Open Banking is taking the financial world by storm. Driven mainly by regulation, it obliges financial institutions to open up their precious customer data to regulated third parties. The main idea behind these changes is that Open Banking will bring more competition and innovation to financial services, leading to a range of new products and services and a better customer experience.
Although some financial institutions are already en route to Open Banking compliance, others may still have unanswered questions. In this post we cover the most frequently asked questions about Open Banking from the banking industry's perspective.
What is Open Banking?
Open Banking is a protected way of sharing a customer's financial information with third-party providers. With the customer's consent, banks can share account and transaction details with third parties through application programming interfaces (APIs). Open APIs enable the exchange of information between the bank and the third-party software provider. This helps banks offer tailored products and services to acquire and retain customers.
For third-party service providers to be fully authorized to use Open Banking APIs, they must be registered under one or both of the following:
- AISP – Account Information Service Provider
- PISP – Payment Initiation Service Provider
An authorized AISP is a third-party provider that, with the customer's consent, connects to the customer's bank account and uses the account information to provide a service (for example, aggregating accounts held at several banks).
An authorized PISP is a third-party provider that, with the customer's consent, initiates payments from the customer's bank account on their behalf. A PISP connects to the customer's bank (the account servicing provider), not to an AISP; the two roles are independent and a provider may hold either or both.
What is PSD2?
The Payment Services Directive is an EU directive that enables bank customers – both consumers and businesses – to use third-party providers to manage their financial data and initiate payments. The original PSD (adopted in 2007) was replaced by PSD2, the revised Payment Services Directive, which was adopted in 2015 and applied from January 2018. It establishes a new legal framework for payment services in the European Union (EU) and the European Economic Area (EEA). PSD2 helps to:
- Ensure consumer protection and transparent financial transactions
- Create a single payment market based on regulatory framework for payments
- Increase competition among banks and fintechs
- Transform the payments value chain, identify lucrative business models and enhance customer experience
What is CMA9?
The Competition and Markets Authority (CMA) is an independent non-ministerial department of the UK government. Its aim is to promote market competition and ensure fair business without harmful monopolies.
In August 2016, the CMA announced the Open Banking initiative and required nine major UK banks to adopt Open Banking APIs by a deadline of 13 January 2018. These participating banks are referred to as the CMA9. The nine banks and building societies are:
- AIB Group UK (trading as First Trust Bank in Northern Ireland)
- Bank of Ireland (UK)
- Barclays Bank
- HSBC Group (including First Direct and M&S)
- Lloyds Banking Group (including Bank of Scotland and Halifax)
- Nationwide Building Society
- Northern Bank Limited (trading as Danske Bank)
- The Royal Bank of Scotland Group (including NatWest and Ulster Bank)
- Santander UK
What are the major functional components of PSD2?
The major functional components of PSD2 are account and transaction information, payment initiation, and confirmation of funds for card-based payment instrument issuers (CBPIIs). All three are covered by the Open Banking UK, Berlin Group, and STET standards. Additionally, Open Banking UK defines APIs for standing orders, direct debits, scheduled and file payments, and statements.
What are the key PSD2 dates to look out for in 2019?
By 14 September 2019 banks need a PSD2-compliant API framework, as defined by the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication issued by the European Banking Authority. Six months earlier, on 14 March 2019, banks were obliged to publish the technical specifications of their interfaces and provide a testing facility, with support, for third-party providers.
What are Open APIs?
Open APIs expose a range of data to third-party financial service solution providers. They enable third-party developers to build applications and services around the financial institution.
These APIs are designed to support Open Banking regulations. Through the adoption and deployment of APIs, banks can extend and enhance their native services and offerings. Banks can rapidly advance their digital transformation agenda in the Open Banking world by leveraging third-party applications and service ecosystems that are enabled by APIs.
Will fintech companies get access to PSD2 APIs disclosed by financial institutions?
Not automatically. FinTech companies need to register with, and be approved by, the national competent authority (NCA) of their home country as a third-party provider (TPP), and either register with or passport that authorization into each other country where they wish to operate. When a customer wishes to share account details held at a bank with a registered TPP, the bank must verify against the NCA's register that the TPP is authorized, that the registration is still current, and which type of service it is authorized for (account access only, payment initiation only, or both). Under the RTS the TPP's identity and roles are also carried in the eIDAS qualified certificate it presents to the API, which the bank validates on every call. It is vital for the bank to confirm that the TPP has been permitted by the local regulator to offer that service in that country before granting access to its customers' data.
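The check described above, written out as an added example (this is not code from the original article or from any Open Banking implementation). It assumes the bank has already authenticated the TPP and cached its entry from the NCA register; the register rows, TPP identifiers, role names and endpoint paths are constructed for illustration. The point it makes beyond the text is the order of the checks and that anything not explicitly permitted (unknown TPP, revoked registration, wrong country, wrong role, unknown endpoint) is denied.

```python
"""Authorize a TPP request against its NCA registration.

Added example (not the article's or any standard's code). Register rows, TPP
identifiers, role names and endpoint paths are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TppRegistration:
    tpp_id: str            # authorization number assigned by the home NCA
    home_nca: str          # e.g. "FCA", "BaFin"
    roles: frozenset       # subset of {"AISP", "PISP"}
    countries: frozenset   # ISO 3166 codes where the TPP is authorized or passported
    status: str            # "active", "suspended" or "revoked"


# Constructed snapshot of what a bank might cache from NCA registers.
REGISTER = {
    "PSDGB-FCA-000001": TppRegistration(
        "PSDGB-FCA-000001", "FCA", frozenset({"AISP"}), frozenset({"GB"}), "active"),
    "PSDDE-BAFIN-000002": TppRegistration(
        "PSDDE-BAFIN-000002", "BaFin", frozenset({"AISP", "PISP"}),
        frozenset({"DE", "FR", "NL"}), "active"),
    "PSDGB-FCA-000003": TppRegistration(
        "PSDGB-FCA-000003", "FCA", frozenset({"AISP", "PISP"}), frozenset({"GB"}), "revoked"),
}

# PSD2 role each API family requires. Path prefixes are assumptions modelled on
# the Open Banking UK resource naming; anything outside them is denied.
ENDPOINT_ROLE = {
    "/open-banking/v3.1/aisp/": "AISP",   # accounts, balances, transactions, ...
    "/open-banking/v3.1/pisp/": "PISP",   # domestic payments, standing orders, ...
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def required_role(path):
    """Role needed for a request path, or None if the path is not a known API family."""
    for prefix, role in ENDPOINT_ROLE.items():
        if path.startswith(prefix):
            return role
    return None


def authorize_tpp(register, tpp_id, path, country):
    """Deny-by-default policy: every check must pass before access is granted."""
    reg = register.get(tpp_id)
    if reg is None:
        return Decision(False, "TPP not present in NCA register")
    if reg.status != "active":
        return Decision(False, f"TPP registration is {reg.status}")
    if country not in reg.countries:
        return Decision(False, f"TPP not authorized to operate in {country}")
    role = required_role(path)
    if role is None:
        return Decision(False, "unknown endpoint; denied by default")
    if role not in reg.roles:
        return Decision(False, f"endpoint requires {role}; TPP holds {sorted(reg.roles)}")
    return Decision(True, f"{role} access permitted")


if __name__ == "__main__":
    for tpp, path, ctry in [
        ("PSDGB-FCA-000001", "/open-banking/v3.1/aisp/accounts", "GB"),
        ("PSDGB-FCA-000001", "/open-banking/v3.1/pisp/domestic-payments", "GB"),
        ("PSDGB-FCA-000003", "/open-banking/v3.1/aisp/accounts", "GB"),
        ("PSDDE-BAFIN-000002", "/open-banking/v3.1/pisp/domestic-payments", "GB"),
    ]:
        print(tpp, path, ctry, "->", authorize_tpp(REGISTER, tpp, path, ctry))
```

Note that the country check runs before the role check: a TPP that holds the PISP role at home but has not passported into the country of the account is still refused, which matches the "in each country" requirement in the text.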
Is my bank in scope for implementing PSD2?
All financial institutions and banks that operate within the European Union and offer payment accounts, credit cards, e-money accounts, and have a digital banking offering are in scope of PSD2. In addition, payment accounts available to customers only via digital banking channels are also in scope.
What are some of the key terms related to PSD2?
PSD2: The Second Payment Services Directive
NCA: National Competent Authority (the FCA in the UK)
ASPSP: Account Servicing Payment Service Provider (e.g., a bank)
TPP: Third Party Provider
AISP: Account Information Service Provider
PISP: Payment Initiation Service Provider
RTS: Regulatory Technical Standards
What are the key requirements for API security?
The Open Banking UK security profile is based on the OpenID Foundation's Financial-grade API (FAPI) profile of OpenID Connect (OIDC). Using an OIDC provider certified by the OpenID Foundation against that profile is the recommended way to demonstrate that the bank's API security meets the standard. For decoupled flows, where the customer approves on a mobile app a request that started on another device or channel, banks can also implement Client Initiated Backchannel Authentication (CIBA). Banks must also apply strong customer authentication (SCA), as mandated by PSD2, when a customer authenticates to authorize API-based access, not only on the bank's own web and mobile channels. Penetration testing of the API surface should be performed and any vulnerabilities remediated before go-live.
What are the requirements around Strong Customer Authentication (SCA)?
Financial institutions must implement SCA for customer access to their digital banking offering over their web and mobile channels.
It must include at least two of the following three elements, from different categories (two elements of the same category, such as a password and a PIN, do not count):
- Something the customer knows, such as a password or PIN
- Something the customer has, for example a phone or hardware token
- Something the customer is, such as a fingerprint, voice or facial recognition
From 14 September 2019 banks are required to apply SCA, and payments that do not meet these criteria will be declined unless one of the exemptions defined in the RTS (for example, low-value payments or trusted beneficiaries) applies.
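An added example (not code from the article) that encodes the two-categories rule above and shows what it takes for a payment to "meet these criteria". It goes one step beyond the text: for a remote payment the RTS also requires dynamic linking, meaning the authentication code the customer produces must be bound to the specific amount and payee, so a code approved for one payment cannot be replayed for another. The element names, the HMAC construction and the secret key are assumptions made for this illustration.

```python
"""SCA element check plus dynamic linking for a remote payment.

Added example, not from the original article. Element names, the HMAC-based
authentication code and the secret are assumptions for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has
    INHERENCE = "inherence"    # something the customer is


# Assumed mapping from the element a channel reports to its SCA category.
ELEMENT_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "device_binding": Category.POSSESSION,
    "hardware_token_otp": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


@dataclass(frozen=True)
class Element:
    kind: str       # key of ELEMENT_CATEGORY
    verified: bool  # whether the element actually verified in this session


def sca_categories(elements):
    """Distinct categories among the verified, recognised elements.

    Unverified elements and element types the policy does not know are ignored,
    so they can never count towards SCA.
    """
    return {ELEMENT_CATEGORY[e.kind] for e in elements
            if e.verified and e.kind in ELEMENT_CATEGORY}


def sca_satisfied(elements):
    """SCA needs two distinct categories, not merely two elements."""
    return len(sca_categories(elements)) >= 2


def authentication_code(secret, transaction_id, amount_minor, payee_account):
    """Authentication code dynamically linked to one payment.

    An HMAC over transaction id, amount (in minor units) and payee: changing the
    amount or payee after the customer authenticated invalidates the code.
    """
    msg = f"{transaction_id}|{amount_minor}|{payee_account}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def decide_remote_payment(elements, secret, transaction_id, amount_minor,
                          payee_account, presented_code):
    """Accept only if SCA holds AND the presented code is linked to this payment."""
    if not sca_satisfied(elements):
        return "DECLINE: elements do not span two SCA categories"
    expected = authentication_code(secret, transaction_id, amount_minor, payee_account)
    if not hmac.compare_digest(expected, presented_code):
        return "DECLINE: authentication code not linked to this amount/payee"
    return "ACCEPT"


# Constructed session: the customer's app presented a PIN (knowledge) and a bound
# device (possession) and approved GBP 120.00 to a constructed payee account.
SECRET = b"demo-key-assumption"
SESSION = [Element("pin", True), Element("device_binding", True)]
CODE = authentication_code(SECRET, "txn-42", 12000, "200000-12345678")

if __name__ == "__main__":
    print(decide_remote_payment(SESSION, SECRET, "txn-42", 12000, "200000-12345678", CODE))
    print(decide_remote_payment(SESSION, SECRET, "txn-42", 50000, "200000-12345678", CODE))
    print(decide_remote_payment([Element("password", True), Element("pin", True)],
                                SECRET, "txn-42", 12000, "200000-12345678", CODE))
```

The comparison uses `hmac.compare_digest` so that a wrong code is rejected in constant time, and the category set is computed only from elements that actually verified; a biometric that was prompted for but failed contributes nothing.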
What constitutes a ‘payment account’?
In October 2018 the Court of Justice of the European Union ruled that a savings account is not a 'payment account' if it does not allow the account holder to make payments to, or receive payments from, third parties. However, the classification of other account types still needs to be settled.
Is authenticated screen scraping allowed under PSD2?
PSD2 itself does not mandate screen scraping, but during the transition it remained the way most TPPs reached accounts: from 13 January 2018 (when PSD2 applied) until 14 September 2019 (when the RTS applied), TPPs could continue to log in to online banking sites as the customer. If a bank already has multi-factor authentication on its digital banking offering, the TPP authenticates through that same mechanism and no extra effort is required of the bank. From 14 September 2019 TPPs should use the APIs; if a bank's dedicated interface is unavailable or under-performs, the RTS requires a fallback that lets TPPs identify themselves and use the customer-facing interface, unless the bank's NCA has exempted it from providing one.
What are the requirements around fraud monitoring and prevention?
PSD2 requires banks and financial institutions to implement electronic fraud monitoring and transaction risk management, especially around payments. Payments initiated by TPPs carry risk data (in the Open Banking UK standard, for example, a payment context code and merchant category code) that the institution's risk engine can use to score the transaction and apply further checks as appropriate.
Can I get my PSD2 implementation certified to ensure that it meets the regulatory requirements?
Open Banking UK offers tools to support certification. These come in two parts:
- Open Banking Conformance Suite:
Conformance to the security profile (the FAPI-based OIDC profile) is demonstrated by running the Open Banking conformance suite. The test results are submitted to Open Banking UK for certification.
More details are available here.
- JSON Data Validation tool:
Open Banking UK also offers a tool that validates the JSON payloads of the APIs, including the resource APIs; further details can be found here.
What does my bank need to think about in terms of customer journeys?
PSD2 mandates that when a TPP accesses customer accounts or initiates payments, the customer journey must be no more cumbersome than when the customer uses the bank's own internet or mobile banking directly. This means the authentication the bank performs for TPP-initiated access must reuse its existing digital banking authentication mechanisms for access and consent management.
In the UK, based on consumer research, the OBIE has defined a clear set of customer journeys for various scenarios. The details can be found here.
How does Open Banking impact my organization in the long term?
The regulatory directive behind Open Banking aims to create a technically secure environment for banks to reveal their customers' data (with the customers' consent) to regulated third parties. This opens the door for new players to create innovative products across industries that solve customer needs. At the same time, incumbent banks face increasing pressure from digitally lean challenger banks that often have much lower operating costs and much shorter innovation cycles. This presents an ideal opportunity for banks to join the innovation bandwagon and reinforce their position as leaders of financial services by aligning their digital strategies for improved customer experiences, revenue growth, and operational efficiencies.
How are GDPR and Open Banking connected?
The General Data Protection Regulation (GDPR) is an EU regulation that requires institutions to obtain the consumer's prior consent before using their data for commercial purposes, to be transparent about that use, and to protect the consumer's data privacy.
Open Banking, driven in the EU by the PSD2 directive, requires banks to release data to third parties with the prior consent of the customer. Under this directive, customers can make their banking data available to third parties and authorize them to initiate payments on their behalf.
At heart, both regulations are about customers having more control over their data, and about the data being used in the customer's interest. Together, GDPR and Open Banking set the standard for how the financial data of customers is supposed to be handled.
Which Open Banking initiatives have been launched in Europe?
- Open Banking Implementation Entity (UK) – The Open Banking Implementation Entity was created by the UK’s Competition and Markets Authority to create software standards and industry guidelines that drive competition and innovation in UK retail banking.
- The Berlin Group (Germany) – The Berlin Group is a standards initiative and API framework to help banks comply with PSD2 regulation. To ensure Strong Customer Authentication (SCA) for online payments and seamless ‘payment initiation and account information services’, operated by Third Party Providers (TPPs), Berlin Group NextGenPSD2 has worked on a detailed ‘Access to Account (XS2A) Framework’ with data model (at conceptual, logical and physical data levels) and associated messaging. Over the past few months, versions 1.1, 1.2, and 1.3 of NextGenPSD2 have been released. Open Bank Project delivers Berlin Group 1.3 APIs to production commercial license holders so they can fulfill their PSD2 compliance requirements.
- STET (France) – STET is one of the organizations that has defined interfaces aligned to the new Payment Services Directive (PSD2). The interfaces define a secure and easy-to-use set of services to be implemented by European ASPSPs (Account Servicing Payment Service Providers).
Are there any developments outside Europe in terms of Open Banking?
Yes, regulators in several countries around the world are introducing legislation on Open Banking. Australia is leading the way under its Consumer Data Right, requiring the big four banks to be compliant by 1 February 2020 and other banks to follow a year later. Canada, Mexico, Brazil, Japan and the United States have also started assessing their options.
Banks and financial institutions are challenged to innovate and transform digitally. Open Banking has become a major source of innovation in the banking industry. It defines how financial data should be created, shared and accessed, giving full control to the customer, the owner of the data. Banks are encouraged to take advantage of this tremendous opportunity to strengthen their customer relationships. They are expected to make every banking experience intuitive, seamless and digitally engaging to better meet customer needs.