Frequently Asked Questions
If you're a 'third party provider' (TPP), we've created a list of our most commonly asked questions and their answers. They're focussed on Open Banking and may help you get what you need, before contacting us. We'll try to keep these as up-to-date as possible.
General
Open Banking is a reform, called for by the Competition & Markets Authority (CMA), which mandates Santander and the eight other largest current account providers (CMA9) to securely share customer account data and initiate payments with registered third party providers (TPPs), provided the customer has given their consent.
Please find more information at Open Banking
Open Data
These Open Data APIs allow API providers (e.g. banks, building societies and ATM providers) to develop API endpoints for products, branches and ATMs data which can then be accessed by anyone.
Account & Transactions
These read/write APIs provide the ability for approved/authorised account information service providers (AISPs) to access a customer’s (payment service user, PSU) account and transaction information for domestic business current accounts (BCAs) and personal current accounts (PCAs), only when the PSU grants consent. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk/
Payment Initiation
These read/write APIs provide the ability for authorised payment initiation service providers (PISPs) to initiate domestic payments and set up new domestic scheduled payments and domestic standing orders, only when the PSU grants consent. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk
Confirmation of Funds
This read/write API allows a Card Based Payment Instrument Issuer ('CBPII') to make a request to confirm funds are available. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk
A TPP, Third Party Provider, can perform the following roles once they are registered with their National Competent Authority (NCA):
- Account Information Service Provider (AISP)
- Payment Initiation Service Provider (PISP)
- Technical Service Provider (TSP)
- Card Based Payment Instrument Issuer (CBPII)
Read/Write APIs
As a TPP, in order to access our Read/Write APIs, you need to be enrolled with Open Banking (Enrolling Onto Open Banking Guide) and registered with the Financial Conduct Authority (FCA) or a National Competent Authority (NCA), as either an AISP and/or PISP, TSP or CBPII.
This will then enable you to access our APIs through the Santander Developer Portal
Yes, Santander have a test facility (Sandbox) available through our Developer Portal. This will be made available in March 2019.
Check out our Get Started guide for a step by step guide on how to start testing with our Sandbox APIs.
We do not yet have test accounts available for testing with our Live APIs.
In Sandbox, however, we will have a set of test scenarios for production-like testing.
The following banking account types are available in our live APIs:
- Personal current accounts
- Business current accounts
- Corporate current account (single authorisation and less than £6.5 million turnover)
In addition to the above banking account there are more account types available in our Sandbox environment:
- Banking accounts (non-sterling)
- Savings accounts (sterling and non-sterling)
- Credit Card accounts
Yes, you can find our implementation guide on Open Banking’s Developer Zone.
There are full specifications provided by OBIE available on their Developer Zone from which we’ve built our APIs.
For help on how to on-board to the Santander Developer Portal check out our Getting Started guide.
Response Codes
- Make sure you have registered your SSA in the Santander Developer Portal and that your subscription to the Accounts Service Provider API and/or Payments Service Provider API has been approved by Santander
- Make sure you are using client_secret_post for the OIDC calls
- Make sure you are sending client_id and client_secret as parameters in the x-www-form-urlencoded body
Check that you are using the correct network certificate signed by Open Banking to establish the TLS mutual authentication (MA) connection.
Network Support
For connections to the openbanking-ma.santander.co.uk domain, clients must have ensured the following has taken place:
- The TPP has registered with Open Banking Directory
- The TPP has obtained signed Transport Certificates from Open Banking
- The TPP has registered and on-boarded with Santander (https://developer.santander.co.uk) and received a valid set of Client Credentials
- The TPP has an appropriate software application to enable the connection to our domain to test the API, e.g. Postman or the curl command
This may be because the firewall on the domain openbanking-ma.santander.co.uk is currently blocking your IP address from connecting to our servers. Please contact us and provide your public IP address and the time you attempted to make the connection so that we can investigate the problem.
Answer (1)
Make sure you are using the correct Public Certificate for Transport provided by Open Banking. Check this by copying the .pem format of the certificate and opening it in a notepad software application. Opening the file should allow you to review the contents of the fields inside the certificate. Here you should be able to identify the Critical Extensions Fields: Key Usage and Enhanced Key Usage.
The Enhanced Key Usage should contain two properties: Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
Answer (2)
We permit the ciphers listed below on both the token and authorisation endpoints. Please ensure you are not using an incorrect or disallowed cipher.
Cipher Suite | OpenSSL Cipher Naming | KeyExch. | Encryption | Bits | Cipher Suite Name (RFC Naming Convention) |
[0xc02f] | ECDHE-RSA-AES128-GCM-SHA256 | ECDH | AESGCM | 128 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
[0xc030] | ECDHE-RSA-AES256-GCM-SHA384 | ECDH | AESGCM | 256 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
[0x9e] | DHE-RSA-AES128-GCM-SHA256 | DH | AESGCM | 128 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
[0x9f] | DHE-RSA-AES256-GCM-SHA384 | DH | AESGCM | 256 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
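The following is an added example, not Santander's or Open Banking's own code: a Python client context restricted to the four suites in the table, with an audit of what the local OpenSSL build will actually offer. The certificate, key and CA bundle paths are hypothetical parameters, and pinning the connection to TLS 1.2 is an assumption based on the suites listed.

```python
import ssl

# OpenSSL name -> 16-bit suite id, copied from the table above.
PERMITTED = {
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
    "ECDHE-RSA-AES256-GCM-SHA384": 0xC030,
    "DHE-RSA-AES128-GCM-SHA256": 0x009E,
    "DHE-RSA-AES256-GCM-SHA384": 0x009F,
}


def build_context(cert_file=None, key_file=None, ca_file=None):
    """Client context that offers only the permitted suites.

    cert_file/key_file: your transport certificate and key (hypothetical paths).
    ca_file: bundle holding the Open Banking root and intermediate certificates.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # Assumption: the listed suites are TLS 1.2 suites, so pin the version;
    # otherwise OpenSSL also offers its TLS 1.3 suites.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(PERMITTED))
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def offered_suites(ctx):
    """Map name -> 16-bit id for every pre-TLS-1.3 suite the context enables."""
    return {c["name"]: c["id"] & 0xFFFF
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def audit(ctx):
    """Compare what the local OpenSSL build will offer against the table."""
    offered = offered_suites(ctx)
    return {
        "missing": sorted(set(PERMITTED) - set(offered)),
        "extra": sorted(set(offered) - set(PERMITTED)),
        "wrong_id": sorted(n for n in offered
                           if n in PERMITTED and offered[n] != PERMITTED[n]),
    }


def is_permitted(negotiated):
    """negotiated is the (name, protocol, bits) tuple from SSLSocket.cipher()."""
    return negotiated is not None and negotiated[0] in PERMITTED


if __name__ == "__main__":
    print(audit(build_context()))
```

After a successful handshake, passing the socket's `cipher()` result to `is_permitted` confirms which of the four suites was negotiated.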
Answer (3)
Make sure you have loaded your Root and Intermediate Open Banking Certificates into your Truststore/Keystore. Depending on what application you are using, you must ensure the application knows to trust the certificate by referring to the Truststore, as most applications will by default not trust a certificate unless it has been signed and added to these stores.
Answer (4)
Make sure you have checked that you are using a valid certificate and that it has not expired. By converting the certificate from .pem format to .crt, you can check the valid to and valid from fields. Alternatively, check that the certificate has not been revoked. You can do this by checking the Serial Number field contained in the certificate against the Open Banking Certificate Revoked List: http://ob.trustis.com/production/issuingca.crl. Alternatively, you may use the JWKS keystore https://keystore.openbanking.org.uk/<YourOrgID>/<YourOrgID>.jwks and check whether the certificate you are using is within the list.
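The JWKS check described above can be scripted. This is an added example, not code from Santander or Open Banking; it assumes the JWKS entries carry the standard JWK certificate parameters `x5c`, `x5t` or `x5t#S256` (RFC 7517), and it runs on constructed sample data in place of a downloaded keystore.

```python
import base64
import hashlib
import ssl


def _b64url(raw):
    """base64url without padding, as JWK thumbprint fields use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def thumbprints(pem):
    """Return (DER bytes, {'x5t': ..., 'x5t#S256': ...}) for a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return der, {
        # x5t is defined as a SHA-1 thumbprint; it is a lookup value only.
        "x5t": _b64url(hashlib.sha1(der, usedforsecurity=False).digest()),
        "x5t#S256": _b64url(hashlib.sha256(der).digest()),
    }


def find_in_jwks(pem, jwks):
    """Return the kid of every JWKS entry that carries this certificate."""
    der, prints = thumbprints(pem)
    hits = []
    for key in jwks.get("keys", []):
        leaf = (key.get("x5c") or [None])[0]  # x5c[0] is the key's own certificate
        by_chain = leaf is not None and base64.b64decode(leaf) == der
        by_print = any(key.get(name) == value for name, value in prints.items())
        if by_chain or by_print:
            hits.append(key.get("kid"))
    return hits


# Constructed sample data: the "certificates" are placeholder bytes, not real
# X.509, which is enough because matching is done on the raw DER encoding.
DER_A, DER_B, DER_C = b"constructed-cert-A", b"constructed-cert-B", b"constructed-cert-C"
PEM_A, PEM_B, PEM_C = (ssl.DER_cert_to_PEM_cert(d) for d in (DER_A, DER_B, DER_C))
SAMPLE_JWKS = {"keys": [
    {"kid": "kid-a", "x5c": [base64.b64encode(DER_A).decode("ascii")]},
    {"kid": "kid-b", "x5t#S256": thumbprints(PEM_B)[1]["x5t#S256"]},
]}

if __name__ == "__main__":
    for name, pem in (("A", PEM_A), ("B", PEM_B), ("C", PEM_C)):
        print(name, find_in_jwks(pem, SAMPLE_JWKS) or "not in JWKS")
```

For a real check, load your transport certificate's PEM text and the JSON document from the keystore URL above, then pass both to `find_in_jwks`.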
Answer (5)
Try to diagnose the SSL connection using a network analyser (such as Wireshark) to observe the SSL handshake pattern.
You should see the following pattern in the 'Info' Column if using a software package such as Wireshark:
- Client Hello
- Server Hello
- Certificate, Server Key Exchange, Certificate Request, Server Hello Done
- Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
- Change Cipher Spec (If required)
- Encrypted Handshake Message
- Application Data