The Open Banking PSD2 directive was adopted in October 2015 by the European Parliament as a revision of the already existing Payment Services Directive. The new rules were designed to foster the innovative development of online payments through open banking.
Legally, PSD2 introduces a series of services, obligations and definitions for market participants. The most relevant are:
- Strong Customer Authentication (SCA): an enhanced form of authentication based on two or more elements from the following categories:
  - Possession (something that only the customer owns);
  - Knowledge (something that only the user knows);
  - Characteristics of the customer (a personal characteristic or personal data of the customer);
- PIS (Payment Initiation Service): a service that allows a user to make a transaction through a third-party payment service provider, using a bank account held at another banking service provider, with the user's authorization.
- COF (Confirmation of the Availability of Funds): a service that verifies whether the amount needed for a payment operation is available on the current account of the user making the transaction.
- AIS (Account Information Service): a service that allows the sharing of information held in at least one bank account, managed by a particular service provider, with another (or more) payment service provider.
- TPP (Third Party Provider): a new category of service providers. Banking institutions must give customers, businesses and retailers the ability to access their accounts through TPPs, ensuring an unrestricted experience, as if the customer had entered the bank's portal directly. This is made possible by APIs (Application Programming Interfaces). Third-Party Providers can be:
  - PISP: Payment Initiation Service Provider. These entities offer consumers the possibility to execute a payment transaction on behalf of a buyer, subject to authorization, without the need to visit the online platform of the bank where the account is held. PISPs give users more flexibility when making digital transactions.
  - AISP: Account Information Service Provider. AISPs are third-party companies that are able to access the user's online banking in order to obtain data relating to their bank account. One advantage of this arrangement is that the consumer has all the information on the various accounts he may hold on a single platform, giving a clear and general overview of his financial situation, the payments he has made and his current accounts.
  - PIISP: Payment Instrument Issuer Service Provider. PIISPs are companies that are able to issue debit cards linked to bank accounts held at other institutions. These institutions do not hold the accounts directly, but check the availability of funds on the underlying account and allow a payment to be executed in favour of a merchant.
- The obligation for ASPSPs (Account Servicing Payment Service Providers) to provide a dedicated programming interface (API) which allows TPPs (Third Party Providers) to offer the categories of services seen above (PIS, AIS, COF, …) and others. All third-party service providers are supervised by the financial supervisory authorities of each member state of the European Union.
It should be borne in mind that two years after the entry into force of PSD2 (which took place on 13 September 2019), the European Commission decided to start working on a revision of the directive. In October 2021, the European Commission published a call for proposals addressed to the European Banking Authority (EBA), which outlined the areas of the directive that will be subject to revision. These are:
- Obligations and rights deriving from the directive;
- Procedures for customer authentication through the methodologies provided by the SCA;
- Definitions and fields of application of the directive;
- Transparency of information conditions and requirements;
- Payment Institution License and Payment Service Provider Compliance;
- Methods of access to payment systems;
- How to access the accounts held in a specific credit institution;
- How your payment account details may be used and misused.
The changes that are being discussed are expected to be adopted by the Commission from the fourth quarter of 2022.
Open banking is part of that phenomenon that today is called the API economy, which is an economic trend that is based on the use of APIs in order to create services and products through data, interfaces, and functionalities prepared by other suppliers; this type of economy is typical of large technology companies.
Open banking, and the need for such a model, stem from a recent change in people's thinking and expectations caused by online services other than banking. For example, people are now used to interoperable experiences like those offered by social networks, or smooth ones like those provided by e-commerce sites; as a result, people expect the same kind of experience and appeal from banking services, and want to be able to decide what they will use and in which channel.
So, people's expectations are high, and they expect tailor-made products. The regulations seem to be pushing in a direction favourable to these expectations. APIs make this much easier and more immediate, both for service providers and for customers. In order to meet these demands, banks need to cooperate with third parties. Thus, banks have started expanding their offer by building new services and products based on the use of financial data.
Thanks to the implementation of open banking, customers can take advantage of a series of notable advantages: new payment methods and new banking products; support in managing one's finances; the possibility of using non-banking services (such as insurance). However, we must keep in mind that there are also a number of risks associated with open banking. The most obvious is the threat of attacks by malicious people or hackers: the more platforms share a given piece of data, the more that data is exposed to risk. However, the main risks derive from the problems that could arise in the field of privacy.
Another threat is the offering of services at differentiated prices calculated from the funds available on a given bank account, or the adoption of much more aggressive practices (such as debt collection). There are also concerns regarding the lack of an identifiable natural person who is responsible in the case of significant (if not total) reliance on automated solutions and artificial intelligence.
SEPA API Access Scheme
In Europe, discussions are already underway on possible solutions that can be implemented by payment institutions in order to comply with the provisions of the Open Banking PSD2 directive.
For example, the Euro Retail Payments Board (ERPB) is a strategic advisory body operating at the European Central Bank. In May 2019 and June 2021, this body published two reports describing an initiative called the “SEPA API Access Scheme”. The ERPB proposal deals with the following topics, which will be discussed with the Directorates-General of the European Commission:
- Definition of the principles of collaboration between the parties that participate in it, defining methods and standards for implementing the selected services based on the use of APIs;
- Billing and payment system for services based on the use of APIs;
- The monetisation system of the possible services offered;
- The services related to the PSD2 regulation provided by European credit institutions would remain free of charge for third parties;
- Other types of services (extended, value-added, premium and so on) may be monetised by credit institutions, in compliance with the regulations of the individual country.
The primary and most exciting aspect of the open banking system is undoubtedly the API (Application Programming Interface). An API is a set of procedures that allow the exchange of information between two software components. A good API facilitates software development by providing components that can then be easily used by programmers.
An API declares an interface that allows us to interact with the software logic it is representing without necessarily having to know what happens programmatically. APIs are everywhere: operating systems, programs, web, programming languages and more.
In the context of open banking, considering the use of the API means assuming public access for developers to systems, products, and solutions belonging to companies. In this case, we are talking about banks or financial institutions.
Following Directive 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, in the countries of the European Union some financial institutions, such as banks, have been obliged to provide APIs in defined, specific areas; in addition, other financial institutions involved have decided on their own initiative to make APIs available. Since there are many financial institutions operating in European contexts, standardisation initiatives have begun to develop. The most important are:
- Slovak Banking API: the Association of Slovak Banks, in collaboration with the Slovak National Bank, is working on this standardisation project, made available in the form of documentation;
- STET standard: project developed by the French clearinghouse;
- NextGenPSD2: the Berlin Group is managing this standardisation initiative from a pan-European perspective;
- PolishAPI: The Association of Polish Banks, commercial banks and associated cooperatives and third-party service providers are working on the design of the PolishAPI standard. This standard defines an interface for the needs of services provided by third parties that rely on access to payment accounts.
The UK example
The UK Competition and Markets Authority (known as the CMA) issued an order in August 2016 covering the UK's nine largest banks (Barclays, Santander, HSBC, RBS, Allied Irish Bank, Lloyds, Bank of Ireland, Danske Bank, Nationwide), requiring them to grant licensed companies or startups direct access to their data, in particular to transactions on transaction accounts.
In January 2018, the CMA directive came into effect. It used standards and systems that have been created by Open Banking Limited, which is a non-profit organization created specifically for this purpose.
This ordinance applies exclusively to the nine banks mentioned above and works with reference to the general Open Banking PSD2 rules that apply to all payment account providers.
The enforcement of the directive is the responsibility of the Competition and Markets Authority; the protection of customers, with regard to account data and information and to payment orders, is overseen by the Information Commissioner's Office and the FCA (Financial Conduct Authority).
As of January 2020, FCA-regulated providers registered in Open Banking total 202. Many of them provide applications that offer financial services (e.g. finance management), but there are also consumer credit companies that use Open Banking tools to access information on bank accounts for the purpose of verification and accessibility checks.
What can you do with open banking?
The Open Banking PSD2 gives a good level of freedom to startups with innovative ideas. Do you have an interesting project and need legal advice? Contact us.