Open banking is taking the financial world by storm. Mainly driven by the regulation it obliges financial institutions to open up their precious data to regulated third parties. The main idea behind these changes is that Open Banking will bring more competition and innovation to financial services which will lead to a range of new products and services, and better customer experience.
Although some financial institutions are already en route to their Open Banking compliance implementation, for others there might still be unanswered questions.In this post we cover the most frequently asked questions for Open Banking from the banking industry perspective.
In this post we cover the most Frequently Asked Questions (FAQ) for Open Banking from the banking industry perspective:
Open Banking is a protected way of sharing customer's financial information with third-party providers. With customer's consent, banks can share account and transaction details with third parties through application programming interfaces (API).
Open APIs enable exchange of information between the bank and third-party software provider. This helps banks to offer tailored products and services to acquire and retain customers.
For third-party service providers to be fully authorized to use Open Banking APIS, they must be registered under one of or both of the following:
An authorized AISP, is a third-party provider who seeks permission from the bank to connect to a customer's bank account and use that account information to provide a service.
An authorized PISP seeks permission from the bank to connect to AISPs for initiating payments on the customer's behalf, from their bank account.
Payment Services Directive is a regulation that enables bank customers both consumers and businesses to use third-party providers to manage their financial data. PSD (started in 2007) replaced by PSD2 (revised payment service directive) in 2015 is an European Union Directive for a new legal framework for payment services in the European Union (EU) and the European Economic Area (EEA). PSD2 helps to:
Competition and Markets Authority (CMA) is an independent department of the UK government. The aim of CMA is to generate market competition and ensure fair business without any harmful monopolies.
In August 2016, CMA announced the Open Banking initiative and identified nine major UK banks to adopt Open Banking APIs by a deadline of January 13th 2018. These participating banks are referred to as the CMA9. The nine banks and building societies are:
The major functional components of PSD2 are around accounts and transactions information, payments initiation, and confirmation of funds for cards, which are covered by Open Banking UK, the Berlin Group, and Stet. Additionally, Open Banking UK defines APIs around standing orders, direct debits, scheduled and file payments, and statements.
By 14th September 2019 banks will need a PSD2-compliant API framework, as defined by the RTS of the European Banking Authority. Six months prior to it, on 14 March 2019, banks were obliged to disclose the technical specifications and provide support and testing facility.
Open APIs expose a range of data to third-party financial service solution providers. They enable third-party developers to build applications and services around the financial institution.
These APIs are designed to support Open Banking regulations. Through the adoption and deployment of APIs, banks can extend and enhance their native services and offerings. Banks can rapidly advance their digital transformation agenda in the Open Banking world by leveraging third-party applications and service ecosystems that are enabled by APIs.
No, FinTech companies need to register with and be approved by the local national competent authority (NCA) in each country where they wish to operate as a third-party provider (TPP). When a customer wishes to share his/her account details held at a bank with a registered TPP, the bank must check with the local NCA to ensure the TPP is registered and the type of service (Is it account access only, payments initiation only, or both?). It is vital for the bank to check that the TPP has been permitted by the local regulator to offer such services in that country before granting access to their customers‚ data.
All financial institutions and banks that operate within the European Union and offer payment accounts, credit cards, e-money accounts, and have a digital banking offering are in scope of PSD2. In addition, payment accounts available to customers only via digital banking channels are also in scope.
PSD2: The Second Payment Services Directive
NCA: National Competent Authority (the FCA in the UK)
ASPSP: Account Servicing Payment Services Provider (for ex. Bank)
TPP: Third Party Provider
AISP: Account Information Service Provider
PISP: Payment Initiation Service Provider
RTS: Regulatory Technical Standards
Open Banking UK recommends using an OpenID Connect (OIDC) provider certified by the OpenID Foundation to ensure that API security meets the PSD2 standards, known as the Financial-grade API (FAPI) security. Banks can also choose to implement Client Initiated Backchannel Authentication (CIBA). Banks also need to implement strong customer authentication (SCA) for online and mobile banking as mandated by PSD2 for API-based access. During this process, penetration testing must be performed to check and remediate any security vulnerabilities.
Financial institutions must implement SCA (adhering to at least two factors) for customer access to their digital banking offering over their web and mobile channels.
It must include at least two of the following three elements:
From September 14, 2019 banks are required to implement SCA and payments not meeting these criteria will be declined.
In October 2018 the court of Justice of the European Union ruled that a savings account should not be considered as a 'payment account' if it didn't allow the account holder to make payments to third parties or received payments from third parties. However, there are still other types of accounts that need to be defined.
PSD2 requires banks to provide screen scraping on their online banking sites to third-party providers (TPP) as a stopgap solution if they are unable to provide reliable and high-performance APIs. If a bank has a multi-factor authentication enabled in its digital banking offering, it doesn't require any extra efforts. This is true from the period from January 13, 2018 to September 14th, 2019. From September 14th TPPs should use APIs.
PSD2 requires banks and financial institutions to implement electronic fraud monitoring and risk management facilities, especially around payments. Payments initiated by TPPs will have risk data that can be used by the institution's risk monitoring engine to assess risk and process transactions with further checks as appropriate.
Open Banking UK offers tools to ensure certification. These come in two parts:
Security profile OIDC conformance can be achieved by running the Open Banking conformance suite. The results of the tests need to be submitted to the UK Open Banking for certification.
More details are available here.
The UK Open Banking also offers tools for validation of the APIs including the resource APIs; further details can be found here.
PSD2 mandates that while using TPPs to access customer accounts and initiating payments, the customer journey must be as seamless as the transition between internet and mobile banking. This means that the TPP-based authentication must use the current digital banking authentication mechanisms for access and consent management.
In the UK, based on consumer research, the OBIE has defined a clear set of customer journeys for various scenarios. The details can be found here.
The regulatory directive on Open Banking has been to create a technically secure environment for banks to reveal their customers data (upon their consent) to regulated third parties. This will open the door for new players to create innovative products across industries that solve customer needs.
At the same time, incumbent banks face increasing pressure from digitally lean challenger banks that often have much lower operating costs and much shorter innovation cycles. This presents an ideal opportunity for banks to get themselves on the innovation bandwagon and reinforce themselves as leaders of financial services by aligning their digital strategies for improved customer experiences, revenue growth, and operational efficiencies.
General Data Protection Regulation (GDPR) is an EU directive and a regulatory environment which requires institutions to disclose the use of consumer data for commercial purposes with prior consent of consumer and to protect consumer data privacy.
Open banking is the EU directive that requires banks to release data to third parties on prior consent of the customer. According to this directive, customers could make their banking data available to third parties to faster payments.
At heart, both regulations are about customers having more control over their data ‚ about the data being used to support the interests of the customer. GDPR and open banking have set the standards for how the financial data of customers are supposed to be handled.
Yes, regulators in several countries around the world are looking at bringing in new legislation with respect to Open Banking. Currently, Australia is leading the way with a requirement for the big four banks to be compliant by 1st February 2020, and others to follow a year later. Other countries such as Canada, Mexico, Brazil, Japan and the United States have also started assessing their options around this.
Banks and financial institutions are challenged to innovate and transform digitally. Open Banking has become a major source of innovation in the banking industry. It defines how financial data should be created, shared and accessed giving full power to a customer the owner of the data. Banks are encouraged to take advantage of this tremendous opportunity to strengthen their customer relationships. They are expected to make every banking experience intuitive, seamless and digitally engaging to better meet customer needs.
Subscribe to keep up-to-date with recent industry developments including industry insights and innovative solution capabilities
Learn perspectives on some of the top trends and opportunities around customer analytics in banking, an IDC and Virtusa joint video podcast