Open banking

Open banking is a financial services term within financial technology. It refers to:
# The use of open APIs that enable third-party developers to build applications and services around the financial institution.
# Greater financial transparency options for account holders, ranging from open data to private data.
# The use of open source technology to achieve the above.

Open banking, as a concept, could be considered a subspecies of the open innovation concept, a term promoted by Henry Chesbrough. It is linked to shifts in attitudes towards the issue of data ownership, illustrated by regulations such as GDPR and concepts such as the open data movement. Banks turn into financial service platforms, technically implemented through a Banking as a Service (BaaS) concept.


History

In October 2015, the European Parliament adopted a revised Payment Services Directive, known as PSD2. The new rules were aimed at promoting the development and use of innovative online and mobile payments through open banking. Support for the concept was not unanimous. Mick McAteer of the UK's Financial Inclusion Centre thought that only the tech-savvy would benefit. He said that open banking is "a daft idea" which will lead to more financial exclusion for those on low incomes. He said it is naïve of regulators to expect consumers to own their data and be able to get better deals from banks, and pointed out the danger of consumers being exploited, either by businesses offering new types of expensive payday loans, or through misuse of data and personal information that people have revealed in places such as social media.


European Union


Regulatory layer

The existence of open banking is conditioned by law. In the European Union, regulation appears to be the main catalyst for its development. The legal act governing open banking is the amended Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services within the internal market, i.e. PSD2. PSD2 amends the earlier act on payment services and related acts (including the delegated regulation supplementing Directive 2015/2366 with regulatory technical standards on strong customer authentication and common and secure open standards of communication). It introduced a number of new services, definitions and obligations for market participants. The most important of these are:
* Payment Initiation Service (PIS) — a service consisting in initiating a payment order at the request of a payment service user with respect to a payment account held with another payment service provider, defined in art. 67 PSD2;
* Account Information Service (AIS) — an online service providing consolidated information on one or more payment accounts held by a payment service user with one or more other payment service providers, defined in art. 66 PSD2;
* Confirmation of the Availability of Funds (COF) — a service confirming that the amount necessary to execute a payment transaction is available on the payer's payment account, defined in art. 65 PSD2;
* Strong customer authentication (SCA) — authentication based on at least two elements from the categories knowledge (something that only the user knows), possession (something that only the user has) and inherence (a customer characteristic, something that the user is), independent in the sense that compromising one of them does not weaken the reliability of the others, and designed in a way that protects the confidentiality of the credentials;
* A new category of service providers, i.e. entities providing the aforementioned services, third parties (TPP — Third Party Provider):
** Payment Initiation Service Provider (PISP),
** Account Information Service Provider (AISP),
** Payment Instrument Issuer Service Provider (PIISP).
* The obligation for Account Servicing Payment Service Providers (ASPSP) to provide a dedicated programming interface (API) enabling third parties (TPP) to provide payment initiation services (PIS), account information services (AIS) and confirmation of the availability of funds (COF).
The above-mentioned third parties are supervised by the financial supervision authorities in all European Union member states.

More than two years after the entry into force of the PSD2 provisions on September 13, 2019, the European Commission announced the start of the review procedure for the Directive. In a call for advice published on 18 October 2021 and addressed to the EBA (European Banking Authority), the European Commission outlined the areas to be analyzed during the review of the directive:
* Scope of the directive and definitions used in the text
* Licensing of payment institutions and supervision of payment service providers under PSD2
* Transparency of conditions and information requirements
* Rights and obligations under the directive
* Strong Customer Authentication (SCA)
* Access to and use of payment account data in connection with payment initiation and account information services
* Access to payment systems and to accounts maintained with a credit institution
* Cross-sector topics
* PSD2 enforcement
Amendments to the directive (adoption by the Commission) are planned for the fourth quarter of 2022.


Business layer

Open banking is part of the global trend towards an economy based on the use of APIs (the API economy) to create new services and products that use data or certain functionality from other suppliers. The same trend can be observed in other areas of the digital economy, including the activities of big tech companies. The development of open banking is also connected with changes in customer expectations towards suppliers, in this case of banking and payment services — clients transfer their experience from other areas, such as social networks or e-commerce, and expect the bank to provide them with an equally attractive product. Customers want to decide what they will use and in which channel. They expect products tailored to their needs. To meet such expectations, banks must establish cooperation with other entities. This opens the way to building new services and products based on the use of financial data. New regulations and standardization of interfaces, combined with clients' expectations, lead to the emergence of new and attractive financial and payment products on the market. Examples of benefits for consumers resulting from open banking include:
* support in financial management,
* access to products previously unavailable — e.g. due to new creditworthiness assessment methods, better matching, etc.,
* new types of banking and payment products,
* combining banking and non-bank services (e.g. insurance),
* promoting e-commerce.
However, one must remember that open banking also brings a series of risks. The threat of attacks by cybercriminals is obvious, as the number of entities holding data that enables fraud and theft increases. But threats also appear in other aspects, primarily privacy — many new business models are based on the "freemium" concept, in which part of the functionality is "paid" for by sharing one's data. There is a risk of aggressive market practices (including, for example, debt collection) or of offering more expensive products based on an analysis of the financial data. Many doubts also arise in the context of automated solutions based on artificial intelligence or machine learning — who is responsible for decisions made by the machine, whether all financial decisions can indeed be automated, etc. Finally, the development of new, often complex services and products can deepen digital and financial exclusion for the part of society that for various reasons cannot benefit from access to the latest technologies.


SEPA API Access scheme

Several concepts are developing in Europe that assume solutions implemented by payment institutions based on PSD2 provisions. The SEPA API Access Scheme initiative was launched by the ERPB (Euro Retail Payments Board), a strategic advisory body at the European Central Bank. The initiative was described in two reports: the first was published on May 31, 2019, and the second on June 4, 2021. Information on the transfer of the initiative to the European Payments Council for further work and implementation of the SEPA API Access scheme is also publicly available. The proposed scheme will define the principles of cooperation between the participating entities, standard methods of implementing selected services based on APIs (open programming interfaces), and the billing and payment system for these services. The starting point for work on the scheme was the PSD2 services provided by European credit institutions, which will remain free of charge for third parties. Other services, referred to as value-added services, premium services or extended services, could be monetized by credit institutions based on the rules adopted in the scheme. These rules and the general assumptions of the scheme would be discussed with the relevant Directorates-General of the European Commission.


The Berlin Group openFinance API Framework

On October 26, 2020, the Berlin Group established a new task force called The Berlin Group openFinance API Framework, which replaced the previous task force responsible for creating the NextGenPSD2 standard. The new task force's work focuses on the standardization of value-added services (so-called premium services) that credit institutions may make available to eligible third parties based on bilateral agreements or potential new payment schemes (see SEPA API Access Scheme).


Technological layer

The most important element of the technological layer of open banking is the application programming interface (API), which in the context of open banking is open, that is, it assumes public access for developers to systems and solutions belonging to companies (here: financial institutions, primarily banks). In the European Union some financial institutions (including banks) have been obligated under applicable law (Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services within the internal market, PSD2) to provide an application programming interface (API) within a strictly defined scope; other institutions have independently decided to make an API available. Because there are several thousand such financial institutions on the European market alone, standardization initiatives began to emerge. Such initiatives aim to prepare a standard specification of the application programming interface made available by the obligated financial institutions, so that its use by authorized third parties is easier and safer. The most important standardization initiatives in the European Union are:
* NextGenPSD2 — a pan-European standardization initiative run by The Berlin Group.
* STET standard — developed by the French clearing house (STET); as part of a convergence project, the standard has been kept as close as possible to The Berlin Group's NextGenPSD2 standard.
* Slovak Banking API — a standardization project run entirely by the Slovak Bank Association in cooperation with the National Bank of Slovakia, made available in the form of documentation.
* PolishAPI — the PolishAPI standard defines an interface for the services provided by third parties based on access to payment accounts, i.e. the services introduced by the amended directive on payment services within the internal market (PSD2). The participants of the PolishAPI standardization initiative are the Polish Banks Association together with associated commercial and cooperative banks, and third party providers.


United Kingdom


Competition intervention

In August 2016, the United Kingdom Competition and Markets Authority (CMA) issued a ruling that required the nine biggest UK banks – HSBC, Barclays, RBS, Santander, Bank of Ireland, Allied Irish Bank, Danske Bank, Lloyds and Nationwide – to allow licensed startups direct access to their data, down to the level of transaction-account transactions. The direction came into force on January 13, 2018, using standards and systems created by Open Banking Limited, a non-profit created especially for the task. However, enforcement rests with the Competition & Markets Authority. Protection for consumers is the responsibility of the Financial Conduct Authority (FCA) (for account information and payment initiation services, under the PSD2 directive) or the Information Commissioner's Office (for data). The CMA direction only applies to the nine largest banks and works alongside the broader PSD2 rules that apply to all payment account providers.


Adoption

As of January 2020, there are 202 FCA-regulated providers who are enrolled in Open Banking. Many of them provide financial apps that help manage finances and also consumer credit firms who use Open Banking to access account information for affordability checks and verification.


Future governance

In March 2021, the CMA consulted on arrangements for the future oversight of Open Banking. This consultation referenced a proposal by UK Finance (a trade association for the banking and finance industry), which had engaged with stakeholders to develop a blueprint for a new organisation (a 'Future Entity') to replace the OBIE in its current form and to serve the needs of the significantly larger number of financial institutions by enabling an open data and payments market.


United States

The Financial Data Exchange (FDX) organization was formed in 2018 as a non-profit consortium that started signing on members from the fintech and banking communities in late 2018. The group consists of the largest financial institutions as well as aggregators and fintechs. The founders sought to create a common technical standard to enable secure, consumer-permissioned sharing of financial data, effectively giving the first signal that the US was going to pursue something like Open Banking. FDX aims to establish a common, shared standard for Open Banking through a market-driven approach, the idea being to engage with the different market players and use a consortium approach similar to Bluetooth. The group maintains five core principles:
# Control: the consumer should have control over how, where, and for how long their financial data is used.
# Access: the consumer should have access to their financial data at all times and across all account types.
# Transparency: third parties should be transparent about how they are using a consumer's financial data.
# Traceability: consumers should be able to trace the routes data takes along the data sharing network.
# Security: the consumer's financial data should always be protected with secure connections and trustworthy parties.
Open Banking in the United States became a hot-button issue with the Biden Executive Order indicating the Administration's desire to pursue a robust 1033 rulemaking. The Dodd-Frank Act mandated that consumers have the right to their own financial data and should be able to access it in ways such as through financial applications, regardless of whether the application sits with the data holder or not. Some Open Banking providers, such as Plaid, settled for 58M in a consumer-driven privacy-related class action lawsuit in 2021. By contrast, another leader in US Open Banking, Finicity, maintains higher than necessary compliance standards by voluntarily registering as a consumer reporting agency and maintaining high standards of consent and privacy-related practices.


Latin America

The specific context of Latin America as it relates to Open Banking forces one to consider the importance of the informal economy, the prevalence of fraud in online payments, and the concentration of the banking industry, as well as the early implementation of technologies such as mandatory and centralized electronic invoicing. The importance of electronic invoicing in Latin America also provides an alternative source of information to open banking that does not yet exist in other countries. Mandatory and centralized electronic invoicing was implemented early on in countries such as Mexico, Chile, Colombia and, to a lesser extent, Brazil, offering the possibility to retrieve open accounting data in a similar way to open banking. In this context the use cases are: better knowledge of users and potential customers, automation of KYC (Know Your Customer) processes, creation of new products and services, especially for the unbanked, and fraud reduction. The key Latin American countries by size are also the countries at the forefront of the adoption of open banking:

Mexico

Mexico is a leader in Fintech regulation and innovation in Latin America. Whether for centralized mandatory open banking or for the adoption of a coherent Fintech law, Mexico was the first country to implement legislation that serves as inspiration for other countries. The most relevant legislation regarding open banking was the Fintech Law of 2018. On March 9, 2018, the Law was published in the Federal Official Gazette (''Diario Oficial de la Federación'' or "DOF", by its Spanish acronym). Article 76 states that standardized computer application programming interfaces (APIs) must be established that enable connectivity and access to other interfaces developed or managed by the same subjects referred to in that article and by third parties specialized in information technology, in order to share the following data and information: open financial data, aggregated data and transactional data. As a consequence, more than 2,300 institutions were technically required to share information. In this regard, Article 76 provides that the information that may be shared by financial institutions, money transmitters, SICs, clearing houses and financial technology institutions is:
* Open data, being those of products and services offered to the general public;
* Aggregated data, being those related to any type of statistical information on operations carried out by or through the mentioned institutions; and
* Transactional data, being those related to the use of a product or service, including deposit accounts, credits and means of disposal contracted in the name of the customers of financial institutions.
In addition, on March 10, 2020, the Mexican Central Bank (''Banco de México'', "Banxico") published in the DOF Circular 2/2020 as secondary provisions of the law, specifically dealing with open banking. In it, different financial market entities were required to share information through computer application programming interfaces. The March 2020 secondary provisions issued in the DOF only apply to Credit Information Companies (''Sociedades de Información Crediticia'', "SIC" by its Spanish acronym) and clearing houses. In June 2020, rules for exchanging open data followed, applicable to all financial institutions (banks, fintechs and companies authorized by the Comisión Nacional Bancaria y de Valores, CNBV, the Mexican equivalent of the SEC); with them, financial institutions such as banks, popular finance companies and savings and loans cooperatives, among others, were also brought under the law. In accordance with the above, Circular 2/2020 states that both SICs and clearing houses must obtain authorization from Banxico for the use of their APIs by other institutions. In turn, SICs and clearing houses must enter into agreements with other entities authorized by Banxico for the exchange of information. Additionally, the fees to be charged between institutions that exchange information are also defined. Finally, Circular 2/2020 states that in case of non-compliance with its provisions, SICs and clearing houses may face fines levied by Banxico. Regulation of aggregated data and transactional data is expected to be legally defined in 2021. Industry experts agree that its enactment will generate value, causing high demand for data requests. Such is the size of the market that Gartner, the consultancy, claims that the open banking opportunity in Mexico tops one billion dollars. In that context, a Finerio Connect survey indicates that 68% of Mexican executives say open banking will be a significant game changer in the Mexican financial industry and 83% of respondents agree that "open banking allows the improvement of the services offered to customers". In addition, 68% consider that "open banking will offer growth opportunities to financial companies" and 65% state that "it will be generating positive competition between companies". Regulatory advances now allow Mexico to be the first Fintech ecosystem by number of startups, according to the Finnovista Fintech radar, with 441 companies, followed by Brazil (370), Colombia (200) and Chile (67).

Brazil

The most recent move of the Central Bank of Brazil was the deployment of its open banking model, which mandates banks and financial institutions (including fintechs) to make available information on traditional financial services and products. Brazil's implementation is mandatory for institutions of large size, significant international activity and high risk profile, and optional for all other institutions. This first phase of implementation came almost two years after the first open banking framework was published in April 2019, which disclosed the fundamental requirements for implementing the law. From 2021 onwards, the Central Bank of Brazil will continue to release details on the following phases of implementation:
* Phase 2 — Customer Information (July 2021): at this stage consumers will have the option to share their data (registration, account transactions, card information and credit transactions) with the institutions of their choice, at the time of their choice. This is expected to allow the development of more personalized products and services.
* Phase 3 — Transactional Information and Payment Initiation (August 2021): at this stage, consumers will have access to services such as innovative payment options and credit offers through the channels shared by financial institutions, allowing consumers to shop around in a large selection of products and services.
* Phase 4 — Extra information (December 2021): the following phases will include additional products such as insurance, pension plans and investments, among others.

Chile

In late 2020, the Chilean government announced that it was working on a proposal to regulate the activity of financial technology companies and to incorporate an open banking standard for the market. As a result, last September the government enacted the Financial Portability Act, a set of regulations aimed at facilitating switching between banks and financial providers. As of early 2021, banks have begun to invest in opening their legacy systems to other verticals that support partner connection, a change driven, in part, by opening laws such as those in Mexico.

Colombia

Colombia has also announced its interest in developing an open banking standard, but is betting on a voluntary model; that is, letting financial institutions open up at their own pace. The Financial Regulations Unit (URF) is expected to foster a public-private discussion that will set the stage for open banking best practices, leaving the stakeholders in the ecosystem free to define the regulatory framework. The regulator asked the stakeholders to come to an agreement on two preliminary stages:
* Stage 1 — First semester 2021: conducting exploration to define the model to be implemented, as well as discussing the roadmap for its implementation.
* Stage 2 — Second semester 2021: issuing regulation and promoting "possible use" of ''sandbox testing''.


Adoption in the rest of the world

A number of other countries have launched open banking initiatives based on the European and UK models, either through industry collaboration or through legislative changes. An open banking project was launched in Australia on 1 July 2019 as part of the Consumer Data Right project by the Treasury and the Australian Competition & Consumer Commission. The CDR legislation was passed by the Australian parliament in August 2019. On 1 June 2017, a group of bankers and financial technology experts in Nigeria came together for the Open Banking Nigeria initiative to drive the adoption of common API standards for the country.


Security risks

Open banking required banks to open their application programming interfaces (APIs) to third-party FinTech companies, which comes with security risks. Customers using open banking apps enter an entirely new trust relationship. Hackers can target third-party apps, and excessive access privileges could be granted to employees. Malicious actors gain new opportunities to trick banking customers as well as third-party companies with phishing scams. API security differs from traditional web application security in a number of ways, and as a result OWASP released a new Top Ten list targeting API security beginning in 2019, to augment the original OWASP Top Ten that began publication in 2003. A critical difference between traditional web security attacks and attacks against APIs is that API attacks are logic-based rather than rule-based. As a result, many companies and governments may have a false sense of security based on security products that were not designed to address logic-based attacks. To combat this, innovations such as the FAPI (financial-grade API) security profile have been developed. FAPI layers additional measures on top of OAuth 2.0 and OpenID Connect, mandating the use of mutual TLS to ensure that only accredited participants can produce and consume the APIs.
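The mutual-TLS binding that FAPI layers on OAuth 2.0, shown as an added example (not code from this page, from any bank or TPP, or from the FAPI specification): the bank's API gateway accepts an access token only when the TPP certificate presented on the TLS connection matches the thumbprint the authorization server bound into the token (the `cnf` / `x5t#S256` claim of RFC 8705), so a token copied off one client cannot be replayed from another. The certificates, the issuer key and the HS256 signing are constructed stand-ins; real deployments take the peer certificate from the mTLS session and use asymmetric JWT signatures.

```python
"""Certificate-bound access token check in the style of FAPI (RFC 8705 mTLS).

The authorization server puts the TPP certificate's SHA-256 thumbprint in the
token's `cnf` claim (`x5t#S256`); the bank's API gateway then refuses the token
unless the same certificate was presented on the mutual-TLS connection.
Constructed example, not code from any real bank, TPP or the FAPI spec itself.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for DER-encoded X.509 certificates; in production the
# bytes come from the TLS layer (peer certificate of the mTLS session).
TPP_CERT_DER = b"constructed DER bytes: accredited TPP certificate"
OTHER_CERT_DER = b"constructed DER bytes: some other certificate"
# Stand-in signing key: FAPI requires asymmetric JWT signatures (e.g. PS256);
# HS256 is used here only so the example runs with the standard library.
ISSUER_KEY = b"constructed-authorization-server-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 value: base64url(SHA-256(DER certificate)) per RFC 8705."""
    return b64url(hashlib.sha256(cert_der).digest())


def mint_token(claims: dict, key: bytes) -> str:
    """Authorization-server side: issue a compact JWT (HS256 stand-in)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, key: bytes) -> dict:
    """Check the signature and return the claims; raise on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def authorize_api_call(token, presented_cert_der, key, required_scope, now=None):
    """Resource-server (bank API gateway) side. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        claims = verify_token(token, key)
    except ValueError as exc:
        return False, f"token rejected: {exc}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # A token without a binding is a plain bearer token: whoever holds a copy
    # can replay it from any host, so a FAPI resource server must refuse it.
    bound_thumbprint = (claims.get("cnf") or {}).get("x5t#S256")
    if not bound_thumbprint:
        return False, "token is not sender-constrained"
    if presented_cert_der is None:
        return False, "no client certificate on the TLS connection"
    if not hmac.compare_digest(bound_thumbprint, cert_thumbprint(presented_cert_der)):
        return False, "token bound to a different certificate"
    if required_scope not in claims.get("scope", "").split():
        return False, f"missing scope {required_scope!r}"
    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """The cases a gateway must get right; returns each case's outcome."""
    bound = mint_token({"sub": "psu-42", "scope": "accounts payments", "exp": now + 300,
                        "cnf": {"x5t#S256": cert_thumbprint(TPP_CERT_DER)}}, ISSUER_KEY)
    bearer = mint_token({"sub": "psu-42", "scope": "accounts", "exp": now + 300}, ISSUER_KEY)
    return {
        "legitimate": authorize_api_call(bound, TPP_CERT_DER, ISSUER_KEY, "accounts", now),
        "copied_token_other_cert": authorize_api_call(bound, OTHER_CERT_DER, ISSUER_KEY, "accounts", now),
        "no_client_cert": authorize_api_call(bound, None, ISSUER_KEY, "accounts", now),
        "unbound_bearer_token": authorize_api_call(bearer, TPP_CERT_DER, ISSUER_KEY, "accounts", now),
        "wrong_scope": authorize_api_call(bound, TPP_CERT_DER, ISSUER_KEY, "fundsconfirmations", now),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:24s} allowed={allowed!s:5s} {reason}")
```

Only the first case is allowed; the other four are the checks a gateway that treated the token as an ordinary bearer token would miss.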


See also

* Account aggregation
* Open Banking Nigeria

