Open banking data - Nordigen

Open banking data: what is it and what is it good for?

| Article by: Abílio RodriguesProfile Image Abílio Rodrigues 7 min

The concept of open banking revolves around the idea of having open access to financial data, with authorisation from the customer. Without this free-flowing interlinked data stream, it wouldn’t be possible to offer better products and services, tailored to the specific needs of every client.

However, there are still a lot of questions about what types of data are shared with third-party providers, and how can that relationship based on trust bring benefits to all parties involved.

Below, we will discuss topics like what is open banking data, who can use it, what data is shared in these kinds of interactions and the importance of consent in this whole process.


Open banking: how do you manage consent?

All the innovations brought about by open banking couldn’t be possible if clients didn’t allow third-party providers (TPPs) to access their financial data. To initiate and deliver quality products and services, TPPs need to get consent from customers to secure, filter and process relevant information.

Consent management is a delicate matter, and one that shouldn’t be taken lightly by any of the parties involved. It requires diligence and a lot of legal and technical know-how, as well as a stable technological architecture.

Contrary to what you might think, managing consent is not as simple as pressing “agree” or ticking a box. It has to be done in accordance with rules and regulations like PSD2 and GDPR, as both the TPP and the bank need to know that the client has authorised access.

You can see below how the banking consent model usually works:

  • TPP asks the client for consent;
  • Client agrees and authenticates the agreement (digital authentication models);
  • Confirmation is seen by both ends and the data from the AISP is transferred to the TPP or from the PISP to the bank;

The thing is, this is just how things work most of the time. There can be a lot more variants to open banking consent that can work in different ways.

As an example, consider that instead of requesting confirmation or authentication for every single transaction, the open banking system could ask for consent renewal every 12 months. During this period after the confirmation, there would be no need for further client authentication.

A general understanding of how data and information flows during the consent requesting process is vital to the success and transparency of operations.

This open banking consent flow stems from the setup itself. It all starts by clearly indicating that, by agreeing, a client will transfer some of their financial data to third-party providers. This allows them to initiate payments or collect certain data on their behalf.

Of course, every region has different regulations about how authentication should be implemented, but usually it relies on two-step verification or other universally approved ID methods like:

  • Mobile identification service
  • Logging in to a bank account
  • Digital signature

How open banking consent works

In an effort to make this somewhat complex procedure more easily understandable, consent management can be divided into three different phases:

1. Consent Phase:

  • the interface relays to the user what information is requested, clearly exposing its purpose and always allowing for explicit opt-out;
  • if the user provides consent, they should be informed of the time-bound nature of the permission, assuring they remain in control of their data;

2. Authentication Phase:

  • bank takes over the process and engages the user in authentication methods to ensure data security;
  • user identity is verified, reassuring them that the third-party provider (TPP) cannot see their credentials. This stage of the process should be distinct from the TPPs user flow;
  • banks should use the same login/credentials process as their online banking to create familiarity and trust;

3. Authorisation Phase:

  • bank relays to the user what information is about to be shared with the TPP;
  • bank asks user if they authorise the sharing of account information, always allowing for request denial;
  • response from the user is sent to the bank’s backend, and data must be recorded accordingly;

When asking users for consent, financial institutions should refrain from using blanket terms and conditions, always minding the length of privacy policies.

Consumers must always be aware of who they are providing access to their data, for how long and for what purpose. Let’s also not forget that users have the right to revoke this consent.

When it comes to open banking, this is how these parameters can be interpreted:

  • Who they are providing access to their data: TPPs identity;
  • For how long: number of days;
  • For what purpose: account details/payments;
  • Expiration process: when will it expire and how can the user revoke consent;


Open banking data sharing: how does it work?

Open banking data is usually used as a synonym to the general term “open banking”. This practice allows third-party providers of financial services to access account and other relevant financial information from consumers, with their express permission.

This is done via designated tools commonly known as APIs or Application Programming Interfaces. The sharing of this data is monitored and supervised according to existing government regulations, like PSD2 in the European Union or the Open Banking Act in the UK.

However, since these regulations change from region to region, different types of data are being shared as a result of open banking services.

There are usually different layers of security and verification in place during the exchange of data between financial institutions and TPPs. This is done to ensure the transparency and faultlessness of the process.

The passing of data from one end to the other is done almost instantaneously - thanks to the state-of-the-art technology of APIs - ensuring fluidity, efficiency and security.


Open banking data sharing

Who can access open banking data?

In short, not everyone can easily access this type of information. To be able to collect such data, with consent from the user, one has to be an accredited data recipient.

To get accreditation, these organizations have to match certain requirements before they are even considered as a candidate or are given permission to access customers' personal information.

Approval of accredited data recipients is done by corresponding authorities in the respective countries or regions. For example, the ACCC (Australian Competition and Consumer Commission) is in charge of open banking data sharing accreditation in Australia.

The responsible entities in each region can give, modify or revoke accreditation for data gathering, also being accountable for ensuring the private sharing of relevant data without any violations to the law.

Of course, regulations are in order to disclose what kinds of data can be collected by third-party providers and also the security measures that they have to implement to guarantee the quality of their services.

What data is being collected by open banking?

The concrete data that is being gathered by open banking third-party providers can vary, according to your local/regional regulations and services provided.

There are usually strict limitations on what type of information is being collected, imposed by regulators. This aims to limit the freedom of data collection, ensuring that TPPs access solely what is strictly needed to provide a designated financial service.

With this in mind, the most common data points include:

  • Account holder data (name, surname, etc);
  • Personal code or company code;
  • Residential or location address;
  • Merchant category codes or activity codes;
  • Financial liability (active) information;
  • Account information regarding deposits and/or securities;
  • Transaction codes;

Sometimes there might be space for the gathering of other information in possession of the financial institution (employment status, place of employment, etc), but these always depend on active regulations.


Open banking data secure

Open banking: how is your data protected?

As with all open transactions, security and threats are always at the top of concerns and conversations. To keep open banking data safe, developers and regulators have to work together.

Open banking is already shifting the financial paradigm worldwide, and we shouldn’t look at it as a niche concept designed to benefit only some. Instead, we should interpret it as a valuable tool to change the way we all look at finance.

In the UK, for example, 75% of all  SMEs are looking to adopt open banking by the end of 2022. It is only natural, with this in mind, to have concerns about how defence mechanisms are being developed and implemented.

The industry has strived to prevent ill-intentioned people and cyber-criminals from taking advantage of the open nature of this project. There are 3 major concerns for both customers and developers:

  • Malicious software
  • Data breaches
  • Hacking

Although financial institutions, third-party providers and regulators are aware of menaces and try to keep up with modern day’s threats, there are some challenges that they need to address.

The most obvious one is the standardization and regulation of open banking data and data exchange, with a more severe impact on developers than on users.

Developers have to closely follow rules and guidelines. Open banking APIs are audited by independent regulators if they want to keep their licences and continue providing financial products and services.

A lot of this work was done by implementing PSD2 and GDPR legislation in the EU, now considered the gold-standard for all financial transaction related security.

Enabling open banking consumer data right can also help overcome many challenges. This way, the client is put in charge of when and how they wish to hand over their information. The TPPs must disclose what they are gathering and what for, ensuring full transparency and open banking data privacy.

Recommended articles