Expand | ||||
---|---|---|---|---|
| ||||
|
Version | 1.12 |
---|---|
Publication Date | 31 Oct |
Classification | Public |
1. Introduction
...
Prior to updating their Production Environment in the API Hub, LFIs must run two sets of tests in their Pre-Production and Production Environments:
Using the API Hub Testing Tool to test their integration with the API Hub.
Using the API Hub Sandbox Postman Collection to test that a TPP can successfully call all API endpoints defined in the Standards. LFIs can either do this using their own TPP credential from the Trust Framework, or they can partner with a TPP to run these end to end tests. Tests must be executed for each API endpoint relevant to LFI deployment as set out in this template:
View file name LFI Customer-Facing API Functional Checklist V1.0.xlsx
Once all tests have been passed, the LFI must submit evidence (a test report in any format agreed between the LFI and Nebras, along with the above functional checklist) to Nebras, so that Nebras can validate.
Nebras will then confirm acceptance for the LFI to exit Pre-Production.
LFIs must rerun both sets of tests in their Production Environment and resubmit test reports to Nebras prior to go-live.
LFIs must rerun both sets of tests and resubmit results whenever they implement any new version of the Standards or whenever they make any substantive changes to their integration with the API Hub. These retests must be conducted in both their Pre-Production Environment and again in their Production Environment before go-live each time.
...
As stated above, the OIDF’s Conformance Suite is currently being has been enhanced by the OIDF to include a set of Financial Grade API (FAPI) 2.0 security tests in accordance with the UAE FAPI 2.0 security profile set out in the Standards.
As and when this is made available, each TPP must obtain a Each TPP must obtain a Relying Parties (RP) certification for their application(s) in accordance with the UAE FAPI 2.0 security profile. TPPs must renew this certification during their implementation of each major new version of the Standards.
...
Note |
---|
After running tests, all used data, including public and private keys of certificates and client data from the test, will be made available in the ecosystem, visible to other participants and subject to audit. Therefore, if an institution opts to perform the certification in a productive environment, it must be aware and responsible for revoking the certificates used during the tests and for obtaining any required customer consent. |
To request certification from the OIDF, TPPs should consult the instructions at the following address: https://openid.net/certification/op_steps-for-conformance-certification-submission/.
TPPs must inform Nebras immediately on receipt of a FAPI Certification from OIDF. This is an exit criteria from the API Hub Sandbox.
...
TPPs must engage with at least one LFI to test and validate they can successfully call all API resources/endpoints relevant to their business model in the LFI’s Production Environment.
LFIs can either provide the TPP with test user accounts in their Production Environment or agree with the TPP to use volunteer (e.g. friends and family) users to enable end-to-end testing.
TPPs must provide evidence to Nebras of such testing, so that Nebras can validate and approve the TPP app meets all requirements in the Standards.
This testing must be conducted prior to go-live, for each major new version of the TPP app and/or the implementation of any new version of the Standards.
4. Production Proving Phase
4.1 Buddying Phase
In this phase, a "buddying" process will be used to pair up TPPs and LFIs to ensure their systems align with each other’s functionality and data expectations. Each TPP must work with their assigned LFI to ensure the integration is functioning as expected in a production environment.
TPP's Responsibility: The TPP will validate their connectivity to the LFI's system, check the authentication protocols, and ensure that all services are accessible in the production environment. They will test endpoints for their ability to make requests and receive correct responses.
LFI's Responsibility: The LFI will confirm that it can handle the TPP’s requests, properly mapping data fields and responding with appropriate responses. This includes confirming that the data returned to the TPP is in the correct format and meets quality standards (such as accuracy, timeliness, and completeness).
4.2 Confirmation and Validation
Once the buddying phase confirms that the systems are connected and functioning correctly, a formal confirmation process will be implemented. This will involve a detailed review of the data exchanged between TPPs and LFIs to ensure compliance with required standards.
Data Quality Assurance: Both parties will assess the quality of the data being exchanged. This includes ensuring that the data provided by the LFI is accurate, complete, and timely. The TPP will test that the data is usable for the intended purposes (such as account information, transaction history, or payment initiation).
Test Scenarios: The TPP will conduct a series of functional tests, verifying that the data sent by the LFI is consistent with the data expected, ensuring no discrepancies. The tests will cover all use cases and will include error scenarios to verify how the systems handle issues like missing data or failed requests.
Functional Certification Comparison: During this process, the TPP will compare the current system’s behaviour with the certification results from previous functional certification. This will allow them to confirm that the system still meets all the necessary functional criteria.
4.3 Data Quality Verification
Throughout the production proving process, it is crucial to ensure that the data quality remains appropriate for its intended use. The TPP will evaluate the following:
Completeness: All relevant data fields should be filled with the correct information.
Accuracy: The data received must match the expected values, with no discrepancies or errors.
Timeliness: The data should be provided within the expected timeframes, ensuring real-time or near-real-time processing where applicable.
Usability: The TPP will verify that the data provided can be effectively used in the intended business processes, ensuring that there are no issues with interpreting or processing the data.
By ensuring that both the TPP and LFI systems meet these standards, the production proving process will ensure that all services are fully operational.