This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

Third Party Provider Onboarding for UK

TPP onboarding is the process of registering a TPP with an ASPSP. The TPPs go through an in-depth verification during this process to make sure that the financial data and the applications are secured. This can be a manual or an automated process. The bank/ASPSP decides the TPP onboarding method.

The bank has to implement a proper TPP Onboarding process in its banking system. This registration process:

    • Validates if the TPP is authorised by a competent authority
    • Validates the TPP's information (TPP role, TPP ID, application type, and request issuance time). See the full list of request parameters that must be validated according to the specification.
    • Allows accessing the banking APIs

For TPP Onboarding, the Open Banking Implementation Entity (OBIE) of the UK suggests the following processes:



Signup Workflow

In this method, you can configure workflows to approve the TPPs that sign up and the applications that they register.

Examples of Signup workflow

  1. The ASPSP requests TPP information using a customised signup form during the signup process. 
  2. The ASPSP requests basic information of the TPP during the signup process and lets the TPPs try out the production/sandbox environment. The ASPSP requests more details during the (production/sandbox) application access key generation process.

In both of these scenarios, the ASPSPs will approve the TPP based on its information and let the applications use the APIs.

  • To configure the signup workflow, use the Business Process profile of WSO2 Enterprise Integrator with the WSO2 Open Banking solution. For more information, see Using the Signup Workflow for UK.

Dynamic Client Registration

Dynamic Client Registration (DCR) is introduced by OBIE. With the Open Banking OpenID Dynamic Client Registration API, TPPs can register with ASPSPs in a seamless and fully automated manner.

  • To use DCR, a TPP has to register at a competent authority (Open Banking Directory) and obtain an SSA and the relevant certificates. 

    Software Statement Assertion (SSA)

    A software statement that is signed by its issuer is referred to as an SSA. An SSA is represented as a JSON Web Signature (JWS). An SSA is unique for an application and contains metadata of the client to be created. It also ensures that the TPP is trusted and is allowed to consume banking APIs and provide services.

  • The TPP submits the SSA to an ASPSP to create OAuth clients that are registered with the ASPSP. 
  • WSO2 Open Banking supports Dynamic Client Registration (DCR) API.
  • DCR API supersedes the OpenID Connect (OIDC) Dynamic Client Registration profile.

The diagram below shows the flow of dynamically registering a client application. 

The TPPs need to obtain the Software Statement Assertion (SSA) from a directory solution provided by OBIE, for example, the Open Banking Directory. The DCR API v3.2 consists of POST, GET, PUT and DELETE endpoints. These endpoints rely on the Client Credential Grant Type and TLS Mutual Authentication for authenticating the TPP. For information, see Dynamic Client Registration v3.2.
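
The claim checks listed at the top of this page (TPP role, TPP ID, application type, request issuance time), applied to a DCR request and the SSA it carries, as an added example that is not WSO2 Open Banking code. The claim names, role-to-scope map, time windows and sample values are assumptions modelled on the OBIE DCR specification; verifying the JWS signatures of the request and the SSA against the directory's keys must happen before these checks and is not shown.

```python
import base64, json, time

MAX_AGE = 300                      # assumed freshness window for iat, in seconds
ROLE_SCOPES = {"AISP": "accounts", "PISP": "payments"}  # assumed role-to-scope map

def jws_payload(jws):
    """Decode a compact JWS payload. Does NOT verify the signature."""
    seg = jws.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def validate_registration(req, now=None):
    """Return rejection reasons for a registration request; [] means it passes."""
    now = time.time() if now is None else now
    ssa = jws_payload(req["software_statement"])
    errors = []
    # Request issuance time: reject stale or future-dated requests (60 s skew assumed).
    if not now - MAX_AGE <= req.get("iat", 0) <= now + 60:
        errors.append("iat outside accepted window")
    # TPP ID: the request issuer must be the software the SSA was issued for.
    if req.get("iss") != ssa.get("software_id"):
        errors.append("iss does not match SSA software_id")
    # Application type (accepted values are an assumption).
    if req.get("application_type") not in ("web", "mobile"):
        errors.append("unsupported application_type")
    # TPP role: requested scopes must be covered by the roles in the SSA.
    allowed = {"openid"} | {ROLE_SCOPES[r] for r in ssa.get("software_roles", [])
                            if r in ROLE_SCOPES}
    if not set(req.get("scope", "").split()) <= allowed:
        errors.append("scope exceeds SSA roles")
    # Redirect URIs must be a subset of those the directory vouched for.
    if not set(req.get("redirect_uris", [])) <= set(ssa.get("software_redirect_uris", [])):
        errors.append("redirect_uri not listed in SSA")
    return errors

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_request(now):
    """Constructed sample: an AISP-only SSA with a placeholder signature."""
    ssa = {"software_id": "sw-123", "software_roles": ["AISP"],
           "software_redirect_uris": ["https://tpp.example/cb"]}
    ssa_jws = ".".join([_b64({"alg": "PS256"}), _b64(ssa), "c2ln"])
    return {"iss": "sw-123", "iat": now - 10, "application_type": "web",
            "scope": "openid accounts", "redirect_uris": ["https://tpp.example/cb"],
            "software_statement": ssa_jws}

if __name__ == "__main__":
    now = int(time.time())
    bad = dict(sample_request(now), scope="openid payments", iat=now - 3600)
    print(validate_registration(sample_request(now), now), validate_registration(bad, now))
```

Returning every failed check rather than stopping at the first gives the ASPSP a complete rejection record for each onboarding attempt.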