Date raised
SummarySantander cannot support connections to Open Banking Directory over TLS MA, we will only be connecting over TLS1.2.
Policy/standard affected/wiki/spaces/DZ/pages/28737919
Duration (end date)
Approved byIE Trustee
Approved date 

Connections between Santander to Open Banking are specified below.

  1. JWKS endpoint – this is open to public anyway
  2. Open Banking IdP – used for authenticating TPP PTCs/STCs through OIDC flows.
  3. Open Banking Token Provider – to retrieve access tokens
  4. Open Banking Directory – to invoke SCIM endpoints for TPP information

Out of the above, Santander's understanding is that only point 3 and 4 need to be accessed over TLS MA. Santander is using a B2B proxy to connect to these, where we currently don’t support TLS MA.

Note: The MIT directory is allowing TLS only connections and does not support TLS MA, therefore we have not been able to test a solution from our B2B proxy which will take some weeks before we can test and support this with the Production environment.  

Risk assessmentIf OB resources are made available only on TLS MA, we cannot verify TPPs SSAs and on board them via the Access Token requests and therefore cannot stand the Developers Portal or API calls for go-live.
Mitigating controlsThe OB resource endpoints can be made available on both TLS and TLS MA including token endpoint, but this is against current policy. In addition to this, the published production endpoints support non-TLSMA connections.
Impact if refused
Financial cost (if any) £
Resource cost (if any) £