What are open banking and open banking regulation?
Open banking is the practice of giving regulated third parties access to financial data held by financial institutions through Application Programming Interfaces (APIs). More specifically, under open banking, account-holding institutions such as banks are required to share account data they previously held exclusively with regulated third-party providers, usually fintech companies, through open APIs. To make this exchange possible, banks must build and publish APIs, which third parties integrate with their own systems to deliver financial services based on the consumer's data, with the consumer's consent. Open banking boosts competition and innovation in the sector by letting third parties use consumer financial and personal data to improve existing financial services or create new ones, for example speeding up a loan application, initiating a payment on behalf of a consumer, or presenting a consolidated overview of several payment accounts in one place. For consumers, open banking makes it quick and convenient to consolidate, view, and access banking information across multiple banks and accounts and to initiate payments securely.
Open banking regulation in the EU
In the European Union and the European Economic Area, the second Payment Services Directive, commonly known as PSD2, provides the legislative and regulatory foundation for open banking and other initiatives for open access to payment data. The directive, which applied from January 2018, aims to open the banking industry to new players and promote the development and use of innovative financial services while ensuring customer protection and payment security. PSD2 gives new players in the sector, known as third-party providers or TPPs, the right to access payment service users' payment accounts directly with the users' explicit consent, and it obliges banks to permit that access through interfaces such as APIs. PSD2 is supplemented by Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication, commonly known as the RTS on SCA & CSC. These standards set out the concrete technical security measures that PSD2 itself states only as general objectives, so that communication between banks and third parties is effective and secure and consumers' data is protected. The SCA requirements oblige payment service providers to authenticate users with two or more independent factors (something the user knows, possesses, or is) when they process payments or provide payment-related services, in order to prevent fraud and theft. The CSC requirements establish open, standard communication channels that regulate how access to a customer's account is shared between the bank and third parties, including the use of eIDAS qualified certificates so that the parties can identify each other. Companies that want to become authorized third-party providers must comply with the RTS on SCA & CSC under PSD2 and must also meet the rules set by their national competent authority, in some countries called the Financial Supervisory Authority (FSA).
How is open banking regulated in countries outside the EU?
Since PSD2 does not govern access to payment accounts in countries outside the EU, various alternative initiatives exist there to make open banking work. These initiatives differ in scope: which institutions and products they apply to (e.g., only banks, or third parties as well) and what data third parties may access with the customer's explicit consent (e.g., transaction information, product data, or aggregated statistics). They also take different approaches to standardization, that is, the degree to which security rules, including customer authentication, data formats, and API specifications, are common across all financial institutions. Although these differences reveal inconsistencies and challenges in the global adoption of open banking, each initiative allows new services to emerge around data exchange and gives consumers control over their data and access to better deals.