Frequently Asked Questions

If you're a 'third party provider' (TPP), we've created a list of our most commonly asked questions and their answers. They're focused on Open Banking and may help you get what you need, before contacting us. We'll try to keep these as up-to-date as possible.

    General

  • What is Open Banking?

    Open Banking is a reform, called for by the Competition and Markets Authority (CMA), which mandates Santander and the eight other largest current account providers (CMA9) to securely share customer account data and initiate payments with registered third party providers (TPPs), provided the customer has given their consent.

    Please find more information at Open Banking

  • What are our Open Banking APIs?

    Open Data

    These Open Data APIs allow API providers (e.g. banks, building societies and ATM providers) to develop API endpoints for products, branches and ATMs data which can then be accessed by anyone.

     

    Account & Transactions

    These read/write APIs provide the ability for approved/authorised account information service providers (AISPs) to access a customer’s (payment service user, PSU) account and transaction information for domestic business current accounts (BCAs) and personal current accounts (PCAs), only when the PSU grants consent. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk/ 

     

    Payment Initiation

    These read/write APIs provide the ability for authorised payment initiation service providers (PISPs) to initiate domestic payments and set up new domestic scheduled payments and domestic standing orders, only when the PSU grants consent. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk

     

    Confirmation of Funds

    This read/write API allows a Card Based Payment Instrument Issuer ('CBPII') to make a request to confirm funds are available. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk

  • What are the roles a TPP can perform?

    A TPP, Third Party Provider, can perform the following roles once they are registered with their National Competent Authority (NCA):

    Account Information Service Provider (AISP)

    Payment Initiation Service Provider (PISP)

    Technical Service Provider (TSP)

    Card Based Payment Instrument Issuer (CBPII)

  • Do any of your European brands have Developer Portals?

    Yes we do! Below are links to our European Developer Portals and where you can find more information on PSD2 APIs:

    Santander Spain 

    Santander Poland

    Santander Portugal 

    Santander Germany

    Santander Norway

    Santander Sweden

    Read/Write APIs

  • How can I access Santander's Read/Write APIs?

    As a TPP, in order to access our Read/Write APIs, you need to be enrolled with Open Banking (Enrolling Onto Open Banking Guide) and registered with the Financial Conduct Authority (FCA) or a National Competent Authority (NCA), as either an AISP and/or PISP, TSP or CBPII.

    This will then enable you to access our APIs through the Santander Developer Portal

  • As a Third Party Provider, is there somewhere I can test prototype Open Banking Solutions?

     Yes, Santander have a test facility (Sandbox) available through our Developer Portal. This will be made available in March 2019.

    Check out our Get Started guide for a step by step guide on how to start testing with our Sandbox APIs.

  • What is the URL for Santander Open Banking OpenID Connect Implementation?

    https://openbanking.santander.co.uk/sanuk/external/open-banking/openid-connect-provider/v1/.well-known/openid-configuration

  • Do you have some Personal & Business Current Accounts test accounts available for testing?

    We do not yet have test accounts available for testing with our Live APIs.

    In Sandbox, however, we will have a set of test scenarios for production-like testing.

  • What account types are supported by Santander for Open Banking?

    The following banking account types are available in our Live & Sandbox APIs:

     

    Santander Personal / Cahoot

    Current accounts

    Savings accounts (determined payment accounts under PSD2)

    Credit card accounts

     

    Santander Business

    Current accounts

    Savings accounts (determined payment accounts under PSD2)

    Credit card accounts

     

    Santander Corporate & Commercial

    Sterling & non-Sterling Current accounts*

    Sterling Savings accounts (determined payment accounts under PSD2)

     

    *Non-sterling accounts are only available for Account & Transactions APIs at this moment in time

  • Where can I find more information about Santander's implementation?

    For more information on our implementation you can go to Open Banking’s Developer Zone and check out our:

     

    Implementation Guide - A guide containing the technical detail of our implementation (including which fields/endpoints we support and much more).

     

    Transparency Calendar - A calendar containing all the key dates and implementation information that you will need to know before and whilst you are connected to our APIs.

  • Where are the specifications you have used to build your current APIs?

    There are full specifications provided by OBIE available on their Developer Zone from which we’ve built our APIs.

  • How do I on-board to the Santander Developer Portal?

    For help on how to on-board to the Santander Developer Portal check out our Getting Started guide.

    Response Codes

  • I am getting a 401 unauthorized response when invoking /token endpoints

    (1) Make sure you have registered your SSA in the Santander Developer Portal and that your subscription to the Accounts Service Provider API and/or Payments Service Provider API has been approved by Santander.

    (2) Make sure you are using the client_secret_post authentication method for the OIDC calls.

    (3) Make sure you are sending client_id and client_secret as parameters in the x-www-form-urlencoded request body.

  • I am getting an SSL Handshake Error when trying to invoke /token or resource endpoints.

    Check that you are using the correct network certificate, signed by Open Banking, to establish the TLS mutual authentication (MA) connection.

    Network Support

  • SSL Handshake Error when invoking an API on openbanking-ma.santander.co.uk

    Answer (1)

    Make sure you are using the correct Public Certificate for Transport provided by Open Banking. Check this by copying the .pem format of the certificate and opening it in a notepad software application. Opening the file should allow you to review the contents of the fields inside the certificate. Here you should be able to identify the Critical Extensions fields: Key Usage and Enhanced Key Usage.

    The Enhanced Key Usage should contain two properties: Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).

    Answer (2)

    We permit the ciphers listed below on both the token and authorisation endpoints. Please ensure you are not using an incorrect or disallowed cipher.

    Cipher Suite  OpenSSL Cipher Naming        KeyExch.  Encryption  Bits  Cipher Suite Name (RFC Naming Convention)
    [0xc02f]      ECDHE-RSA-AES128-GCM-SHA256  ECDH      AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [0xc030]      ECDHE-RSA-AES256-GCM-SHA384  ECDH      AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [0x9e]        DHE-RSA-AES128-GCM-SHA256    DH        AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    [0x9f]        DHE-RSA-AES256-GCM-SHA384    DH        AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    Answer (3)

    Make sure you have loaded your Root and Intermediate Open Banking Certificates into your Truststore/Keystore. Depending on what application you are using, you must ensure the application knows to trust the certificate by referring to the Truststore, as most applications will by default not trust a certificate unless it has been signed and added to these stores.

    Answer (4)

    Make sure you have checked that you are using a valid certificate and that it has not expired. By converting the certificate from .pem format to .crt, you can check the valid to and valid from fields. Alternatively, check that the certificate is not revoked. To confirm, take the Serial Number field contained in the certificate and check it against the Open Banking Certificate Revoked List: http://ob.trustis.com/production/issuingca.crl. Alternatively, you may use the JWKS keystore https://keystore.openbanking.org.uk/<YourOrgID>/<YourOrgID>.jwks and check whether the certificate you are using is within the list.

    Answer (5)

    Try to diagnose the SSL connection using a network analyser (such as Wireshark) to observe the SSL handshake pattern.

    You should see the following pattern in the 'Info' Column if using a software package such as Wireshark:

     

    Client Hello

    Server Hello

    Certificate, Server Key Exchange, Certificate Request, Server Hello Done

    Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

    Change Cipher Spec (If required)

    Encrypted Handshake Message

    Application Data
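
    The certificate checks from Answers (1) and (4), scripted with the openssl command line as an added example (not part of the original FAQ or Santander's tooling). The function names and the self-signed sample certificates are constructed for illustration, and OpenSSL 1.1.1 or later is assumed for the -addext option.

```shell
#!/bin/sh
# Added example (not Santander's or Open Banking's tooling).

# Return 0 only if the PEM certificate lists both EKUs from Answer (1)
# and has not passed its notAfter date (Answer (4)).
check_transport_cert() {
    cert="$1"
    # The line after the "Extended Key Usage" heading holds the usages.
    eku=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
          grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: no Server Authentication (1.3.6.1.5.5.7.3.1)"; return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: no Client Authentication (1.3.6.1.5.5.7.3.2)"; return 1 ;;
    esac
    # -checkend 0 exits non-zero once the certificate has expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"; return 1
    fi
    # Serial number (for the CRL lookup) and validity dates.
    openssl x509 -in "$cert" -noout -serial -startdate -enddate
    echo "OK: $cert"
}

# Constructed sample input: a throwaway self-signed certificate with the
# EKU list given in $2. Real transport certificates are issued by Open Banking.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-tpp-example" \
        -keyout "$1.key" -out "$1" -addext "extendedKeyUsage=$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/both.pem" "serverAuth,clientAuth"
make_sample_cert "$demo_dir/server_only.pem" "serverAuth"
check_transport_cert "$demo_dir/both.pem"
check_transport_cert "$demo_dir/server_only.pem" || true
rm -rf "$demo_dir"
```

    The printed serial number is the value to look up in the revocation list mentioned in Answer (4).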

  • I can't connect to the 'openbanking-ma.santander.co.uk' domain

    For connections to the openbanking-ma.santander.co.uk domain, clients must have ensured the following has taken place:

     

    (1) The TPP has registered with Open Banking Directory

    (2) The TPP has obtained signed Transport Certificates from Open Banking

    (3) The TPP has registered and on-boarded with Santander (https://developer.santander.co.uk) and received a valid set of Client Credentials

    (4) The TPP has an appropriate software application to enable the connection to our domain to test the API, e.g. Postman or using Curl commands

  • Why am I receiving a TCP Timeout Connection Message?

    This may be because the firewall on the openbanking-ma.santander.co.uk domain is currently blocking your IP address from attempting to connect to our servers. Please contact us and provide your public IP address and the time you attempted to make the connection, so that we can investigate the problem.