Open Banking

Open Banking is a global concept which refers to the use of open APIs as an alternative interface for customers to access their bank account(s).

With these Open Banking APIs, personal and business banking customers will be able to use web and mobile applications to connect to and move money between bank accounts. These apps could include financial management services which save customers money, as well as enabling faster, cheaper and more secure online payments.

Open Banking in the UK

In 2016, the Competition and Markets Authority (CMA) published a report on the UK’s retail banking market and proposed a number of remedies including Open Banking, which enables customers and small and medium-sized businesses to share their current account information securely with other third party providers.

The CMA set up the Open Banking Implementation Entity (OBIE) to create a single API standard for this remedy, and mandated that this be adopted by the CMA9, the UK’s nine largest banks and building societies: Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group and Santander.

This UK Open Banking standard is based on PSD2 (see below), but version 1 (which went live in January 2018) only covers personal and small business accounts in GBP. The CMA has since expanded the scope of the OBIE to create a single standard for all PSD2 accounts.

PSD2

The Second Payment Services Directive (PSD2) is European legislation which came into force on 13 January 2018. This legislation sets out the rules for payment services in Europe, including the United Kingdom. Amongst other things, PSD2 defines:

  • The type of payment enabled accounts which are covered.
  • The role and requirements of the Account Servicing Payment Service Provider (ASPSP) in providing an alternative interface to these accounts.
  • The role and requirements of regulated Third Party Providers (TPPs), in particular Account Information Service Providers (AISPs) who can access account and transaction APIs, and Payment Initiation Service Providers (PISPs) who can access payment initiation APIs.
  • The rights of the customer or Payment Service User (PSU).
  • The role of national competent authorities in each country, such as the UK’s Financial Conduct Authority (FCA), in governing the ecosystem.

RTS

The Regulatory Technical Standards (RTS) can be considered an extension to PSD2 and define the rules for Strong Customer Authentication (SCA) and secure communication.

RTS is expected to come into force early in 2018 and must be implemented within 18 months (i.e. by the end of 2019). Article 30.5 mandates that each ASPSP provides a testing facility six months in advance of this target date:

 “Account servicing payment service providers shall make available a testing facility, including support, for connection and functional testing to enable authorised payment initiation service providers, payment service providers issuing card-based payment instruments and account information service providers, or payment service providers that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users. This testing facility should be made available no later than six months before the application date referred to in Article 38(2) or before the target date for the market launch of the access interface when the launch takes place after the date referred to in Article 38(2). However, no sensitive information shall be shared through the testing facility.”

In other words, by early 2019 each ASPSP will be required to provide access for TPPs to a simulation of their APIs which does not expose real customer data.

The Ozone platform is a perfect match for this requirement. Not only will it enable ASPSPs to meet their regulatory obligations for testing PSD2 APIs, but it will also give them a competitive advantage in engaging with third party developers by providing a sandbox with fully working APIs and sample data. Furthermore, Ozone will enable this well in advance of the implementation dates for each release of the API standards.