Our Open Banking APIs

We want to make sure third-party developers can easily register their applications with us and access the standardised industry-wide Open Banking APIs (Application Programming Interfaces) we've helped to create.

The sections below provide information on the Open Banking APIs that Nationwide has implemented. These APIs provide a secure, coherent set of capabilities that you can use within your applications to deliver value to customers. 


Discovery and Application Registration

The Open Banking specification for enrolling with the directory (Directory Specification) and then registering with Account Servicing Payment Service Providers (ASPSPs), like Nationwide, is available on the central Open Banking website.

Nationwide supports the following to enable discovery and registration for Open Banking with us:

  • Use of this functionality is described in the ‘Discover ASPSP .well-known URLs’ section of the Directory Specification.
  • Use of this functionality is described in the ‘Register an application with an ASPSP using APIs’ section of the Directory Specification.
  • Nationwide only supports application onboarding via APIs and does not provide this capability via a manual process.

For more information, please see our Getting started page.


Security

The detailed Open Banking specification for the security model (Security Profile) is available on the central Open Banking website.

Nationwide supports the following to set up and enable secure use of Open Banking functionality:

  • Enable the customer to confirm a payment or account information request.
  • Get the access token required to invoke APIs.

Supporting information for registration and security:

Your client ID and secret that you use to access our APIs are important credentials which must be kept securely within your organisation, and must not be shared with other parties or lost.

We require Transport Layer Security Mutual Authentication (TLS MA) on all Nationwide API endpoints except:
  • /.well-known
  • /authorize

Nationwide supports the RS256 algorithm for any signed JWTs provided by a Third Party. OIDC tokens that Nationwide provides will be signed using the RS256 algorithm.

Note: JSON = JavaScript Object Notation, JWT = JSON Web Token, OIDC = OpenID Connect.

Where security authorisation has expired, a new intent is required to ensure continued access to the account information. Nationwide will not allow an intent to be confirmed again.

Before an intent is confirmed by a customer, it is not available to be deleted by a third party.

Token life spans are as follows:


  • Authorization code (AISP and PISP): 10 minutes, not reusable – as per the OAuth 2.0 specification
  • Access Token (Client Credentials Grant): 60 minutes
  • Access Token (For Single AISP Intent ID): 30 minutes
  • Refresh Token (For Single AISP Intent ID): ~90 days expected (multi-use Refresh Token)
  • Access Token (For Single Immediate Payment): 24 hours – but payment submission only accepted within 1 hour of customer authorisation
  • ID Tokens for an Intent ID (AISP and PISP): 30 minutes

Please note these are not fixed and will change over time.
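The RS256 requirement and the token life spans above translate into checks a Third Party should run on every JWT it receives before handing it to a JOSE library for signature verification. The following is an added example, not Nationwide's code or part of the Open Banking specification: it pins the algorithm to RS256 (so a token cannot nominate "none" or an HMAC algorithm for itself), enforces exp/nbf with a small clock-skew allowance, and sanity-checks exp minus iat against the expected lifetime for the kind of token. The lifetime table, the `token_kind` labels and the assumption that the issuer sets both `iat` and `exp` are this example's own; `build_test_jwt` only constructs test tokens with a placeholder signature.

```python
import base64
import json
import time

# Only the algorithm Nationwide documents for Open Banking JWTs is accepted.
# Pinning it before any signature check stops a token from choosing "none"
# or an HMAC algorithm for itself.
ALLOWED_ALGS = {"RS256"}

# Expected maximum lifetimes in seconds, taken from the token life-span list
# above and used here only as a client-side sanity check on exp - iat
# (assumption: the issuer sets both iat and exp).
EXPECTED_MAX_LIFETIME = {
    "id_token": 30 * 60,
    "access_token_intent": 30 * 60,
    "access_token_client_credentials": 60 * 60,
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_test_jwt(header: dict, claims: dict) -> str:
    """Constructed helper for exercising the checks below: builds a compact JWT
    whose third segment is a placeholder, not a real RS256 signature."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}.placeholder-signature"


def pre_verify_checks(token: str, token_kind: str, now=None, clock_skew: int = 60) -> dict:
    """Structural and claim checks to run on a JWT before a JOSE library verifies
    the RS256 signature against the issuer's published public key (the signature
    itself is not verified here). Returns the decoded claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError(f"malformed JWT segment: {exc}") from exc

    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {alg!r}; only RS256 is accepted")

    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing or non-numeric exp claim")
    if now > exp + clock_skew:
        # An expired authorisation cannot be revived: a new intent is required.
        raise ValueError("token expired; obtain a new token or a new intent")

    nbf = claims.get("nbf")
    if nbf is not None and now + clock_skew < nbf:
        raise ValueError("token not yet valid (nbf is in the future)")

    iat = claims.get("iat")
    limit = EXPECTED_MAX_LIFETIME.get(token_kind)
    if iat is not None and limit is not None and exp - iat > limit:
        raise ValueError(f"lifetime {exp - iat}s exceeds the {limit}s expected for {token_kind}")
    return claims


def seconds_remaining(claims: dict, now: float) -> float:
    """How long the token can still be presented; refresh before this reaches zero."""
    return max(0.0, claims["exp"] - now)
```

Rejecting on `alg` before looking at anything else is the important ordering: the signature check that follows must use the key and algorithm you expect, never the ones the token names.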

In addition to the response codes detailed in the Open Banking API specifications, we will return the following exception code:
  • HTTP 503 (service unavailable or too busy).


Account and Transaction API

Detailed Open Banking specifications for the Account and Transaction API that is available to Account Information Service Providers (AISPs) are available on the Open Banking website.


Nationwide supports the following to enable you to securely access account and transaction data:

  • Create a new account-request resource.
  • Delete an existing account-request resource.
  • GET accounts to which the customer has allowed access.

Implemented GET APIs to retrieve account information resources for a specific account are:

  • GET /accounts/{AccountId}
  • GET /accounts/{AccountId}/balances
  • GET /accounts/{AccountId}/beneficiaries
  • GET /accounts/{AccountId}/direct-debits
  • GET /accounts/{AccountId}/scheduled-payments
  • GET /accounts/{AccountId}/standing-orders
  • GET /accounts/{AccountId}/transactions
  • GET /accounts/{AccountId}/product

We do not currently support optional APIs for retrieving the status of account-requests or for bulk requests across a customer's accounts.

Supporting information on Open Banking Account and Transaction API:

We will return transaction data for up to 15 months prior to the date of an account information data request.

Nationwide does not currently support pagination (splitting a response message into pages). We currently support a response message of up to a maximum of 10MB. If, in rare circumstances, you receive an exception message after requesting a large set of data, you can request the data for a series of narrower date ranges instead.

If Nationwide receives more than four requests for data from a third party within a 24-hour period where the customer is not present, we will process those requests on the understanding that the third party (AISP) has obtained the customer's consent to request data more frequently.

Periodically, customers will need to be re-authenticated so that we can continue to share their data with third parties, e.g. once every 90 days. This involves creating a new intent, and the customer having to enter their authentication details again.
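Three of the constraints above are things an AISP can enforce on its own side before it calls us: the 15-month transaction history limit, the 10MB response ceiling with narrower date ranges as the fallback, and the four-per-24-hours level for customer-not-present requests. The following added example (not Nationwide's code, and using a constructed stand-in for `GET /accounts/{AccountId}/transactions`) clamps a query's start date, halves a date window and retries when the response is rejected as too large, and keeps a sliding 24-hour count of unattended requests per intent. The `ResponseTooLarge` exception, the half-open `[start, end)` window semantics, the one-day minimum window and the transaction-count stand-in for the size limit are this example's own assumptions.

```python
import calendar
from collections import deque
from datetime import datetime, timedelta, timezone

LOOKBACK_MONTHS = 15              # transaction data for up to 15 months
UNATTENDED_DEFAULT_PER_24H = 4    # more than four unattended requests in 24h implies consent
MIN_WINDOW = timedelta(days=1)    # assumption: stop halving at a one-day window


def earliest_permitted_from(request_date: datetime) -> datetime:
    """Clamp the start of a transaction query to 15 months before the request
    date, keeping the day of month where it exists (shortening it otherwise)."""
    month_index = request_date.year * 12 + (request_date.month - 1) - LOOKBACK_MONTHS
    year, month0 = divmod(month_index, 12)
    month = month0 + 1
    day = min(request_date.day, calendar.monthrange(year, month)[1])
    return request_date.replace(year=year, month=month, day=day)


class ResponseTooLarge(Exception):
    """Stand-in for the exception returned when a response would exceed 10MB."""


def fetch_in_windows(fetch, start: datetime, end: datetime) -> list:
    """Request [start, end) via fetch(start, end). If the response is rejected as
    too large, halve the window and retry each half, returning results in
    chronological order. Gives up once a window is down to MIN_WINDOW."""
    try:
        return fetch(start, end)
    except ResponseTooLarge:
        if end - start <= MIN_WINDOW:
            raise
        mid = start + (end - start) / 2
        return fetch_in_windows(fetch, start, mid) + fetch_in_windows(fetch, mid, end)


def make_fake_fetch(transactions: list, max_per_response: int):
    """Constructed stand-in for the transactions endpoint: returns transactions
    booked in the half-open window, failing when more than max_per_response
    would be returned (a count stands in for the 10MB size limit)."""
    def fetch(start, end):
        hit = [t for t in transactions if start <= t["BookingDateTime"] < end]
        if len(hit) > max_per_response:
            raise ResponseTooLarge(f"{len(hit)} transactions in {start}..{end}")
        return hit
    return fetch


class UnattendedAccessTracker:
    """Sliding 24-hour count of customer-not-present requests per intent, so an
    AISP can see when it is about to pass the default four-per-day level."""

    def __init__(self):
        self._history = {}

    def record(self, intent_id: str, when: datetime) -> int:
        q = self._history.setdefault(intent_id, deque())
        q.append(when)
        cutoff = when - timedelta(hours=24)
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)

    def beyond_default_allowance(self, intent_id: str) -> bool:
        return len(self._history.get(intent_id, ())) > UNATTENDED_DEFAULT_PER_24H


def demo() -> dict:
    """Runs the helpers on constructed data and returns the results."""
    start = earliest_permitted_from(datetime(2024, 5, 31, tzinfo=timezone.utc))
    start2 = earliest_permitted_from(datetime(2024, 3, 31, tzinfo=timezone.utc))

    # Constructed transactions: 12 per day over three days, fetched with a
    # per-response ceiling of 20 so the four-day window must be split.
    base = datetime(2024, 3, 1, tzinfo=timezone.utc)
    txns = [{"TransactionId": f"t{d}-{i}", "BookingDateTime": base + timedelta(days=d, hours=i)}
            for d in range(3) for i in range(12)]
    fetched = fetch_in_windows(make_fake_fetch(txns, 20), base, base + timedelta(days=4))

    tracker = UnattendedAccessTracker()
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    counts = [tracker.record("intent-1", t0 + timedelta(hours=h)) for h in (0, 5, 10, 15, 20)]
    over = tracker.beyond_default_allowance("intent-1")
    later = tracker.record("intent-1", t0 + timedelta(hours=30))
    return {"start": (start.year, start.month, start.day),
            "start2": (start2.year, start2.month, start2.day),
            "ids": [t["TransactionId"] for t in fetched],
            "counts": counts, "over": over, "later": later}
```

The window splitter only ever narrows the range you asked for, so it never reaches past the clamped start date; and because the tracker counts per intent, a re-authentication (new intent) starts a fresh count.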


Payment API

Detailed Open Banking specifications for the Payment Initiation API that is available to Payment Initiation Service Providers (PISPs) are available on the Open Banking website.

Nationwide supports the following to enable you to securely process payments and check the status of a submitted payment:

We do not currently support the optional API for retrieving the status of payment at the point of initiation.

Nationwide will accept single immediate payments made via Open Banking which will be executed via the Faster Payments Scheme. 

Nationwide's faster payment limit for current accounts is a maximum of £10,000 when paying non-Nationwide accounts, credit cards and mortgages. This limit rises to £5,000,000 for an internal transfer.

Some data field lengths within the Open Banking payment API specifications exceed the equivalent data field lengths within the Faster Payment scheme. If the data provided within any of these fields via the API(s) exceeds the maximum length permitted within the relevant Faster Payment field(s), we will reject the payment rather than attempt to truncate the data.

Nationwide will only allow payment values in GBP, with one or two decimal places as per ISO 20022.

As Nationwide Open Banking payments are all single immediate payments, third parties must submit the payment for execution within 1 hour of the customer's authentication.

In the event of a Third Party Provider (TPP) receiving a timeout after presenting a payment for execution following customer authentication, please be aware that Nationwide will have received the payment and may already have processed it. The payment submission status API is available to confirm the latest status of a recent payment.

The payment submission status API can be accessed at any time after the payment has been set up. Up to 24 hours after customer authentication, the access token granted after authentication can be used, but after 24 hours a new client credentials access token must be obtained.
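The payment rules above (GBP only, one or two decimal places, scheme field limits enforced by rejection rather than truncation, submission within 1 hour of authorisation, and querying status rather than resubmitting after a timeout) can all be checked by a PISP before and around the submission call. The following is an added example, not Nationwide's code: `validate_initiation` runs the local checks, `token_for_status_check` picks the token the status API will accept given how long ago the customer authorised, and `submit_once` turns a timeout into a status query. The field layout (`InstructedAmount`, `CreditorAccount.Name`, `RemittanceInformation.Reference`) follows the Open Banking payment initiation object; the Faster Payments length limits in `ASSUMED_FPS_MAX_LEN` are placeholders, as the page states only that the scheme's limits are shorter than the API's.

```python
import re
from datetime import datetime, timedelta, timezone

# GBP only, amounts with one or two decimal places (ISO 20022 style).
AMOUNT_RE = re.compile(r"^\d{1,13}\.\d{1,2}$")
SUBMISSION_WINDOW = timedelta(hours=1)       # submit within 1 hour of authorisation
AUTH_TOKEN_LIFETIME = timedelta(hours=24)    # post-authorisation token usable for 24h

# Assumed Faster Payments field limits for illustration only: substitute the
# scheme's published values. The page says only that they are shorter than the
# API's and that over-length data is rejected, not truncated.
ASSUMED_FPS_MAX_LEN = {
    ("CreditorAccount", "Name"): 40,
    ("RemittanceInformation", "Reference"): 18,
}


def validate_initiation(initiation: dict, authorised_at: datetime, submit_at: datetime) -> list:
    """Pre-submission checks a PISP can run locally so a payment is not sent
    only to be rejected. Returns a list of problems (empty means go ahead)."""
    problems = []
    amount = initiation.get("InstructedAmount", {})
    if amount.get("Currency") != "GBP":
        problems.append("Currency must be GBP")
    if not AMOUNT_RE.match(str(amount.get("Amount", ""))):
        problems.append("Amount must be digits with one or two decimal places, e.g. 10.50")
    for (obj, field), limit in ASSUMED_FPS_MAX_LEN.items():
        value = initiation.get(obj, {}).get(field, "")
        if len(value) > limit:
            problems.append(f"{obj}.{field} is {len(value)} chars; scheme limit {limit} "
                            "(rejected rather than truncated)")
    if submit_at - authorised_at > SUBMISSION_WINDOW:
        problems.append("more than 1 hour since customer authorisation; a new authorisation is needed")
    return problems


def token_for_status_check(authorised_at: datetime, now: datetime) -> str:
    """Which token to present to the payment submission status API."""
    if now - authorised_at <= AUTH_TOKEN_LIFETIME:
        return "post-authorisation access token"
    return "client credentials access token"


def submit_once(submit, get_status, submission_id: str) -> tuple:
    """Submit a payment for execution exactly once. On a timeout the ASPSP may
    already have processed it, so query the status API rather than resubmit."""
    try:
        return "submitted", submit()
    except TimeoutError:
        return "timed out; status queried", get_status(submission_id)


def demo() -> dict:
    """Exercises the helpers on constructed payments and a simulated timeout."""
    authorised = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    good = {
        "InstructedAmount": {"Amount": "10.50", "Currency": "GBP"},
        "CreditorAccount": {"Name": "A N Other"},
        "RemittanceInformation": {"Reference": "INVOICE 123"},
    }
    bad = {
        "InstructedAmount": {"Amount": "10.505", "Currency": "EUR"},
        "CreditorAccount": {"Name": "A N Other"},
        "RemittanceInformation": {"Reference": "THIS REFERENCE IS FAR TOO LONG"},
    }
    calls = {"submit": 0}

    def flaky_submit():          # constructed: the gateway times out on submission
        calls["submit"] += 1
        raise TimeoutError("gateway timeout")

    def status(submission_id):   # constructed status API response
        return {"PaymentSubmissionId": submission_id, "Status": "AcceptedSettlementInProcess"}

    return {
        "good": validate_initiation(good, authorised, authorised + timedelta(minutes=30)),
        "bad": validate_initiation(bad, authorised, authorised + timedelta(minutes=90)),
        "token_2h": token_for_status_check(authorised, authorised + timedelta(hours=2)),
        "token_25h": token_for_status_check(authorised, authorised + timedelta(hours=25)),
        "timeout": submit_once(flaky_submit, status, "ps-001"),
        "submit_calls": calls["submit"],
    }
```

The point of `submit_once` is that a timeout is not a failure you can safely retry: the status API, not a second submission, is how a PISP finds out whether the payment went through.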

Getting help