Guidance when implementing the Standard

Where any part of the Open Banking Standard (API Specifications, Security Profiles, Customer Experience Guidelines and Checklist and Operational Guidelines and Checklist) is being implemented by either an ASPSP or a TPP, the following categorisation is applied:

Mandatory (required in all cases)

Functionality, customer experience and operational guidelines marked as ‘Mandatory’, ‘Required’ or ‘Must’ will be implemented in all cases for regulatory compliance and/or for the API to function and deliver essential customer outcomes.

Where relevant, these requirements are marked as Mandatory for PSD2 (for all ASPSPs) and/or the CMA Order (for CMA9 PCA/BCA accounts).

For functionalities and endpoints:
• An ASPSP must implement an endpoint that is marked Mandatory.
• An ASPSP must implement functionality that is marked Mandatory.
For fields:
• A TPP must specify the value of a Mandatory field.
• An ASPSP must process a Mandatory field when provided by the TPP in an API request.
• An ASPSP must include meaningful values for Mandatory fields in an API response.

Conditional (required in some cases)

Functionality, customer experience and operational guidelines marked as ‘Conditional’ may also need to be implemented in some cases for regulatory compliance (for example, if these are made available to the PSU in the ASPSP’s existing Online Channel).

For functionalities and endpoints:
• An ASPSP must implement functionality and endpoints marked as Conditional if these are required for regulatory compliance.
For fields:
• All fields that are not marked as Mandatory are Conditional.
• A TPP may specify the value of a Conditional field.
• An ASPSP must process a Conditional field when provided by the TPP in an API request, and must respond with an error if it cannot support a particular value of a Conditional field.
• An ASPSP must include meaningful values for Conditional fields in an API response if these are required for regulatory compliance.

Optional

Functionality, customer experience and operational guidelines marked as ‘Recommended’ or ‘Should’ are not necessarily required for regulatory compliance but should be implemented where possible to enable desired customer outcomes. Those marked as ‘Optional’ or ‘Could’ may deliver further desired outcomes.

For functionalities and endpoints:
• An ASPSP may implement an Optional endpoint.
• An ASPSP may implement Optional functionality.
For fields:
• There are no Optional fields.
• For any endpoints which are implemented by an ASPSP, the fields are either Mandatory or Conditional.

Notes
• If an ASPSP has deviated from implementing functionality classified as mandatory or conditional (where applicable) and is seeking an exemption, they will need to explain this divergence to their NCA.
• ASPSPs must make documentation available to TPPs (e.g. on their developer portals) as to which ‘Conditional’ / ‘Optional’ endpoints and fields are implemented for any given implementation of the specification.