Conformance Service and Tools

Conformance Certification Service Overview

Open Banking Limited provide a suite of Conformance Tools to help Implementers (which includes Account Providers, Third-Party Providers, Vendors and Technical Service Providers) test that they have implemented each part of the OBIE Standard correctly.

Open Banking Limited (OBIE) offers a Conformance Certification Service to allow Implementers to use these tools to self-attest, so that OBIE can then validate and publish a Conformance Certificate. These Conformance Certificates can be used by Implementers as evidence to the ecosystem (including Regulators) that they have followed the OBIE Standard correctly.

Initially, the focus is to enable ASPSPs to use these Conformance Certificates as evidence that they have followed the OBIE Standard without deviation when applying to their National Competent Authority (NCA) for an exemption from a contingency mechanism.

The details of this service do not form part of any contract but explain the process and how OBIE expects Implementers to engage. Implementers should be aware that these details may be updated by OBIE from time to time. Details of any changes will be set out in the Version Control section below.

1. Version control

VersionDateAuthorComments
1.026 Apr 2019OBIEInitial baselined version
1.110 Jul 2019OBIEMinor update to include further clarity of difference between OBIE and OIDF security profile conformance
1.207 Oct 2019OBIEUpdate to the range of Conformance Tools and Certificates available
1.326 Nov 2019OBIEUpdate to the range of Conformance Tools and Certificates available (DCR)

2. Overview

The following table shows the range of Conformance Tools and Conformance Certificates that are offered by OBIE.

The Conformance Tools are all available under the MIT Open Licence without charge. Implementers can purchase any of the Certification Services listed below. 

It is up to each Implementer to determine which endpoints, data fields, functionality, brands, products and unique tests need to be covered by each Conformance Certificate. OBIE will validate and publish Conformance Certificates based on the information provided by the Implementer. For example, each ASPSP will need to determine the number of dedicated interfaces that it has in consultation with the NCA. It is entirely between the NCA and each ASPSP as to what is considered a dedicated interface. It is then up to the ASPSP to decide which Conformance Certificates it would like to support its application(s) to the NCA for an exemption.

TypeConformance CertificatesFee per Conformance CertificateNumber of Conformance Certificates needed
Security Profile ConformanceFinancial Grade API (FAPI) Conformance Certificates *See https://openid.net/certification/fees/One per base URL (e.g. api.bank.com).
Client-Initiated Backchannel Authentication (CIBA) Conformance Certificates *See https://openid.net/certification/fees/One per base URL (e.g. api.bank.com).
Functional ConformanceFunctional Conformance Certificates: AIS£1,000One per base URL (e.g. api.bank.com).
Functional Conformance Certificates: PIS£1,000One per base URL (e.g. api.bank.com).
Functional Conformance Certificates: CBPII£1,000One per base URL (e.g. api.bank.com).
Dynamic Client Registration ConformanceDynamic Client Registration Conformance Certificates£1,000One per base URL (e.g. api.bank.com).
Customer Experience Guidelines ConformanceCustomer Experience Guidelines Conformance CertificatesPrice on applicationOne per branded set of customer journeys.

Included in the above fee for each Conformance Certificate, OBIE will provide a limited amount of support during UK office hours to help the Implementer use the Conformance Tool(s) and complete the submission process. This will not include detailed technical support in implementing any element of the OBIE Standard. This does not require, nor is not dependent on any other Support Service which may be purchased separately from OBIE.

*Please visit the Open ID Foundation for Financial Grade API (FAPI) and Client Initiated Backchannel Authentication (CIBA) Certificates.

3. How to get a Conformance Certificate

Though the process differs slightly by Conformance Certificate type, the general process is as follows:

  1. Implementer downloads relevant Conformance Tool or Checklist and completes all required tests.
    1. Functional Conformance Tool for AIS, PIS and CBPII
    2. Dynamic Client Registration Tool
  2. Implementer signs relevant order form (including agreeing terms and conditions and payment terms) to order a Conformance Certificate.
  3. Implementer purchases a Conformance Certification Service from OBIE via the Service Desk Conformance Certification Order Form
  4. OBIE validates Conformance Certificate Request.
  5. Implementer uploads all required supporting evidence.
  6. OBIE will provide support to the Implementer during the validation period, as detailed above.
  7. OBIE publishes Conformance Certificate and notifies Implementer.

Once a Conformance Certificate has been published by OBIE, no further support will be provided to the Implementer and the Certificate Request will be marked as ‘Closed’.

To re-apply for the same Conformance Certificate, or to request a new Conformance Certificate, the Implementer will need to sign a new order form to re-start the above process.

Conformance Certificates for ASPSP implementations will only be published based on production (“live”) environments. The Conformance Tools can be run against pre-production environments and if an Implementer wishes to purchase a Conformance Certificate for pre-production or testing/sandbox environments this can be discussed bilaterally with OBIE, based on the costs and service levels as stated above.

4. Validation of Conformance Certificate Requests

Each Conformance Certificate requires different evidence to be submitted to OBIE, the detail of which is provided in the relevant pages accessible from the table above.

For the Functional and Security Profile Conformance Certificates, the Conformance Tools run automated tests once the tools are configured by the relevant Implementer, producing a set of binary results (pass/fail). OBIE will review both the results of the tests, and also the tests run by the Implementer. OBIE will not provide support to resolve failures in any of these tests as part of the Conformance Certification Service.

For the CEG, video evidence and a completed CEG Checklist will be submitted by the applicant which will be reviewed and assessed by the Office of the Trustee. The cost of this service is more than for other Conformance Certificates as it requires more manual review given the subjective nature of applications. For CEG Conformance Certificates OBIE anticipate more dialogue during the review process, and will support this.

5. Publication of Conformance Certificates

OBIE provides an online platform where these Conformance Certificates and supporting material are published and can be viewed and/or downloaded by other Participants and Regulators (including NCAs). This service can thus be used by ASPSPs as supporting evidence in their application to their NCA for an exemption from the provision of a contingency mechanism.

OBIE will publish Conformance Certificates marked with one of the following two statuses:

The issuance and publication of Conformance Certificates are at the sole discretion of OBIE.

6. Renewal and revocation

Conformance Certificates published by OBIE will have no fixed expiry date, however, they will be clearly marked as to which version of the relevant OBIE Standard they apply to.

If the Implementer makes any changes to their API interface which would cause a change in the Conformance Certificate status, for example introducing a new version of the OBIE Standard which includes a breaking change for TPPs, the Implementer should re-apply for a new Conformance Certificate, and, if so, will need to sign a new order form and pay the relevant fee to purchase this.

If any information provided by the Implementer changes, or is discovered to be inaccurate, the Implementer must immediately notify OBIE to request that the Conformance Certificate is revoked.

OBIE may also revoke a Conformance Certificate at any time at its absolute discretion.

Once a Conformance Certificate is revoked, it cannot be re-instated.

OBIE will maintain a publicly available online record of all revoked Conformance Certificates.

7. Managing disputes

Disputes or complaints raised by the Implementer will be subject to the following conditions:

Disputes or complaints from other Participants who disagree with the issuance of a particular Conformance Certificate will be subject to the following conditions:

OBIE will not respond to disputes or complaints relating to Conformance Certificates issued/published by any other entity (e.g. the Open ID Foundation), and these must be raised with the relevant entity directly.

8. Need help?

Implementers who have purchased a Certification Service can get support relating to this Service via the OBIE Service Desk. All Participants who have Support Services included as part of their Services with OBIE can also get general support via the OBIE Service Desk.