Management Information Reporting In Open banking UK Spec

Hasitha Jayanath Pathirana
Nov 2, 2019


Medium is here to share our stories. So here is our story, where I try to give you a basic idea of MI reporting in the UK spec. So let’s begin our conversation. 😉

Hey, friend. Why do banks need this MI reporting?

The simple answer is it's compulsory to report Management Information data to OBIE.

Wait... What is Management Information data?

There is a set of data that OBIE defines as management information data. By analyzing that data, OBIE can get a full view of how a particular bank engages with the open banking concept. That engagement covers its performance, availability, TPP counts, PSU counts, daily volume of users, etc.

Ohh great. How do banks need to do the reporting? There should be a specific way, right? Otherwise, that will be a mess. 😜

Yes, OBIE has published a specific template for reporting the data. It includes 7 main topics to report on. Those are:

  1. Performance and Availability
  2. Response Outliers
  3. Auth Efficacy
  4. PSU Adoption
  5. Payments Adoption
  6. TPP Volumes
  7. Daily Volumes

Wait wait…… What do those areas mean? You just keep listing things 😞

Ohh sorry, friend, let me explain. As I said, there are 7 topics.

  1. Performance and Availability — Here OBIE mainly focuses on the availability of endpoints over time and on their response times. They have divided the day into two main periods, namely Core Hours (6.00–00.00) and Non-Core Hours (00.00–12.00), and request this data separately for each period. They also take the mean value of response payloads here.
  2. Response Outliers — Here they ask banks to report the slowest of 50 endpoints per day.
  3. Auth Efficacy — Here OBIE requires data about authentication and authorisation, per authentication type and API type, per month.
  4. PSU Adoption — In this section banks need to report data about the PSUs that have registered with them. This includes new registrations and total registrations per month, split by the category of Retail or Business.
  5. Payments Adoption — Here OBIE focuses on getting payment data. More specifically, they ask for data about single domestic payments.
  6. TPP Volumes — Here OBIE asks banks to publish data about TPP registrations per month, deregistrations per month and the total number of TPPs each month. They specifically ask about AISPs, PISPs and CBPIIs here.
  7. Daily Volumes — In this section banks need to publish data about daily API endpoint calls. Here OBIE asks for details like the successful API calls count, the rejected API calls count and multi-auth calls.

How do banks know the exact requirements? I mean the data to publish under each category? Are there any sub-points?

Yes, there are sub-points. As I mentioned before there is a template. Let me show you a sample template.

This is the template that banks need to report data under the Daily Volumes category.

Ohh there is a lot ☹️

Wait friend be patient. It’s easy 😀

To help you understand that template, OBIE has provided a data dictionary, which documents every point. For example, you can see that under the API calls rejected status there is 10.7/10.8. If you look up 10.7 and 10.8 in the data dictionary, they describe what data the bank needs to include in that column.

Now I know your next question: what are the ASPSP brand ID and the Endpoint ID, and how do I know them? I’m correct, right? 😀

The directory itself includes separate lists of ASPSP brand IDs and Endpoint IDs. Simply put, the ASPSP brand ID is an ID that OBIE has given to the bank, and the Endpoint ID is a number that OBIE has given to each endpoint. For example, the endpoint ID of POST /domestic-payment-consent is 29.

Can you explain it more, please? With a use case?

Yeah sure.

Let’s say there is a user called USER_OF_APP who uses a TPP named MY_BANKING_APP, and USER_OF_APP wants to make a payment.

“USER_OF_APP will ask his MY_BANKING_APP to make a payment for him. The app will first call the bank’s payments API endpoint, POST /domestic-payment-consent. Then the bank will generate a consent ID for the TPP app, and the user will be redirected to a login page so the bank can get the user’s consent. Let’s assume there is a 2-step authentication process, and after successful authentication the user will be redirected to a consent page where he can give his consent to the payment. He gives the consent and makes the payment.”

Now let’s break the scenario down like this.

  1. There was a POST /domestic-payment-consent call by TPP
  2. There was 2 step authentication process
  3. There was a consent given by the user.

Now let’s look at the details the bank needs to report for the above scenario, with respect to the categories I told you about before.

  • Report date — The date on which the scenario happened.
  • ASPSP brand ID — The ID that OBIE has given to the bank.
  • Endpoint ID — Here we had a POST /domestic-payment-consent call, and its ID is 29. So this should be reported under endpoint ID 29.
  • PCA/BCA — Whether the paying account is a Personal Current Account or a Business one.
  • Successful API calls — Here the call was successful, so the response needs to be 201, and the successful count under endpoint ID 29 needs to go up by one.
  • Failed with 4xx code — If we get a 4xx response code, we need to update this count.
  • Failed with 5xx code — If we get a 5xx response code, we need to update this count.
  • API calls rejected — If a call is rejected, we need to update this count.
  • TPP calling API — Here the endpoint was called by the MY_BANKING_APP TPP. If this TPP has not already called this endpoint on this day, we need to update the count.
  • API calls not authorised by the user — In our scenario the user gave the consent, but if he had rejected it instead, we would need to increase this count by one.
  • API calls authorised but not consumed — Here the user gave the consent and made the payment. If he had not proceeded with the payment, we would need to add it here.
  • Multi Auth — This is a single-owner scenario; if there were 2 or more users, we would need to check the status and add it accordingly.

I know it’s getting boring now :) So I will not explain all the other scenarios, such as how we need to report authentication steps, etc. But if you have more questions, I am willing to answer. 😀
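As an added illustration (not part of the original post and not OBIE's own schema), the counting rules above can be applied to a day of API call events like this. The event field names, the brand ID placeholder, the `rejected` flag and the rule that a rejected call is counted only in the rejected column are assumptions; Multi Auth is left out.

```python
# Constructed sample events; field names are hypothetical, not an OBIE schema.
def ev(account, status, tpp, consent=None, rejected=False):
    return {"date": "2019-11-02", "endpoint_id": 29, "account": account,
            "status": status, "tpp": tpp, "consent": consent, "rejected": rejected}

EVENTS = [
    ev("PCA", 201, "MY_BANKING_APP", "consumed"),        # the scenario above
    ev("PCA", 201, "MY_BANKING_APP", "not_authorised"),  # user refused consent
    ev("PCA", 201, "OTHER_APP", "not_consumed"),         # consent given, no payment
    ev("PCA", 400, "OTHER_APP"),
    ev("PCA", 429, "OTHER_APP", rejected=True),          # assumed rejection flag
    ev("BCA", 503, "MY_BANKING_APP"),
]

COLUMNS = ("successful", "failed_4xx", "failed_5xx", "rejected",
           "not_authorised_by_user", "authorised_not_consumed")

def daily_volumes(events, brand_id):
    """Aggregate events into one row per (date, brand ID, endpoint ID, PCA/BCA)."""
    rows, tpps = {}, {}
    for e in events:
        key = (e["date"], brand_id, e["endpoint_id"], e["account"])
        row = rows.setdefault(key, dict.fromkeys(COLUMNS, 0))
        if e["rejected"]:                    # assumption: counted only here
            row["rejected"] += 1
        elif 200 <= e["status"] < 300:
            row["successful"] += 1
        elif 400 <= e["status"] < 500:
            row["failed_4xx"] += 1
        elif 500 <= e["status"] < 600:
            row["failed_5xx"] += 1
        if e["consent"] == "not_authorised":
            row["not_authorised_by_user"] += 1
        elif e["consent"] == "not_consumed":
            row["authorised_not_consumed"] += 1
        tpps.setdefault(key, set()).add(e["tpp"])   # distinct TPPs per row
    for key, row in rows.items():
        row["tpps_calling"] = len(tpps[key])
    return rows

if __name__ == "__main__":
    for key, row in daily_volumes(EVENTS, "BRAND_ID_PLACEHOLDER").items():
        print(key, row)
```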

Bye 👋
