This page lists previous certifications relating to the now deprecated Open Banking Security Profile. Please see Security Profile Conformance for current certifications.
Previous OBIE Security Profile Certifications

Version 3 of the OBIE Standard

The following certifications relate to the OBIE API Specification v3.0 and the Open Banking Security Profile Implementer’s Draft v1.1.2. These are based on the OB Conformance Tool v2.0.6 (released 12 Sep 2018).

| Brand | Certificate | Org Type | Profile Version | Conformance Tool Version | Date Submitted | Status | No. of Failures | Planned Fix Date | Date Passed |
|---|---|---|---|---|---|---|---|---|---|
| Nationwide | Nationwide 2019 | ASPSP | v1.1.2 | v2.0.6 | 27 Jun 2019 | CERTIFIED | 1 | | 06 Feb 2020 |
| Tesco Bank | Tesco Bank 2019 | ASPSP | v1.1.2 | v2.0.6 | 28 Nov 2019 | PARTIAL | 1 | n/a | 29 Nov 2019 |
| SG Kleinwort Hambros | Kleinwort Hambros | ASPSP | v1.1.2 | v2.0.6 | 11 Sep 2019 | CERTIFIED | 0 | n/a | 11 Sep 2019 |
| Lloyds Bank | Lloyds Bank 2019 | ASPSP | v1.1.2 | v2.0.6 | 01 Aug 2019 | CERTIFIED | 1 | see notes below | 20 Aug 2019 |
| Alpha FX Open Banking Authentication Service | AlphaFX 2019 | ASPSP | v1.1.2 | v2.0.6 | 16 Aug 2019 | CERTIFIED | 0 | n/a | 28 Aug 2019 |
| Danske Bank | Danske Bank 2019 | ASPSP | v1.1.2 | v2.0.6 | 26 Jun 2019 | CERTIFIED | 0 | n/a | 28 Jun 2019 |
| Marks and Spencer Bank | HSBC / Marks & Spencer Bank 2019 | ASPSP | v1.1.2 | v2.0.6 | 14 Jun 2019 | CERTIFIED | 0 | | 18 Jun 2019 |
| First Direct Bank | HSBC / First Direct Bank 2019 | ASPSP | v1.1.2 | v2.0.6 | 14 Jun 2019 | CERTIFIED | 0 | | 18 Jun 2019 |
| Retail Banking and Wealth Management | HSBC / Retail Banking & Wealth Management 2019 | ASPSP | v1.1.2 | v2.0.6 | 14 Jun 2019 | CERTIFIED | 0 | | 18 Jun 2019 |
| Commercial Banking | HSBC / Commercial Banking 2019 | ASPSP | v1.1.2 | v2.0.6 | 14 Jun 2019 | CERTIFIED | 0 | | 18 Jun 2019 |
| Santander | Santander 2019 | ASPSP | v1.1.2 | v2.0.6 | 16 Apr 2019 | CERTIFIED | 0 | n/a | 03 May 2019 |
| Barclays | Barclays 2019 | ASPSP | v1.1.2 | v2.0.6 | 23 Apr 2019 | CERTIFIED | 1 | see notes below | 10 May 2019 |
| Yorkshire Building Society | Yorkshire Building Society 2019 | ASPSP | v1.1.2 | v2.0.6 | 23 May 2019 | CERTIFIED | 0 | n/a | 21 May 2019 |
| Chelsea Building Society | Chelsea Building Society 2019 | ASPSP | v1.1.2 | v2.0.6 | 23 May 2019 | CERTIFIED | 0 | n/a | 21 May 2019 |

Version 2 of the OBIE Standard

The following certifications relate to the OBIE API Specification v2.x and the Open Banking Security Profile Implementer’s Draft v1.1.2. These are based on the OB Conformance Tool v2.0.x.
| Brand | Profile Version | Suite Version | Client Authentication Type | Response Type | Date | Submission | Status | # Failed | Notes / Mitigation for failure |
|---|---|---|---|---|---|---|---|---|---|
| AIB Group (UK) p.l.c. / First Trust Bank | v1.1.2 | v2.0.6 | client secret basic | code id_token | 18 Sep 2018 | Download | PASS | 0 | |
| Bank of Ireland | v1.1.2 | v2.0.6 | client secret basic | code id_token | 26 Nov 2018 | Download | PASS | 0 | |
| Barclays | | | | | | | SEE NOTES | | Known issue(s) in current implementation: • Failing. Scopes must be returned by the token endpoint. Planned fix and certification date: March 2019 (waiting for vendor upgrade). |
| Danske | v1.1.2 | v2.0.6 | client secret post | code id_token | 23 Jan 2019 | Download | PASS | | |
| HSBC / Retail Banking and Wealth Management | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | 10 Sep 2018 | Download | PASS | 0 | |
| HSBC / Commercial banking | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | 10 Sep 2018 | Download | PASS | 0 | |
| HSBC / First Direct Bank | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | 10 Sep 2018 | Download | PASS | 0 | |
| HSBC / Marks and Spencer Bank | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | 10 Sep 2018 | Download | PASS | 0 | |
| Lloyds Bank | | | | | | | SEE NOTES | | Known issue(s) in current implementation: • When the TPP does not pass the algorithm used to sign the request object, the Key Storage service correctly throws a 400 error but preauth service is not appending the proper error description of invalid request_object. • When the consent journey is completed an authorisation code is issued which is valid for 5 mins and should be for one-time use only, i.e., revoked once used. • When the redirect URL to consent pre-auth service includes a query parameter the journey breaks, which breaks the consent journey. The fix has been applied to the OIDC API. Planned fix and certification date: 4th Feb 2019 Known issue(s) in current implementation: • Failing ob-code-id-token-with-secret-basic-and-matls – Does not support multiple query parameters in the redirect_uri – Fix in October • Supports old TLS 1.0 and TLS 1.1 connections. • Failing matching-key-in-authorization-request-code-id-token – No screenshots. • Failing request-object-signature-algorithm-is-not-none-code-id-token – No screenshots. Planned fix and certification date: TBC |
| RBS | v1.1.2 | v2.0.4 | mtls | code, code id_token | 14 Dec 2018 | | PASS | | |
| Santander | v1.1.2 | v2.0.4 | client secret basic | code, code id_token | 11 Oct 2018 | Download | PASS | | |
| Ping Identity (Platform Vendor) | v1.1.2 | v2.0.2 | mtls, private key, client secret basic, client secret post | code, code id_token | 17 Aug 2018 | | PASS | 0 | Ping Identity – PSD2 & Open Banking |
| Authlete (Platform Vendor) | v1.1.2 | v2.0.4 | mtls | code id_token | 29 Aug 2018 | Download | PASS | 0 | See: Authlete.com/ |
| Ozone (Mock Bank) | v1.1.2 | v2.0.6 | client secret basic, client secret post, private key | code, code id_token | 17 Sep 2018 | Download | PASS | 0 | See: O3-Ozone |
| Forgerock (Platform Vendor / Mock Bank) | v1.1.2 | v2.0.6 | client secret basic, client secret post, private key | code id_token | 19 Sep 2018 | Download | PASS | 0 | See: Backstage.Forgerock.com/knowledge/openbanking/home |
| Ostia Software Solutions | v1.1.2 | v2.0.6 | client secret basic | code id_token | 16 Jan 2019 | Download | PASS | 0 | See: Ostiasolutions.com |
| WSO2 | v1.1.2 | v2.0.6 | mtls, private key, client secret basic, client secret post | code, code id_token | 29 Jan 2019 | Download | PASS | 0 | See: WSO2.com/ |

Version 1 of the OBIE Standard

The following certifications relate to the OBIE API Specification v1.x and the Open Banking Security Profile Implementer’s Draft v1.1.x. These are based on the OB Conformance Tool v1.1.x.

| Brand | Profile Version | Suite Version | Client Authentication Type | Response Type | Date | Submission | Status | # Warning | # Failed | Notes / Mitigation for failure |
|---|---|---|---|---|---|---|---|---|---|---|
| AIB Group (UK) p.l.c. / First Trust Bank | v1.1.1 | v1.1.7 | Client secret basic | code id_token | 23 Feb 2018 | Download | PASS | 1 | 0 | |
| Bank of Ireland | | | | | | | | | | |
| Barclays | v1.1.1 | v1.1.10 | client secret basic, client secret post | code | 05 Jul 2018 | Download | PROVISIONAL | 2 | 2 | Scope not present in token response -> Agreed with OBIE that it is not a breaking defect: • This is a limitation of the current software version for the platform, and will be resolved in the next release. • Error from account request endpoint (406 Error) -> Expected Error because of incorrect values in Headers (Swagger v/s FAPI standards). • We currently check for application/json being present within the headers only as a strict interpretation as per Swagger / OBIE specifications and not to the FAPI standard. |
| Danske | | | | | | | | | | |
| HSBC | v1.1.2 | v1.1.11 | Client secret basic | code, code id_token | 30 Apr 2018 | Download | PASS | 2 | 0 | |
| First Direct Bank | v1.1.2 | v1.1.11 | Client secret basic | code, code id_token | 06 Jun 2018 | Download | PASS | 2 | | |
| Marks and Spencer Bank | v1.1.2 | v1.1.11 | Client secret basic | code, code id_token | 06 Jun 2018 | Download | PASS | 2 | | |
| Lloyds Bank | v1.1.1 | v1.1.9 | Client secret basic, client secret post | code, code id_token | 09 Mar 2018 | Download | PASS | 1 | 1 | NB: Platform currently unable to handle query parameters in redirect URI. To be resolved. 1 test still to be run. Non-blocking issue. |
| Nationwide | v1.1.2 | v1.1.9 | Client secret basic | code id_token | 28 Mar 2018 | Download | PASS | 1 | 1 | NB: Platform currently unable to handle query parameters in redirect URI. Incorrect error returned in response to access token sent as a query parameter. Both issues shortly to be resolved. Platform accepts TLS1.0&1.1 connections due to limitations in customer base. |
| RBS | | | | | | | | | | |
| Santander | v1.1.1 | v1.1.11 | client secret basic | code id_token | 25 May 2018 | Download | PASS | 1 | 0 | |
| Ozone (Mock Bank) | v1.1.2 | v1.1.7 | client secret basic, client secret post, private key | code, code id_token | 26 Feb 2018 | Download | PASS | 1 | 0 | See: O3-Ozone |
| Forgerock (Platform Vendor and Sandbox Provider) | v1.1.2 | v1.1.9 | Private key | code, code id_token | 09 Mar 2018 | Download | PASS | 1 | 0 | See: https://backstage.forgerock.com/knowledge/openbanking/home |
| Ostia Solutions (Sandbox Provider) | v1.1.2 | v1.1.9 | Private key | code | 02 Mar 2018 | Download | PASS | 0 | 0 | See: Ostia Solutions |