Design and Testing
The OBIE Standard
The OBIE Standard have been developed over a period of 18 months in collaboration with nine of Europe’s largest financial institutions as well as 500+ representatives from other ASPSPs, TPP communities, PSD2 and consumer stakeholder groups, and prominent fintech leaders.
The collaborative and transparent development process has involved over 50 workshops and an online feedback process, giving stakeholders the opportunity to contribute to ensure that their regulatory requirements have been considered for the widest possible coverage of business models. As such, when ASPSPs adopt the OBIE Standard without deviation, they can refer to the fact that there was extensive consultation during the development of the OBIE Standard as an additional tool to support the design and testing requirement.
In the UK, the FCA will base its assessment of whether the exemption criteria are met on a completed contingency exemption form. FCA-regulated ASPSPs are required to complete this (in particular the second half Form B1) by providing the details of functional and technical specifications that they have implemented for each relevant regulatory requirement and a corresponding summary describing how their implementation satisfies the requirement, as well as any deviations, where applicable.
We note that it is ultimately in the discretion of each NCA to determine whether or not exemption criteria are met when assessing applications for an exemption.
OBIE provides a suite of testing tools which are designed to help ASPSPs test whether or not their API interface meets the OBIE Standard. ASPSPs who use these tools will be in a good position to able to demonstrate to NCAs that they have correctly followed and implemented the OBIE Standard2.
Functional Conformance: This suite contains a large number of test cases, which cover all functional API request, response and error codes, to ensure that the API interface is conformant to the OBIE specifications for AISP, PISP and CBPII use cases. This tool also provides a mechanism by which ASPSPs can publish details of the specification of their dedicated interface.
Customer Experience Guidelines Checklist: This tool allows ASPSPs to provide evidence of conformance to the Customer Experience Guidelines.
Security Profile Conformance: This suite includes test cases for the Open Banking Security Profile and the following Open ID Foundation profiles: redirect (FAPI profile), decoupled (CIBA profile), and TPP on-boarding (Dynamic Client Registration).
Operational Guidelines Checklist: In combination with the NCA submission, ASPSPs should use this checklist to provide the NCA with a summary of the results of the testing, including the identification of weaknesses and a description of how these weaknesses have been addressed.
OBIE will also provide a certification service for each of the four areas above. This service will include OBIE’s validation that the conformance tools/checklists have been run/completed satisfactorily to indicate conformance to the OBIE Standard. While the tools can be run in a test/pre-production environment, certification will be against production environments unless otherwise agreed by OBIE.
ASPSPs who run these tools and obtain a certification against their production environment will mitigate against scenarios where the dedicated interface returns 2xx HTTP status codes, but the responses contain missing, badly formed or incorrect data.
2While running the tools successfully will produce useful evidence, an NCA may still require further evidence to ascertain whether or not an ASPSP has correctly implemented the OBIE Standard