Open banking is the term applied to the provision of access by third party providers (TPPs) to the data and funds of Financial Institutions’ customers. This is normally provided through application programming interfaces (APIs).
In Europe, PSD2 open banking access to accounts came into effect in September 2019. From this date, regulated organisations offering transactional payment accounts, accessible via an online interface, were mandated to provide TPPs account access provided prior “explicit consent” had been given by the account holder. Over 5,000 financial institutions across Europe were affected by the regulation.
Many jurisdictions across the globe have followed Europe’s lead and are developing their own open banking and open finance regulatory frameworks. To follow progress, see our Open Banking World Map.
For a full explanation of the most common open banking and open finance terms, see our glossary below.
A Service provider accessing the open finance API of an Asset Holder. An Access Client is equivalent to an API Client.
An online service which provides consolidated account information to a Payment Service User (PSU) on one or more payment accounts held by that PSU with various FIs.
Any TPP that wishes to aggregate online account information of one or more accounts held at one or more ASPSPs (FIs). This service can be used for account management or generation of dashboards for a PSU.
In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. A good API makes it easier to develop a computer program by providing all the building blocks, which are then put together by the programmer. An API may be for a web-based system, operating system, database system, computer hardware, or software library. An API specification can take many forms, but often includes specifications for routines, data structures, object classes, variables, or remote calls. POSIX, Microsoft Windows API, the C++ Standard Template Library, and Java APIs are examples of different forms of APIs. Documentation for the API is usually provided to facilitate usage. The status of APIs in intellectual property law is controversial.
API Data is data made available to an API User or a TPP through the API.
An aggregation platform that provides the API services that connect to several Asset Holders.
Service provider accessing the open finance API of an Asset Holder. A TPP is an example of an API Client.
An API User is any person or organisation who develops web or mobile apps which access data from an API Provider.
Any form of value that is held by an Asset Holder (e.g. bank owned data, customer owned data, transaction data).
An entity that uses assets (e.g. data) from the Asset Holder to deliver value to end users. A TPP is an example of an Asset Broker.
An entity that holds end user data (e.g. account information, securities data, pension data). An ASPSP is an example of an Asset Holder.
An ASPSP is any financial institution that offers a payment account with online access. PSD2 means ASPSPs have to provide access to let regulated third parties initiate payments and access account information. APIs are currently considered the most practical way to do this.
An ASPSP brand is any registered or unregistered trademark or other Intellectual Property Right provided by an ASPSP.
Brexit is the process by which the United Kingdom ended its membership of the European Union. In the context of PSD2 Brexit has had no effect on the implementation of the legislation in the UK.
A competent authority is any person or organization that has the legally delegated or invested authority, capacity, or power to perform a designated function. For PSD2 the competent authority in each EU member state will have primary responsibility for monitoring compliance and enforcement of PSD2. In the UK the competent authority for PSD2 is the Financial Conduct Authority (FCA).
A payment network tied to payment cards (debit or credit). FIs can join these schemes to offer cards to consumers.
A cryptographically protected data structure for storing and transporting a public key. The data structure contains the public key value together with the identity of the owner of the key, the validity period of the key and the identity of the Certificate Authority that registered the public key and signed the certificate.
The Competition and Markets Authority is a UK body, they have been working to increase competition in UK banking; this has led them to push for reforms in retail banking that are in line with PSD2.
The nine largest FIs in the UK, based on the volume of personal and business current accounts. Barclays plc, Lloyds Banking Group plc, Santander, Danske, HSBC, RBS, Bank of Ireland, Nationwide and AIBG.
The Retail Banking Market Investigation Order 2017.
Remedies that the CMA deemed appropriate to introduce to address a number of key features of the UK Retail Banking market considered to be having an adverse effect on competition. These remedies included a requirement for the UK banking industry to adopt a subset of Her Majesty’s Treasury’s (HMT’s) proposals for Open Banking.
Sometimes referred to as cardholder not present, this refers to a transaction where the payer, payee and the method of payment (the card) are not in the same location, when the transaction takes place. Tackling fraud in the CNP process is a main objective of PSD2.
Consultation Paper issued by the EBA to the market to solicit feedback and opinions.
The data standards issued by Open Banking from time to time in compliance with the CMA Order.
An independent EU authority that works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
The EBA Register provides an electronic central register that contains information on PSPs as notified by CAs.
An institution of the European union, it is responsible for proposing legislation, implementing decisions and upholding EU treaties. In the context of PSD2 it is the force behind the proposition and adoption of the directive at a European wide level. In each country this responsibility will be managed in conjunction with the local governments and appointed Competent Authorities, for example in the UK the FCA.
An agency in charge of everything from the regulation of financial services to taxation and competition policies.
The European Economic Area (EEA) unites the EU member states and the three EFTA States (Iceland, Liechtenstein and Norway) 31 countries are members. PSD2 is in force for payments within the EEA, from the EEA to outside countries and from outside countries into the EEA, in all currencies. Where one of the PSPs is situated outside the EEA these are known as One Leg Payment Transactions.
A framework that provides a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. For PSD2, the eIDAS framework was selected as the identity framework used to mutually authenticate TPPs and ASPSPs when establishing TLS sessions and to seal their message contents.
A public key certificate that conforms to the eIDAS framework and has been issued by a Qualified Trust Service Provider (QTSP).
An eIDAS certificate containing the public key used to verify the Seal (or digital signature) generated by the corresponding private key.
The Directive regulates electronic payment systems in the European Union. The aim of the Directive is to enable new and secure electronic money services and to foster effective competition between all market participants.
An e-money institution is a supplier of the financial product ‘electronic money’. The electronic money can be used to make payments to parties other than the issuer. ‘Electronic money’ is a monetary value stored on an electronic carrier or remotely in a central accounting system. An EMI has received regulatory approval from their NCA. An EMI can passport their regulatory status to other markets in the EU.
Electronic money is an electronic store of monetary value on a technical device that may be widely used for making payments to entities other than the e-money issuer.
Is a membership organisation created in 2002 by the major European FIs. The main task of the EPC is the development of the Single Euro Payment Area (SEPA), a key initiative of PSD1. They represented their members’ interests in the development of PSD2, for example by preparing responses to the developing Regulatory Technical Standards.
The purpose of the ERPB, launched by the European Central Bank (ECB) is to facilitate and contribute to the further development of an integrated, innovative and competitive market for euro retail payments in the EU.
Related to the application of exemptions from Strong Customer Authentication ETV defines the payment value at which the Reference Fraud Rates must be adhered to, in order to secure a payment using Transaction Risk Analysis.
The European Union is a political and economic union of 27-member states that are located primarily within Europe.
The Financial Conduct Authority is the conduct regulator for 56,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms.
A generic term applied to banks, credit unions, building societies, EMIs and Payment Institutions.
A regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).
Internet Protocol (IP) is the principal set (or communications protocol) of digital message formats and rules for exchanging messages between computers across a single network or a series of interconnected networks, using the Internet Protocol Suite (often referred to as TCP/IP).
Implementing Technical Standards define how requirements will be developed, agreed upon and implemented. The European Banking Authority is responsible for the development of the ITS’s to meet the objectives of PSD2 as defined by the European Commission.
A financial organisation that processes credit or debit card payments on behalf of a merchant.
As per competent authority but often called National Competent Authority. A national competent authority is any person or organization that has the legally delegated or invested authority, capacity, or power to perform a designated function. For PSD2 the competent authority in each EU member state will have primary responsibility for monitoring compliance and enforcement of PSD2. In the UK the competent authority for PSD2 is the Financial Conduct Authority (FCA).
The general term applied to the provision of access by TTPs to FI customers’ data normally through APIs.
The Open Banking Implementation Entity is the delivery organisation working with the CMA9 and other stakeholders to define and develop the required APIs, security and messaging standards that underpin Open Banking. Otherwise known as Open Banking Limited.
Established in September 2015 to explore how data can be used to help people transact, save, borrow, lend and invest their money. The OBWG has set out an Open Banking Standard to guide how open banking data should be created, shared and used by its owners and those who access it. It is expected that the UK’s implementation of PSD2 will be somewhat driven by these recommendations.
An Open API or Public API is a free-to-use, publicly available application programming interface (API) that provides developers with programmatic access to a proprietary software application.
The Open Banking Ecosystem refers to all the elements that facilitate the operation of Open Banking. This includes the API Standards, the governance, systems, processes, security and procedures used to support participants.
The open banking services to be provided by Open Banking to Participants, including but not limited to, the provision and maintenance of the Standards and the Directory.
Information on ATM and Branch locations, and product information for Personal Current Accounts, Business Current Accounts (for SMEs), and SME Unsecured Lending, including Commercial Credit Cards. Open Data is data that anyone can access, use or share.
Premium access to account interface provided by an Asset Holder to API Clients for accessing extended services offered by the Asset Holder.
Founded in 2017, the P20 will bring together 20 leaders in the payments industry, plus UK and US government officials and regulators to promote growth of the industry globally.
Born out of the original Payment Services Directive (PSD), a Payment Institution is a special form of payment service provider. It offers services including payment processing, foreign exchange and money remittance.
An online service which accesses a PSU’s account to initiate the transfer of funds on their behalf with the user’s consent and authentication. Alternative payment methods commonly called push & pull payments.
A type of Third Party Provider (TPP) offering a service that allows initiation of payments without the customer needing to directly access their account or use a debit or credit card.
The Directive on Payment Services (PSD) provides the legal foundation for the creation of an EU-wide single market for payments. The PSD aims to establish a modern and comprehensive set of rules applicable to all payment services in the European Union. The goal is to make cross-border payments as easy, efficient and secure as “national” payments within a Member State.
Provides the necessary legal platform for the Single Euro Payments Area (SEPA).
Provides the necessary legal platform and changes to the payments framework in order to better serve the needs of an effective European payments market, fully contributing to a payments environment which nurtures competition, innovation and security to the benefits of all stakeholders and consumers in particular.
For PSD2 Exemptions are most widely talked about in the context of exemptions from using Strong Customer Authentication, for example for parking or ticketing payments or for payments where the threshold is met based on Reference Fraud Rates for the payment value; these permissible exemptions are detailed in the Regulatory Technical Standards.
A Payment Services Provider is an entity which carries out regulated payment services, including AISPs, PISPs, CBPIIs and ASPSPs.
The Payment Services Regulations 2017, the UK’s implementation of PSD2, as amended or updated from time to time and including the associated Regulatory Technical Standards as developed by the EBA.
A Payment Services User is a natural or legal person making use of a payment service as a payee, payer or both.
An entity approved to issue qualified digital certificates which can be used to establish mutually authenticated SSL sessions or create qualified electronic signatures or seals.
eIDAS QWACs ensure the confidentiality, integrity and authenticity of data communicated between the TPP and ASPSP but only during transmission
A set of architectural principles for designing web services
Regulatory Technical Standards define certain requirements of PSD2 in more detail. The European Banking Authority is responsible for the development of the RTS to meet the objectives of PSD2 as defined by the European Commission.
Strong Customer Authentication as defined by EBA Regulatory Technical Standards is an authentication based on the use of two or more elements categorised as knowledge (something only the user knows [for example, a password]), possession (something only the user possesses [for example, a particular cell phone and number]) and inherence (something the user is [or has, for example, a finger print or iris pattern]) that are independent, [so] the breach of one does not compromise the others, and is designed in such a way as to protect the confidentiality of the authentication data.
A set of software development tools that allows the creation of applications.
An entity that wants to access an openFinance API as a client.
The Standards are the Data Standards and Security Standards in accordance with which ASPSPs will be required to make Read/Write APIs available.
Third Party Providers are organisations or natural persons that use APIs developed to Standards to access customers’ accounts, in order to provide account information services and/or to initiate payments. Third Party Providers are either/both Payment Initiation Service Providers (PISPs) and/or Account Information Service Providers (AISPs).
Gives financial institutions, plus approved and regulated third parties, access to the customer accounts of FIs in the EEA.