Open banking is a concept that allows users to give consented access to their bank account data to third-party providers through APIs (application programming interfaces). These third-party providers can then make use of this data to provide additional services and make it available to developers.
Third-party providers in the open banking industry usually operate as account information service providers (AISPs) and payment initiation service providers (PISPs).
Although the concept of open banking is already expanding worldwide, Europe is still one of the biggest hubs for its growth and development.
By providing easy, practical and secure access to customers’ financial data, open banking is being used in a wide variety of scenarios, such as lending, credits, personal finance management systems and “buy now, pay later” implementations.
Considering the type of sensitive data open banking deals with, and the fact that it is being implemented in a wide variety of countries with different laws and regulations, it was crucial to develop a set of standards to guarantee that it functions properly.
By drafting and implementing a defined set of standards on how open banking works and how it is implemented in every European country, it became possible to control all the processes and guarantee that they work correctly, no matter which countries are involved in the transactions.
To complement the PSD2 regulations in Europe, the European Commission decided to endorse a set of regulatory technical standards (RTS). These standards have the main goal of outlining the minimum conditions that need to be met for a business to be compliant with PSD2 regulations.
The revised payment services directive, also known as PSD2, was implemented in 2018 with the aim of increasing consumer rights, improving security and permitting third parties to access customers’ bank account information.
It was developed to increase cooperation and collaboration between financial institutions and fintechs, allowing them to initiate payments without the intervention of traditional card brand networks.
Regulatory Technical Standards are a set of technical compliance standards drafted by the European Banking Authority and endorsed by the European Commission. Once endorsed, these standards need to be met by all parties in order for them to be compliant with current regulations.
When applied directly to PSD2, these technical standards define specific security measures that companies need to follow to ensure effective and secure communication.
More specifically, these measures refer to the application of strong customer authentication (SCA) to every payment processed.
Strong customer authentication, also known as SCA, is a regulatory requirement in Europe to fight fraud and make online payments secure. SCA was integrated into the PSD2 directive to raise its security level.
Usually, SCA takes the form of two-factor authentication (2FA), requiring users to provide two independent pieces of information to verify their identity.
To comply with SCA, payment providers need to obtain these pieces of information before processing the payment. They can be organised into three different categories:
There are some situations where payment providers might request an exemption for certain payments. To know more about these exemptions, please consult our page, where we do a deep dive into strong customer authentication.
In the United Kingdom, the Open Banking organisation developed a very detailed and specific set of standards. The Standard, as the organisation refers to it, was conceived with the main goal of helping all European account providers meet all PSD2 and RTS requirements.
These guidelines are not restricted to API specifications, but also cover customer experience and the operational side of open banking. In summary, The Standard covers all online payment accounts and integrates 5 core components:
Open banking APIs need to follow a pre-determined set of specifications, called API Specifications. They are organised into 5 categories:
These specifications outline a group of RESTful APIs that allow third-party providers to gain access to customers’ bank data and initiate payments on their behalf. All these connections are made securely, efficiently, and always with the customer’s specific consent.
Open Data API specifications are presented as guidelines for API providers, such as banks and ATM providers, to develop API endpoints that are accessible to third-party providers. This access allows them to develop end-user mobile and web applications.
As the name suggests, these specifications clarify and explain how the Open Banking Directory works. They also state the roles and responsibilities of each participant in the Directory.
These guidelines were created to define which APIs third-party providers should use to submit software statement assertions to account servicing payment service providers (ASPSPs). This is done every time they need to create OAuth clients.
These are simple guidelines on how ASPSPs should submit MI reporting to Open Banking. These reports include specific information about the Data Dictionary.