Operational Guidelines

Change Log

This version is:

Published 4 years ago 20 Dec 2019

A detailed list of changes from V3.1.3 to V3.1.4

Other pages in this section

A detailed list of changes from V3.1.3 to V3.1.4

Changes are indicated as follows. Copy which has been removed is struck out and copy which has been added is in blue.

ItemSection ReferenceDescription of ChangeReason for Change
Section Security
1IntroductionTo protect the confidentiality, integrity and availability of information and data in the Open Banking Ecosystem, all Participants should ensure that security is given sufficient profile and influence in their organisation and operations
in order to meet both obligations under PSD2 and data protection laws.
OBIE internal review
2Effective Information Security Management

Develop, maintain and implement an Information Security Policy, ensuring adequate resources, processes, technology, people and budget are allocated.
Regulatory Consequences: Poor information security could lead to revocation of your regulatory permissions as well as enforcement action and/ or fines arising out of data protection breaches.

Revenue Consequences:
Poor information security will compromise trust in your business , create reputational risk and could lead to adverse publicity and reduce reduction in customer take-up of your products and services.
OBIE internal review
3 Protecting Against Data Breach

Classify data and assets.  Understand what data you hold, assess the sensitivity and protect according to the threat likelihood and distinguish personal data from other confidential and classified data and impact.

Regulatory Consequences:  A data breach must be reported to the Regulator and the Information Commissioners Office. For certain types of personal data breach, this must be done within 72 hours of becoming aware (where feasible).

Data Breaches: Beware of the financial cost of a data breach: Up to €20 million or 4% of annual turnover (whichever is greater).  financial penalties that could be imposed for breaches of data protection, which could expose you to a maximum of a 4% annual worldwide turnover or 20m, whichever is greater.  

Guidance from the ICO on dealing with a data breach can be found here: 
OBIE internal review
4 Developing a Data Breach Policy & Procedure
Data Breach Policy

Amongst other policies and procedures and in accordance with data protection laws, TPPs should create a data breach policy statement and operate to the following recommended set of policies:
• Prevent: Operate regular risk assessment and risk monitoring in order to anticipate potential data threats, hazards and impacts.
OBIE internal review
5Technical Security

Always maintain the ability of the user to verify the authenticity of the site they are entering, i.e. maintain the ability to see the url URL bar/lock icon.

Practical Guide to IT Security from ICO can be found here: https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf
OBIE internal review
Section Counter Fraud Measures
Fraud is defined by the Fraud Act as an act (of intent or omission) carried out with the purpose to “make a gain for himself or another” or to “cause a loss to another or to expose another to a risk of loss”.  Fraud is a significant threat to the UK Economy and poses risk to the success of open banking transactions.  Strong counter fraud prevention, detection and responses are critical to the success of Open Banking in the UK and the most effective way to achieve this is to implement an effective counter fraud strategy.
Ensuring the security of payments is at the core of PSD2. Participants are obliged to ensure that they have an established framework to manage their operational and security risks".  Participants must also be mindful of the interplay with other statutory obligations, such as ensuring the security and protection of personal data, including financial data, in accordance with data privacy laws. 

The minimisation of fraud risk within the Open Banking Ecosystem is considered of fundamental importance by the Open Banking Implementation Entity to ensure the protection of customers and the security of transactions.
Recommendations are based on the OB published and regulatory guidance together with and EBA/FCA guidance on monitoring and reporting requirements.
EBA has recently published Guidelines on ICT and security risk management which will repeal and replace the current EBA Guidelines on the security measures for operational and security risks of payment services under PSD2 which come into force on 30 June 2020.
OBIE internal review
Counter Fraud Strategy & Operations

Regulatory Consequences: High fraud levels could case lead to regulatory investigations , enforcement action, fines and / or revocation of your regulatory permissions.
OBIE internal review
Section Operational Excellence
8Issue Resolution Service Requests

As part of our continuous improvement initiative, we are also looking to automate this page. also. Information will not be shared without the ticket owner’s permission.OBIE internal review
9Dispute Management System

The ICO guidance to customers regarding complaints can be found here: https://ico.org.uk/make-a-complaint/OBIE internal review
Section Testing
The Open Banking Implementation Entity (OBIE) would like to ensure all Participants and Technical Service
Providers (TSPs) looking to operate within the Open Banking Ecosystems (Test and Live) do so in a supported manner.
OBIE internal review
The Approach
The Approach
  1. The recommended approach is based on OBIE’s published ‘Launch Support’ testing document.
  2. It is designed to help ensure that your TPP service operates effectively within the OB Open Banking Ecosystem.
  3. Supports your journey from being an entity participating in the ‘test ecosystem’ to operating in the ‘production ecosystem’.
  4. Recommends participation in OBIE test phases, as appropriate:
  5. Integration Testing.
  6. Ecosystem Testing*.
  7. First Occurrence Validation (FOV).

*TPPs obtaining QTSP issued eIDAS Test QWAC and QSEAL certificates can be uploaded onto the OBIE Sandbox Directory. Also TPPs can generate OBIE eIDAS like test OBWAC and OBSEAL certificates from the OBIE Sandbox Directory. TPPs can also generate OBWAC and OBSEAL certificates which contain eIDAS like attributes from the OBIE Directory Sandbox. ASPSP Test Facilities (Sandboxes)  are expected to support TPP registration with both certification types OBIE eIDAS like and eIDAS.  This is a mirror approach to production.
OBIE internal review
Participant Journey
OBIE internal review
Test Phase Engagement
Unregulated participants new to Open Banking
Entities new to Open Banking (including those that do not have regulatory permissions) will be encouraged to take advantage of all test phases so that they can embed and refine their Open Banking knowledge and proposition as they progress through each phase.
OBIE internal review