/references/namespaced-enumerations.html#obeventtype1code

Introduce a new enum UK.OBIE.Consent-Access-Revoked for access revoked at ASPSP keeping UK.OBIE.Consent-Authorization-Revoked for backward compatibility

EventsOBIE Internal reviewFeb-2022
CDRW-4114 - Getting issue details... STATUS
v319_KI6Closed

Fix to UML on Debtor Account

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrp-consents.html#obdomesticvrpconsentresponse

Note: The field is marked as optional to address the scenario when a/c selection happens at ASPSP. The debtor account must be provided in the GET response after the PSU has selected the a/c at the ASPSP and the consent is approved.

  • Update UML diagram to make DebtorAccount block option in OBDomesticVRPConsentResponse block.


VRPASPSPSep-2021

OBSD-26403 - Getting issue details... STATUS



v319_KI7Closed
  1. Fix UML diagram & table (where relevant) to reflect MaximumIndividualAmount as 1..1 and  PeriodicLimits field as 1..* in below objects
    1. OBDomesticVRPControlParameters

    2. OBDomesticVRPConsentRequest

    3. OBDomesticVRPConsentResponse

  2. Update swagger
VRPASPSPSep-2021 OBSD-26188 - Getting issue details... STATUS
v319_KI8Closed

Clarification on Additional control parameters-

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/profiles/vrp-profile.html#payment-restrictions

Changes removed are struck out and added are in blue

Payment Restrictions

The standard provides a set of control parameters that may be specified as part of the VRP Consent. These control parameters set limits for the payment orders that can be created by the TPP for a given VRP.

In addition to the control parameters defined in this standard ASPSPs may implement additional control parameters, limits and restrictions for non-sweeping VRPs.

These restrictions should be documented on ASPSP's developer portal

VRPASPSPOct-2021 OBSD-26664 - Getting issue details... STATUS
v319_KI9Closed
  1. Change to remove CreditorAgent as it is not applicable to domestic payments and move PostalAddress block under OBDomesticVRPInstruction block as CreditorPostalAddress

2. Change to remove CreditorAgent from OBDomesticVRPInitiation as it is not applicable to domestic payments and move PostalAddress block under OBDomesticVRPInitiation block as CreditorPostalAddress

  1. Update OBDomesticVRPInstruction to remove CreditorAgent block and move PostalAddress under OBDomesticVRPInstruction as CreditorPostalAddress
  2. Update OBDomesticVRPInitiation to remove CreditorAgent block and move PostalAddress under OBDomesticVRPInitiation as CreditorPostalAddress

CreditorPostalAddress (0..1)

0..1

CreditorPostalAddress

Information that locates and identifies a specific address, as defined by postal services.

OBPostalAddress6

  • Change to UML
  • Change to Data dictionary table
  • Change to Swagger
VRPASPSPOct-2021 OBSD-26669 - Getting issue details... STATUS
v319_KI10Closed

Change 1) Update 

OBVRPFundsConfirmationRequest to make Reference field optional

OBVRPFundsConfirmationResponse to make Reference field optional

  • Change to UML

  • Change to Data dictionary table

  • Change to Swagger

Change 2) Update

OBVRPFundsConfirmationRequest to make Data block mandatory 

OBVRPFundsConfirmationResponse to make Data block mandatory 

  • Change to UML

  • Change to Swagger

VRPASPSP

Oct-2021

Nov 2021

OBSD-27535 - Getting issue details... STATUS
v319_KI11ClosedFix to examples -Example 1, 2,3,4 to flatten Amount and currencyVRPASPSPNov 2021 OBSD-27653 - Getting issue details... STATUS
v319_KI12ClosedFix to include Payments in the scope of event notificationVRPASPSPNov 2021 OBSD-27921 - Getting issue details... STATUS
v319_KI13Closed

Link to Event Notification is broken

Fix links in v319 and v318

https://openbankinguk.github.io/read-write-api-site3/v3.1.9/resources-and-data-models/event-notifications/domestic-vrp-consents.html

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/event-notifications/domestic-vrp-consents.html

GeneralOB InternalJan 2022

v319_KI14Closed

Errata fix to include this attribute for non-sweeping only and hence optional field for sweeping 

https://openbankinguk.github.io/read-write-api-site3/v3.1.9/resources-and-data-models/vrp/domestic-vrp-consents.html#obdomesticvrpcontrolparameters

Add an array PSUInteractionTypes to enable the PISP to capture 'Customer not in an active session' and 'Customer in an active session' at the consent level.

https://openbankinguk.github.io/read-write-api-site3/v3.1.9/resources-and-data-models/vrp/domestic-vrps.html#obdomesticvrprequest

Add PSUInteractionTypes to enable the PISP to specify the specific value from the PSUInteractionTypes defined at the consent level

Add missing attributes to capture PSUInteractionTypes as per VRP requirement

  • Change to UML

  • Change to Data dictionary table

  • Change to Swagger


//Consent
{ PSUInteractionTypes: ['InSession','OffSession'] }

//payment
{ PSUInteractionType: 'InSession' }

VRPASPSPJan 2022 OBSD-28494 - Getting issue details... STATUS
v319_KI15ClosedChange resource group of VRP endpoints to existing PISP resource group 
  • Changes to the Open API specification for VRP (update server URI path)
  • Changes to the URLs in usage examples
  • Changes to Functional Conformance Suite (FCS)
  • Changes to Model Bank
VRPASPSPJan 2022

/wiki/spaces/WOR/pages/2302083154

CDRW-4126 - Getting issue details... STATUS


 Read/Write API v3.1.8
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

Fixed

For VRPs, the section on Events (https://openbankinguk.github.io/read-write-api-site3/v3.1.8/profiles/vrp-profile.html#event-notifications) states that 

In any such situation where an account linked to avrp-consentcan no longer be used, temporarily or permanently, to make payments, the ASPSP must inform the TPP using events.

The specification should be modified to read:

In any such situation where an account linked to a vrp-consent can no longer be used, temporarily or permanently, to make payments, the ASPSP should inform the TPP using events.


VRPASPSPApr-2021 OBSD-25276 - Getting issue details... STATUS Reported in TDA

CDRW-3937 - Getting issue details... STATUS


Fixed



In the Domestic VRPs - v3.1.8 spec data model it says:

Reference (0..1)
RemittanceInformation. Reference
Unique reference, as assigned by the creditor, to unambiguously refer to the payment transaction. The PISP must populate this with the same value as specified in the ControlParameters.Reference field of the consent.

The field does not exist

Spec should be updated to read "The PISP must populate this with the same value as specified in the `Data.Initiation.RemittanceInformation.Reference`"

VRPASPSPMay-2021 OBSD-23244 - Getting issue details... STATUS
FixedRejected code is not listed in https://openbankinguk.github.io/read-write-api-site3/v3.1.8/profiles/account-and-transaction-api-profile.html#static-enumerations for rejected Code to be addedAISASPSPMay-2021 OBSD-23512 - Getting issue details... STATUS
FixedThe action to be taken for Access Revocation (See https://openbankinguk.github.io/read-write-api-site3/v3.1.8/profiles/account-and-transaction-api-profile.html#access-revocation) is not clear due to the use of the term "may"

Change the statement:

A PSU may revoke AISP's access directly with the ASPSP, via the access dashboard. In such a situation:

  • The ASPSPs may revoke/expire the access token provided to the AISP.

to read:

...

  • The ASPSP must take the necessary action to revoke access e.g. by revoking/expiring the access token provided to the AISP.
AISASPSPJune-2021 OBSD-23823 - Getting issue details... STATUS
FixedThe response object specified for the payment details endpoint is incorrect

Change the Endpoints table Response Object entry  for payment-details

OBDomesticVRPRequestDetailResponse

to read

OBDomesticVRPDetails


VRP

ASPSPJuly-2021 OBSD-24689 - Getting issue details... STATUS
Fixed

Errata fixes to VRP example 2 and example 3 

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrp-consents.html#examples-of-periodic-limits

Change Example 2 from

 to


Change Example 3 from

 to

VRPTPPJuly-2021 OBSD-24907 - Getting issue details... STATUS CDRW-4036 - Getting issue details... STATUS
Fixed

Errata fix to update resources and data models page for VRP - https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/

Update VRP Resources and Data Models page to include all VRP endpoints including resource compatibility with version 3.1.8 and 3.1.9VRPTPPAug-2021

OBSD-25460 - Getting issue details... STATUS

OBSD-26172 - Getting issue details... STATUS



Fixed

Errata fix to update enumerations for VRP - https://openbankinguk.github.io/read-write-api-site3/v3.1.8/references/namespaced-enumerations.html

VRP

TPP

ASPSP

Aug-2021

Jul-2021

OBSD-25446 - Getting issue details... STATUS

OBSD-25088 - Getting issue details... STATUS


Fixed

Errata fix to update State model table to remove "Expired" status

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrp-consents.html#state-model---vrp-consents

VRPASPSPAug-2021 OBSD-25600 - Getting issue details... STATUS
Fixed

Errata fix to update permissions in Transactions API 

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/aisp/Transactions.html#permission-codes

Update Permissions section to include ReadTransactionsCredits and ReadTransactionsDebitsAISPTPPAug-2021 OBSD-25715 - Getting issue details... STATUS
Fixed

Clarification on 

PeriodType=Fortnight

PeriodAlignment=Calendar

ValidToDateTime

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrp-consents.html#obdomesticvrpcontrolparameters

Clarification on the below combination -

PeriodType=Fortnight

PeriodAlignment=Calendar

To refrain from implementing this combination, as the ISO calendar does not support or provide any guidance on when a fortnight should start.

Clarification on time part in the consent -

ValidFromDateTime

ValidToDateTime

The consent period starts and ends at midnight - effectively the time element of the date should be disregarded in computing the date range and pro-rating.

VRPASPSPAug-2021 OBSD-25599 - Getting issue details... STATUS
 Read/Write API v3.1.7
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

Fixed

For file payments, the OBWriteFileResponse3/Data/Debtor/Name field only allows a single value. 

Guidance or changes are required for what should be done in situations where the file payments are made from multiple debtor accounts

To be confirmed following completion of FCA consultation on Debtor Name/Account fields

PISASPSPMar-2021 OBSD-22139 - Getting issue details... STATUS
 Read/Write API v3.1.6
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

Fixed

This property is documented to be a class of type ‘OBBranchAndFinancialInstitutionIdentification6’.

This is incorrect and it should be ‘OBCashAccountCreditor3’.

Addressed in v3.17

PISTPPJun-2020 OBSD-16647 - Getting issue details... STATUS CDRW-3428 - Getting issue details... STATUS
Fixed

In the Domestic-Standing-Orders section, the ‘OBDomesticStandingOrder3’ class includes the ‘CreditorAccount’ property.

This property is documented to be a class of type ‘OBBranchAndFinancialInstitutionIdentification6’, although the fields documented beyond that (in CreditorAccount path) are not.

Addressed in v3.17PISTPPJun-2020

OBSD-16647 - Getting issue details... STATUS


CDRW-3428 - Getting issue details... STATUS
Fixed

Transaction Identifier. A unique identifier for the transaction. ASPSPs *may *populate this field with the x-fapi-transaction-id of the api operation that lead to the change, or populate it with the same value as jti. 

This should read x-fapi-interaction-id instead of x-fapi-transaction-id

Addressed in v3.17AISTBC Jul-2020 OBSD-16818 - Getting issue details... STATUS CDRW-3448 - Getting issue details... STATUS
FixedThe POST endpoint is listed in the Endpoints table, but no further documentation is providedAddressed in v3.17PISTPPJul-2020

OBSD-16778 - Getting issue details... STATUS

CDRW-3449 - Getting issue details... STATUS
FixedDocument styling an formatting issueAddressed in v3.17AISInternalJul-2020

OBSD-15322 - Getting issue details... STATUS

CDRW-3445 - Getting issue details... STATUS
FixedThe Version History format for 3.1.5 and 3.1.6 is presented in different stylesAddressed in v3.17GeneralInternalJul-2020NA (Reported internally) CDRW-3446 - Getting issue details... STATUS
FixedAdditional examples to be addedAddressed in v3.17GeneralASPSPJul-2020Reported by email CDRW-3485 - Getting issue details... STATUS
FixedIncorrect field size for ReferencePaymentId field in  SCA Support DataAddressed in v3.17PISPASPSPJul-2020 OBSD-17345 - Getting issue details... STATUS CDRW-3500 - Getting issue details... STATUS
FixedBank Transaction Code size field is not in sync between specifications and swaggerAddressed in v3.17AISPASPSPJun-2020 OBSD-16489 - Getting issue details... STATUS CDRW-3503 - Getting issue details... STATUS
FixedFor the CASS status, "NotSwitched" is spelt incorrectly in one instance Addressed in v3.17AISPASPSPAug-2020 OBSD-17586 - Getting issue details... STATUS CDRW-3517 - Getting issue details... STATUS
FixedInconsistent description of "CreationDate"Addressed in v3.17PISPASPSPSep-2020 OBSD-18538 - Getting issue details... STATUS CDRW-3679 - Getting issue details... STATUS
FixedIncorrect example for CountrySubdivisionAddressed in v3.17PISPASPSPSep-2020 OBSD-18590 - Getting issue details... STATUS CDRW-3682 - Getting issue details... STATUS
 Read/Write API v3.1.5
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed OBSD-15311 - Getting issue details... STATUS Errata

Incorrect multiplicity for OBRisk1/DeliveryAddress/CountrySubDivision


The occurence is specified as 0..2 instead of 0..1

This will be fixed in v3.1.6

FixedNAClarificationBehaviour when a incorrectly formatted ISO Date is provided in a request is not clearly defined

Clarify that when an ASPSP receives a request with an incorrectly formatted date, it may respond with a status code of 400 Bad Request and an error code of UK.OBIE.Field.InvalidDate.

This will be fixed in v3.1.6
Fixed OBSD-12579 - Getting issue details... STATUS ClarificationThe txn claim for OBEventNotification2 is optional in the SET standard, but mandatory in the OBIE standard.
Clarify the usage of the txn claim in the standard.
 Dynamic Client Registration v3.2
Status
Ref
Type
Issue
Details
Impact/Mitigation
Open
Minor Bug

The regex pattern for uuidv4 specified for the jti field is incorrect in the specification.

As per the UUID specification (https://tools.ietf.org/html/rfc4122#section-3):

1 The hexadecimal values "a" through "f" are output as lower case characters and are case insensitive on input.


This has been fixed in the swagger file for v3.2.

The specification will be corrected in the next version.

 Read/Write API Version 3.1.4
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed
Minor BugIncorrect cardinality in RefundAccount.Name

https://github.com/OpenBankingUK/read-write-api-docs-pub/commit/788eb1f5261177a49e8afaee7f9e52a19c5bda52

Fixed in v3.1.5

Fixed
Minor BugAmount regular expression was incorrecthttps://github.com/OpenBankingUK/read-write-api-docs-pub/commit/cfdba4047b9cbea9982051e9b821fc48adb916eb

Fixed in v3.1.5

Old regex will not accept amounts without a decimal point

Fixed
Minor BugBroken links in "Usage Examples" index filehttps://github.com/OpenBankingUK/read-write-api-docs-pub/commit/e763fe34669c5968708504e7c9d3a9299ec1f27e

Cosmetic changes only.

Fixed in Version 3.1.5

Fixed
Minor BugUML diagrams for International Payments used incorrect re-usable class versionshttps://github.com/OpenBankingUK/read-write-api-docs-pub/commit/e763fe34669c5968708504e7c9d3a9299ec1f27eFixed in Version 3.1.5
 Read/Write API Version 3.1.1 - 3.1.3
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed
ErrataImprovements to Event Notifications

https://github.com/OpenBankingUK/read-write-api-docs-pub/commit/85addb6bd4ef06f78c600a28d4ef2be5c3a5ab1f

These have been fixed in Version 3.1.4

Fixed
Minor BugInconsistencies in class and URL names.https://github.com/OpenBankingUK/read-write-api-docs-pub/commit/ba4abc36b60b89da48b980586be2d72e0bdb9c35These have been fixed in Version 3.1.4
Fixed
Minor BugErrors in markdown causing poor rendering on some environementshttps://github.com/OpenBankingUK/read-write-api-docs-pub/commit/c36a270434203b3727afed34a74e6567dd7d8163

Cosmetic changes only.

These have been fixed in Version 3.1.4

 DCR API Ver 3.1
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed OBSD-12892 - Getting issue details... STATUS Minor Bugsoftware_id field length and pattern is not correct (^[0-9a-zA-Z]{1,18}$). It should be 22 characters( fixed in V3.2 onwards)

We're having issues with dynamic client registration. The validation for the "iss" field in the OBRegistrationRequest1 object (in DCR v3.1) is as follows:

^[0-9a-zA-Z]{1,18}$

The guidance for this is as follows:

For SSAs issued by the OB Directory, this must be the software_id

But the software_id issued in the OB directory is 22 characters in length so is not valid according to the spec. I've noticed the 3.2 registration spec does allow for this length, but most banks don't support this registration version yet. We can register with banks that don't validate this or banks that implement the 3.2 spec, but by the looks of our registration attempts Nationwide validates the length and doesn't implement the 3.2 spec. I'd imagine there are more banks in a similar position. How do you suggest working around this issue in the mean time?

banks must provide a workaround for. The customer must contact Nationwide directly for support. If he/she is not getting the required support, he/she should raise a new ticket complaining about Nationwide and OBIE Central Testing team will get involved.


This has been fixed in V3.2

 Read/Write API Ver 3.0
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed

OBSD-4642 - Getting issue details... STATUS

ErrataR/W Spec Parent Page mentions application/json as the only permitted value for Content-Type



The swagger definitions for each of the APIs is correct.

The statement will be corrected in v3.1 to be accurate.

Fixed
Minor Bug

v3.0-rc3 Swagger has incorrect length for Path field in the OBError1 object.

v3.0-rc3 Swagger has incorrect length for Path field in the OBError1 object.

This should be Max500Text instead of Max40Text.

To be fixed in v3.0-rc4 of the Swagger spec.
Fixed
Minor BugThe status model for the Domestic and International Payments (Immediate) does not contain a transition from AcceptedSettlementInProcess that handles error cases.

A transition from AcceptedSettlementInProcess to Rejected should be included on the status model diagram. This would bring it back in line with the current status model in v1.1

Amend the specification in v3.1 to include a transition from AcceptedSettlementInProcess to Rejected.

Fixed
Errata

v3 RC3 International Standing Orders page - Reusable Class UML Diagram is incorrect.

v3 RC3 International Standing Orders page.

The Reusable Class describes OBInternationalStandingOrder1 but the UML diagram represents OBWriteInternationalStandingOrder1 (the consent request object).

UML DIagram for OBInternationalStandingOrder1 isn't provided in the specification.

Amend the specification in V3.1 to include the correct UML Diagram.

Fixed
OBSD-4752 - Getting issue details... STATUS
Minor BugOBActiveCurrencyAndAmount_SimpleType in the specifications is missing the Pattern:
'^\d{1,13}\.\d{1,5}$'.

Account, Payment and COF Data Dictionary in the specification does not have the pattern for OBActiveCurrencyAndAmount_SimpleType defined.

The swagger definition has the correct regex pattern.

For Consistency of the specs with swagger, it will be fixed in V3.1 specification.

Fixed


OBSD-4787 - Getting issue details... STATUS

Minor Bug"Meta" and "Links" tag in response are shown in examples but not in swagger. 

To be fixed in v3.0-rc4 of the Swagger spec.

Fixed

OBSD-4786 - Getting issue details... STATUS

Minor BugFunds Confirmation Usage Examples missing meta elementMeta is a mandatory data element in the JSON response, but is missing in the example.

Specification and Swagger spec are accurate.

Example will be fixed in V3.1 specification.

Fixed

OBSD-4785 - Getting issue details... STATUS

ErrataTypo on Products/PCA Data Model and Products/BCA Data Model pages

Fix gramattical error:

  • FeaturesAndBenefits: Further analysis is required to check whether feature and benefits sections is needed are not

Changes required in PCA Product Data Model & BCA Product Data Model.

Will be fixed in V3.1 specification.

FixedRaised by OB R/W API TeamMinor BugIncorrect type (length) for DomesticStandingOrderId and InternationalStandingOrderId.

Payment Order Ids for Standing Orders (DomesticStandingOrderId and InternationalStandingOrderId) is of the type Max128Text, while other Payment Order Ids are of type Max40Text.


The Ids should be standardised to Max40Text for consistenc

This will be fixed in  v3.0-rc4 of the Swagger spec.

The specification will be updated in v3.1

Fixed OBSD-2303 - Getting issue details... STATUS Minor BugV3 Specification specifies that Error Codes in Authorisation flow must be aligned to OAuth Error codes.Section 3.6 of the V3 RC3 specification incorrectly specifies following:

ASPSPs must respond with error response in the OAuth/OIDC flow with mandatory alignment of error codes to those specified in RFC 6749 Section 4.1.2.1

However, ASPSPs may extend the error response codes to include OIDC error responses as well.

The sentence should read:

It must be changed to the following, to include a reference to OIDC Error Codes:

ASPSPs must respond with error response in the Authorisation flow with mandatory alignment of error codes to those specified in Section 3.1.2.6 Authentication Error Response of OIDC Core specification.

This will be updated in v3.1

FixedRaised by OB R/W API TeamMinor BugDetails for PUT operations are not provided in Request Headers and HTTP Status codes sections.

The R/W Ver 3.0 specifications introduced a PUT operation for ASPSP Event Notification specification.

The Request Headers and HTTP Status Codes for PUT operations should be explicity defined.

The Request Headers for PUT operations are the same as those for POST operations.

The HTTP Codes for PUT operations are the same as those for DELETE operations.

The tables will be updated in v3.1 to reflect the above.

FixedRaised by OB R/W API TeamErrata'Process for verifying a signature' mislabels Step 2 as Step 1.

It will be fixed in V3.1 specification.

FixedRaised by OB R/W API TeamMinor BugIn The 'Steps' section on the Payments specification, the description for Step 4 should be generalised for redirect as well as decoupled journeys


It should be made clear that step 4 occurs when authorisation is complete. This would apply in both the redirect and decoupled flows.

It will be fixed in V3.1 specification.

FixedCDRW-2373Minor BugIncorrect Usage ExamplesSelf Links in Usage Examples don’t Contain NamespaceIt will be fixed in V3.1 specification.
FixedCDRW-2372Minor BugIncorrect Usage ExamplesMissing idempotency key on Standing Order ExamplesIt will be fixed in V3.1 specification.
FixedCDRW-2583Minor BugIncorrect Usage ExamplesIncorrect Usage Example for Bulk TransactionsIt will be fixed in V3.1 specification.
FixedCDRW-2408ErrataSwagger files  - ProductType field missingThe ProductType field was inadvertently left out of the swagger files for the product end-pointsProductType re-introduced. Will be fixed. v3.1
FixedCDRW-2423ErrataIncorrect field size for PurposeCodeThe PurposeCode field for international payments is of the incorrect length (35 chars rather than the ISO enum size of 4 chars)It will be fixed in V3.1 specification.
FixedCDRW-2409Minor BugGrammar FixFixed multiple instances of poor grammar and lapses of typographical diligence.It will fix be in v3.1 specification.
FixedCDRW-2582ErrataTransaction permissions not specifiedTransaction Permissions Errata (Debtor/Creditor Agent Inconsistency)It will be fixed in V3.1 specification.
FixedCDRW-2585ClarificationCommon base-url for all resourcesState that the base-url must be the same for all resourcesIt will be fixed in V3.1 specification.
FixedCDRW-2584ClarificationImprove definition of CurrencyOfTransfer
It will be fixed in V3.1 specification.
FixedCDRW-2671ErrataIncorrect data type for iat and toe claimsThe iat and toe claims are specified as strings.These should be numeric (in keeping with the defintion of iat in the JWT RFC)It will be fixed in V3.1 specification.
Open OBSD-15311 - Getting issue details... STATUS Errata

Incorrect multiplicity for OBRisk1/DeliveryAddress/CountrySubDivision

The occurence is specified as 0..2 instead of 0..1This will be fixed in v3.1.6


 Read/Write API v1.1

Read/Write API v1.1

References:

This version of the Read/Write API Specification will be supported by all CMA9 ASPSPs from 13 Jan 2018. The following table details known issues with this version of the specification.

StatusRefTypeIssueDetailsImpact/Mitigation
ClosedCDRW-928Minor bugSecurity Profile / Signing: Ensure we have got B64Enc v/s B64URLEnc.

In the security profile, step 3 "Form the payload to be signed " provides an example that Base64 encodes JOSE header and json. Similarly the signature that is computed in Step 4 of the documentation is highlighted in the example as Base64 encoded formatted.

The RFC 7515 states that the header and json is encoded in Base64URL format and not Base64.

The security profile should be updated to match RFC 7515.

ASPSPs and TPPs should be advised in the documentation to follow the RFC in this case.

Fixed in v3

ClosedCDRW-929Minor bugLinks format in swagger and example on Confluence doesn't match.

The Links object in the swagger contains fields with format as URI and this can be absolute URI but the examples on confluence take in values as relative URI

The standard for sending links to the consumer should be absolute URI.

ASPSPs and TPPs should be advised in the documentation to use absolute URIs. 

Fixed

OpenTBCMinor clarificationOB Security Profile has been incorrectly interpreted by an ASPSP.Clarification to reflect that TPPs are NOT required to pass ACR values in either the requested acr_values string or inside the request object to address a possible mis-interpretation. This is a MAY and not a MUST as already stated in v1.1.0 of the specification.

No impact as long as ASPSPs and TPPs follow the existing spec.

Wording will be made clearer/more explicit in next release.

Security Profile Implementation Guide to be updated and published

Closed

TBCMinor clarificationSecurity Profile: Clarity on use of MA-TLS with OIDC well-known end-point.Clarification to reflect that an ASPSP's OIDC well-known end-point MUST NOT use TLS-MA. The end-point SHOULD use TLS.

No impact on ASPSPs and TPPs that have followed the existing specification. Wording will be improved and made more explicit in the next release.

Fixed Security Profile 1.1.2

ClosedTBCMinor bugDirectory: The mechanism that OB uses to calculate x5t does not meet specification.

Any participant attempting to check certificates fingerprints against the x5t parameter will find validation errors.

​As a result of this issue, the kid field for all JWK's in the OB stores do not confirmed to the published specification where OB committed to keeping the "kid" the same as the "x5t". 

Potential impact on participants that rely on x5t being correct in order to accept a jwk as valid. Any participant that is following the OB specification and dynamically calculating the appropriate kid to use when creating JWT's will reject all messages from TPPs.

OB will implement a workaround for effected participants at start of managed rollout, and implement a permanent fix and update the specifications asap after 13 Jan.

Fixed

ClosedTBCMinor clarificationUpdate Security Profile page in Confluence to align to version in BitbucketThe master version of the Security Profile is held in Bitbucket. The Confluence page has not been kept up to date with changes to the master, and requires a cut-and-paste to align. 

The differences are non-normative, and the master is linked in the Confluence page, but these changes should be reflected for completeness.

All references are now link to the bitbucket.

Fixed

ClosedTBCMinor clarificationSecurity Profile: Clarity on the use of ciphers for the PSU facing Authorization end-pointClarification to reflect that the ASPSP's are free to support a more expansive list of TLS Ciphers on the Authorization Server Endpoint than is explicitly supported by the FAPI Read Write Security Profile section 8.6 

The differences are non TPP or ASPSP impacting as this clarification item is related to ASPSP → PSU communication link only. Will require collaboration with the OIDF FAPI Working Group. https://bitbucket.org/openid/fapi/issues/129/tls-cipher-restrictions-should-be-relaxed

Fixed Security Profile 1.1.2

ClosedTBCMedium Implementation bugDirectory Services: The x5t and x5t256 values of the JWKS files are being calculated incorrectly.There's an implementation defect in the way the x5t and x5t256 values of the JWKS files are being calculated. As a result, any participant relying on these values to correlate to the corresponding certificate will not be able to match the two values. The x5c and x5u values are correct and do match the public keys in the JWK.

Only one participant so far has called this out as an impacting issue however a process has been put in place to address any JWKs manually that are utilised by a TPP. A code change will be delivered to correct this generation process as soon as possible and existing JWKS entries will be updated.

Fixed

ClosedTBCMinor specification issueOpen Banking Security Profile: The KID for each JWK in the JWKS store isn't being calculated in the way that was indicated.The specification for KID calculation indicates that "OBIE will keep the KID's the same as the x5t". The implementation hasn't followed this intention. The way KID is currently being calculated is the SHA1 of the JWK instead of the SHA1 of the DER Encoded Certificate.

Open Banking will not change the way KIDs are calculated but will update the specifications to reference the way KID is being generated.

Fixed in directory spec

ClosedTBCMinor specification issueRead/Write API Specifications: Beneficiaries endpoint does not cater for all international benficiariesThe current beneficiaries endpoint only allows for beneficiaries which have a sort code and account number or IBAN. Some international beneficiaries are identified by other local identification schemes.

Some ASPSPs will not be able to share all details for some international beneficiaries. The specification will be updated to cater for this in the next release, as a non-breaking change.

Fixed

OpenTBCMinor specification issue

Security profile: Spec not clear that query parameters in the authorize url should be url-encoded

The examples that are referred too were created as part of the “security profile implementation guide”. They don’t appear in the security profile in bit bucket. They should be updated / corrected to reflect url encoding as per oidc cores examples.

Some ASPSPs may mis-interpret the specification. The examples will be updated in due course to make things clearer.

Security Profile Implementation Guide to be updated and published

ClosedCDRW-1206Minor clarificationInconsistency between Payments and Account specification should a ASPSP reject the request with a 403 if x-fapi-financial-id is invalid.

Accounts v1,1 seems to have dropped the following line from the spec inadvertently.

"If the value does not match the expected value (based on the Client ID or network certificate of the caller, the ASPSP must reject the request with a 403 (Not Authorized) status code." This is in response to https://openbanking.atlassian.net/browse/OBSD-2643

Some ASPSP have already misinterpreted the specification and don't validate this header.

Fixed

 Read/Write API v2.0

Read/Write API v2.0

References:

This version of the Read/Write API Specification will be supported by all CMA9 ASPSPs from 7 September 2018 for CMA Order in-scope accounts. The following table details known issues with this version of the specification.

Status
Ref
Type
Issue
Details
Impact/Mitigation
ClosedOBSD-4103ErrataOB Statements - Endpoint section specifies Filtering for wrong endpoints

Filtering word should be removed from the Endpoints table for:

  • GET /accounts/{AccountId}/statements/{StatementId} (Row#2)
  • GET /accounts/{AccountId}/statements/{StatementId}/transactions (Row#4)

Non-breaking change. The Swagger is correct for this issue, but the documentation has specified filtering on endpoints that should not apply filtering.

Will be fixed in v2.1

Has been fixed in v3.0

ClosedTBCBugOB Statements - filters missing in Swagger spec.

Filtering on statement dates is in the specification for:

  • GET /accounts/{AccountId}/statements
  • GET /statements

However - these are missing from the Swagger spec.

Non-breaking change. TPPs may expect the ability to filter on dates to identify statements. However, this functionality is missing from the Swagger spec.

Will be fixed in v2.1

Has been fixed in v3.0

ClosedTBCErrata

Usage Guidance Errata

For Party Endpoint:

Usage Examples for Account Owner and Authorised User - have been documented incorrectly.

Errata. Non-breaking change.

Will be fixed in v2.1.

Has been fixed in v3.0

ClosedTBCBug

Transactions Object Bug

Transactions object using the wrong currency exchange object.

In v3, we have fixed this with the CurrencyExchange object replacing the EquivalentAmount object to describe currency exchange.

Breaking change to replace the CurrencyExchange object.

ASPSPs cannot represent currency exchange information until this fix is applied.

Will be fixed in v2.1

Has been fixed in v3.0

ClosedTBCErrata

Address Code-LIst Errata

Updated ISO 20022 OBAddressTypeCode code from "DeliverTo" to "DeliveryTo"

Errata. Non-breaking change.

Will be fixed in v2.1

Has been fixed in v3.0

ClosedTBCRequested enhancements

Requested Enumerations for Use Cases

  • Enumeration definitions updated for:
    • Balance/Type - InterimCleared, OpeningCleared, ClosingCleared
    • StatementAmount/Type - PendingTransactionsBalance
    • StatementFee/Type - ForeignCashTransaction
    • CardInstrument/AuthorisationType - ConsumerDevice

Will not be included in v2.1 as fix.

Has been fixed in v3.0

ClosedOBSD-3833Bug/party endpoint AddressLine - mismatch between spec and Swagger

AddressLine in Swagger is specified as a string.

However - in the data dictionary is 0..5

Non-breaking change.

Will be fixed in v2.1

Has been fixed in v3.0

 Open Data API v2.1

Open Data API v2.1

References:

This version of the Open Data Specification will be supported by all CMA9 ASPSPs from 13 Jan 2018 and replaces v1.x. The following table details known issues with this version of the specification.

StatusRefTypeIssueDetailsImpact/Mitigation
Open

OD-803

Enhancement
Products: Need to split ServicingAccessChannel by individual services.
A request was made that AccessChannel be split in to:-
I) SalesAccessChannel - channel(s) by which a product may be sold to a customer
ii) ServicingAccessChannel - channel(s) by which an existing customer may obtain 1 or more services for a particular product.

Minor impact.

Will be updated in v2.2.

ClosedOD-826Minor bugRegular Expressions (Regex), that are required to constrain values entered in to fields to a certain pattern, should be in the data dictionary as well as the Swagger. Regex in Swagger is hard coded and there are a number of discrepancies (amount and rate fields) where these are limited to 2DP. They should be 3DP.

ASPSPs will only be able to specify amount and rates to 2 decimal places.

Has been fixed in v2.2.0-rc1.

ClosedOD-845Minor bug

OverdraftFeeApplicableRange section is a modelling error and should be removed from the PCA design.

OverdraftFeeApplicableRange doesn't appear in the Design at all but does appear in the swagger.

This is an optional field, so no impact.

Has been fixed in v2.2.0-rc1.

Open

OD-855

Enhancement
PCA, BCA: Minimum Arranged Overdraft Amount.

Some banking products require an account holder to take an Arranged Overdraft of at least £x, or else a bank will not process an Arranged Overdraft request.

This is potentially useful information. If, for example, an accountholder has an Arranged Overdraft of £100 currently, and a banking product that they're interested in taking requires a minimum Arranged Overdraft of £200, then they would not be able to switch their current account.

Minor impact.

Will be updated in v2.2.

ClosedOD-856Minor bug

All Notes fields should have a consistent cardinality 0..*

In some places cardinality is 0..1 and these should all be 0..n to allow multiple notes.

ASPSPs will have to combine notes into one field rather than separate fields.

Has been fixed in v2.2.0-rc1

ClosedOD-857Minor bugThe Max256Type datatype was not correctly generated in the Swagger files.Swagger is a string but GFEG defines 256 characters. Swagger should be changes to 256.

No impact.

Has been fixed in v2.2.0-rc1

ClosedOD-883Minor bug3 missing fee category codes.

FeeCategoryType1Code list is missing the following fields

'Auto', 
'FX' ,
'Investigation'

ASPSP can select other and chose one of these for now. No impact.

Has been fixed in v2.2.0-rc1

ClosedOD-884BugFix the way that mandatory field restrictions are generated by the Swagger generation script.Swagger contains required tag in the wrong place, which makes the Java Json Validator https://www.jsonschemavalidator.net/ fail.

ASPSPs cannot validate using Java Json Validator, but will have to use OB Json Validation tool instead.

Has been fixed in v2.2.0-rc1

Open
OD-973
Minor bug
PCA, BCA, SMELoan and CCC amend spelling mistake in the codelist

There are a number of spelling mistakes in code lists (e.g. CoreProduct/ LoanApplicationFeeChargeType enumeration "NoLoanApplicationFee" is incorrectly spelt "NoLoanApplicatioFee" in swagger).


TPPs may see some values with spelling mistakes.

Will be fixed in v2.2.

Open

OD-978

Enhancement
Enhance the Fee and charges Cap so that it can be linked with the any Fee Type.

Where there are tiered fees and charges, the current design only allows the ASPSP to use one cap across the tiers.

../OtherFeesAndCharges/FeeChargeCap unable to explicitly link to a ../OtherFeesAndCharges/FeeCharge Detail


ASPSPs can use notes field to specify complex caps. This item requires a decision as to whether it may be included in a future release.
Open

OD-979

Minor bug
Make the identification field optional for all section except Product ID
Some ID fields in PCA (e.g. <Product>MarketingState/Identification) are mandatory and should be optional to be consistent with BCA, SMELoans, CCC.


ASPSPs will have to populate with some value (e.g. 0).

Will be fixed in v2.2.

Open

OD-980

Minor bug
Restriction on regular expression for Residency Included field should be removed.
For specifying the countries for which the PCA products are available/restricted to use the field ResidencyIncluded, current specification specifies it's DataType as OB_CodeMnemonic with a fixed length of 4. However, to correctly specify data values in this field, the correct DataType restriction should allow length of up to 4 and NOT fixed at 4. e.g. The value on this is expected to be 'UK' or 'EU', which would error out with the specification supplied.

ASPSPs will have to pad out the field (e.g. with spaces).

Will be fixed in v2.2.

Open

OD-981

Minor bug
Check the possibility of changing the optional or mandatory fields as an array rather than objects.
For any fields where cardinality is 0..1, the swagger defines this as an object. For 1..1 and 1..n the swagged defines this as an array. Ideally these should all be arrays.

No impact.

Will be fixed in v2.2.

Open

OD-986

Minor bug
Missing 'Other' code from Fee Type under overdraft fee charge details and cap section.
In PCA and BCA schema the FeeType Enum in the OverDraftFeesCharges of overdraftTierSet and OverDraftTierBand are missing the "Other" value in both OverdraftFeeChargeCap and OverdraftFeeChargeDetail.

ASPSPs can only specify fee types using the standard code list. Minor impact, as code lists are fairly comprehensive.

Will be fixed in v2.2.

Open

OD-997

Enhancement
Add "Academic Term" in period code list.

The current code list options for:

OpenBankingPCA/Brand/PCA/PCAMarketingState/StateTenurePeriod

should be extended to include: AcademicTerm.

Some ASPSPs may have to use Monthly, Quarterly, Yearly for now. Minor impact.

Will be updated in v2.2.

Open
OD-1010
Minor bug
Remove the example reference url link from the base of the API URI

Current URLs for V1.2 and the Swagger which implies a different configuration.

Current example: https://openapi.nationwide.co.uk/open-banking/v1.2/atms

Our assumption is we would just change the version number however Swagger suggests a new part of the URL is being added:

“/reference-implementation/open-banking/v2.1”

ASPSPs should remove/replace 'reference-implementation' with their own URI. Minor impact.

Will be fixed in 2.2.