The New Payments Platform (NPP) is a world-class platform for payments innovation which can turn the possibilities presented by new ideas into real progress for Australian consumers, businesses and institutions.
It’s designed to support an economy that never sleeps, never tires and never slows. The platform is managed by NPP Australia Limited (NPPA).
NPP was launched in Australia in February, 2018. NPP allows real time payments, 24/7/365, between accounts held by customers of Australian financial institutions where their financial institutions are members (i.e. “Participants”) in the NPP.
The NPP’s infrastructure has the flexibility to support multiple tailored payment products and services (“Overlay Services”) that will sit on top of the infrastructure.
NPP is designed to be inclusive, providing options for different entities to leverage the Platform’s functionality in various ways. There are five ways to access the NPP:
- NPP Participant
- Identified Institution
- Overlay Service Provider
- Connected Institution
- User of the platform
Refer to the diagram below:
Is the NPP Live?
At launch, access to the NPP was primarily available to two Participant types: 1. NPP Participant and 2. Identified Institution identified in the diagram above, with in excess of 60 banks, building societies and credit unions being able to access the platform and offer this service to their customers. The other options for accessing the NPP will become available as adoption continues.
However, testing requirements of Participants, and indeed challenges, remain beyond the successful launch of the platform. This is for a number of reasons, not least being:
- Knowledge retention amongst Participants’ NPP testing teams;
- Transition of the NPP operations to Participants’ BAU (Business as Usual) teams;
- Testing of future service adoption by Participants;
- Testing of changes to services already consumed by Participants;
- Testing of bi-yearly NPP releases. These may also include changes to the Basic Infrastructure (BI);
- NPP re-certification requirements, prompted by certain triggers; and
- NPP compliance requirements.
Most importantly, Participants will need to plan to fit these requirements into their enterprise planning and release timeframes, whilst complying with an NPPA mandated Release strategy and timeline. These all present their own set of challenges for Participants.
Planit has already successfully partnered with ‘Wave 1’ Participants to achieve Industry certification prior to NPP launch, and are uniquely placed to continue to work with existing Participants, and indeed new Direct and Indirect Participants, to achieve their NPP testing certification requirements going forward.
Industry Testing Challenges
As with any large complex integration program of work, once the solution has gone live and moves into a BAU mode, testing teams are typically stood down and resources deployed to other projects and programs. The NPP is no different for many Participants.
As alluded to above, in order to address some of these challenges, ongoing NPP testing needs to be carefully planned. Consideration needs to be given to the points raised in the following sections:
NPPA plan to have two releases impacting the BI each year, the contents of each are planned and agreed with both Society for Worldwide Interbank Financial Telecommunication (SWIFT) and NPP Participants. In the case of the Release contents, these will be planned and agreed through the NPP Change Management Sub Committee and the NPP Operating Committee, with groups comprised of members from Participants and SWIFT.
Participant testing teams need to be aligned to Release contents and timelines:
- Typically, one will be a Minor release that will be optional for Participants to accept. The other will be a Major release, and this is mandatory for all Participants to accept;
- The major release will also incorporate the changes contained in the minor release. However, should a Participant elect to not take the minor release, they can expect to have increased testing scope when adopting the major release;
- Releases will need to be tested by Participants from a functional or non-functional perspective, or both, depending upon the release contents;
- The scope of certification testing will be defined in the NPPA Release Test Plan for the respective release;
- NPPA and SWIFT will set the release adoption timeframe, from when the code is released by SWIFT for Participant access in a testing environment, through to when it must be deployed to production. These timelines will be strictly enforced by NPPA. Note that the SWIFT Release Plan details the timeline whereby SWIFT will provide release support, which is typically n-1, where ‘n’ is the current, available release.
Participants must also ensure that these NPP releases are aligned to their wider enterprise release strategy/plans and timelines.
Post public launch of the NPP, there are certain triggers that will require a Participant to go through a re-certification process, and this is expected to entail a level of both functional and non-functional testing.
This may be either a partial or a full re-certification, and this is dependent upon the types of changes being made by the Participant. Some examples include:
- Changes to Notifiable Components. This is defined as:
- The equipment and operating systems on which the Payment Gateway (PAG), Direct Messaging Channel (DMC) and any other SWIFT components sit, together with associated Hardware Security Module (HSM) and VPN equipment exclusively dedicated to production NPP, and impact the NPP real time clearing flow;
- The IBM WebSphere MQ environment connected to the PAG;
- The Payments Connector that is connected to the MQ environment and gets/puts messages on MQ, and is responsible for creating and processing XML messages in ISO20022 format conforming to the BI Interface Specification;
- Additionally, by extension, it includes any other system or subsystem which is directly involved in responding to a Clearing Request (pacs.008) with a Clearing Notification (pacs.002) within the prescribed SLA, including any ‘stand in’ service for use when any other banking systems are unavailable for any reason;
- These changes must be advised to NPPA in advance to allow an Impact Assessment to be performed.
- Introduction of additional services: functionality introduced after Certification through changes to the BI, or consumption of new Overlay Services;
- Changes made to existing services consumed by the Participant where there are changes to the BI, or Participants’ Back Office (BO) functions affected by the change. Importantly, this also includes changes made as a result of a Participant who had an exemption (based upon the solution they were implementing) for any mandatory functionality prior to NPP Go-Live, changing their solution post Go-Live and where this mandatory functionality is then bought into scope;
- Compliance based re-certification: where a Participant is correcting notified breaches of the NPP Regulations, SLA breaches or Security breaches;
- Regular conformance checks: annual compliance checks imposed by NPPA, with these requirements being articulated to Participants through their NPP Operating Committee representatives.
NPPA will either work with the impacted Participant, or all Participants, dependent upon the changes being made, and may mandate the certification tests to be re-run and passed at a minimum, and the timeframe in which they must be run.
Failure to meet the deadlines imposed could lead to a suspension of a Participant from the NPP, and would set in train a compliance-based approach for that Participant to again access the BI. This is equally applicable to testing of NPP releases.
Where Participants’ testing teams have been disbanded, or key testing resources are no longer available, Planit has the NPP program testing knowledge and experience to be able to assist in the planning and execution of the required testing to satisfy NPPA’s requirements.
In addition to the above, new Participants may elect to join the NPP, and after meeting the requirements for joining set out in the NPP Regulations, will access the BI in one of the ways below:
- Directly Connected – this is where a Full Participant elects to procure the required SWIFT componentry and accesses the BI directly. In this case, the Participant is responsible to undertake all required Certification testing prior to accessing the NPP in a production environment;
- Indirectly Connected – where the new Participant elects not to directly connect, but instead connects through an existing aggregator, who is a Full Participant. In this case there is a Sponsorship Agreement put in place resulting in the Sponsoring Institution being responsible for the testing performed by the Indirectly connected Participant, including the required Certification testing.
- Overlay Service Providers (OSP) use another type of connection, though at this time this activity is still in its infancy. At a high level, OSP’s may connect to the BI in either a direct or indirect manner.
- It should be noted that based on the NPP testing strategy, the same rules as above will apply. Most importantly, if an OSP is developing a new service or one that an existing Participant is wanting to consume, then that Participant is responsible to ensure that all testing requirements upon the OSP (including NPP certification) are met. Planit can assist in this regard.
New Participants (both for Direct Participants and Indirect Participants) wishing to join the NPP will be required to undertake NPP certification testing. This will involve both unilateral and bilateral functional and non-functional testing, and OAT. See below for more details.
Additional Service Provider Certification
Additional certification(s) required by any service providers, such as Bpay Osko Service 2 (Payment with Document) and Osko Service 3 (Request to Pay), will also be required.
Participants planning to subscribe to these Bpay Osko services must also plan this additional certification requirement into their testing. Further information can be obtained from the respective service providers.
NPP Test Suites
NPPA maintains two test suites in their test management tool. These are available to Participants, and are dependent upon the type of connection they have to the NPP:
This test suite contains the NPPA mandated Certification test scenarios that must be run, and passed by new Participants wishing to certify and access the BI. This suite contains functional, non-functional and OAT-type test scenarios, and are a sub-set of the Industry test suite used for the initial implementation of the NPP. These scenarios must be run in either a unilateral or bilateral style, or both, dependent upon the scenario intent and documented in the ‘NPPA Participant Certification Approach’ document, which is the NPPA authored and owned testing strategy.
It should be noted however that these test scenarios are NPPA’s requirement to certify against only. For example, Bpay as an NPP service provider will have their own certification process for Participants wishing to subscribe to the ICS services developed by them and run on the BI.
Participants will need to complete this Bpay certification process, as well as NPPA’s certification requirements, prior to accessing the BI. NPPA does not manage Bpay’s certification process.
Where an existing Participant is expected to recertify, for instance, due to changes to a Notifiable Component, NPPA will assess the change and confirm with the Participant which of the Certification test scenarios will be expected to be run, and passed, to prove no impact to the BI of the Participant’s changes.
The process that Participants are also expected to follow to achieve NPP certification are further defined in the ‘NPP Certification Approach’ document.
The second is an Assurance test suite that contains test scenarios that, whilst are not mandatory, are recommended to be run by all new Participants to complement their own testing. These also formed part of the original Industry test scope.
However, now that the NPP is live, they are not deemed to be critical (or mandated) test scenarios. They are provided to Participants to extend their own testing, and to provide an extra level of ‘assurance’ prior to seeking NPP certification.
All of these scenarios are based on the Industry testing that was performed prior to the launch of the NPP.
Testing with Planit
Based on the above requirements, Planit is well placed as a trusted testing partner to assist new Participants wishing to access the NPP Basic Infrastructure, either as a directly or indirectly connected Participant, a Sponsoring Institution, or an Overlay Service Provider with functional and non-functional testing services.
Given our solid experience in NPP Industry testing, we can provide these testing services to existing Participants for Release testing. We can also meet the requirements of re-certification and any other NPP-related testing.
Our consultants come with Payments, NPP program and domain knowledge. When coupled with extensive functional and non-functional test expertise, we can ensure robust testing of NPP features and integration points.
Furthermore, we can maximise testing windows and progress through utilising our near shore and off-shore test delivery models, thereby providing clients with increased flexibility in testing delivery. Visit out Testing Services page to find out how we can assist with performance, automation, and security testing, and much more.