Known Specification Issues

Known issues with the latest versions of Open Banking specifications are detailed here. For each release, we have included a table that shows the issue and also any impact and/or mitigation.

This page is NOT concerned with issues relating to the implementation of the specifications (either by an ASPSP or a TPP) or for documentation and guides, but ONLY for the actual specifications. In many cases, these issues have already been fixed in a release candidate for the next version, which is available to all registered users in the Open Banking Collaboration Space

To report any other issues, please log via the Open Banking Service Desk.

 Read/Write API v3.1.8
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

Open

For VRPs, the section on Events (https://openbankinguk.github.io/read-write-api-site3/v3.1.8/profiles/vrp-profile.html#event-notifications) states that 

In any such situation where an account linked to avrp-consentcan no longer be used, temporarily or permanently, to make payments, the ASPSP must inform the TPP using events.

The specification should be modified to read:

In any such situation where an account linked to a vrp-consent can no longer be used, temporarily or permanently, to make payments, the ASPSP should inform the TPP using events.


VRPASPSPApr-2021 OBSD-25276 - Getting issue details... STATUS Reported in TDA

CDRW-3937 - Getting issue details... STATUS


Open



In the Domestic VRPs - v3.1.8 spec data model it says:

Reference (0..1)
RemittanceInformation. Reference
Unique reference, as assigned by the creditor, to unambiguously refer to the payment transaction. The PISP must populate this with the same value as specified in the ControlParameters.Reference field of the consent.

The field does not exist

Spec should be updated to read "The PISP must populate this with the same value as specified in the `Data.Initiation.RemittanceInformation.Reference`"

VRPASPSPMay-2021 OBSD-23244 - Getting issue details... STATUS
OpenRejected code is not listed in https://openbankinguk.github.io/read-write-api-site3/v3.1.8/profiles/account-and-transaction-api-profile.html#static-enumerations for rejected Code to be addedAISASPSPMay-2021 OBSD-23512 - Getting issue details... STATUS
OpenThe action to be taken for Access Revocation (See https://openbankinguk.github.io/read-write-api-site3/v3.1.8/profiles/account-and-transaction-api-profile.html#access-revocation) is not clear due to the use of the term "may"

Change the statement:

A PSU may revoke AISP's access directly with the ASPSP, via the access dashboard. In such a situation:

  • The ASPSPs may revoke/expire the access token provided to the AISP.

to read:

...

  • The ASPSP must take the necessary action to revoke access e.g. by revoking/expiring the access token provided to the AISP.
AISASPSPJune-2021 OBSD-23823 - Getting issue details... STATUS
OpenThe response object specified for the payment details endpoint is incorrect

Change the Endpoints table Response Object entry  for payment-details

OBDomesticVRPRequestDetailResponse

to read

OBDomesticVRPDetails


VRP

ASPSPJuly-2021 OBSD-24689 - Getting issue details... STATUS
Open

Errata fixes to VRP example 2 and example 3 

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrp-consents.html#examples-of-periodic-limits

Change Example 2 from

 to


Change Example 3 from

 to

VRPTPPJuly-2021 OBSD-24907 - Getting issue details... STATUS CDRW-4036 - Getting issue details... STATUS
Open

Errata fix to update resources and data models page for VRP - https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/

Update VRP Resources and Data Models page to include all VRP endpoints including resource compatibility with version 3.1.8 and 3.1.9VRPTPPAug-2021

OBSD-25460 - Getting issue details... STATUS

OBSD-26172 - Getting issue details... STATUS



Open

Errata fix to update enumerations for VRP - https://openbankinguk.github.io/read-write-api-site3/v3.1.8/references/namespaced-enumerations.html

VRP

TPP

ASPSP

Aug-2021

Jul-2021

OBSD-25446 - Getting issue details... STATUS

OBSD-25088 - Getting issue details... STATUS


Open

Errata fix to update State model table to remove "Expired" status

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrp-consents.html#state-model---vrp-consents

VRPASPSPAug-2021 OBSD-25600 - Getting issue details... STATUS
Open

Errata fix to update permissions in Transactions API 

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/aisp/Transactions.html#permission-codes

Update Permissions section to include ReadTransactionsCredits and ReadTransactionsDebitsAISPTPPAug-2021 OBSD-25715 - Getting issue details... STATUS
Open

Clarification on 

PeriodType=Fortnight

PeriodAlignment=Calendar

ValidToDateTime

https://openbankinguk.github.io/read-write-api-site3/v3.1.8/resources-and-data-models/vrp/domestic-vrp-consents.html#obdomesticvrpcontrolparameters

Clarification on the below combination -

PeriodType=Fortnight

PeriodAlignment=Calendar

To refrain from implementing this combination, as the ISO calendar does not support or provide any guidance on when a fortnight should start.

Clarification on time part in the consent -

ValidFromDateTime

ValidToDateTime

The consent period starts and ends at midnight - effectively the time element of the date should be disregarded in computing the date range and pro-rating.

VRPASPSPAug-2021 OBSD-25599 - Getting issue details... STATUS
 Read/Write API v3.1.7
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

Open

For file payments, the OBWriteFileResponse3/Data/Debtor/Name field only allows a single value. 

Guidance or changes are required for what should be done in situations where the file payments are made from multiple debtor accounts

To be confirmed following completion of FCA consultation on Debtor Name/Account fields

PISASPSPMar-2021 OBSD-22139 - Getting issue details... STATUS
 Read/Write API v3.1.6
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

Fixed

This property is documented to be a class of type ‘OBBranchAndFinancialInstitutionIdentification6’.

This is incorrect and it should be ‘OBCashAccountCreditor3’.

Addressed in v3.17

PISTPPJun-2020 OBSD-16647 - Getting issue details... STATUS CDRW-3428 - Getting issue details... STATUS
Fixed

In the Domestic-Standing-Orders section, the ‘OBDomesticStandingOrder3’ class includes the ‘CreditorAccount’ property.

This property is documented to be a class of type ‘OBBranchAndFinancialInstitutionIdentification6’, although the fields documented beyond that (in CreditorAccount path) are not.

Addressed in v3.17PISTPPJun-2020

OBSD-16647 - Getting issue details... STATUS


CDRW-3428 - Getting issue details... STATUS
Fixed

Transaction Identifier. A unique identifier for the transaction. ASPSPs *may *populate this field with the x-fapi-transaction-id of the api operation that lead to the change, or populate it with the same value as jti. 

This should read x-fapi-interaction-id instead of x-fapi-transaction-id

Addressed in v3.17AISTBC Jul-2020 OBSD-16818 - Getting issue details... STATUS CDRW-3448 - Getting issue details... STATUS
FixedThe POST endpoint is listed in the Endpoints table, but no further documentation is providedAddressed in v3.17PISTPPJul-2020

OBSD-16778 - Getting issue details... STATUS

CDRW-3449 - Getting issue details... STATUS
FixedDocument styling an formatting issueAddressed in v3.17AISInternalJul-2020

OBSD-15322 - Getting issue details... STATUS

CDRW-3445 - Getting issue details... STATUS
FixedThe Version History format for 3.1.5 and 3.1.6 is presented in different stylesAddressed in v3.17GeneralInternalJul-2020NA (Reported internally) CDRW-3446 - Getting issue details... STATUS
FixedAdditional examples to be addedAddressed in v3.17GeneralASPSPJul-2020Reported by email CDRW-3485 - Getting issue details... STATUS
FixedIncorrect field size for ReferencePaymentId field in  SCA Support DataAddressed in v3.17PISPASPSPJul-2020 OBSD-17345 - Getting issue details... STATUS CDRW-3500 - Getting issue details... STATUS
FixedBank Transaction Code size field is not in sync between specifications and swaggerAddressed in v3.17AISPASPSPJun-2020 OBSD-16489 - Getting issue details... STATUS CDRW-3503 - Getting issue details... STATUS
FixedFor the CASS status, "NotSwitched" is spelt incorrectly in one instance Addressed in v3.17AISPASPSPAug-2020 OBSD-17586 - Getting issue details... STATUS CDRW-3517 - Getting issue details... STATUS
FixedInconsistent description of "CreationDate"Addressed in v3.17PISPASPSPSep-2020 OBSD-18538 - Getting issue details... STATUS CDRW-3679 - Getting issue details... STATUS
FixedIncorrect example for CountrySubdivisionAddressed in v3.17PISPASPSPSep-2020 OBSD-18590 - Getting issue details... STATUS CDRW-3682 - Getting issue details... STATUS
 Read/Write API v3.1.5
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed OBSD-15311 - Getting issue details... STATUS Errata

Incorrect multiplicity for OBRisk1/DeliveryAddress/CountrySubDivision


The occurence is specified as 0..2 instead of 0..1

This will be fixed in v3.1.6

FixedNAClarificationBehaviour when a incorrectly formatted ISO Date is provided in a request is not clearly defined

Clarify that when an ASPSP receives a request with an incorrectly formatted date, it may respond with a status code of 400 Bad Request and an error code of UK.OBIE.Field.InvalidDate.

This will be fixed in v3.1.6
Fixed OBSD-12579 - Getting issue details... STATUS ClarificationThe txn claim for OBEventNotification2 is optional in the SET standard, but mandatory in the OBIE standard.
Clarify the usage of the txn claim in the standard.
 Dynamic Client Registration v3.3
Status
Details
Impact/Mitigation
AreaReporterReported

Service Desk Ticket Number

(OBIE access only)

Work Item Ticket Number

(OBIE Access Only)

Open

The enumeration for application_type has incorrect values

This will be fixed in a forthcoming release.

GeneralTPPAug-2020 OBSD-17624 - Getting issue details... STATUS CDRW-3518 - Getting issue details... STATUS
 Dynamic Client Registration v3.2
Status
Ref
Type
Issue
Details
Impact/Mitigation
Open
Minor Bug

The regex pattern for uuidv4 specified for the jti field is incorrect in the specification.

As per the UUID specification (https://tools.ietf.org/html/rfc4122#section-3):

1 The hexadecimal values "a" through "f" are output as lower case characters and are case insensitive on input.


This has been fixed in the swagger file for v3.2.

The specification will be corrected in the next version.

 Read/Write API Version 3.1.4
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed
Minor BugIncorrect cardinality in RefundAccount.Name

https://github.com/OpenBankingUK/read-write-api-docs-pub/commit/788eb1f5261177a49e8afaee7f9e52a19c5bda52

Fixed in v3.1.5

Fixed
Minor BugAmount regular expression was incorrecthttps://github.com/OpenBankingUK/read-write-api-docs-pub/commit/cfdba4047b9cbea9982051e9b821fc48adb916eb

Fixed in v3.1.5

Old regex will not accept amounts without a decimal point

Fixed
Minor BugBroken links in "Usage Examples" index filehttps://github.com/OpenBankingUK/read-write-api-docs-pub/commit/e763fe34669c5968708504e7c9d3a9299ec1f27e

Cosmetic changes only.

Fixed in Version 3.1.5

Fixed
Minor BugUML diagrams for International Payments used incorrect re-usable class versionshttps://github.com/OpenBankingUK/read-write-api-docs-pub/commit/e763fe34669c5968708504e7c9d3a9299ec1f27eFixed in Version 3.1.5
 Read/Write API Version 3.1.1 - 3.1.3
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed
ErrataImprovements to Event Notifications

https://github.com/OpenBankingUK/read-write-api-docs-pub/commit/85addb6bd4ef06f78c600a28d4ef2be5c3a5ab1f

These have been fixed in Version 3.1.4

Fixed
Minor BugInconsistencies in class and URL names.https://github.com/OpenBankingUK/read-write-api-docs-pub/commit/ba4abc36b60b89da48b980586be2d72e0bdb9c35These have been fixed in Version 3.1.4
Fixed
Minor BugErrors in markdown causing poor rendering on some environementshttps://github.com/OpenBankingUK/read-write-api-docs-pub/commit/c36a270434203b3727afed34a74e6567dd7d8163

Cosmetic changes only.

These have been fixed in Version 3.1.4

 DCR API Ver 3.1
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed OBSD-12892 - Getting issue details... STATUS Minor Bugsoftware_id field length and pattern is not correct (^[0-9a-zA-Z]{1,18}$). It should be 22 characters( fixed in V3.2 onwards)

We're having issues with dynamic client registration. The validation for the "iss" field in the OBRegistrationRequest1 object (in DCR v3.1) is as follows:

^[0-9a-zA-Z]{1,18}$

The guidance for this is as follows:

For SSAs issued by the OB Directory, this must be the software_id

But the software_id issued in the OB directory is 22 characters in length so is not valid according to the spec. I've noticed the 3.2 registration spec does allow for this length, but most banks don't support this registration version yet. We can register with banks that don't validate this or banks that implement the 3.2 spec, but by the looks of our registration attempts Nationwide validates the length and doesn't implement the 3.2 spec. I'd imagine there are more banks in a similar position. How do you suggest working around this issue in the mean time?

banks must provide a workaround for. The customer must contact Nationwide directly for support. If he/she is not getting the required support, he/she should raise a new ticket complaining about Nationwide and OBIE Central Testing team will get involved.


This has been fixed in V3.2

 Read/Write API Ver 3.0
Status
Ref
Type
Issue
Details
Impact/Mitigation
Fixed

OBSD-4642 - Getting issue details... STATUS

ErrataR/W Spec Parent Page mentions application/json as the only permitted value for Content-Type



The swagger definitions for each of the APIs is correct.

The statement will be corrected in v3.1 to be accurate.

Fixed
Minor Bug

v3.0-rc3 Swagger has incorrect length for Path field in the OBError1 object.

v3.0-rc3 Swagger has incorrect length for Path field in the OBError1 object.

This should be Max500Text instead of Max40Text.

To be fixed in v3.0-rc4 of the Swagger spec.
Fixed
Minor BugThe status model for the Domestic and International Payments (Immediate) does not contain a transition from AcceptedSettlementInProcess that handles error cases.

A transition from AcceptedSettlementInProcess to Rejected should be included on the status model diagram. This would bring it back in line with the current status model in v1.1

Amend the specification in v3.1 to include a transition from AcceptedSettlementInProcess to Rejected.

Fixed
Errata

v3 RC3 International Standing Orders page - Reusable Class UML Diagram is incorrect.

v3 RC3 International Standing Orders page.

The Reusable Class describes OBInternationalStandingOrder1 but the UML diagram represents OBWriteInternationalStandingOrder1 (the consent request object).

UML DIagram for OBInternationalStandingOrder1 isn't provided in the specification.

Amend the specification in V3.1 to include the correct UML Diagram.

Fixed
OBSD-4752 - Getting issue details... STATUS
Minor BugOBActiveCurrencyAndAmount_SimpleType in the specifications is missing the Pattern:
'^\d{1,13}\.\d{1,5}$'.

Account, Payment and COF Data Dictionary in the specification does not have the pattern for OBActiveCurrencyAndAmount_SimpleType defined.

The swagger definition has the correct regex pattern.

For Consistency of the specs with swagger, it will be fixed in V3.1 specification.

Fixed


OBSD-4787 - Getting issue details... STATUS

Minor Bug"Meta" and "Links" tag in response are shown in examples but not in swagger. 

To be fixed in v3.0-rc4 of the Swagger spec.

Fixed

OBSD-4786 - Getting issue details... STATUS

Minor BugFunds Confirmation Usage Examples missing meta elementMeta is a mandatory data element in the JSON response, but is missing in the example.

Specification and Swagger spec are accurate.

Example will be fixed in V3.1 specification.

Fixed

OBSD-4785 - Getting issue details... STATUS

ErrataTypo on Products/PCA Data Model and Products/BCA Data Model pages

Fix gramattical error:

  • FeaturesAndBenefits: Further analysis is required to check whether feature and benefits sections is needed are not

Changes required in PCA Product Data Model & BCA Product Data Model.

Will be fixed in V3.1 specification.

FixedRaised by OB R/W API TeamMinor BugIncorrect type (length) for DomesticStandingOrderId and InternationalStandingOrderId.

Payment Order Ids for Standing Orders (DomesticStandingOrderId and InternationalStandingOrderId) is of the type Max128Text, while other Payment Order Ids are of type Max40Text.


The Ids should be standardised to Max40Text for consistenc

This will be fixed in  v3.0-rc4 of the Swagger spec.

The specification will be updated in v3.1

Fixed OBSD-2303 - Getting issue details... STATUS Minor BugV3 Specification specifies that Error Codes in Authorisation flow must be aligned to OAuth Error codes.Section 3.6 of the V3 RC3 specification incorrectly specifies following:

ASPSPs must respond with error response in the OAuth/OIDC flow with mandatory alignment of error codes to those specified in RFC 6749 Section 4.1.2.1

However, ASPSPs may extend the error response codes to include OIDC error responses as well.

The sentence should read:

It must be changed to the following, to include a reference to OIDC Error Codes:

ASPSPs must respond with error response in the Authorisation flow with mandatory alignment of error codes to those specified in Section 3.1.2.6 Authentication Error Response of OIDC Core specification.

This will be updated in v3.1

FixedRaised by OB R/W API TeamMinor BugDetails for PUT operations are not provided in Request Headers and HTTP Status codes sections.

The R/W Ver 3.0 specifications introduced a PUT operation for ASPSP Event Notification specification.

The Request Headers and HTTP Status Codes for PUT operations should be explicity defined.

The Request Headers for PUT operations are the same as those for POST operations.

The HTTP Codes for PUT operations are the same as those for DELETE operations.

The tables will be updated in v3.1 to reflect the above.

FixedRaised by OB R/W API TeamErrata'Process for verifying a signature' mislabels Step 2 as Step 1.

It will be fixed in V3.1 specification.

FixedRaised by OB R/W API TeamMinor BugIn The 'Steps' section on the Payments specification, the description for Step 4 should be generalised for redirect as well as decoupled journeys


It should be made clear that step 4 occurs when authorisation is complete. This would apply in both the redirect and decoupled flows.

It will be fixed in V3.1 specification.

FixedCDRW-2373Minor BugIncorrect Usage ExamplesSelf Links in Usage Examples don’t Contain NamespaceIt will be fixed in V3.1 specification.
FixedCDRW-2372Minor BugIncorrect Usage ExamplesMissing idempotency key on Standing Order ExamplesIt will be fixed in V3.1 specification.
FixedCDRW-2583Minor BugIncorrect Usage ExamplesIncorrect Usage Example for Bulk TransactionsIt will be fixed in V3.1 specification.
FixedCDRW-2408ErrataSwagger files  - ProductType field missingThe ProductType field was inadvertently left out of the swagger files for the product end-pointsProductType re-introduced. Will be fixed. v3.1
FixedCDRW-2423ErrataIncorrect field size for PurposeCodeThe PurposeCode field for international payments is of the incorrect length (35 chars rather than the ISO enum size of 4 chars)It will be fixed in V3.1 specification.
FixedCDRW-2409Minor BugGrammar FixFixed multiple instances of poor grammar and lapses of typographical diligence.It will fix be in v3.1 specification.
FixedCDRW-2582ErrataTransaction permissions not specifiedTransaction Permissions Errata (Debtor/Creditor Agent Inconsistency)It will be fixed in V3.1 specification.
FixedCDRW-2585ClarificationCommon base-url for all resourcesState that the base-url must be the same for all resourcesIt will be fixed in V3.1 specification.
FixedCDRW-2584ClarificationImprove definition of CurrencyOfTransfer
It will be fixed in V3.1 specification.
FixedCDRW-2671ErrataIncorrect data type for iat and toe claimsThe iat and toe claims are specified as strings.These should be numeric (in keeping with the defintion of iat in the JWT RFC)It will be fixed in V3.1 specification.
Open OBSD-15311 - Getting issue details... STATUS Errata

Incorrect multiplicity for OBRisk1/DeliveryAddress/CountrySubDivision

The occurence is specified as 0..2 instead of 0..1This will be fixed in v3.1.6


 Read/Write API v1.1

Read/Write API v1.1

References:

This version of the Read/Write API Specification will be supported by all CMA9 ASPSPs from 13 Jan 2018. The following table details known issues with this version of the specification.

StatusRefTypeIssueDetailsImpact/Mitigation
ClosedCDRW-928Minor bugSecurity Profile / Signing: Ensure we have got B64Enc v/s B64URLEnc.

In the security profile, step 3 "Form the payload to be signed " provides an example that Base64 encodes JOSE header and json. Similarly the signature that is computed in Step 4 of the documentation is highlighted in the example as Base64 encoded formatted.

The RFC 7515 states that the header and json is encoded in Base64URL format and not Base64.

The security profile should be updated to match RFC 7515.

ASPSPs and TPPs should be advised in the documentation to follow the RFC in this case.

Fixed in v3

ClosedCDRW-929Minor bugLinks format in swagger and example on Confluence doesn't match.

The Links object in the swagger contains fields with format as URI and this can be absolute URI but the examples on confluence take in values as relative URI

The standard for sending links to the consumer should be absolute URI.

ASPSPs and TPPs should be advised in the documentation to use absolute URIs. 

Fixed

OpenTBCMinor clarificationOB Security Profile has been incorrectly interpreted by an ASPSP.Clarification to reflect that TPPs are NOT required to pass ACR values in either the requested acr_values string or inside the request object to address a possible mis-interpretation. This is a MAY and not a MUST as already stated in v1.1.0 of the specification.

No impact as long as ASPSPs and TPPs follow the existing spec.

Wording will be made clearer/more explicit in next release.

Security Profile Implementation Guide to be updated and published

Closed

TBCMinor clarificationSecurity Profile: Clarity on use of MA-TLS with OIDC well-known end-point.Clarification to reflect that an ASPSP's OIDC well-known end-point MUST NOT use TLS-MA. The end-point SHOULD use TLS.

No impact on ASPSPs and TPPs that have followed the existing specification. Wording will be improved and made more explicit in the next release.

Fixed Security Profile 1.1.2

ClosedTBCMinor bugDirectory: The mechanism that OB uses to calculate x5t does not meet specification.

Any participant attempting to check certificates fingerprints against the x5t parameter will find validation errors.

​As a result of this issue, the kid field for all JWK's in the OB stores do not confirmed to the published specification where OB committed to keeping the "kid" the same as the "x5t". 

Potential impact on participants that rely on x5t being correct in order to accept a jwk as valid. Any participant that is following the OB specification and dynamically calculating the appropriate kid to use when creating JWT's will reject all messages from TPPs.

OB will implement a workaround for effected participants at start of managed rollout, and implement a permanent fix and update the specifications asap after 13 Jan.

Fixed

ClosedTBCMinor clarificationUpdate Security Profile page in Confluence to align to version in BitbucketThe master version of the Security Profile is held in Bitbucket. The Confluence page has not been kept up to date with changes to the master, and requires a cut-and-paste to align. 

The differences are non-normative, and the master is linked in the Confluence page, but these changes should be reflected for completeness.

All references are now link to the bitbucket.

Fixed

ClosedTBCMinor clarificationSecurity Profile: Clarity on the use of ciphers for the PSU facing Authorization end-pointClarification to reflect that the ASPSP's are free to support a more expansive list of TLS Ciphers on the Authorization Server Endpoint than is explicitly supported by the FAPI Read Write Security Profile section 8.6 

The differences are non TPP or ASPSP impacting as this clarification item is related to ASPSP → PSU communication link only. Will require collaboration with the OIDF FAPI Working Group. https://bitbucket.org/openid/fapi/issues/129/tls-cipher-restrictions-should-be-relaxed

Fixed Security Profile 1.1.2

ClosedTBCMedium Implementation bugDirectory Services: The x5t and x5t256 values of the JWKS files are being calculated incorrectly.There's an implementation defect in the way the x5t and x5t256 values of the JWKS files are being calculated. As a result, any participant relying on these values to correlate to the corresponding certificate will not be able to match the two values. The x5c and x5u values are correct and do match the public keys in the JWK.

Only one participant so far has called this out as an impacting issue however a process has been put in place to address any JWKs manually that are utilised by a TPP. A code change will be delivered to correct this generation process as soon as possible and existing JWKS entries will be updated.

Fixed

ClosedTBCMinor specification issueOpen Banking Security Profile: The KID for each JWK in the JWKS store isn't being calculated in the way that was indicated.The specification for KID calculation indicates that "OBIE will keep the KID's the same as the x5t". The implementation hasn't followed this intention. The way KID is currently being calculated is the SHA1 of the JWK instead of the SHA1 of the DER Encoded Certificate.

Open Banking will not change the way KIDs are calculated but will update the specifications to reference the way KID is being generated.

Fixed in directory spec

ClosedTBCMinor specification issueRead/Write API Specifications: Beneficiaries endpoint does not cater for all international benficiariesThe current beneficiaries endpoint only allows for beneficiaries which have a sort code and account number or IBAN. Some international beneficiaries are identified by other local identification schemes.

Some ASPSPs will not be able to share all details for some international beneficiaries. The specification will be updated to cater for this in the next release, as a non-breaking change.

Fixed

OpenTBCMinor specification issue

Security profile: Spec not clear that query parameters in the authorize url should be url-encoded

The examples that are referred too were created as part of the “security profile implementation guide”. They don’t appear in the security profile in bit bucket. They should be updated / corrected to reflect url encoding as per oidc cores examples.

Some ASPSPs may mis-interpret the specification. The examples will be updated in due course to make things clearer.

Security Profile Implementation Guide to be updated and published

ClosedCDRW-1206Minor clarificationInconsistency between Payments and Account specification should a ASPSP reject the request with a 403 if x-fapi-financial-id is invalid.

Accounts v1,1 seems to have dropped the following line from the spec inadvertently.

"If the value does not match the expected value (based on the Client ID or network certificate of the caller, the ASPSP must reject the request with a 403 (Not Authorized) status code." This is in response to https://openbanking.atlassian.net/browse/OBSD-2643

Some ASPSP have already misinterpreted the specification and don't validate this header.

Fixed

 Read/Write API v2.0

Read/Write API v2.0

References:

This version of the Read/Write API Specification will be supported by all CMA9 ASPSPs from 7 September 2018 for CMA Order in-scope accounts. The following table details known issues with this version of the specification.

Status
Ref
Type
Issue
Details
Impact/Mitigation
ClosedOBSD-4103ErrataOB Statements - Endpoint section specifies Filtering for wrong endpoints

Filtering word should be removed from the Endpoints table for:

  • GET /accounts/{AccountId}/statements/{StatementId} (Row#2)
  • GET /accounts/{AccountId}/statements/{StatementId}/transactions (Row#4)

Non-breaking change. The Swagger is correct for this issue, but the documentation has specified filtering on endpoints that should not apply filtering.

Will be fixed in v2.1

Has been fixed in v3.0

ClosedTBCBugOB Statements - filters missing in Swagger spec.

Filtering on statement dates is in the specification for:

  • GET /accounts/{AccountId}/statements
  • GET /statements

However - these are missing from the Swagger spec.

Non-breaking change. TPPs may expect the ability to filter on dates to identify statements. However, this functionality is missing from the Swagger spec.

Will be fixed in v2.1

Has been fixed in v3.0

ClosedTBCErrata

Usage Guidance Errata

For Party Endpoint:

Usage Examples for Account Owner and Authorised User - have been documented incorrectly.

Errata. Non-breaking change.

Will be fixed in v2.1.

Has been fixed in v3.0

ClosedTBCBug

Transactions Object Bug

Transactions object using the wrong currency exchange object.

In v3, we have fixed this with the CurrencyExchange object replacing the EquivalentAmount object to describe currency exchange.

Breaking change to replace the CurrencyExchange object.

ASPSPs cannot represent currency exchange information until this fix is applied.

Will be fixed in v2.1

Has been fixed in v3.0

ClosedTBCErrata

Address Code-LIst Errata

Updated ISO 20022 OBAddressTypeCode code from "DeliverTo" to "DeliveryTo"

Errata. Non-breaking change.

Will be fixed in v2.1

Has been fixed in v3.0

ClosedTBCRequested enhancements

Requested Enumerations for Use Cases

  • Enumeration definitions updated for:
    • Balance/Type - InterimCleared, OpeningCleared, ClosingCleared
    • StatementAmount/Type - PendingTransactionsBalance
    • StatementFee/Type - ForeignCashTransaction
    • CardInstrument/AuthorisationType - ConsumerDevice

Will not be included in v2.1 as fix.

Has been fixed in v3.0

ClosedOBSD-3833Bug/party endpoint AddressLine - mismatch between spec and Swagger

AddressLine in Swagger is specified as a string.

However - in the data dictionary is 0..5

Non-breaking change.

Will be fixed in v2.1

Has been fixed in v3.0

 Open Data API v2.1

Open Data API v2.1

References:

This version of the Open Data Specification will be supported by all CMA9 ASPSPs from 13 Jan 2018 and replaces v1.x. The following table details known issues with this version of the specification.

StatusRefTypeIssueDetailsImpact/Mitigation
Open

OD-803

Enhancement
Products: Need to split ServicingAccessChannel by individual services.
A request was made that AccessChannel be split in to:-
I) SalesAccessChannel - channel(s) by which a product may be sold to a customer
ii) ServicingAccessChannel - channel(s) by which an existing customer may obtain 1 or more services for a particular product.

Minor impact.

Will be updated in v2.2.

ClosedOD-826Minor bugRegular Expressions (Regex), that are required to constrain values entered in to fields to a certain pattern, should be in the data dictionary as well as the Swagger. Regex in Swagger is hard coded and there are a number of discrepancies (amount and rate fields) where these are limited to 2DP. They should be 3DP.

ASPSPs will only be able to specify amount and rates to 2 decimal places.

Has been fixed in v2.2.0-rc1.

ClosedOD-845Minor bug

OverdraftFeeApplicableRange section is a modelling error and should be removed from the PCA design.

OverdraftFeeApplicableRange doesn't appear in the Design at all but does appear in the swagger.

This is an optional field, so no impact.

Has been fixed in v2.2.0-rc1.

Open

OD-855

Enhancement
PCA, BCA: Minimum Arranged Overdraft Amount.

Some banking products require an account holder to take an Arranged Overdraft of at least £x, or else a bank will not process an Arranged Overdraft request.

This is potentially useful information. If, for example, an accountholder has an Arranged Overdraft of £100 currently, and a banking product that they're interested in taking requires a minimum Arranged Overdraft of £200, then they would not be able to switch their current account.

Minor impact.

Will be updated in v2.2.

ClosedOD-856Minor bug

All Notes fields should have a consistent cardinality 0..*

In some places cardinality is 0..1 and these should all be 0..n to allow multiple notes.

ASPSPs will have to combine notes into one field rather than separate fields.

Has been fixed in v2.2.0-rc1

ClosedOD-857Minor bugThe Max256Type datatype was not correctly generated in the Swagger files.Swagger is a string but GFEG defines 256 characters. Swagger should be changes to 256.

No impact.

Has been fixed in v2.2.0-rc1

ClosedOD-883Minor bug3 missing fee category codes.

FeeCategoryType1Code list is missing the following fields

'Auto', 
'FX' ,
'Investigation'

ASPSP can select other and chose one of these for now. No impact.

Has been fixed in v2.2.0-rc1

ClosedOD-884BugFix the way that mandatory field restrictions are generated by the Swagger generation script.Swagger contains required tag in the wrong place, which makes the Java Json Validator https://www.jsonschemavalidator.net/ fail.

ASPSPs cannot validate using Java Json Validator, but will have to use OB Json Validation tool instead.

Has been fixed in v2.2.0-rc1

Open
OD-973
Minor bug
PCA, BCA, SMELoan and CCC amend spelling mistake in the codelist

There are a number of spelling mistakes in code lists (e.g. CoreProduct/ LoanApplicationFeeChargeType enumeration "NoLoanApplicationFee" is incorrectly spelt "NoLoanApplicatioFee" in swagger).


TPPs may see some values with spelling mistakes.

Will be fixed in v2.2.

Open

OD-978

Enhancement
Enhance the Fee and charges Cap so that it can be linked with the any Fee Type.

Where there are tiered fees and charges, the current design only allows the ASPSP to use one cap across the tiers.

../OtherFeesAndCharges/FeeChargeCap unable to explicitly link to a ../OtherFeesAndCharges/FeeCharge Detail


ASPSPs can use notes field to specify complex caps. This item requires a decision as to whether it may be included in a future release.
Open

OD-979

Minor bug
Make the identification field optional for all section except Product ID
Some ID fields in PCA (e.g. <Product>MarketingState/Identification) are mandatory and should be optional to be consistent with BCA, SMELoans, CCC.


ASPSPs will have to populate with some value (e.g. 0).

Will be fixed in v2.2.

Open

OD-980

Minor bug
Restriction on regular expression for Residency Included field should be removed.
For specifying the countries for which the PCA products are available/restricted to use the field ResidencyIncluded, current specification specifies it's DataType as OB_CodeMnemonic with a fixed length of 4. However, to correctly specify data values in this field, the correct DataType restriction should allow length of up to 4 and NOT fixed at 4. e.g. The value on this is expected to be 'UK' or 'EU', which would error out with the specification supplied.

ASPSPs will have to pad out the field (e.g. with spaces).

Will be fixed in v2.2.

Open

OD-981

Minor bug
Check the possibility of changing the optional or mandatory fields as an array rather than objects.
For any fields where cardinality is 0..1, the swagger defines this as an object. For 1..1 and 1..n the swagged defines this as an array. Ideally these should all be arrays.

No impact.

Will be fixed in v2.2.

Open

OD-986

Minor bug
Missing 'Other' code from Fee Type under overdraft fee charge details and cap section.
In PCA and BCA schema the FeeType Enum in the OverDraftFeesCharges of overdraftTierSet and OverDraftTierBand are missing the "Other" value in both OverdraftFeeChargeCap and OverdraftFeeChargeDetail.

ASPSPs can only specify fee types using the standard code list. Minor impact, as code lists are fairly comprehensive.

Will be fixed in v2.2.

Open

OD-997

Enhancement
Add "Academic Term" in period code list.

The current code list options for:

OpenBankingPCA/Brand/PCA/PCAMarketingState/StateTenurePeriod

should be extended to include: AcademicTerm.

Some ASPSPs may have to use Monthly, Quarterly, Yearly for now. Minor impact.

Will be updated in v2.2.

Open
OD-1010
Minor bug
Remove the example reference url link from the base of the API URI

Current URLs for V1.2 and the Swagger which implies a different configuration.

Current example: https://openapi.nationwide.co.uk/open-banking/v1.2/atms

Our assumption is we would just change the version number however Swagger suggests a new part of the URL is being added:

“/reference-implementation/open-banking/v2.1”

ASPSPs should remove/replace 'reference-implementation' with their own URI. Minor impact.

Will be fixed in 2.2.