Open Banking FAQ - Frequently Asked Questions - Nordigen

Article by: Abílio Rodrigues | 5 min

Unlike what you might be expecting, open banking is not a 24/7 bank that gives away free money! The concept of open banking allows regulated third parties to use APIs to build tools that gather and refine financial data provided by traditional banking. By doing so, it opens up a new world of possibilities when it comes to financial services and products, making them more accessible, personalised and safe than ever.

This allows us to manage our accounts from one place and to access tools that can help with our budgets or with controlling our spending. While providing flexibility and a more secure experience, financial institutions now have better instruments to earn their customers’ trust, and there is no greater asset than that.

No. Open banking is a concept designed around the idea of making bank account data securely available to third-party providers through Application Programming Interfaces (APIs). This concept is the catalyst to many positive changes in the banking industry, guaranteeing better products and services to customers.

PSD2 is the revised Payment Services Directive, a piece of European Union legislation that regulates how open banking is implemented. PSD2 makes sure that access to customer financial data by TPPs happens in the safest way possible.

Furthermore, open banking is expanding worldwide, while PSD2 is only applicable in the EU and EEA.

No, open banking requires your explicit consent to share data with a regulated third-party provider (TPP). By giving your consent, you are allowing banks to share your account and transaction details with a TPP through an Application Programming Interface (API).

Upon signing up, services or applications using open banking will show you the information they need to access in order to provide their services, but they will only see it if you allow it. You therefore have to carefully read notifications, emails and pop-ups before you press any button.

Yes. You can withdraw your consent by either:

  • Contacting the regulated third-party provider and withdrawing consent directly with them;
  • Contacting your bank or financial institution to inform them that you no longer wish to allow access to your information by a regulated TPP.

Yes, if you revoke access to your data by a specific third-party provider (TPP) you can revert that decision anytime.

Yes. To use open banking you need online or mobile banking for your payment account.
This includes personal and business current accounts, credit cards and online e-money accounts.

An open banking Application Programming Interface (API) is responsible for the safe transfer of data from a bank account to an authorised and regulated third-party provider (TPP). These TPPs can then, with the permission of the data holder, access specific information from their bank.

APIs must meet PSD2 security standards, enforcing measures like Strong Customer Authentication (SCA) in order to mitigate the risk of security vulnerabilities.

Access to open banking APIs developed by banks is free. However, TPPs choose to charge for their products and services, even though they have free access to financial data.

Currently, Nordigen is the only AISP (Account Information Service Provider) that provides free access to its open banking API.

Open banking has security at its core. APIs allow for highly secure data transfers, and you’ll always have to authorise access to your financial data.

This means that only you have access to your security credentials and that you are always in control of what’s being shared with whom and for how long.

Online payment fraud is greatly reduced by the implementation of zero-trust cybersecurity protocols like Strong Customer Authentication (SCA). In order to comply with SCA requirements, payment providers have to confirm the user's identity through at least two independent pieces of information:

  • Something they own (e.g., smartphone)
  • Something they know (e.g., PIN code)
  • Something they are (e.g., fingerprint)

At least two of the previous conditions must be fulfilled in order for a transaction to be confirmed and accepted.

SCA is mandatory, but there are some possible exemptions. Have a look at our dedicated Strong Customer Authentication page for more detailed information.

As a standard, every TPP’s privacy policy page states a direct point of contact to solve any issues. In the first instance, you should discuss any concerns you have directly with the third-party provider.

If needed, they also provide the contact of the responsible regulator, which varies according to the country where the TPP is registered.

In Europe, everyone has the right to access their bank accounts and financial data through licensed and regulated third-party providers under the Revised Payment Services Directive (PSD2).

Payment service providers (PSPs) are obliged, under this EU legislation, to allow customers to securely share their data with third parties. Each Member State of the European Union (EU) and European Economic Area (EEA) has to designate a national competent authority to oversee PSD2 implementation and allow PSPs to use open banking.

The overarching regulator for PSD2 in the EU and EEA is the European Banking Authority (EBA). In the UK, PSD2 regulation is enforced by the Financial Conduct Authority (FCA).

Third Party Providers (TPPs) is a term used to refer to regulated businesses that provide financial products or services using open banking APIs. They are also referred to as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). 

These TPPs are responsible for the innovative financial solutions that make the best use of the customer data that was previously exclusive property of traditional banking.

AISP is short for Account Information Service Provider. AISPs can use account information from people and businesses to provide a financial service. AISPs have to specifically request authorisation from data holders in order to use their information, and their access is read-only, which means that the third-party provider cannot make any transactions on behalf of its customer.

PISP means Payment Initiation Service Provider, and refers to a business that has permission to ask for consent from a consumer in order to connect to their bank account and initiate payments or transfers on their behalf.

