Frequently Asked Questions
-
General
What is Open Banking?
What are our Open Banking APIs?
What are the roles a TPP can perform?
Do any of your European brands have Developer Portals?
-
Read/Write APIs
How can I access Santander's Read/Write APIs?
As a Third Party Provider, is there somewhere I can test prototype Open Banking Solutions?
What is the URL for Santander Open Banking OpenID Connect Implementation?
Do you have some Personal & Business Current Accounts test accounts available for testing?
What account types are supported by Santander for Open Banking?
Where can I find more information about Santander's implementation?
Where are the specifications you have used to build your current APIs?
How do I on-board to the Santander Developer Portal?
-
Response Codes
I am getting a 401 unauthorized response when invoking /token endpoints
I am getting an SSL Handshake Error when trying to invoke /token or resource endpoints.
-
Network Support
SSL Handshake Error when invoking an API on openbanking-ma.santander.co.uk
I can't connect to the openbanking-ma.santander.co.uk domain
Why am I receiving a TCP Timeout Connection Message?
-
What is Open Banking?
Open Banking is a reform, called for by the Competition and Markets Authority (CMA), which mandates Santander and the eight other largest current account providers (CMA9) to securely share customer account data and initiate payments with registered third party providers (TPPs), provided the customer has given their consent.
Please find more information at Open Banking
-
What are our Open Banking APIs?
Open Data
These Open Data APIs allow API providers (e.g. banks, building societies and ATM providers) to develop API endpoints for products, branches and ATMs data which can then be accessed by anyone.
Account & Transactions
These read/write APIs provide the ability for approved/authorised account information service providers (AISPs) to access a customer’s (payment service user, PSU) account and transaction information for domestic business current accounts (BCAs) and personal current accounts (PCAs), only when the PSU grants consent. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk/
Payment Initiation
These read/write APIs provide the ability for authorised payment initiation service providers (PISPs) to initiate domestic payments and set up new domestic scheduled payments and domestic standing orders, only when the PSU grants consent. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk
Confirmation of Funds
This read/write API allows a Card Based Payment Instrument Issuer ('CBPII') to make a request to confirm funds are available. This API is developed according to the Open Banking Read/Write API Specifications, see https://www.openbanking.org.uk
-
What are the roles a TPP can perform?
A TPP, Third Party Provider, can perform the following roles once they are registered with their National Competent Authority (NCA):
Account Information Service Provider (AISP)
Payment Initiation Service Provider (PISP)
Technical Service Provider (TSP)
Card Based Payment Instrument Issuer (CBPII)
-
Do any of your European brands have Developer Portals?
Yes we do! Below are links to our European Developer Portals and where you can find more information on PSD2 APIs:
Santander Spain
Santander Poland
Santander Portugal
Santander Germany
Santander Norway
Santander Sweden
-
How can I access Santander's Read/Write APIs?
As a TPP, in order to access our Read/Write APIs, you need to be enrolled with Open Banking (Enrolling Onto Open Banking Guide) and registered with the Financial Conduct Authority (FCA) or a National Competent Authority (NCA) as an AISP, PISP, TSP or CBPII (or a combination of these).
This will then enable you to access our APIs through the Santander Developer Portal.
-
As a Third Party Provider, is there somewhere I can test prototype Open Banking Solutions?
Yes, Santander have a test facility (Sandbox) available through our Developer Portal. This will be made available in March 2019.
Check out our Get Started guide for a step by step guide on how to start testing with our Sandbox APIs.
-
What is the URL for Santander Open Banking OpenID Connect Implementation?
-
Do you have some Personal & Business Current Accounts test accounts available for testing?
We do not yet have test accounts available for testing with our Live APIs.
In Sandbox, however, we will have a set of test scenarios for production-like testing.
-
What account types are supported by Santander for Open Banking?
The following banking account types are available in our Live & Sandbox APIs:
Santander Personal / Cahoot:
  Current accounts
  Savings accounts (determined payment accounts under PSD2)
  Credit card accounts
Santander Business:
  Current accounts
  Savings accounts (determined payment accounts under PSD2)
  Credit card accounts
Santander Corporate & Commercial:
  Sterling & non-Sterling Current accounts*
  Sterling Savings accounts (determined payment accounts under PSD2)
*Non-sterling accounts are only available for Account & Transactions APIs at this moment in time.
-
Where can I find more information about Santander's implementation?
For more information on our implementation you can go to Open Banking’s Developer Zone and check out our:
Implementation Guide - A guide containing the technical detail of our implementation (including which fields/endpoints we support and much more).
Transparency Calendar - A calendar containing all the key dates and implementation information that you will need to know before and whilst you are connected to our APIs.
-
Where are the specifications you have used to build your current APIs?
There are full specifications provided by OBIE available on their Developer Zone from which we’ve built our APIs.
-
How do I on-board to the Santander Developer Portal?
For help on how to on-board to the Santander Developer Portal check out our Getting Started guide.
-
I am getting a 401 unauthorized response when invoking /token endpoints
(1) Make sure you have registered your SSA in the Santander Developer Portal and that your subscription to the Accounts Service Provider API and/or Payments Service Provider API has been approved by Santander.
(2) Make sure you are using the client_secret_post client authentication method for the OIDC calls.
(3) Make sure you are sending client_id and client_secret as parameters in the application/x-www-form-urlencoded request body.
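Checks (2) and (3) can be run against a captured or logged token request before it is sent. The following is an added example, not Santander's code: `lint_token_request` is a hypothetical helper, and the sample requests, including the `grant_type` value and the credentials, are constructed placeholders.

```python
from urllib.parse import parse_qs


def lint_token_request(headers, body):
    """Return the problems that would explain a 401 from a /token call.

    headers: dict of request headers; body: raw request body as bytes.
    """
    problems = []
    h = {k.lower(): v for k, v in headers.items()}

    # Check (2): credentials in an Authorization header mean the client is
    # using client_secret_basic rather than client_secret_post.
    if h.get("authorization", "").lower().startswith("basic "):
        problems.append("credentials sent in Authorization header (client_secret_basic)")

    # Check (3): the body must be form-encoded, not JSON or multipart.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        problems.append(f"Content-Type is {ctype or 'missing'}, not form-encoded")
        return problems

    # Both credentials must appear exactly once, non-empty, in the body.
    form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    for field in ("client_id", "client_secret"):
        values = form.get(field, [])
        if len(values) != 1 or not values[0]:
            problems.append(f"{field} missing, empty or repeated in body")
    return problems


# Constructed sample requests; every value below is a placeholder.
GOOD = ({"Content-Type": "application/x-www-form-urlencoded"},
        b"grant_type=client_credentials&client_id=my-client&client_secret=s3cr3t")
BASIC = ({"Content-Type": "application/x-www-form-urlencoded",
          "Authorization": "Basic cGxhY2Vob2xkZXI="},
         b"grant_type=client_credentials")
JSON_BODY = ({"Content-Type": "application/json"},
             b'{"client_id": "my-client", "client_secret": "s3cr3t"}')

if __name__ == "__main__":
    for name, (hdrs, data) in (("GOOD", GOOD), ("BASIC", BASIC), ("JSON_BODY", JSON_BODY)):
        print(name, lint_token_request(hdrs, data) or "ok")
```

Point (1), the SSA registration and API subscription, cannot be checked from the request itself and still has to be confirmed in the Developer Portal.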
-
I am getting an SSL Handshake Error when trying to invoke /token or resource endpoints.
Check that you are using the correct network certificate, signed by Open Banking, to establish the TLS MA (mutual authentication) connection.
-
SSL Handshake Error when invoking an API on openbanking-ma.santander.co.uk
Answer (1)
Make sure you are using the correct Public Certificate for Transport provided by Open Banking. Check this by copying the .pem format of the certificate and opening it in a notepad software application. Opening the file should allow you to review the contents of the fields inside the certificate. Here you should be able to identify the critical extension fields: Key Usage and Enhanced Key Usage.
The Enhanced Key Usage should contain two properties: Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
Answer (2)
We permit only the ciphers listed below on both the token and authorisation endpoints. Please ensure you are not using an incorrect or disallowed cipher.
Cipher Suite  OpenSSL Cipher Naming        KeyExch.  Encryption  Bits  Cipher Suite Name (RFC Naming Convention)
[0xc02f]      ECDHE-RSA-AES128-GCM-SHA256  ECDH      AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[0xc030]      ECDHE-RSA-AES256-GCM-SHA384  ECDH      AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[0x9e]        DHE-RSA-AES128-GCM-SHA256    DH        AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[0x9f]        DHE-RSA-AES256-GCM-SHA384    DH        AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Answer (3)
Make sure you have loaded your Root and Intermediate Open Banking Certificates into your Truststore/Keystore. Depending on what application you are using, you must ensure the application knows to trust the certificate by referring to the Truststore, as most applications will by default not trust a certificate unless it has been signed and added to these stores.
Answer (4)
Make sure you are using a valid certificate that has not expired. By converting the certificate from .pem format to .crt, you can check the 'valid from' and 'valid to' fields. Alternatively, check that the certificate has not been revoked. Certificates can be checked by looking up the Serial Number field contained in the certificate in the Open Banking Certificate Revocation List at http://ob.trustis.com/production/issuingca.crl, or alternatively you may use the JWKS keystore https://keystore.openbanking.org.uk/<YourOrgID>/<YourOrgID>.jwks and check whether the certificate you are using is within the list.
Answer (5)
Try to diagnose the SSL connection using a network analyser (such as Wireshark) to observe the SSL handshake pattern.
You should see the following pattern in the 'Info' Column if using a software package such as Wireshark:
Client Hello
Server Hello
Certificate, Server Key Exchange, Certificate Request, Server Hello Done
Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
Change Cipher Spec (If required)
Encrypted Handshake Message
Application Data
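Answers (2) and (3) can be combined into one client-side check: a TLS context that offers only the four permitted suites, trusts the Open Banking root and intermediate, and presents the transport certificate. This is an added example, not Santander's code; the file path parameters are hypothetical, and capping the context at TLS 1.2 is an assumption made because all four listed suites are TLS 1.2 suites.

```python
import socket
import ssl

# OpenSSL names of the four suites in the table above.
PERMITTED = (
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
)


def build_context(ca_bundle=None, cert_file=None, key_file=None):
    """Client context for mutual TLS limited to the permitted suites."""
    # Answer (3): ca_bundle holds the Open Banking root and intermediate;
    # with None the system trust store is used instead.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if cert_file:  # transport certificate and private key (hypothetical paths)
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    # Assumption: cap at TLS 1.2 so only the listed suites can be negotiated.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(PERMITTED))
    return ctx


def offered_ciphers(ctx):
    """Names of the TLS 1.2 suites this context puts in its Client Hello."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def try_handshake(host, ctx, port=443, timeout=10):
    """Attempt the handshake; return (ok, negotiated cipher or failure reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except ssl.SSLCertVerificationError as exc:  # truststore problem, Answer (3)
        return False, f"server chain not trusted: {exc.verify_message}"
    except ssl.SSLError as exc:  # cipher or client certificate rejected
        return False, f"handshake failed: {exc.reason}"
    except OSError as exc:  # refused, timed out or DNS failure
        return False, f"no TCP connection: {exc}"
```

Call `try_handshake("openbanking-ma.santander.co.uk", build_context(...))` with your own files; the three failure branches separate a trust problem from a rejected cipher or certificate and from the TCP-level failure covered in the timeout question.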
-
I can't connect to the openbanking-ma.santander.co.uk domain
For connections to the openbanking-ma.santander.co.uk domain, clients must have ensured the following has taken place:
(1) The TPP has registered with Open Banking Directory
(2) The TPP has obtained signed Transport Certificates from Open Banking
(3) The TPP has registered and on-boarded with Santander (https://developer.santander.co.uk) and received a valid set of Client Credentials
(4) The TPP has an appropriate software application to enable the connection to our domain to test the API, e.g. Postman or using Curl commands
-
Why am I receiving a TCP Timeout Connection Message?
This may be because the firewall on the openbanking-ma.santander.co.uk domain is currently blocking your IP address from connecting to our servers. Please contact us and provide your public IP address and the time you attempted to make the connection so that the problem can be investigated.