Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 77 Next »

h

OB Standards
Implement Open Data v2.2COMPLETE
Implement Read/Write API Specification v3.1COMPLETECurrent implementation - R/W v3.1.6
Implement Customer Experience Guidelines v1.1COMPLETECurrent implementation - CEG v3.1.5
Implement App-to-App RedirectionCOMPLETE
Implement OB Security Profile Implementer's Draft v1.1.2COMPLETE
Implement FAPI Profile Implementers Draft 2

COMPLETE

TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 2

  • The request object must contain an exp claim

  • You must use PS256 algorithms to create the request Object signing

  • You must use https://oauth.tiaa.barclays.com as the aud claim in the request Object

  • You must use private_key_jwt instead of client secret authentication

  • You must receive ID tokens with PS256 signing algorithms

  • You must use “response type=code id_token

  • We’ll populate the acr claim in the ID token by default

Implement CIBA Profile Implementers Draft 1TBCPlans to be confirmed
Implement Dynamic Client Registration v1.1Not Delivered
Implement Dynamic Client Registration v3.1TBCPlans to be confirmed
Decommission Read/Write API Specification v1.x/2.x

Plans to decommission AIS v1 / v2 in May however this has been delayed due to COVID.

Plans to decommission PIS v1 on November 23rd 2020. 


Decommission OB Security Profile Implementer's Draft v1.xTBC - No Plans


Method of Identification
Commence support for eIDAS QWAC certificatesFrom Q1 2020See section below for details of future cert support model and dates


Commence support for eIDAS QSEAL certificates
From Q1 2020

Commence support for OBIE QWAC-like certificates

From 14th September
Commence support for OBIE QSEAL-like certificatesFrom 14th September
Cease support for OBIE non eIDAS-like certificates for transportNo Plans
Cease support for OBIE non eIDAS-like certificates for signingNo Plans
Support for MTLS token endpoint authenticationNo Plans
Support for private_key_jwt token endpoint authenticationCOMPLETE
Cease support for client id and client secret token endpoint authenticationCOMPLETE

Client secret authentication is no longer supported

TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 2

  • The request object must contain an exp claim

  • You must use PS256 algorithms to create the request Object signing

  • You must use https://oauth.tiaa.barclays.com as the aud claim in the request Object

  • You must use private_key_jwt instead of client secret authentication

  • You must receive ID tokens with PS256 signing algorithms

  • You must use “response type=code id_token

  • We’ll populate the acr claim in the ID token by default

See section below for details of future cert support model and dates

Post Brexit Certificate Implementation
PRE-BREXIT - Certificates Accepted (until 31st Dec 2020)
  • eIDAS QWAC
  • eIDAS QSealC
  • OB legacy (obtransport, obsigning)
  • OBWAC
  • OBSeal
  • Other (Please define) 

POST-BREXIT TRANSITION - Certificates Accepted (1st Jan 2021 - 30th Jun 2021)
  • eIDAS QWAC
  • eIDAS QSealC
  • OB legacy (obtransport, obsigning)
  • OBWAC
  • OBSeal
  • Other (Please define) 
  • eIDAS QWAC and eIDAS QSealC will only be accepted for NON-UK based TPP's. 
POST-BREXIT POST TRANSITION - Certificates Accepted (from 1st Jul 2021)
  • eIDAS QWAC
  • eIDAS QSealC
  • OB legacy (obtransport, obsigning)
  • OBWAC
  • OBSeal
  • Other (Please define) 
  • eIDAS QWAC and eIDAS QSealC will only be accepted for NON-UK based TPP's. 
Planned Implementation Date to Satisfy FCA's Post Transition

TBC


TPP PSU Migration Outcomes Supported

Outcomes 4 and 8


POST-BREXIT Certificate Implementation Status (updated by OBIE IES team)

READY


Implementation


Directory?

Open Banking

Location of Well Known Endpoints?

OB Technical Directory

API Standard Implemented?

Open Banking

Name of Account Holder Implementation Date?

Completed - September 2019

Date of Current eIDAS Implementation?September 2019

Current Certificates used for Identification?OB Transport + ClientID + Secret
OBWAC

Current Certificates used for Transport?OB Transport / OBWAC

Current Certificates used for Signing?OB Signing / OBSEAL

Date of Future eIDAS Implementation?March 2020

As of the 14th of March, TPPs with eIDAS certificates who have registered with the Open Banking Implementation Entity and are onboarding with OBWAC/OBSEAL or QWAC/QSEAL certificates, can continue to use manual onboarding via the developer portal. Using this method, the TPP logs onto the developer portal with their Open Banking credentials and can create an application to onboard. This will ensure the TPP can continue to use their existing application on the developer portal that any associated live customer consents will have been created under. If a TPP has an eIDAS certificate, and wants to onboard directly with us, this is possible via our Dynamic Client Registration.


Future Certificates used for Identification?OBWAC / QWAC

Future Certificates used for Transport?

OBWAC / QWAC



Future Certificates used for Signing?OBSEAL / QSEAL

Major Milestones

Delivered Items:

  • P2 2WR / Event Notification API since 
  • AIS / PIS / COF v3.1.4 since 
  • P7 Phase 1 (SIP) Refunds (Payments v3.1.4) since 
  • P7 Phase 2 (Non-SIP) Refunds (Payments v3.1.4) from
  • P9 Payment Status since  - Changes may need to be made by TPP to cater for additional statuses as per OBIE specifications - in some instances, TPPs will need to call the Payment Status endpoint to ensure they have the latest view
  • CEG v3.1.5 (Agency Arrangement) from 
  • Waiver 007 (Payment and Event Notification Signing) from 

    • Key points for TPP awareness and action;

      • All payment requests in Sandbox and Production (as appropriate) must not include the b64 claim in the header.
      • Your requests will fail if they include the b64 claim after this date.
      • Changes at TPP side to enable sending JWS signature in Payment requests (as per Waiver specs; 3.1.4 & above) can be made any time before 26th October – if the change is not made by this date then your requests will fail
      • Changes at TPP side to validate JWS signature in Barclays’ payment response can only be made after 26th October
    • AIS v3.1.6 (CASS) from

Future Delivery Items:

  • AIS / PIS / COF v3.1.7 from 
  • Other deliverables to be aligned with CMA roadmap for 2021


Relevant AIS / PIS / CoF journeys supported for following payment account types:

  • Current Accounts (Personal and Business)
  • Current Accounts (Corporate)
  • Savings Accounts (Personal and Business)
  • Personal Credit Cards (Barclaycard)
  • Corporate Credit Cards
  • Currency Accounts (Personal and Business)
  • Currency Accounts (Corporate)


See https://developer.barclays.com/ for additional information relating to end point coverage

Note that Account Holder Name for PCA / BCA / Pingit customers is available through PARTIES end point and through ACCOUNTS end point for Barclaycard UK, Barclaycard Commercial Payment and Barclays Corporate customers


IMPORTANT INFORMATION

In order to complete Open Banking journeys, you will need to establish the Identity Provider (IDP) authentication method for your implementation.

An IDP is a system to authenticate and gain permission from an end user - such as a customer, to access their resources e.g. their account data. For Open Banking, this is used to authenticate the customer providing the consent to the Third Party.

Examples of an IDP in Open Banking includes Barclays app (Personal and Business Banking customers) and iPortal (Barclays Corporate clients), but we have a number of methods depending on the customer type and digital channel that they use. This needs to be considered in your development.

The latest OpenID configuration (OIDC) URLs available are shown below

TPPs are reminded that latest URLS MUST be used and where a legacy URL is still being used then TPP MUST migrate to URLs below

Note - some Business Banking clients will require the Corporate Banking IDP as they use Corporate Banking services to fulfil their business requirements and some Corporate clients will require the Business Banking IDP as they use Business Banking services to fulfil their business requirements



Brand(s)


Security Profile?

Currently Open Banking Security Profile

FAPI 2 rules enforced

TPPs must align their Open Banking implementations to the following security best practices recommended under FAPI 2

  • The request object must contain an exp claim

  • You must use PS256 algorithms to create the request Object signing

  • You must use https://oauth.tiaa.barclays.com as the aud claim in the request Object

  • You must use private_key_jwt instead of client secret authentication

  • You must receive ID tokens with PS256 signing algorithms

  • You must use “response type=code id_token

  • We’ll populate the acr claim in the ID token by default


Security Profile Certification?Yes

CIBA

TBC - No plans

Using Open Banking as your eIDAS Trust Framework?TBC

Are you caching the Directory?


Transaction IDsMarch 2019 - Option 3 Supported


Customer Journey

Implementing Customer Experience Guidelines?

Yes


Current CEG Version?v3.1.5
Next CEG Version?TBC
Next Version Implementation DateTBC

Implementing Bespoke User Journeys?

No

Implementing App to App?

Yes
App to App Implementation Date?Live

Options on 90 day re-authentication?

90 day re-authentication required across all Open Banking flows

Support Embedded Flow?

No
PSD2

Dispute Management System?

Yes
FCA Adjustment Period - Maintaining Screen Scraping?Yes

Seeking Fallback Exemption?

Yes

Adjusted or Fallback Interface?

No
Adjusted or Fallback URL?N/A
Contact Email or Phone Number?BarclaysAPISupport@barclayscorp.com
Dev Portal URLshttps://developer.barclays.com/open-banking

Test Facility Implementation Date?

 
Production Interface Implementation Date? 
Contingency MeasuresBarclays are aligned to FCA adjustment period and supporting the phased migration of Screen Scraping by TPPs
Article 10 - Maximum time period after authentication?No restrictions applied other than SCA at Auth and Re-Auth
Article 10 - Endpoints exempt of SCANone


Authentication Method - Open Banking Channel (Browser)?

SCA compliant digital channel logon

Authentication Method - Open Banking Channel (APP)?

SCA compliant digital channel logon

Authentication Method - Private Channel (Browser)?

SCA compliant digital channel logon


Authentication Method - Private Channel (APP)?

SCA compliant digital channel logon

Authentication Method Implementation Date (Open Banking Channel)?

Live

Authentication Method Implementation Date (Private Channel)?

Live

SCA Implementation Date?

Live


SCA Scope? (will it inhibit non PSD2 accounts)

NoScope of Open Banking flows limited to PSD2 accounts only


Key Implementations

High Cost Credit

Barclays - HCC.xlsx

After Waiver 7 Expiry (16/06/20) option supported: Option 1 - The parameter b64 being set to FALSE OR Option 2 - The b64 claim not being in the header

Waiver 007 (Payment and Event Notification Signing) from 

  • Key points for TPP awareness and action;

    • All payment requests in Sandbox and Production (as appropriate) must not include the b64 claim in the header.
    • Your requests will fail if they include the b64 claim after this date.
    • Changes at TPP side to enable sending JWS signature in Payment requests (as per Waiver specs; 3.1.4 & above) can be made any time before 26th October – if the change is not made by this date then your requests will fail
    • Changes at TPP side to validate JWS signature in Barclays’ payment response can only be made after 26th October

  • No labels