On the transport level, all requests to the Open Banking Service, as well as all requests sent by the Open Banking Service, must be encrypted using TLS and made over HTTPS:
- TLS 1.3 SHOULD be used;
- TLS 1.2 may be used;
- anything below TLS 1.2 must not be used and will be refused by the Open Banking Service.
The TLS authentication method used is one-way: the client authenticates the server's identity. In requests to the Open Banking Service, the Open Banking Service authenticates itself with its certificate; in requests from the Open Banking Service to the Initiating Party, the Initiating Party authenticates itself with its certificate. Any connection without TLS encryption, such as plain HTTP, will be refused.
Mutual TLS optional
Optionally, the TLS authentication can be two-way, meaning that the client and server identities are authenticated mutually: both the Open Banking Service and the Initiating Party authenticate each other, providing a higher level of security.
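The version floor and the two authentication modes above map directly onto TLS context settings. The following is an added example, not code from the Open Banking Service or any Initiating Party implementation; it uses only Python's standard `ssl` module. Certificate and key file paths are parameters (no real files are assumed), `client_context` is the side that calls the Open Banking Service or receives its callbacks as a client, and `server_context` is the side that accepts connections, with mutual TLS as an opt-in switch. `policy_summary` is a small audit helper for checking what a context will actually enforce.

```python
import ssl

# Transport policy from the specification: TLS 1.2 is the floor, TLS 1.3 the ceiling.
# Anything older (TLS 1.0/1.1, SSLv3) can then never be negotiated by either side.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
MAX_VERSION = ssl.TLSVersion.TLSv1_3

# Protocol names as reported by SSLSocket.version() after a completed handshake.
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


def apply_transport_policy(ctx):
    """Pin the negotiable version range of any SSLContext to TLS 1.2..1.3."""
    ctx.minimum_version = MIN_VERSION
    ctx.maximum_version = MAX_VERSION
    return ctx


def client_context(ca_file=None, client_cert=None, client_key=None):
    """Context for the connecting side (one-way TLS by default).

    The client always verifies the server's certificate chain and hostname.
    Passing client_cert/client_key enables the optional mutual TLS: the client
    then presents its own certificate when the server requests one.
    ca_file: hypothetical path to the CA bundle trusted for the peer; None
    falls back to the system trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    apply_transport_policy(ctx)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def server_context(server_cert=None, server_key=None, mutual_tls=False, client_ca_file=None):
    """Context for the accepting side.

    One-way TLS (default): the server only authenticates itself.
    mutual_tls=True: the server additionally requires a client certificate
    chaining to client_ca_file, so unauthenticated clients fail the handshake.
    server_cert/server_key are hypothetical paths; a real listener must load them.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    apply_transport_policy(ctx)
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED if mutual_tls else ssl.CERT_NONE
    return ctx


def negotiated_version_accepted(version):
    """Post-handshake check on SSLSocket.version(); a defence-in-depth guard
    in case a context was built elsewhere without the version floor."""
    return version in ACCEPTED_VERSIONS


def policy_summary(ctx):
    """Plain-value view of what a context enforces, useful for configuration audits."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("client, one-way:", policy_summary(client_context()))
    print("server, one-way:", policy_summary(server_context()))
    print("server, mutual :", policy_summary(server_context(mutual_tls=True)))
```

Note that `check_hostname` only applies to the connecting side; on the accepting side the peer is identified by its certificate chaining to the configured client CA, which is why `server_context` leaves it off and relies on `CERT_REQUIRED` instead.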