Open Banking: Open for Business

Context have worked with a number of organisations to help them integrate securely with the Open Banking ecosystem, both banks (ASPSPs) and third party providers (TPPs). This post is the first in a series of articles where we will share some of the knowledge accumulated in the process. Future posts in this series will cover challenges with Open Banking, the permission model in use, and tooling available for testing.

By Margus Lind

Lead Security Consultant

27 March 2020

Before we begin, let’s define a few acronyms:

  • ASPSP: Account Servicing Payment Service Provider (let’s call it a bank)
  • TPP: Third Party Provider (e.g. a FinTech startup)
  • PSD2: Revised Payment Services Directive (new rules created by the European Union to foster integrated, safer and open banking)

A full glossary is available here.

An Introduction to Open Banking

Open Banking is the UK implementation of PSD2. On top of the PSD2 regulations, Open Banking provides a detailed specification for banks and third parties to follow when communicating with one another. This allows companies (TPPs) to build their applications and integrate with online services exposed by any bank (ASPSP) in a standardised way. A common interface for all banks, if you will.

The below diagram illustrates how the components and roles fit together in a simplified fashion:

Figure 1 - Artistic rendition of Open Banking

 

For example, Open Banking enables the end user to view their current account balances held with different banks and allows applications to display the information together in one coherent dashboard. This gives the user an overview of all their finances in one place. At the same time, there are grave risks associated with trusting third parties with excessive access to banking information or, even worse, the full online banking portal. Using the Open Banking APIs, the user is able to manage granular access permissions to each of their accounts directly through the bank for the account in question. This access, enabled through Open Banking, is how banks' mobile applications can show account details from other banks. As implied by this model, a bank can perform as both an ASPSP and a TPP simultaneously, albeit as different entities. Alternatively, they might rely on a third party to provide the platform for accessing account data from other banks.

Open Banking is revolutionary in allowing third party providers to access data and interact with customer bank accounts. At the same time, Open Banking sets strict guidelines to ensure customers have an overview and control of who is able to access their data. As such, a third party can legitimately operate on bank accounts, providing an alternative interface or richer features than the bank itself. This is a fundamental change in how customers interact with their banks, which attempts to introduce sweeping changes and innovation within traditional financial institutions.

Implementing the required changes internally to support a common API is a complex undertaking, as it introduces a whole new channel for external entities to interact with the bank. The final PSD2 compliance deadline was 14 September 2019; however, many banks are experiencing difficulties with fully implementing the APIs and integrating with the Open Banking ecosystem within the strict deadlines set out (see here). For urgent, complex projects affecting core services, it is essential that development and testing (functional and security) are performed to the highest standards. This requires both the Banking and Security industries to innovate new ways to work together and deliver large scale projects.

Providing the APIs is only the first step of the whole endeavour. The next steps will be for organisations to start using the APIs to provide advanced services, and for the public to understand what consenting to an access request entails. Both of these facets reveal additional interesting security concerns that, once solved through collaboration, should lead to a brighter future for bank customers.

In the next post of the series, we will be delving deeper into the technical and social challenges associated with introducing Open Banking based services.
