Open Banking and Open Finance are reshaping the global financial landscape, driving innovation, competition and financial inclusion. With legislative change, such as the EU Digital Operational Resilience Act (DORA), the proposed PSD3 & PSR and the Financial Data Access (FIDA) regulation, staying informed is more critical than ever. This glossary is your go-to resource for understanding the key terms, regulations and concepts shaping the future of financial services in Europe. Explore the language of this transformation and unlock the potential of a truly interconnected financial ecosystem.
Open banking is the term applied to the provision of access by third party providers (TPPs) to the data and funds of Financial Institutions’ customers. This is normally provided through application programming interfaces (APIs).
In Europe, PSD2 open banking access to accounts came into effect in September 2019. From this date, regulated organisations offering transactional payment accounts accessible via an online interface were mandated to provide TPPs with account access, provided that prior “explicit consent” had been given by the account holder. Over 5,000 financial institutions across Europe were affected by the regulation.
Many jurisdictions across the globe have followed Europe’s lead and are developing their own open banking and open finance regulatory frameworks. To follow progress, see our Open Banking World Map.
For a full explanation of the most common open banking and open finance terms in Europe, see our glossary below.
A Service provider accessing the open finance API of an Asset Holder. An Access Client is equivalent to an API Client.
Gives financial institutions, plus approved and regulated third parties, access to the customer accounts of FIs in the EEA.
An online service which provides consolidated account information to a Payment Service User (PSU) on one or more payment accounts held by that PSU with various FIs.
A TPP that wishes to aggregate online account information of one or more accounts held at one or more ASPSPs (FIs). This service can be used for account management or generation of dashboards for a PSU. Examples of Account Information Services include money management, budgeting, accounting and personal finance (PFM) tools. Organisations such as Credit Agencies may use AISP functionality to access additional credit data on an individual or a business applying for a loan, to supplement their existing data sets.
An ASPSP is any financial institution that offers a payment account with online access. PSD2 means ASPSPs have to provide access to let regulated third parties initiate payments and access account information. APIs are currently considered the most practical way to do this.
A service provider accessing the open finance API of an Asset Holder. A TPP is an example of an API Client.
API Data is data made available to an API User or a TPP through the API.
An API Provider is a service provider implementing an Open Data API. An API Provider provides Open Data via an API gateway.
An API User is any person or organisation who develops web or mobile apps which access data from an API Provider.
An ASPSP brand is any registered or unregistered trademark or other Intellectual Property Right provided by an ASPSP.
Any form of value that is held by an Asset Holder (e.g. bank owned data, customer owned data, transaction data).
An entity that uses assets (e.g. data) from the Asset Holder to deliver value to end users. A TPP is an example of an Asset Broker.
An entity that holds end user data (e.g. account information, securities data, pension data). An ASPSP is an example of an Asset Holder.
Brexit is the process by which the United Kingdom ended its membership of the European Union. In the context of PSD2, Brexit has had no effect on the implementation of the legislation in the UK.
Sometimes referred to as cardholder not present, this refers to a transaction where the payer, the payee and the method of payment (the card) are not in the same location when the transaction takes place. Tackling fraud in the CNP process is a key objective of PSD2.
A payment network tied to payment cards (debit or credit). FIs can join these schemes to offer cards to consumers.
A cryptographically protected data structure for storing and transporting a public key. The data structure contains the public key value together with the identity of the owner of the key, the validity period of the key and the identity of the Certificate Authority that registered the public key and signed the certificate.
The nine largest FIs in the UK, based on the volume of personal and business current accounts. They are: AIB Group (UK) plc (trading as First Trust Bank in Northern Ireland), Bank of Ireland (UK) plc, Barclays Bank plc, HSBC Group, Lloyds Banking Group plc, Nationwide Building Society, Northern Bank Limited (trading as Danske Bank), the Royal Bank of Scotland Group plc and Santander UK plc.
The UK Retail Banking Market Investigation Order 2017.
A Competent Authority is any person or organization that has the legally delegated or invested authority, capacity, or power to perform a designated function. For PSD2 the Competent Authority in each EU member state will have primary responsibility for monitoring compliance and enforcement of PSD2. In the UK the Competent Authority for PSD2 is the Financial Conduct Authority (FCA).
The Competition and Markets Authority is a UK body that has been working to increase competition in UK banking; this has led it to push for reforms in retail banking that are in line with PSD2.
Remedies introduced by the CMA to address competition issues in the UK retail banking market, including requiring the adoption of key Open Banking proposals from His Majesty’s Treasury.
Used by a Payment Instrument Issuing Service Provider (PIISP) TPP to confirm availability of funds from a PSU’s account.
Confirmation/Verification of Payee is an account name checking service. It allows an account name to be checked (including a personal and business account indicator) before initiating or collecting a payment, providing greater assurance that a payment is being sent to the correct account.
Consultation Paper issued by the EBA to the market to solicit feedback and opinions.
DORA (Digital Operational Resilience Act) is an EU regulation that ensures financial institutions and their ICT (Information and Communication Technology) providers can manage, withstand, and recover from cyber threats and IT disruptions, promoting a unified and robust approach to digital resilience. It covers risk management, incident reporting, testing, and oversight of Third Party Providers.
The Directive regulates electronic payment systems in the European Union. The aim of the Directive is to enable new and secure electronic money services and to foster effective competition between all market participants.
A public key certificate that conforms to the eIDAS framework and has been issued by a Qualified Trust Service Provider (QTSP).
An eIDAS certificate containing the public key used to verify the Seal (or digital signature) generated by the corresponding private key.
The EBA Register provides an electronic central register that contains information on PSPs as notified by CAs.
EU regulation that secures transactions by establishing a framework that provides a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. For PSD2, the eIDAS framework was selected as the identity framework used to mutually authenticate TPPs and ASPSPs when establishing TLS sessions and to seal their message contents.
Electronic money is an electronic store of monetary value on a technical device that may be widely used for making payments to entities other than the e-money issuer.
An e-money institution is a supplier of the financial product ‘electronic money’. The electronic money can be used to make payments to parties other than the issuer. ‘Electronic money’ is a monetary value stored on an electronic carrier or remotely in a central accounting system. An EMI has received regulatory approval from its NCA. An EMI can passport its regulatory status to other markets in the EU.
An independent EU authority that works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
An institution of the European Union, it is responsible for proposing legislation, implementing decisions and upholding EU treaties. In the context of PSD2, it is the force behind the proposition and adoption of the directive at a Europe-wide level. In each country this responsibility will be managed in conjunction with the local governments and appointed Competent Authorities, for example in the UK the FCA.
The European Economic Area (EEA) unites the EU member states and the three EFTA States (Iceland, Liechtenstein and Norway). 30 countries are members. PSD2 is in force for payments within the EEA, from the EEA to outside countries and from outside countries into the EEA, in all currencies. Where one of the PSPs is situated outside the EEA these are known as One Leg Payment Transactions.
An agency in charge of everything from the regulation of financial services to taxation and competition policies.
A membership organisation created in 2002 by the major European FIs. The main task of the EPC is the development of the Single Euro Payment Area (SEPA), a key initiative of PSD1. It represented its members’ interests in the development of PSD2, for example by preparing responses to the developing Regulatory Technical Standards.
The European Union (EU) is a political and economic union of 27 countries promoting integration, cooperation and shared governance across trade, legislation, environment and finance.
The purpose of the ERPB, launched by the European Central Bank (ECB) is to facilitate and contribute to the further development of an integrated, innovative and competitive market for euro retail payments in the EU.
Used in applying exemptions from Strong Customer Authentication, the ETV defines the payment value up to which a payment may be secured using Transaction Risk Analysis, provided the applicable Reference Fraud Rates are adhered to.
The Financial Conduct Authority is the conduct regulator for 42,000 financial services firms and financial markets in the UK.
A generic term applied to banks, credit unions, building societies, EMIs and Payment Institutions.
The Financial Data Access (FIDA) proposal, published by the European Commission in June 2023, aims to expand data access beyond payment accounts under PSD2 to include a wider range of financial services data, such as savings, loans, mortgages, insurance, pensions and investments. This initiative seeks to enhance data sharing and innovation across the financial sector.
A regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).
Implementing Technical Standards define how requirements will be developed, agreed upon and implemented. The European Banking Authority is responsible for the development of the ITS to meet the objectives of PSD2 as defined by the European Commission.
IBANs are used to make or receive international payments. The IBAN does not replace a domestic sort code and account number, but is an additional number with extra information to help overseas banks identify an account for payments.
Internet Protocol (IP) is the principal set (or communications protocol) of digital message formats and rules for exchanging messages between computers across a single network or a series of interconnected networks, using the Internet Protocol Suite (often referred to as TCP/IP).
A financial organisation that processes credit or debit card payments on behalf of a merchant.
A security process that establishes mutual authentication, ensuring that both parties are who they claim to be before data is shared.
Under PSD2 Open Banking, the National Competent Authorities in each EU member state are primarily responsible for monitoring compliance and enforcing PSD2 regulations. In the UK, this role is fulfilled by the Financial Conduct Authority (FCA).
A mechanism for logging on to a network or service using a unique password that can only be used once.
The general term applied to the provision of access by TPPs to FI customers’ data, normally through APIs.
The Open Banking Ecosystem refers to all the elements that facilitate the operation of Open Banking. This includes the API Standards, the governance, systems, processes, security and procedures used to support participants.
Open Banking Limited, initially called the Open Banking Implementation Entity (OBIE), is the delivery organisation working with the CMA9 and other stakeholders to define and develop the required APIs, security and messaging standards that underpin Open Banking in the UK.
An Open API or Public API is a free-to-use, publicly available application programming interface (API) that provides developers with programmatic access to a proprietary software application.
An online service which accesses a PSU’s account to initiate the transfer of funds on their behalf with the user’s consent and authentication. Such services are alternative payment methods, commonly called push and pull payments.
A type of Third Party Provider (TPP) offering a service that allows initiation of payments without the customer needing to directly access their account or use a debit or credit card.
Born out of the original Payment Services Directive (PSD), a Payment Institution is a special form of payment service provider. It offers services including payment processing, foreign exchange and money remittance.
A Payment Services Provider is an entity which carries out regulated payment services, including AISPs, PISPs, CBPIIs and ASPSPs.
A Payment Services User is a natural or legal person making use of a payment service as a payee, payer or both.
The Directive on Payment Services (PSD) provides the legal foundation for the creation of an EU-wide single market for payments. The PSD aims to establish a modern and comprehensive set of rules applicable to all payment services in the European Union. The goal is to make cross-border payments as easy, efficient and secure as “national” payments within a Member State.
Directive 2007/64/EC, or the Payment Services Directive (PSD), established a unified legal framework for EU payment services, promoting competition, efficiency and consumer protection. It introduced payment institutions as regulated entities and was later updated by PSD2 in 2015.
Provides the necessary legal platform and changes to the payments framework in order to better serve the needs of an effective European payments market, fully contributing to a payments environment which nurtures competition, innovation and security to the benefit of all stakeholders, and consumers in particular.
Under PSD2, exemptions are primarily discussed in the context of Strong Customer Authentication (SCA). These exemptions allow certain transactions, such as parking or ticketing payments, or payments meeting thresholds based on Reference Fraud Rates, to bypass SCA requirements. The specific criteria for these exemptions are outlined in the Regulatory Technical Standards (RTS).
PSD3 and the PSR are new legislative proposals from the EU Commission that bring changes to the payments framework of the European payments market. PSD3 and the PSR aim to enhance consumer protection, promote innovation and regulate emerging payment services. They introduce new security measures to address evolving market needs and improve competition in the payments sector.
Qualified Seals for Electronic Certificates (QSealCs) are digital certificates under eIDAS that ensure data integrity and authenticate the sender in Open Banking, supporting secure and tamper-proof communication.
An entity approved to issue qualified digital certificates which can be used to establish mutually authenticated SSL sessions or create qualified electronic signatures or seals.
eIDAS QWACs ensure the confidentiality, integrity and authenticity of data communicated between the TPP and ASPSP, but only during transmission.
A set of architectural principles for designing web services.
Regulatory Technical Standards define certain requirements of PSD2 in more detail. The European Banking Authority is responsible for the development of the RTS to meet the objectives of PSD2 as defined by the European Commission.
An encryption-based security protocol that provides privacy, authentication and integrity to Internet communications.
A standardised way of making cashless electronic euro payments – via credit transfer and direct debit – to anywhere in the European Union, as well as a number of non-EU countries, in a fast, safe and efficient way, just like national payments.
A set of software development tools that allows the creation of applications.
Standards are the Data Standards and Security Standards in accordance with which ASPSPs are required to make Read/Write APIs available.
Third Party Providers are organisations or natural persons that use APIs developed to Standards to access customers’ accounts, in order to provide account information services and/or to initiate payments. Third Party Providers are Payment Initiation Service Providers (PISPs), Account Information Service Providers (AISPs), or both.
A cryptographic protocol designed to facilitate privacy and security for communications over a computer network.
The UK data standards issued by Open Banking Limited from time to time in compliance with the CMA Order.
The UK Open Banking Working Group (OBWG), established in 2015, developed the framework and standards for secure financial data sharing to promote competition and innovation while ensuring consumer protection. Its work led to the creation of the Open Banking Implementation Entity (OBIE).
A payment method in which customers grant permission to a Third Party Provider (TPP) to make regular payments of varying amounts from their bank account. There are two types of VRP: sweeping and non-sweeping.