Frequently Asked Questions

If you're a 'third party provider' (TPP), we've created a list of our most commonly asked questions and their answers. They're focussed on Open Banking and may help you get what you need, before contacting us. We'll try to keep these as up-to-date as possible.

General

Open Banking is a reform, called for by the Competition and Markets Authority (CMA), which mandates Santander and the eight other largest current account providers (CMA9) to securely share customer account data and initiate payments with registered third party providers (TPPs), provided the customer has given their consent.

Please find more information at Open Banking

Open Data

These Open Data APIs allow API providers (e.g. banks, building societies and ATM providers) to develop API endpoints for products, branches and ATMs data which can then be accessed by anyone.

 

Account & Transactions

These read/write APIs provide the ability for approved/authorised account information service providers (AISPs) to access a customer’s (payment service user, PSU) account and transaction information for domestic business current accounts (BCAs) and personal current accounts (PCAs), only when the PSU grants consent. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk/ 

 

Payment Initiation

These read/write APIs provide the ability for authorised payment initiation service providers (PISPs) to initiate domestic payments and set up new domestic scheduled payments and domestic standing orders, only when the PSU grants consent. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk

 

Confirmation of Funds

This read/write API allows a Card Based Payment Instrument Issuer ('CBPII') to make a request to confirm funds are available. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk

A TPP, Third Party Provider, can perform the following roles once they are registered with their National Competent Authority (NCA):

Account Information Service Provider (AISP)

Payment Initiation Service Provider (PISP)

Technical Service Provider (TSP)

Card Based Payment Instrument Issuer (CBPII)

Yes we do! Below are links to our European Developer Portals and where you can find more information on PSD2 APIs:

Santander Spain 

Santander Poland

Santander Portugal 

Santander Germany

Santander Norway

Santander Sweden

Read/Write APIs

As a TPP, in order to access our Read/Write APIs, you need to be enrolled with Open Banking (Enrolling Onto Open Banking Guide) and registered with the Financial Conduct Authority (FCA) or a National Competent Authority (NCA), as either an AISP and/or PISP, TSP or CBPII.

This will then enable you to access our APIs through the Santander Developer Portal

 Yes, Santander have a test facility (Sandbox) available through our Developer Portal. This will be made available in March 2019.

Check out our Get Started guide for a step by step guide on how to start testing with our Sandbox APIs.

We do not yet have test accounts available for testing with our Live APIs.

In Sandbox, however, we will have a set of test scenarios for production-like testing.

The following banking account types are available in our Live & Sandbox APIs:

 

Santander Personal / Cahoot

Current accounts

Savings accounts (determined payment accounts under PSD2)

Credit card accounts

 

Santander Business

Current accounts

Savings accounts (determined payment accounts under PSD2)

Credit card accounts

 

Santander Corporate & Commercial

Sterling & non-Sterling Current accounts*

Sterling Savings accounts (determined payment accounts under PSD2)

 

*Non-sterling accounts are only available for Account & Transactions APIs at this moment in time

For more information on our implementation you can go to Open Banking’s Developer Zone and check out our:

 

Implementation Guide - A guide containing the technical detail of our implementation (including which fields/endpoints we support and much more).

 

Transparency Calendar - A calendar containing all the key dates and implementation information that you will need to know before and whilst you are connected to our APIs.

There are full specifications provided by OBIE available on their Developer Zone from which we’ve built our APIs.

For help on how to on-board to the Santander Developer Portal check out our Getting Started guide.

As a TPP using our Account and Transactions API, you can filter transactions by BookingDateTime, so that you only receive transactions within the period specified in the request (e.g. fromBookingDateTime=2019-04-19T00:00:00&toBookingDateTime=2021-04-19T23:59:59).

If you decide not to include a filter in the request we will respond with transactions from a default time period of the last 30 days. 

Response Codes

Check that you are using the correct network certificate signed by Open Banking to establish the mutually authenticated TLS (TLS MA) connection.

(1) Make sure you have registered your SSA in the Santander Developer Portal and that the subscription to the Accounts Service Provider API and/or Payments Service Provider API is approved by Santander.

(2) Make sure you are following client_secret_post for the OIDC calls.

(3) Make sure you are sending client_id & client_secret as x-www-form-urlencoded body parameters.
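Checks (2) and (3) can be verified before a request leaves your client. The following is an added example, not Santander's own code: it builds a token request in client_secret_post form and lists what is wrong with one that is not. The token URL, credentials, the client_credentials grant and the "accounts" scope are assumptions used for illustration.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

FORM = "application/x-www-form-urlencoded"


def build_token_request(token_url, client_id, client_secret, scope):
    """Return (url, headers, body) for a token request using client_secret_post."""
    body = urlencode({
        "grant_type": "client_credentials",  # assumed grant type
        "scope": scope,
        "client_id": client_id,          # credentials travel in the form body,
        "client_secret": client_secret,  # never in the URL or a Basic header
    })
    return token_url, {"Content-Type": FORM}, body


def check_client_secret_post(url, headers, body):
    """List the problems that stop a token request being valid client_secret_post."""
    problems = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("authorization", "").lower().startswith("basic "):
        problems.append("credentials sent in an Authorization: Basic header")
    if hdrs.get("content-type", "").split(";")[0].strip().lower() != FORM:
        problems.append("Content-Type is not " + FORM)
    form = parse_qs(body, keep_blank_values=True)
    for field in ("client_id", "client_secret"):
        if not form.get(field, [""])[0]:
            problems.append(field + " missing from the form body")
    query = parse_qs(urlsplit(url).query)
    if "client_id" in query or "client_secret" in query:
        problems.append("credentials placed in the URL query string")
    return problems


# Constructed sample requests; the URL and credentials are placeholders.
TOKEN_URL = "https://token-endpoint.example/token"
GOOD_REQUEST = build_token_request(TOKEN_URL, "example-client-id",
                                   "example-secret", "accounts")
BAD_REQUEST = (TOKEN_URL + "?client_id=example-client-id",
               {"Content-Type": "application/json",
                "Authorization": "Basic ZXhhbXBsZQ=="},
               '{"grant_type": "client_credentials"}')

if __name__ == "__main__":
    for problem in check_client_secret_post(*BAD_REQUEST):
        print("problem:", problem)
```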

Network Support

Answer (1)

Make sure you are using the correct Public Certificate for Transport provided by Open Banking. Check this by copying the .pem format of the certificate and opening it in a notepad software application. Opening the file should allow you to review the contents of the fields inside the certificate. Here you should be able to identify the Critical Extensions Fields: Key Usage and Enhanced Key Usage.

The Enhanced Key Usage should contain two properties: Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).

Answer (2)

We permit the ciphers listed below on both the token and authorisation endpoints. Please ensure you are not using an incorrect or disallowed cipher.

Cipher Suite   OpenSSL Cipher Naming          KeyExch.   Encryption   Bits   Cipher Suite Name (RFC Naming Convention)
[0xc02f]       ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM       128    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[0xc030]       ECDHE-RSA-AES256-GCM-SHA384    ECDH       AESGCM       256    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[0x9e]         DHE-RSA-AES128-GCM-SHA256      DH         AESGCM       128    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[0x9f]         DHE-RSA-AES256-GCM-SHA384      DH         AESGCM       256    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Answer (3)

Make sure you have loaded your Root and Intermediate Open Banking Certificates into your Truststore/Keystore. Depending on the application you are using, you must ensure it knows to trust the certificate by referring to the Truststore, as most applications will by default not trust a certificate unless it has been signed and added to these stores.
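Answers (2) and (3) can be combined in one client configuration. The following is an added example, not Santander's own code: it builds a Python TLS client context that offers only the four suites in the table above and trusts only the chain you load. The file paths are hypothetical parameters, and capping the context at TLS 1.2 is an assumption made because the table lists TLS 1.2 suites only.

```python
import ssl

# The four suites from the table above: code point -> OpenSSL cipher name.
PERMITTED_SUITES = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",
}


def build_client_context(ca_bundle=None, client_cert=None, client_key=None):
    """TLS client context limited to the permitted suites.

    ca_bundle, client_cert and client_key are hypothetical file paths: the
    Open Banking root/intermediate chain and the TPP transport certificate/key.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # assumption, see lead-in
    ctx.set_ciphers(":".join(PERMITTED_SUITES.values()))
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)  # nothing is trusted until loaded
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def offered_tls12_suites(ctx):
    """Return {code_point: name} for the pre-TLS 1.3 suites the context offers."""
    offered = {}
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # set_ciphers() does not control TLS 1.3 suites
        offered[suite["id"] & 0xFFFF] = suite["name"]  # low 16 bits = code point
    return offered


def disallowed_suites(ctx):
    """Names of offered suites that are not in the permitted table."""
    return sorted(name for code, name in offered_tls12_suites(ctx).items()
                  if code not in PERMITTED_SUITES)


if __name__ == "__main__":
    print("restricted context:", disallowed_suites(build_client_context()))
    print("library default   :", disallowed_suites(ssl.create_default_context()))
```

Running the same check against the library's default context shows how many suites outside the table a client offers when left unconfigured.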

Answer (4)

Make sure you are using a valid certificate that has not expired. By converting the certificate from .pem format to .crt, you can check the valid to and valid from fields. Alternatively, check that the certificate has not been revoked. Look up the Serial Number field contained in the certificate in the Open Banking Certificate Revocation List at http://ob.trustis.com/production/issuingca.crl or, alternatively, use the JWKS keystore https://keystore.openbanking.org.uk/<YourOrgID>/<YourOrgID>.jwks and check whether the certificate you are using is within the list.

Answer (5)

Try to diagnose the SSL connection using a network analyser (such as Wireshark) to observe the SSL handshake pattern.

You should see the following pattern in the 'Info' Column if using a software package such as Wireshark:

 

Client Hello

Server Hello

Certificate, Server Key Exchange, Certificate Request, Server Hello Done

Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

Change Cipher Spec (If required)

Encrypted Handshake Message

Application Data

For connections to the openbanking-ma.santander.co.uk domain, clients must have ensured the following has taken place:

 

(1) The TPP has registered with Open Banking Directory

(2) The TPP has obtained signed Transport Certificates from Open Banking

(3) The TPP has registered and on-boarded with Santander (https://developer.santander.co.uk) and received a valid set of Client Credentials

(4) The TPP has an appropriate software application to enable the connection to our domain to test the API, e.g. Postman or using Curl commands

This may be because the firewall on the domain openbanking-ma.santander.co.uk is currently blocking your IP address from connecting to our servers. Please contact us and provide your public IP address and the time you attempted to make the connection so that we can investigate the problem.

Didn't answer your question?

Send us a message