PSD2 Open banking
What is open banking?
Open banking is a concept that allows customers to make their bank account data available to third-party providers through application programming interfaces (APIs). This access is secure and private, being only possible after detailed consent from the customer.
With easier access to this data, fintech companies can maximise the services available to their customers and tailor offers to fit their needs.
Europe is one of the biggest hubs for the growth and development of open banking, but the concept is expanding worldwide and gaining traction at a fast pace.
Currently, two of the main use-cases of open banking are services that aggregate banking data from different banks into a single platform, and firms involved in the lending/credit industry.
What is PSD2?
PSD2 is the revised payment services directive proposed by the European Commission in 2007 and enforced between January 2018 and September 2019. The need for a revised directive emerged from the many technological advances that resulted in a great variety of new services.
The new directive was drafted with the main goals of improving customer protection, boosting competition and innovation, and increasing security in the payments market.
Although it was supposed to enter into force by September 2019, due to a possible negative impact on ecommerce the European Banking Authority (EBA) established a transition period for financial institutions to become PSD2-compliant. This transition period ended on December 31, 2020.
PSD2 and open banking
PSD2 and open banking are directly correlated, since the regulations introduced with the directive strongly influenced how open banking works by working toward eradicating the use of screen-scraping. With this method, a third-party provider accesses financial data using the customer's login details, which presents unnecessary risks.
PSD2 was conceived to respond to new customer needs and new technologies, such as the possibility of accessing banking information remotely and outside the bank network. This is possible through bank APIs developed following the regulations implemented with PSD2.
With PSD2, important steps towards true open banking were made, since customers can now access and share their financial data in a practical, safe and secure manner.
Are PSD2 and open banking the same thing?
The easy answer to this question is a big no. Open banking is a concept that initiated a wave of significant changes in the banking industry, leading banks to provide free access to customer banking data, as long as consent was guaranteed.
PSD2 is European Union (EU) legislation that regulates how open banking is implemented. This set of regulations and standards makes sure that third-party providers offer secure and safe access to customer financial information.
Open banking is available worldwide, but PSD2 is an EU “exclusive”
Another good example of how these two are definitely not the same is the fact that open banking is expanding worldwide, while PSD2 is still an EU legislation that is not applicable outside Europe.
Other countries, such as Turkey, Saudi Arabia, Japan, India, Hong Kong and Australia, are also creating their open banking infrastructure. In the American continent, the growth of open banking has also been impressive, especially in countries like the United States, Canada and Brazil.
Outside Europe, where PSD2 legislation regulates how open banking works, there are usually two different approaches to this concept: market-driven and regulatory-driven.
- Market-driven implementation: third-party providers and banks develop their application programming interfaces (APIs). The government supports and encourages these partnerships, but does not regulate or interfere with the development of APIs.
- Regulatory-driven implementation: the government has a crucial role to play, establishing a specific set of regulations for API development, while data sharing is controlled and monitored by governmental entities.
PSD2 open banking API
Open banking APIs allow customer banking data to be accessible to third-party providers. Account information service providers (AISPs) and account servicing payment service providers (ASPSPs) take advantage of this data to offer a wider range of services to customers.
PSD2 regulations were responsible for forcing banks to develop their APIs to facilitate access to banking data, guaranteeing its security and privacy. Even though the name “open banking” might suggest that anyone can access this information, that is not true. Only licensed third-party providers can connect to bank APIs.
What is an application programming interface (API)?
An API is a set of definitions and protocols for building and integrating application software. With them, developers can make their applications’ data and features available to other developers. Besides being made available to external developers, APIs can also be very useful internally, facilitating the organisation and interaction between different sections of a piece of software.
How are APIs used in open banking?
APIs are extremely versatile, allowing developers to be only limited by their creativity. In regard to open banking, the use of APIs has revealed dozens of possibilities that until now were simply impossible to achieve.
With a growing number of use-cases for PSD2 open banking APIs, we have already explored over a dozen cases (you can find detailed information here):
- Personal finance
- Consumer lending
- Buy now, pay later
- Mortgage lending
- Real estate
- Credit bureaus
- Debt collection
- Business lending
- Investment platforms
What do open banking APIs offer a bank?
By allowing third-party providers to access customers’ financial data, banking institutions can benefit from faster innovation, increased revenue, detailed customer insights and personalised offers.
It’s easy to explain how this is possible. By outsourcing the development of new technologies to fintechs, banks don’t need to create an in-house developer team or dedicate extra resources to creating new offers.
Thanks to fintechs, financial institutions can essentially improve their customer service considerably with virtually no costs.
How do customers benefit from the use of open banking APIs?
The development and exploration of open banking APIs bring great benefits to customers, since they allow account information service providers (AISPs) and account servicing payment service providers (ASPSPs) to evolve their service offerings in a more efficient and secure manner.
Since the use of APIs became the standard procedure for accessing financial data, customers can be assured that no information will be viewed without consent.
The use of APIs helps third-party providers to offer an increasing variety of services to help customers access and manage their finances.
PSD2 open banking requirements
One of the goals of applying PSD2 regulation to open banking was to improve the level of security and reliability of the payments market. With that in mind, one of the essential requirements was the implementation of strong customer authentication (SCA) in all European e-commerce transactions.
SCA’s main challenge is to reduce payment fraud without disregarding customer experience. To ensure that customer experience is maintained at a high level, the introduction of complicated steps into the payment process was avoided.
Strong customer authentication when applied to open banking
The application of SCA to open banking is pretty clear and practical, relying on two-factor authentication (2FA) to ensure that the payment is made in the most secure way possible.
With this solution, customers need to provide two independent pieces of information to confirm their identity. These pieces of information can be organised in three categories:
- Something they own (e.g., smartphone)
- Something they know (e.g., PIN code)
- Something they are (e.g., fingerprint)
Strong customer authentication is required by PSD2 in the majority of online payments in Europe, but there are a few scenarios where third-party providers can apply exemptions. You can find a more detailed description of the most common PSD2 SCA exemptions in our article dedicated to SCA, but here is the list:
- Low-risk transactions
- Payments below €30
- Fixed-amount subscriptions
- Merchant-initiated transactions
- Trusted beneficiaries
- Phone sales
- Corporate payments
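The two-factor rule and the exemption list above can be expressed as a single decision function. The sketch below is an added example, not code from this article or from any PSD2 implementation; it assumes the two pieces of information must come from different categories, and the factor names, flag names and `sca_decision` function are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed factor names mapped to the three categories listed above.
FACTOR_CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "registered_phone": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face_scan": "inherence",
}
# Hypothetical flag names, one per non-monetary exemption in the list above.
FLAG_EXEMPTIONS = {"low_risk", "fixed_subscription", "merchant_initiated",
                   "trusted_beneficiary", "phone_sale", "corporate"}
LOW_VALUE_LIMIT_CENTS = 3000  # "Payments below €30", in cents to avoid float rounding


@dataclass
class Payment:
    amount_cents: int
    exemption_flags: set = field(default_factory=set)
    factors: list = field(default_factory=list)


def satisfied_categories(factors):
    """Distinct categories covered; unrecognised factors count for nothing."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def sca_decision(payment):
    """Return 'exempt:<reason>', 'authenticated' or 'step_up_required'."""
    if payment.amount_cents < LOW_VALUE_LIMIT_CENTS:
        return "exempt:low_value"
    claimed = payment.exemption_flags & FLAG_EXEMPTIONS  # drop unknown flags
    if claimed:
        return "exempt:" + sorted(claimed)[0]
    # Two factors of the same category (PIN + password) are not two-factor.
    if len(satisfied_categories(payment.factors)) >= 2:
        return "authenticated"
    return "step_up_required"


if __name__ == "__main__":
    # Constructed sample payments
    for p in (Payment(2999), Payment(12000, factors=["pin", "password"]),
              Payment(12000, factors=["pin", "fingerprint"]),
              Payment(12000, {"trusted_beneficiary"})):
        print(p.amount_cents, sca_decision(p))
```

The case worth noting is PIN plus password: two pieces of information, but both are something the customer knows, so the function asks for a step-up instead of treating the payment as authenticated.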