ASPSPs should conduct stress testing of their API interface as follows:Environments: Stress testing does not need to take place on the testing facility. However, stress testing should either be conducted on the production interface (and underlying production systems) and/or staging/pre-production systems which have similar infrastructure, so there can be certainty that the test results will represent what will happen in a real-word scenario.
Realistic scenarios and loads: Testing should cover a range of realistic test cases and be for realistic duration and at realistic volumes, based on predicted volumes in six months’ time. The actual data used for these tests is not relevant (i.e. whether this is test or production data), since this must not be disclosed in any test results submitted. Testing should take place from external networks which replicate the usage patterns expected in the real-world (e.g. from third party applications).
Availability and frequency: A separate facility for stress testing does not need to be permanently available. However, stress testing should be conducted at least every six months and also in any of the following cases:
- Prior to application to the NCA for an exemption.
- In the event of any failures or reduction of service levels below those required regarding performance and availability KPIs.
- In the event of any infrastructure or implementation changes (e.g. release of new API versions), which may affect performance.
- In the event of any significant increase in predicted usage volumes.