Tesco Personal Finance PLC

OB Standards

Implement Open Data v2.2		tbc
Implement Read/Write API Specification v3.1	09 Aug 2019	Deployed 3.1.1 in August 2019
Implement Customer Experience Guidelines v1.1	09 Aug 2019
Implement App-to-App Redirection	iOS - December 2019 Android - january 2020	App to App Redirection will be supported for iOS users from 8^th December 2019. Support for Android users is planned to follow in January 2020.
Implement OB Security Profile Implementer's Draft v1.1.2	09 Aug 2019
Implement FAPI Profile Implementers Draft 2	tbc	tbc
Implement CIBA Profile Implementers Draft 1	n/a	n/a
Implement Dynamic Client Registration v1.1	n/a	n/a
Implement Dynamic Client Registration v3.1	09 Aug 2019	v3.2 implemented April 2020
Decommission Read/Write API Specification v1.x/2.x	n/a	n/a
Decommission OB Security Profile Implementer's Draft v1.x	n/a	n/a

Method of Identification

Commence support for eIDAS QWAC certificates		Update on Production Date to be provided
Commence support for eIDAS QSEAL certificates		Update on Production Date to be provided
Commence support for OBIE QWAC-like certificates		Update on Production Date to be provided
Commence support for OBIE QSEAL-like certificates		Update on Production Date to be provided
Cease support for OBIE non eIDAS-like certificates for transport		Update on Production Date to be provided
Cease support for OBIE non eIDAS-like certificates for signing		Update on Production Date to be provided
Support for MTLS token endpoint authentication		Update on Production Date to be provided
Support for private_key_jwt token endpoint authentication	n/a
Cease support for client id and client secret token endpoint authentication	n/a

Implementation

Directory?	Open Banking
Location of Well Known Endpoints?	OB Technical Directory and OB Implementation Guide
API Standard Implemented?	Open Banking
Name of Account Holder Implementation Date?	Completed - 09 Aug 2019	Name of account holder is returned via the party endpoint
Date of Current eIDAS Implementation?		MTLS
Current Certificates used for Identification?
Current Certificates used for Transport?	OB Transport (non-eIDAS-like)
Current Certificates used for Signing?	OB Signing (non-eIDAS-like)
Date of Future eIDAS Implementation?	No future update currently planned.
Future Certificates used for Identification?
Future Certificates used for Transport?
Future Certificates used for Signing?
Major Milestones	SCA is already in place at log in for the existing Online and Mobile channels and was in place pre-PSD2.	Production date for SCA in the Open Banking channel to be provided.
Brand(s)
Security Profile?	Open Banking Security Profile - Implementer's Draft v1.1.2
Security Profile Certification?	Submitted for certification and awaiting response.
CIBA	No
Using Open Banking as your eIDAS Trust Framework?	Yes
Are you caching the Directory?	No
Transaction IDs	No	No transaction IDs provided in transaction response, consistent with online/mobile channels.

Customer Journey

Implementing Customer Experience Guidelines?	Yes
Current CEG Version?	1.2
Next CEG Version?	tbc
Next Version Implementation Date	tbc
Implementing Bespoke User Journeys?	No	Closely aligned to CEG v1.2
Implementing App to App?	Yes
App to App Implementation Date?	tbc
Options on 90 day re-authentication?	Yes	Re authentication will be required after 90 days. Will also be required in scenarios that imply risk and therefore SCA is deemed appropriate by Tesco Bank.
Support Embedded Flow?	No

PSD2

Dispute Management System?	Yes
FCA Adjustment Period - Maintaining Screen Scraping?	Yes
Seeking Fallback Exemption?	Exemption Granted - 09 Oct 2019
Adjusted or Fallback Interface?	No
Adjusted or Fallback URL?	N/A
Contact Email or Phone Number?	apisupport@tescobank.com
Dev Portal URL?	https://developer.tescobank.com/
Test Facility Implementation Date?	14 Mar 2019
Production Interface Implementation Date?	09 Aug 2019
Contingency Measures		N/A as exemption obtained.
Article 10 - Maximum time period after authentication?	5 minutes for those endpoints NOT covered by an exemption (i.e. direct debits, beneficiaries etc.) and 90 days if exempt.
Article 10 - Endpoints exempt of SCA	Accounts, Balances, Transactions (< 90 days)	Resources covered (delete as appropriate): Accounts, Balances, Transactions, ~~Beneficiaries, Direct Debits, Standing Orders, Products, Offers, Parties, Scheduled Payments, Statements~~
Authentication Method - Open Banking Channel (Browser)?	Knowledge – Password & Security Number. Possession – Device or OTP. Inherence – n/a
Authentication Method - Open Banking Channel (APP)?	Knowledge – Password & Security Number. Possession – Device or OTP. Inherence – Fingerprint / Face Recognition
Authentication Method - Private Channel (Browser)?	Knowledge – Password & Security Number. Possession – Device or OTP. Inherence – n/a
Authentication Method - Private Channel (APP)?	Knowledge – Password & Security Number. Possession – Device or OTP. Inherence – Fingerprint / Face Recognition
Authentication Method Implementation Date (Open Banking Channel)?	09 Aug 2019
Authentication Method Implementation Date (Private Channel)?		SCA is already in place at log in for the existing Online and Mobile channels and was in place pre-PSD2.
SCA Implementation Date?	SCA is already in place at log in for the existing Online and Mobile channels and was in place pre-PSD2.	Production date for SCA in the Open Banking channel to be provided.
SCA Scope? (will it inhibit non PSD2 accounts)	Yes	Will impact ISAs, Fixed Rate Savers, Loans Will not impact Mortgage and Insurance

Key Implementations

High Cost Credit	Tesco - HCC - Nov 19.xlsx

After Waiver 7 Expiry (16/06/20) option supported: Option 1 - The parameter b64 being set to FALSE OR Option 2 - The b64 claim not being in the header	-We will support Option 1	10 Sep 2019 Functional Certificate (PIS): Tesco Personal Finance 2019