Implement OB Security Profile Implementer's Draft v1.1.2
Implement FAPI Profile Implementers Draft 2
Implement CIBA Profile Implementers Draft 1
Implement Dynamic Client Registration v1.1
Implement Dynamic Client Registration v3.1
Decommission Read/Write API Specification v1.x/2.x
Decommission OB Security Profile Implementer's Draft v1.x
Method of Identification
Commence support for eIDAS QWAC certificates
Commence support for eIDAS QSEAL certificates
Commence support for OBIE QWAC-like certificates
Commence support for OBIE QSEAL-like certificates
Cease support for OBIE non eIDAS-like certificates for transport
Cease support for OBIE non eIDAS-like certificates for signing
Support for MTLS token endpoint authentication
Support for private_key_jwt token endpoint authentication
Cease support for client id and client secret token endpoint authentication
Implementation
Directory?
Open Banking
Location of Well Known Endpoints?
OB Technical Directory
API Standard Implemented?
Open Banking
Sandbox Environment – App Creation by TPP and after TBUK Approval
Production Environment – App Creation by TPP and after TBUK Approval
Name of Account Holder Implementation Date?
N/A
Supported identification method?
MTLS with eIDAS Certificates
Major Milestones
-
Security Profile?
Security Profile Certification?
CIBA
No
Using Open Banking as your eIDAS Trust Framework?
No
Are you caching the Directory?
No
Transaction IDs
ASPSPs provide a Unique, Immutable TransactionID from their core system
ASPSPs generate a Unique TransactionID from a set of Immutable fields
ASPSPs specify field(s) for TPP to generate a Unique Transaction Identifier
ASPSPs provide neither a TransactionID nor the method by which TPPs can generate one
Customer Journey
Implementing Customer Experience Guidelines?
Yes
Implementing Bespoke User Journeys?
No
Implementing App to App?
Yes
App to App Implementation Date?
N/A
Options on 90 day re-authentication?
90 day Re-Authentication
In line with RTS (if the customer logs in after 90 days, they will be prompted to re-authenticate for consent).
Support Embedded Flow?
No
PSD2
Dispute Management System?
TBC
FCA Adjustment Period - Maintaining Screen Scraping?
Seeking Fallback Exemption?
Yes
Adjusted or Fallback Interface?
No
Adjusted or Fallback URL?
N/A
Contact Email or Phone Number?
Dev Portal URL?
Test Facility Implementation Date?
June 2019
Production Interface Implementation Date?
October 2019
Contingency Measures
Please specify the location of the guidance that explains your strategy and plans for when your dedicated interface is unavailable. This should be a URL to your dev portal or an artefact that provides TPPs with the information they require.
Article 10 - Maximum time period after authentication?
Please specify how long the AISP has from the time when they receive the access token (after PSU authentication). This is the period within which the AISP must submit their first request before SCA is re-applied to endpoints not exempt from SCA under Article 10. ASPSPs should consider that this timeline is consistent with the time limit applied by the ASPSP in the existing online PSU interface (i.e. before the PSU is logged out).
Article 10 - Endpoints exempt of SCA
Please specify which AIS endpoints will be exempt from SCA under Article 10. (delete as appropriate): Accounts, Balances, Transactions, Beneficiaries, Direct Debits, Standing Orders, Products, Offers, Parties, Scheduled Payments, Statements
Authentication Method - Open Banking Channel (Browser)?
Credentials + OTP
Authentication Method - Open Banking Channel (APP)?