PSD2 Open Banking and
Open Finance Glossary

A Service provider accessing the open finance API of an Asset Holder. An Access Client is equivalent to an API Client.

An online service which provides consolidated account information to a Payment Service User (PSU) on one or more payment accounts held by that PSU with various FIs.

Any TPP that wishes to aggregate online account information of one or more accounts held at one or more ASPSPs (FIs). This service can be used for account management or generation of dashboards for a PSU.

An API (Application Programming Interface) is a set of rules that let different software programs work together. It often includes details about routines, data, and how to make remote calls. APIs are crucial for modern app development and digital systems.

API Data is data made available to an API User or a TPP through the API.

An API Provider is a service provider implementing an Open Data API. An API Provider provides Open Data via an API gateway.

Service provider accessing the open finance API of an Asset Holder. A TPP is an example of an API Client.

An API User is any person or organisation who develops web or mobile apps which access data from an API Provider.

Any form of value that is held by an Asset Holder (e.g. bank owned data, customer owned data, transaction data).

An entity that uses assets (e.g. data) from the Asset Holder to deliver value to end users. A TPP is an example of an Asset Broker.

An entity that holds end user data (e.g. account information, securities data, pension data). An ASPSP is an example of an Asset Holder.

An ASPSP is any financial institution that offers a payment account with online access. PSD2 means ASPSPs have to provide access to let regulated third parties initiate payments and access account information. APIs are currently considered the most practical way to do this.

An ASPSP brand is any registered or unregistered trademark or other Intellectual Property Right provided by an ASPSP.

Brexit is the process by which the United Kingdom ended its membership of the European Union. In the context of PSD2 Brexit has had no effect on the implementation of the legislation in the UK.

A competent authority is any person or organization that has the legally delegated or invested authority, capacity, or power to perform a designated function. For PSD2 the competent authority in each EU member state will have primary responsibility for monitoring compliance and enforcement of PSD2. In the UK the competent authority for PSD2 is the Financial Conduct Authority (FCA).

Used by a Payment Instrument Issuing Service Provider (PIISP) TPP to confirm availability of funds from a PSUs account

A payment network tied to payment cards (debit or credit). FIs can join these schemes to offer cards to consumers.

A cryptographically protected data structure for storing and transporting a public key. The data structure contains the public key value together with the identity of the owner of the key, the validity period of the key and the identity of the Certificate Authority that registered the public key and signed the certificate.

The Consumer Financial Protection Bureau (CFPB) is a U.S. government agency established in 2011 under the Dodd-Frank Act to protect consumers in the financial sector. It oversees financial products and services like mortgages, credit cards, and loans, ensuring fair practices, transparency, and accountability. The CFPB enforces regulations, takes action against unfair practices, and educates consumers about their financial rights.

The Competition and Markets Authority is a UK body, they have been working to increase competition in UK banking; this has led them to push for reforms in retail banking that are in line with PSD2.

The nine largest FIs in the UK, based on the volume of personal and business current accounts. Barclays plc, Lloyds Banking Group plc, Santander, Danske, HSBC, RBS, Bank of Ireland, Nationwide and AIBG.

The Retail Banking Market Investigation Order 2017.

Remedies introduced by the CMA to address competition issues in the UK retail banking market, including requiring the adoption of key Open Banking proposals from His Majesty’s Treasury.

Confirmation/Verification of Payee is an account name checking service. It allows an account name to be checked (including a personal and business account indicator) before initiating or collecting a payment, providing greater assurance that a payment(s) are being sent to the correct account.

Consultation Paper issued by the EBA to the market to solicit feedback and opinions.

Sometimes referred to as cardholder not present, this refers to a transaction where the payer, payee and the method of payment (the card) are not in the same location, when the transaction takes place. Tackling fraud in the CNP process is a main objective of PSD2.

The data standards issued by Open Banking from time to time in compliance with the CMA Order.

An independent EU authority that works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.

The EBA Register provides an electronic central register that contains information on PSPs as notified by CAs.

An institution of the European union, it is responsible for proposing legislation, implementing decisions and upholding EU treaties. In the context of PSD2 it is the force behind the proposition and adoption of the directive at a European wide level. In each country this responsibility will be managed in conjunction with the local governments and appointed Competent Authorities, for example in the UK the FCA.

An agency in charge of everything from the regulation of financial services to taxation and competition policies.

The European Economic Area (EEA) unites the EU member states and the three EFTA States (Iceland, Liechtenstein and Norway). 30 countries are members. PSD2 is in force for payments within the EEA, from the EEA to outside countries and from outside countries into the EEA, in all currencies. Where one of the PSPs is situated outside the EEA these are known as One Leg Payment Transactions.

A framework that provides a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. For PSD2, the eIDAS framework was selected as the identity framework used to mutually authenticate TPPs and ASPSPs when establishing TLS sessions and to seal their message contents.

A public key certificate that conforms to the eIDAS framework and has been issued by a Qualified Trust Service Provider (QTSP).

An eIDAS certificate containing the public key used to verify the Seal (or digital signature) generated by the corresponding private key.

DORA (Digital Operational Resilience Act) is an EU regulation that ensures financial institutions and their ICT (Information and Communication Technology)providers can manage, withstand, and recover from cyber threats and IT disruptions, promoting a unified and robust approach to digital resilience. It covers risk management, incident reporting, testing, and oversight of third-party providers.

The Directive regulates electronic payment systems in the European Union. The aim of the Directive is to enable new and secure electronic money services and to foster effective competition between all market participants.

An e-money institution is a supplier of the financial product ‘electronic money’. The electronic money can be used to make payments to parties other than the issuer. ‘Electronic money’ is a monetary value stored on an electronic carrier or remotely in a central accounting system. An EMI has received regulatory approval from their NCA. An EMI can passport their regulatory status to other markets in the EU.

Electronic money is an electronic store of monetary value on a technical device that may be widely used for making payments to entities other than the e-money issuer.

An Electronic Money Institution is a financial institution that is authorised to issue electronic money and provide payment services such as domestic and international electronic funds transfers and can provide bank accounts and e-wallets.

Is a membership organisation created in 2002 by the major European FIs. The main task of the EPC is the development of the Single Euro Payment Area (SEPA), a key initiative of PSD1. They represented their members’ interests in the development of PSD2, for example by preparing responses to the developing Regulatory Technical Standards.

The purpose of the ERPB, launched by the European Central Bank (ECB) is to facilitate and contribute to the further development of an integrated, innovative and competitive market for euro retail payments in the EU.

Related to the application of exemptions from Strong Customer Authentication ETV defines the payment value at which the Reference Fraud Rates must be adhered to, in order to secure a payment using Transaction Risk Analysis.

The European Union is a political and economic union of 27-member states that are located primarily within Europe.

The Financial Conduct Authority is the conduct regulator for 56,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms.

A generic term applied to banks, credit unions, building societies, EMIs and Payment Institutions.

The Financial Data Access (FIDA) proposal, published by the European Commission in June 2023, aims to expand data access beyond payment accounts under PSD2 to include a wider range of financial services data, such as savings, loans, mortgages, insurance, pensions, and investments. This initiative seeks to enhance data sharing and innovation across the financial sector.

A regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).

Internet Protocol (IP) is the principal set (or communications protocol) of digital message formats and rules for exchanging messages between computers across a single network or a series of interconnected networks, using the Internet Protocol Suite (often referred to as TCP/IP).

Implementing Technical Standards define how requirements will be developed, agreed upon and implemented. The European Banking Authority is responsible for the development of the ITS’s to meet the objectives of PSD2 as defined by the European Commission.

IBANs are used to making or receiving international payments. The IBAN does not replace a domestic sort code and account number, but an additional number with extra information to help overseas banks identify your account for payments.

A financial organisation that processes credit or debit card payments on behalf of a merchant.

A security process that establishes mutual authentication, ensuring that both parties are who they claim to be before data is shared. 

Under PSD2 Open Banking, the National Competent Authorities in each EU member state are primarily responsible for monitoring compliance and enforcing PSD2 regulations. In the UK, this role is fulfilled by the Financial Conduct Authority (FCA).

A mechanism for logging on to a network or service using a unique password that can only be used once.

The general term applied to the provision of access by TTPs to FI customers’ data normally through APIs.

The Open Banking Implementation Entity is the delivery organisation working with the CMA9 and other stakeholders to define and develop the required APIs, security and messaging standards that underpin Open Banking. Otherwise known as Open Banking Limited.

The UK Open Banking Working Group (OBWG), established in 2015, developed the framework and standards for secure financial data sharing to promote competition and innovation while ensuring consumer protection. Its work led to the creation of the Open Banking Implementation Entity (OBIE).

The Open Banking Ecosystem refers to all the elements that facilitate the operation of Open Banking. This includes the API Standards, the governance, systems, processes, security and procedures used to support participants.

The open banking services to be provided by Open Banking to Participants, including but not limited to, the provision and maintenance of the Standards and the Directory.

Information on ATM and Branch locations, and product information for Personal Current Accounts, Business Current Accounts (for SMEs), and SME Unsecured Lending, including Commercial Credit Cards. Open Data is data that anyone can access, use or share.

Open Finance APIs are Application programming interfaces that give third-party parties access to the data they need to build applications and services in the financial industry.

An Open API or Public API is a free-to-use, publicly available application programming interface (API) that provides developers with programmatic access to a proprietary software application.

Founded in 2017, the P20 will bring together 20 leaders in the payments industry, plus UK and US government officials and regulators to promote growth of the industry globally.

Born out of the original Payment Services Directive (PSD), a Payment Institution is a special form of payment service provider. It offers services including payment processing, foreign exchange and money remittance.

An online service which accesses a PSU’s account to initiate the transfer of funds on their behalf with the user’s consent and authentication. Alternative payment methods commonly called push & pull payments.

A type of Third Party Provider (TPP) offering a service that allows initiation of payments without the customer needing to directly access their account or use a debit or credit card.

The Directive on Payment Services (PSD) provides the legal foundation for the creation of an EU-wide single market for payments. The PSD aims to establish a modern and comprehensive set of rules applicable to all payment services in the European Union. The goal is to make cross-border payments as easy, efficient and secure as “national” payments within a Member State.

Directive 2007/64/EC, or the Payment Services Directive (PSD), established a unified legal framework for EU payment services, promoting competition, efficiency, and consumer protection. It introduced payment institutions as regulated entities and was later updated by PSD2 in 2015.

Provides the necessary legal platform and changes to the payments framework in order to better serve the needs of an effective European payments market, fully contributing to a payments environment which nurtures competition, innovation and security to the benefits of all stakeholders and consumers in particular.

Under PSD2, exemptions are primarily discussed in the context of Strong Customer Authentication (SCA). These exemptions allow certain transactions, such as parking or ticketing payments, or payments meeting thresholds based on Reference Fraud Rates, to bypass SCA requirements. The specific criteria for these exemptions are outlined in the Regulatory Technical Standards (RTS).

PSD3 amd the PSR are new legislative proposals from the EU Commission that bring changes to the payments framework of the European payments market. PSD3 & the PSR aim to enhance consumer protection, promote innovation, and regulate emerging payment services. It introduces new security measures to address evolving market needs and improve competition in the payments sector.

A Payment Services Provider is an entity which carries out regulated payment services, including AISPs, PISPs, CBPIIs and ASPSPs.

The Payment Services Regulations (PSR) are UK regulations that implement the EU Payment Services Directive (PSD2) into domestic law. They establish the legal framework for payment services in the UK, focusing on promoting competition, ensuring transparency, enhancing consumer protection, and fostering innovation in payment markets.

A Payment Services User is a natural or legal person making use of a payment service as a payee, payer or both.

Section 1033 of the Dodd-Frank Act grants U.S. consumers the right to access and share their financial data securely. Overseen by the CFPB (Consumer Financial Protection Bureau), it promotes transparency, innovation, and competition, driving data portability and a more consumer-focused financial ecosystem.

An entity approved to issue qualified digital certificates which can be used to establish mutually authenticated SSL sessions or create qualified electronic signatures or seals.

Qualified Seals for Electronic Certificates (QSealCs) are digital certificates under eIDAS that ensure data integrity and authenticate the sender in Open Banking, supporting secure and tamper-proof communication.

eIDAS QWACs ensure the confidentiality, integrity and authenticity of data communicated between the TPP and ASPSP but only during transmission

A set of architectural principles for designing web services

Regulatory Technical Standards define certain requirements of PSD2 in more detail. The European Banking Authority is responsible for the development of the RTS to meet the objectives of PSD2 as defined by the European Commission.

A standardised way of making cashless electronic euro payments – via credit transfer and direct debit – to anywhere in the European Union, as well as a number of non-EU countries, in a fast, safe and efficient way, just like national payments.

Strong Customer Authentication (SCA), as defined by EBA standards, uses two or more independent elements—knowledge (e.g., a password), possession (e.g., a device), and inherence (e.g., a fingerprint)—to securely verify a user while protecting authentication data.

A set of software development tools that allows the creation of applications.

The Standards are the Data Standards and Security Standards in accordance with which ASPSPs will be required to make Read/Write APIs available.

A cryptographic protocol designed to facilitate privacy and security for communications over a computer network.

Third Party Providers are organisations or natural persons that use APIs developed to Standards to access customers’ accounts, in order to provide account information services and/or to initiate payments. Third Party Providers are either/both Payment Initiation Service Providers (PISPs) and/or Account Information Service Providers (AISPs).

A payment method in which customers grant permission to a Third-Party Provider (TPP) to make regular payments of varying amounts from their bank account. There are two types of VRP: sweeping and non-sweeping.

Gives financial institutions, plus approved and regulated third parties, access to the customer accounts of FIs in the EEA.