Open Banking Open Banking Service Levels March 2017 for ... · the Open Banking Register for the provision of ‘open data’. Open Banking would seek counsel from the relevant Regulator,

PUBLIC

Open Banking

Open Banking Service Levels March 2017 for Open Data

Date: 31st January 2017

Open Banking Service Levels March 2017 for Open Data PUBLIC

© Open Banking Limited P a g e | 2

Table of Contents 1. Service Level Overview ........................................................................................................................................ 3 2. Goals & Objectives ............................................................................................................................................... 3 3. Stakeholders......................................................................................................................................................... 3 4. Period & Review ................................................................................................................................................... 4 5. Services ................................................................................................................................................................ 5

5.1. Open Banking Service Desk Scope ............................................................................................................... 5 5.2. Participant Requirements ............................................................................................................................ 6 5.3. Open Banking Requirements ....................................................................................................................... 6 5.4. Service Assumptions .................................................................................................................................... 6

6. Service Availability ............................................................................................................................................... 7 7. Service Management ........................................................................................................................................... 8

7.1. Service Desk Availability ............................................................................................................................... 8 7.2. Change of Details ......................................................................................................................................... 8 7.3. Complaints Handling Service Levels ............................................................................................................. 9 7.4. Breach Service Levels ................................................................................................................................... 9 7.5. Withdrawal Service Levels ......................................................................................................................... 10

7.5.1 Mandatory API Providers .......................................................................................................................... 10 7.5.2 Voluntary API Provider .............................................................................................................................. 10 7.5.3 API Users ................................................................................................................................................... 10 7.5.4 Retention of Records................................................................................................................................. 10

7.6. Suspension and Exclusion Service Levels ................................................................................................... 10 7.6.1 Suspension ................................................................................................................................................ 10 7.6.2 Exclusion ................................................................................................................................................... 11

7.7. Disputes Service Levels ............................................................................................................................. 12 7.7.1 Outline of Procedure ......................................................................................................................... 12 7.7.2 Escalation of Dispute ......................................................................................................................... 12 7.7.3 Third Party Determination................................................................................................................. 12

8. Management Information Reporting .................................................................................................................. 14 9. Appendix A - Summary of Service Levels ........................................................................................................ 15



1. Service Level Overview This document represents a set of Service Levels for Open Banking between the Open Banking Implementation Entity and registered API Providers and API Users for the provisioning of services required to support and sustain ‘read only’ open banking from March 2017. This document remains valid until superseded by revised Service Levels mutually endorsed by the Operational Governance Rules and Guidelines Working Group (OGRGWG). This document details the parameters of all Open Banking services covered as they are mutually understood by the participant stakeholders.

2. Goals & Objectives The purpose of these Service Levels is to ensure that the proper elements and commitments are in place to provide consistent Service Desk support and that a delivery is provided to the registered API Participants.

The goal of these Service Levels is to obtain mutual agreement for service provision between Open Banking and Participants.

The objectives of these Service Levels are to:

Provide clear reference to service ownership, accountability, roles and/or

responsibilities.

Present a clear, concise and measurable description of service provision to the

participants.

Match perceptions of expected service provision with actual service support &

delivery.

3. Stakeholders The following Service Provider(s) and Customer(s) will be used as the basis of this document and represents the primary stakeholders associated with these open data Service Levels:

Open Banking Implementation Entity

Registered API Providers and API Users / Developers



4. Period & Review

The service levels detailed in this document are valid from March 2017 and remain valid until further notice. The Service Levels should be reviewed at a minimum once per fiscal year; however, in lieu of a review during any period specified, the current Service Levels will remain in effect. The Head of Operational Governance (Document Owner) is responsible for facilitating regular reviews of this document. Contents of this document may be amended as required, provided mutual agreement is obtained from the OGRGWG and communicated to all affected parties. The Document Owner will incorporate all subsequent revisions and obtain mutual agreements / approvals as required.

Open Banking Implementation Entity: Head of Operational Governance Review Period: Bi-Monthly (2 months) First Review Date: 13-05-2017 Next Review Date: 12-07-2017



5. Services

The following detailed service parameters are the responsibility of Open Banking in the ongoing support of these Service Levels.

5.1. Open Banking Service Desk Scope

The following Services are covered by this document:

Manned telephone support

Monitored email support

Open Banking website



5.2. Participant Requirements

Participant responsibilities and/or requirements in support of these Service Levels include but are not limited to:

Acceptance of Open Banking “Terms and Conditions”

Acceptance of the “Open Banking License”

Reasonable availability of Working Group and/or Participant representative(s)

when resolving a service related request or incident.

5.3. Open Banking Requirements

Open Banking responsibilities in support of these Service Levels cover:

Manned Service Desk

Managing and maintaining a “Participant” Register

Participant validation for Providers

Withdrawals

Suspensions

Exclusions

Managing Complaints

Managing Breaches

Managing Disputes

Meeting response times associated with system availability Service Levels

Appropriate notification to Participants for all scheduled maintenance activities.

5.4. Service Assumptions

Assumptions related to in-scope services and/or components include:

All Changes to services will be communicated and documented to all stakeholders, even when they may have no visible or direct impact on Participants.



6. Service Availability Effective support of the Open Banking Service Availability is to maintain consistent system Service Levels for open data from March 2017. The following Service Availability, supported by Technical Standards, has been agreed as the standard for Open Banking services:

• Each API end-point must be available 95% of the time during each 24 hour period.

• Each API end-point must return the first byte of response within 500ms for 95% of the requests.

• The response time will be measured from an external client with a network latency of at

most 50 ms (time to first byte).

• Each provider must comply with the performance and availability SLAs under a peak load of

500 requests per minute across all Open Data APIs for that provider.

• Each provider must comply with the performance and availability SLAs under a load of 15,000

requests in an 8 hour window across all Open Data APIs for that provider.

• Caching – An API provider must update the dataset within 24 hours of a related update to its website (Note: there is no specific service level on how frequently a dataset is updated, so long as it’s in sync with the Provider website)

• Versioning – API Providers must update to the current or previous version of published Open Banking Technical Standards.



7. Service Management The scope of the Open Banking Service Desk is to maintain consistent service levels for open data from March 2017. The Service Management sub-sections provide relevant details for Open Banking services.

7.1. Service Desk Availability

Coverage parameters specific to the service(s) covered in these Service Levels are as follows:

Telephone support : 08:00 to 18:00 Monday – Friday UK Time

Email support: Monitored 08:00 to 18:00 Monday – Friday UK Time

o The Service Desk will aim to fix an enquiry or complaint on first call and if the subject raised can’t be fixed, will aim to provide further guidance or additional information within 1 business day and achieve a successful close to the contact.

o A contact that starts as a query or information request may move into a breach complaint or another process after the initial investigation or triage has taken place. In these circumstances, the Service Desk would then be subject to the appropriate Service Level as detailed in the document.

o Emails received outside of office hours will be collected, however no action can be guaranteed until the next working day.

7.2. Change of Details

1. API Providers will use best endeavours to notify Open Banking of any changes to any

of their details provided within 5 business days following the date of the relevant

change

2. Open Banking will update the Central Register to reflect such updated to within

2 business days following receipt of the relevant API Provider's notification.



7.3. Complaints Handling Service Levels

1. When a complaint is raised with the Open Banking Service Desk as a result of a breach

relating to the Rules and Guidelines, T&Cs or Open Licence, receipt and logging of the

complaint will be acknowledged to the raiser within 1 business day.

2. If a registered API User goes directly to a Provider with a Complaint, they are to re-direct

the User to the Open Banking Service Desk to log the complaint for investigation.

3. The Open Banking Service Desk, in conjunction with the Head of Operational

Governance will effect a determination and a resolution plan within 5 business days, (on

a best endeavours basis).

4. The Open Banking Service Desk will advise the Participant of its determination and

communicate the decision to the Participant.

5. If deemed as valid and worthy of further investigation the Head of Operational

Governance can refer the breach complaint to the appropriate regulator or Third Party

Determination.

6. A complaint due to a breach could lead to a suspension or exclusion, dependent on

severity and determined on a case by case basis by the Head of Operational

Governance.

7.4. Breach Service Levels

1. If a registered Participant breaches the open banking standards, they are obliged

to inform the Open Banking Service Desk within 1 business day of any breach being

discovered. Notification should be by one of the Service Desk communication

mediums.

2. Where Open Banking has discovered that a Participant has breached the open

banking standards, Open Banking will invoke an investigation process and

communicate this to the API Provider via the Service Desk, with a determination of

who is deemed to be in breach within 1 business day of identifying a breach.

3. The Head of Operational Governance (as delegated by the Open Banking Trustee)

will investigate and make a determination and provide a resolution plan within

5 business days.

4. Participants who breach the Open Banking standards may be subject to guidance

set by Open Banking, for suspension and / or exclusion from the Open Banking

Register, depending on the severity of the breach.



7.5. Withdrawal Service Levels

7.5.1 Mandatory API Providers

1. Mandatory API Providers will not be permitted to withdraw from the OBS.

7.5.2 Voluntary API Provider

1. Voluntary API Provider requests for withdrawal from the Open Banking Register

must be communicated in writing to the Open Banking Service Desk.

2. The Open Banking Service Desk will acknowledge the receipt of any request from a

Participant to withdraw from the Central Register within 7 business days.

3. Voluntary API Provider removal from the Open Banking Register must be after a

minimum term of 20 business days from the receipt of the withdrawal request and

published on the Open Banking website.

7.5.3 API Users

1. If the API User has registered then Open Banking would be able to withdraw them

upon a request to be de-registered, allowing 20 business days to complete the request.

7.5.4 Retention of Records

1. Where a Participant is withdrawn from the Open Banking Register, the retention

period for records will be for 6 years for audit purposes unless subject to statutory or

regulatory change.

7.6. Suspension and Exclusion Service Levels

7.6.1 Suspension

1. Suspended Participants who are Mandatory API Providers must continue to be active on

the Open Banking Register for the provision of ‘open data’. Open Banking would seek

counsel from the relevant Regulator, e.g. CMA or FCA.

2. A participant can be suspended if they are both a Provider and a User, but could also be

suspended for one participant role and not necessary for the other role.

3. Open Banking has the authority to suspend any Voluntary API Provider or API User and

revoke the Open Banking Licence from the Open Banking Register with immediate

effect if found in breach of OBS Rules and Guidelines.



• The suspended Participant will have the right to employ the ‘Third Party

Determination’ to resolve a dispute.

4. Participants who are marked as Suspended must receive guidance and a plan for

remedial action to be taken by the OBS Head of Operational Governance up to 10

business days from the day suspension is invoked.

5. A Voluntary API Provider or API User will be reinstated at the end of a suspension period

to full participation, unless the Provider or User has not implemented a remedy, in

which case they will be excluded from participating in Open Banking.

6. Where the OBS decision is a recommendation for Exclusion, it must be communicated

to the participant as soon as the determination occurs.

7. Open Banking will hold the right to add any Suspended Entity Brand, API set or API User

linked to a website to a Suspended list for publication onto the Open Banking website

within 1 full business day of the suspension being invoked by Open Banking.

7.6.2 Exclusion

1. If a Voluntary API Provider or an API User has committed a material breach of the

Participation standards and/or conditions and, if such breach is capable of remedy, the

User will be excluded if they fail to remedy the breach condition within 5 business days

of receipt of notice of the breach.

2. Excluded participants must be flagged on the Open Banking Register with immediate

effect. The CMA9 cannot be excluded, in which case Open Banking would seek counsel

from the relevant Regulator, e.g. CMA or FCA.

3. Where the excluded Participant is a Voluntary API Provider or API User, then they must

be removed from the OBS Website for API Provider endpoints with immediate effect.

4. Any Participants with Excluded status will be notified to all other Participants of the OBS

within 1 full business day of the exclusion being in place.

5. Notification will be by publication on the Open Banking website and by email to the

participant Points of Contact on the Open Banking Register.

6. When a complainant is not satisfied by the determination of their exclusion, they will

have the right to employ the services of ‘Third Party Determination’ to resolve a dispute.

7. Open Banking will hold the right to add any Excluded Entity Brand, API set or API User

linked to a website to an Excluded list for publication onto the Open Banking website

within immediately of the exclusion being invoked by Open Banking.



7.7. Disputes Service Levels

The Dispute Resolution Procedure forms part of the Participation conditions and will apply to all registered Participants.

7.7.1 Outline of Procedure

The parties to a dispute will make an effort to resolve a dispute as follows:

1. In the first instance Participants will use their best endeavours to resolve any dispute

between themselves regarding open data.

2. Escalation of Dispute - Where disputing parties fail to resolve any dispute between

themselves, either Participant can escalate the dispute by referral to the Open Banking

Service Desk to invoke an assessment by the OBS Head of Operational Governance on a

case by case basis

3. Third Party Determination - If the Head of Operational Governance cannot make a

determination, the dispute can be referred to a third party for determination.

7.7.2 Escalation of Dispute

1. Each participant will notify Open Banking in writing of contact details (by name or role)

to who disputes will be referred.

2. Any dispute will be referred to the nominated representative of each disputing party for

assessment and resolution within 10 business days from when the dispute escalation

was initiated.

3. If any dispute is not resolved by the disputed parties, the dispute will be referred to the

OBS Head of Operational Governance within 5 business days for assessment.

4. Within 5 business days of the OBS Head of Operational Governance being appointed,

each disputing party will submit a written summary to Open Banking and to each other.

5. The assessment will take place within 10 business days of the written summaries. (The

disputing parties can agree to extend these periods at any time).

6. Where a determination cannot be made by the OBS Head of Operational Governance,

the dispute can be referred for Third Party Determination.

7.7.3 Third Party Determination

1. Where a dispute is referred to a third party for determination, the disputing parties will agree a suitably qualified third party - a Referee, within in 10 business days.



2. If the appointed Referee does not accept the appointment within 2 business days, the disputing parties will agree an alternative Referee within 5 business days.

3. Within 10 business days of a Referee accepting an appointment the disputing parties will each submit a written report on the dispute. (The disputing parties can agree to extend these periods at any time).

4. The Referee is to deliver a determination within 40 business days following submission of written reports. The Referee’s determination will be final.



8. Management Information Reporting

a) Open All of the endpoints will be connected to a service dashboard which monitors

performance Service Levels and publishes a RAG status for each endpoint based on its

behaviour.

b) Open Banking will provide an API dashboard for summary information relating to API

Usage.

c) Open Banking will produce a simple report to summarise incidents raised.

d) API Providers must retain logs of completed API calls (not requests) for 6 years.



9. Appendix A - Summary of Service Levels

Service Notification Participant

to OBS

Open Banking

Acknowledge

Action by Service

Desk

Dispute Referred

Senior PoC’s

Assessment

PoC’s Refer for OBS

Assessment

PoC Submit Written

Summary to HeadofOpGov

Determination HeadofOpGov

Determination by Referee

Breach 1 1 5

Withdrawal 7 20

Suspension Immediate 10

Exclusion Immediate 1

Complaint 1 5

Dispute Escalation

10 5 5 10

Dispute - TPD

5 10 40

Documents

Open Banking Open Banking Service Levels March 2017 for ... · the Open Banking Register for the provision of ‘open data’. Open Banking would seek counsel from the relevant Regulator,