Open banking regulation
Open banking is a term used to describe a set of technologies and regulations that allow consumers to securely grant third-party service providers access to their banking data. This data can then be used in many ways, for example by apps, websites, and other services.
The revised European Payment Service Directive (PSD2) came into force in 2018 to better respond to a new generation of service providers and technologies. This legislation was developed with four main objectives:
- Contribute to a more integrated and efficient European payments market
- Create equal opportunities for payment service providers (including newly registered ones)
- Increase payment security
- Guarantee consumer protection
As a result, financial data can be accessed more easily by account information service providers (AISPs) and account servicing payment service providers (ASPSPs).
This data becomes available through secure application programming interfaces (APIs) developed by banks, following a strict set of security and privacy standards. Said APIs can then be accessed by authorized AISPs and ASPSPs to securely gather consented information about customers' accounts.
Are open banking and PSD2 the same?
Although these two terms are used interchangeably quite often, they are definitely not one and the same. Open banking is the concept that started a banking industry revolution, which later pushed banks to provide consented free access to customer banking data.
On the other hand, PSD2 is EU legislation that regulates how open banking is applied. It guarantees secure and safe access to customer financial information by third-party service providers.
PSD2 set the rules for payment service providers across the whole European Economic Area (EEA), and it was adopted by all EEA member states, as well as the UK. Globally we can see that many countries are following the example set by the EU and are eager to integrate the concept of open banking either by introducing new regulations or through a market-driven approach.
The EU has also adopted a supplementary PSD2 regulation called the Regulatory Technical Standards (RTS). It reduces the risk of fraud and ensures secure customer authentication as well as secure communication between payment service providers.
While the RTS set some obligations for ASPSP APIs, most institutions have chosen to follow the NextGenPSD2 Framework developed by The Berlin Group. This framework aims to standardise both access to payment service provider APIs and communication between them, in accordance with the RTS.
European open banking regulation
In Europe open banking regulations follow the RTS drafted by the European Banking Authority (EBA) in cooperation with the European Central Bank (ECB).
The RTS specify all the requirements for strong customer authentication (SCA) and requirements for common and secure open standards of communication (CSC) between ASPSPs, payment initiation service providers (PISPs), AISPs, and payment service providers (PSPs).
To ensure good compliance and guarantee security and privacy, all developed APIs must be approved by the designated authorities. This facilitates access for third parties to both transactional data and to payment operations.
Open banking regulation in the United Kingdom
In the United Kingdom, most rules that define open banking were implemented through EU regulation, in many cases relying on EU standards. Meanwhile, with the UK exiting the European Union, some changes are expected to be implemented in its open banking infrastructure.
Since the UK has exited the EU, a new set of Regulatory Technical Standards (the UK-RTS) has come into force in the UK. Although the UK-RTS are currently substantially the same as the RTS in the EU, we might see some improvements in this regulation to further accelerate the adoption of open banking.
The open banking application programming interface (API) follows a set of specifications covering:
- Read/Write API
- Open Data API
- Dynamic Client Registration (DCR)
- Management Information (MI) Reporting
Which authorities regulate the issuance of payment service provider licenses in Europe?
In Europe, every country belonging to the European Economic Area has an authority responsible for regulating and controlling the issuance of payment institution licenses. It's through these authorities that businesses can become active in the open banking industry as account information service providers (AISPs).
According to the information gathered by Nordigen’s AIS open banking tracker, we know which are the 10 most important countries in the open banking industry, or at least the ones attracting the most AIS providers:
- Germany - Federal Financial Supervisory Authority
- Sweden - Swedish Financial Supervisory Authority
- Netherlands - The Netherlands Bank
- France - Prudential Supervisory and Resolution Authority
- Italy - Bank of Italy
- Poland - Polish Financial Supervision Authority
- Finland - Finnish Financial Supervisory Authority
- Belgium - National Bank of Belgium
- Spain - Bank of Spain
- Denmark - Danish Financial Supervisory Authority
You can find the complete list of 30 authorities that regulate the issuance of open banking licenses in Europe here.
Is open banking only available in Europe?
Although open banking is widely recognised and adopted in the UK and Europe, it's not exclusively available in these regions. Other countries, such as Turkey, Saudi Arabia, Japan, India, Hong Kong, and Australia, are also creating their own infrastructure. These countries are cooperating with third-party providers (TPPs) to provide easy access to open banking data shared between banks.
Outside Europe there are two different approaches to open banking: market-driven and regulatory-driven.
With market-driven implementation, TPPs and banks can develop their own application programming interfaces (APIs). Even though in this case governments support and encourage partnerships between banks and TPPs, they don't regulate or interfere with the design or creation of APIs.
On the other hand, where there is a regulatory-driven approach to open banking implementation, the government has a crucial role. All APIs developed need to follow a specific set of regulations, and data sharing is controlled and monitored by the government.