| Table of Contents | ||||
|---|---|---|---|---|
|
1. Version Control
Version | Date | Description of Changes |
Bahrain OBF v1.0.0 | 28th Oct 2020 | Initial Release |
2. Overview
The Account and Transaction API Profile describes the flows and common functionalities for the Accounts and Transaction API, which allows an Account Information Service Provider ('AISP') to:
Register an intent to retrieve account information by creating an "account access consent". This registers the data "permissions" and historical period allowed for transactions/statements - that the user/customer has consented to provide to the AISP
Subsequently, retrieve account and transaction data
Retrieve product specific information from ASPSP
2.1 Chapter Overview
This chapter (Account Information Services) consists of the following parts:
...
Alternative Flows: Rules for alternative flows
2.2 Resources
Each of the Account and Transaction API resources are documented in the Resources and Data Models / AISP area of the specification. Each resource is documented with:
Endpoints
The API endpoints available for the resource
Data Model
Resource definition
UML diagram
Permissions as they relate to accessing the resource
Data dictionary - which defines fields, re-usable classes, mandatory (1..1) or conditional (0..1)
Usage Examples
3. Basics
3.1 Overview
The figure below provides a general outline of an account information request and flow using the Account Info APIs.
...
3.1.1 Steps
Step 1: Request Account Information
...
This is carried out by making a GET request the relevant resource
The unique AccountId(s) that are valid for the account-access-consents will be returned with a call to GET /accounts. This will always be the first call once an AISP has a valid access token
3.1.2 Sequence Diagram
...
*CIBA - Client Initiated Backchannel Authentication
3.2 Idempotency
The API endpoints for creating account-access-consents resources are not idempotent.
If a time-out error occurs - then an AISP can create a new account-access-consents resource - rather than try with the same resource.
3.3 Release Management
This section overviews the release management and versioning strategy for the Account and Transaction API.
3.3.1 Account Access Consent
3.3.1.1 POST
An AISP must not create a Consent on a newer version, and use it on a previous version
E.g., A ConsentId for an account-access-consents created in v3, must not be used to access v2 endpoints
3.3.1.2 GET
An AISP must not access a Consent on an older version, via the Id for a Consent created in a newer version:
E.g., An account-access-consents created in v3 accessed via v2 account-request
An ASPSP must allow a Consent to be accessed in a newer version
An ASPSP must ensure Permissions set associated with a Consent are unchanged when accessed in a different version:
E.g., An account-request created in v2 will have the same details when accessed via v2 and v3 (as an account-access-consents)
An ASPSP must ensure a Consent's fields are unchanged when accessed in a different version
An ASPSP may allow expired Consents to be accessed in a newer version
An ASPSP may choose to populate new fields introduced in a resource from previous version sensible defaults (if mandatory) or not populate at all (if not mandatory):
E.g., OBAccountAccessConsentResponse /Data/StatusUpdateDateTime introduced in v2 accessed with v1 AccountRequestId can be populated with Last accessed date time, if not already available in the system of records
3.3.1.3 PATCH
An AISP must not patch a Consent on an older version, via an Id for a Consent created in a newer version:
E.g., An account-access-consents is created in v3, and request PATCH on v2
An ASPSP must support patching a Consent from a previous version via a newer version:
E.g., An account-request is created in v2, and request PATCH on v3
3.3.2 Account Information Resources
3.3.2.1 GET
An AISP may use a token that is bound to a Consent in a previous version, to access an endpoint of a newer version
An AISP may use an Id for a Consent created in a previous version to retrieve Account Information resources in a newer version:
E.g., AccountRequestId from v2 can be used as ConsentId in v3, to GET /accounts
An AISP must not use an Id for a Consent from a newer version to access Account Information resources in a previous version:
E.g., ConsentId for an account-access-consents created in v3, must not be used to access v2 Account Information endpoints
An ASPSP must allow an AISP to use an Id for a Consent from a previous version to access Account Information resource endpoints in a newer version:
E.g., AccountRequestId created in v2 must be allowed to access Account Information resource endpoints in v3
An ASPSP must reject the request to access a resource, for which a Consent's Permissions set does not permit
An ASPSP may choose to populate new fields introduced in a resource from previous version sensible defaults (if mandatory) or not populate at all:
E.g., OBAccountAccessConsentResponse /Data/StatusUpdateDateTime introduced in Version2 accessed with V1 AccountRequestId can be populated with Last accessed date time, if not already available in the system of records
4.Security & Access Control
4.1 Scopes
The access tokens required for accessing the Account Info APIs must have the following scope:
accounts: Ability to read Accounts information
4.2 Grants Types
AISPs must use a client credentials grant to obtain a token to access the account-access-consents resource. In the specification, this grant type is referred to as "Client Credentials".
AISPs must use an authorisation code grant using a redirect or decoupled flow to obtain a token to access all other resources. In the specification, this grant type is referred to as "Authorisation Code").
4.3 Consent Authorisation
The AISP must create an account-access-consents resource through a POST operation. This resource indicates the consent that the AISP claims it has been given by the user/customer to retrieve account and transaction information. At this stage, the consent is not yet authorised as the ASPSP has not yet verified this claim with the user/customer.
...
Permissions | Endpoints | Business Logic | Data Cluster Description |
ReadAccountsBasic | /accounts |
| Ability to read basic account information |
ReadAccountsDetail | /accounts | Access to additional elements in the payload | Ability to read account identification details |
ReadBalances | /balances |
| Ability to read all balance information |
ReadBeneficiariesBasic | /beneficiaries |
| Ability to read basic beneficiary details |
ReadBeneficiariesDetail | /beneficiaries | Access to additional elements in the payload | Ability to read account identification details for the beneficiary |
ReadDirectDebits | /direct-debits |
| Ability to read all direct debit information |
ReadTransactionsBasic | /transactions | Permissions must also include at least one of:
| Ability to read basic transaction information |
ReadTransactionsDetail | /transactions | Access to additional elements in the payload Permissions must also include at least one of:
| Ability to read transaction data elements which may hold silent party details |
ReadTransactionsCredits | /transactions | Access to credit transactions. Permissions must also include one of:
| Ability to read only credit transactions |
ReadTransactionsDebits | /transactions | Access to debit transactions. Permissions must also include one of:
| Ability to read only debit transactions |
ReadStatementsBasic | /statements |
| Ability to read basic statement details |
ReadStatementsDetail | /statements | Access to additional elements in the payload Access to download the statement file (if the ASPSP makes this available). | Ability to read statement data elements which may leak other information about the account |
ReadSupplementaryAccountInfo | /supplementary-account-info |
| Ability to read all product information relating to the account |
ReadOffers | /offers |
| Ability to read all offer information |
ReadParty | /accounts/{AccountId}/party |
| Ability to read party information on the account owner |
ReadPartyCustomer | /party |
| Ability to read party information on the user/customer logged in |
ReadFutureDatedPaymentsBasic | /future-dated-payments |
| Ability to read basic statement details |
ReadFutureDatedPaymentsDetail | /future-dated-payments | Access to additional elements in the payload |
|
ReadPAN | All API endpoints where PAN is available as a structured field | Request to access to PAN in the clear | Request to access PAN in the clear across the available endpoints. If this permission code is not in the account-access-consents, the AISP will receive a masked PAN. While an AISP may request to access PAN in the clear, an ASPSP may still respond with a masked PAN if:
|
4.3.1.1.a Detail Permissions
The additional elements that are granted for "Detail" permissions are listed in this section.
...
Example behaviour of the Permissions for the ReadAccountsBasic and ReadAccountsDetail codes is as follows:
...
4.3.1.1.b Reversing Entries
It is expected that transactions will be returned in the payload irrespective of whether they are reversing entries, as long as the user/customer has provided consent for that type of transaction.
...
If the user/customer has provided permission for ReadTransactionsDebits, the ASPSP must include all debits, including credit reversals.
4.3.1.2 Transaction To/From Date Time
The TransactionToDateTime and the TransactionFromDateTime specify the period for consented transaction and/or statement history. Both the fields are optional and one may be specified without the other.
...
The AISP must be restricted to accessing statements which are completely within this period when accessing the statements resource.
4.3.2 Account Access Consent Status
The Account Access Consent resource may have one of the following status codes after authorisation has taken place:
S. No. | Status | Description |
1 | Authorised | The account-access-consents has been successfully authorised |
2 | Rejected | The account-access-consents has been rejected |
3 | Revoked | The account-access-consents has been revoked via the AISP interface |
4.3.3 Consent Re-authentication
Account Access Consents are long-lived consents.
...
An AISP and the user/customer may have multiple consents at any point in time.
4.4 Consent Revocation
A user/customer may revoke consent for accessing account information at any point in time.
...
The AISP must cease to access the APIs at that point
The AISP must call the PATCH operation on the account-access-consents resource (before confirming consent revocation with the user/customer) as soon as is practically possible, to indicate to the ASPSP that the user/customer has revoked consent
4.5 Access Revocation
A user/customer may revoke AISP's access directly with the ASPSP, via the access dashboard. In such a situation:
The ASPSPs must revoke the access token provided to the AISP
The status of the account-access-consents must remain unchanged and the AISP must be allowed to request user/customer to re-authenticate the same account-access-consents resource
Upon successful re-authentication by user/customer, an ASPSP may issue new authorisation code and subsequently new access token to the AISP
4.6 Changes to Selected Account(s)
The user/customer must select the accounts to which the consent should be applied at the point of consent authorisation.
...
In these scenarios, only the affected account is removed from the list of selected accounts. The ASPSP must not revoke authorisation to other accounts.
5.Data Model
5.1 Using Meta to identify Available Transaction Period
For Accounts & Transaction APIs, the Meta section in API responses may contain two additional fields to indicate the date range for which data has been returned.
...
|
|---|
5.2 Enumerations
5.2.1 Static Enumerations
Code Class | Name | Definition |
OBAccountStatusCode | Enabled | Account can be used for its intended purpose |
OBAccountStatusCode | Disabled | Account cannot be used for its intended purpose, either temporarily or permanently |
OBAccountStatusCode | Deleted | Account cannot be used any longer |
OBAccountStatusCode | ProForma | Account is temporary and can be partially used for its intended purpose. The account will be fully available for use when the account servicer has received all relevant documents |
OBAccountStatusCode | Pending | Account change is pending approval |
OBAddressTypeCode | Business | Address is the business address |
OBAddressTypeCode | Correspondence | Address is the address where correspondence is sent |
OBAddressTypeCode | DeliveryTo | Address is the address to which delivery is to take place |
OBAddressTypeCode | MailTo | Address is the address to which mail is sent |
OBAddressTypeCode | POBox | Address is a postal office (PO) box |
OBAddressTypeCode | Postal | Address is the complete postal address |
OBAddressTypeCode | Residential | Address is the home address |
OBAddressTypeCode | Statement | Address is the address where statements are sent |
OBBalanceTypeCode | ClosingAvailable | Closing balance of amount of money that is at the disposal of the account owner on the date specified |
OBBalanceTypeCode | ClosingBooked | Balance of the account at the end of the pre-agreed account reporting period. It is the sum of the opening booked balance at the beginning of the period and all entries booked to the account during the pre-agreed account reporting period |
OBBalanceTypeCode | ClosingCleared | Closing balance of amount of money that is cleared on the date specified |
OBBalanceTypeCode | Expected | Balance, composed of booked entries and pending items known at the time of calculation, which projects the end of day balance if everything is booked on the account and no other entry is posted |
OBBalanceTypeCode | ForwardAvailable | Forward available balance of money that is at the disposal of the account owner on the date specified |
OBBalanceTypeCode | Information | Balance for informational purposes |
OBBalanceTypeCode | InterimAvailable | Available balance calculated in the course of the account servicer's business day, at the time specified, and subject to further changes during the business day. The interim balance is calculated on the basis of booked credit and debit items during the calculation time/period specified |
OBBalanceTypeCode | InterimBooked | Balance calculated in the course of the account servicer's business day, at the time specified, and subject to further changes during the business day. The interim balance is calculated on the basis of booked credit and debit items during the calculation time/period specified |
OBBalanceTypeCode | InterimCleared | Cleared balance calculated in the course of the account servicer's business day, at the time specified, and subject to further changes during the business day |
OBBalanceTypeCode | OpeningAvailable | Opening balance of amount of money that is at the disposal of the account owner on the date specified |
OBBalanceTypeCode | OpeningBooked | Book balance of the account at the beginning of the account reporting period. It always equals the closing book balance from the previous report |
OBBalanceTypeCode | OpeningCleared | Opening balance of amount of money that is cleared on the date specified |
OBBalanceTypeCode | PreviouslyClosedBooked | Balance of the account at the previously closed account reporting period. The opening booked balance for the new period has to be equal to this balance. Usage: the previously booked closing balance should equal (inclusive date) the booked closing balance of the date it references and equal the actual booked opening balance of the current date |
OBCreditDebitCode | Credit | Operation is a credit |
OBCreditDebitCode | Debit | Operation is a debit |
OBEntryStatusCode | Booked | Booked means that the transfer of money has been completed between account servicer and account owner. Usage: Status Booked does not necessarily imply finality of money as this depends on other factors such as the payment system used, the completion of the end- to-end transaction and the terms agreed between account servicer and owner. Status Booked is the only status that can be reversed |
OBEntryStatusCode | Pending | Booking on the account owner's account in the account servicer's ledger has not been completed. Usage: this can be used for expected items, or for items for which some conditions still need to be fulfilled before they can be booked. If booking takes place, the entry will be included with status Booked in subsequent account report or statement. Status Pending cannot be reversed |
OBEntryStatusCode | Interimpending | Booking on the account owner’s account is complete but may be reversed due to other factors such as payment system failure, non completion of end-to-end transaction, etc. |
OBExternalAccountSubTypeCode | ChargeCard | Account sub-type is a Charge Card |
OBExternalAccountSubTypeCode | CreditCard | Account sub-type is a Credit Card |
OBExternalAccountSubTypeCode | CurrentAccount | Account sub-type is a Current Account |
OBExternalAccountSubTypeCode | EWallet | Account sub-type is an E-Wallet |
OBExternalAccountSubTypeCode | Loan | Account sub-type is a Loan |
OBExternalAccountSubTypeCode | Mortgage | Account sub-type is a Mortgage |
OBExternalAccountSubTypeCode | PrePaidCard | Account sub-type is a PrePaid Card |
OBExternalAccountSubTypeCode | Savings | Account sub-type is a Savings |
OBExternalAccountSubTypeCode | Deposit | Account sub-type is a Deposit/Investment account |
OBExternalAccountTypeCode | Business | Account type is for business |
OBExternalAccountTypeCode | Personal | Account type is for personal |
OBExternalCardAuthorisationTypeCode | ConsumerDevice | Card authorisation was via a Consumer Device Cardholder Verification Method (CDCVM) |
OBExternalCardAuthorisationTypeCode | Contactless | Card authorisation was via Contactless |
OBExternalCardAuthorisationTypeCode | None | No card authorisation was used |
OBExternalCardAuthorisationTypeCode | PIN | Card authorisation was via PIN |
OBExternalCardSchemeTypeCode | AmericanExpress | AmericanExpress scheme |
OBExternalCardSchemeTypeCode | Diners | Diners scheme |
OBExternalCardSchemeTypeCode | JCB | JCB scheme |
OBExternalCardSchemeTypeCode | MasterCard | MasterCard scheme |
OBExternalCardSchemeTypeCode | VISA | VISA scheme |
OBExternalLimitTypeCode | Available | The amount of credit limit available to the account holder |
OBExternalLimitTypeCode | Credit | The amount of a credit limit that has been agreed with the account holder |
OBExternalLimitTypeCode | Emergency | The amount of an arranged lending limit that can be borrowed on top of pre-agreed lending, that has been agreed with the account holder |
OBExternalLimitTypeCode | Pre-Agreed | The amount of an arranged lending limit that has been agreed with the account holder |
OBExternalLimitTypeCode | Temporary | The amount of a temporary lending limit that has been agreed with the account holder |
OBExternalOfferTypeCode | BalanceTransfer | Offer is a balance transfer |
OBExternalOfferTypeCode | LimitIncrease | Offer is a limit increase |
OBExternalOfferTypeCode | MoneyTransfer | Offer is a money transfer |
OBExternalOfferTypeCode | Other | Offer is of other type |
OBExternalOfferTypeCode | PromotionalRate | Offer is a promotional rate |
OBExternalPartyTypeCode | Delegate | Party that has delegated access |
OBExternalPartyTypeCode | Joint | Party is a joint owner of the account |
OBExternalPartyTypeCode | Sole | Party is a sole owner of the account |
OBExternalFutureDateTypeCode | Arrival | Future Dated payment date is specified as the arrival date for the recipient |
OBExternalFutureDateTypeCode | Execution | Future Dated payment date is specified as the execution date |
OBExternalStandingOrderStatusCode | Active | The standing order is active |
OBExternalStandingOrderStatusCode | Inactive | The standing order is inactive |
OBExternalStatementTypeCode | AccountClosure | Final account closure statement |
OBExternalStatementTypeCode | AccountOpening | First statement provided for an account |
OBExternalStatementTypeCode | Annual | Annual statement report |
OBExternalStatementTypeCode | Interim | Adhoc or customised statement period |
OBExternalStatementTypeCode | RegularPeriodic | Regular pre-agreed reporting statement |
5.2.2 ISO Enumerations
These following ISO Enumerations are used in the Account APIs.
ISO Data Type | Fields | ISO Enumeration Values URL |
Min3Max4Text | MerchantCategoryCode | |
ActiveOrHistoricCurrencyCode | Currency * | |
CountryCode | Country ** | |
ExternalBankTransactionFamilyCode | BankTransactionCode/Code | |
ExternalBankTransactionSubFamilyCode | BankTransactionCode/SubCode |
5.2.3 Namespaced Enumerations
The enumerated values specified by Open Banking are documented in Swagger specification.
6. Swagger Code
The swagger code file for the Sharing Transaction History/ Account Information and Sharing Product Details APIs can be accessed at this link.
...