
Open banking FAQ — Frequently Asked Questions

Written by Abílio Rodrigues

Last edited May 2023 · 4 min read

What is open banking?

Unlike what you might be expecting, open banking is not a 24/7 bank that gives away free money! Open banking allows regulated third parties to use APIs to build tools that gather and refine the financial data held by traditional banks. By doing so, it opens up a new world of possibilities in financial services and products, making them more accessible, more personalised and safer than ever.

Open banking allows you to manage your accounts from one place and to use tools that help with budgeting or with controlling your spending. While it gives customers flexibility and a more secure experience, it also gives financial institutions better instruments to earn their customers' trust, and there is no greater asset than that.

Are open banking and PSD2 the same thing?

No. Open banking is a concept designed around the idea of making bank account data securely available to third-party providers through Application Programming Interfaces (APIs). This concept is the catalyst to many positive changes in the banking industry, guaranteeing better products and services to customers.

PSD2 is the revised Payment Services Directive, a European Union legislation that regulates how open banking is implemented. PSD2 makes sure that third-party providers (TPPs) access customer financial data in the safest way possible.

Furthermore, open banking is expanding worldwide, while PSD2 is only applicable in the EU and EEA.

Can anyone have access to my data?

No, open banking requires your explicit consent to share data with a regulated third-party provider (TPP). By giving your consent, you are allowing banks to share your account and transaction details with a TPP through an Application Programming Interface (API).

Upon signing up, a service or application that uses open banking will show you which information it needs to access in order to provide its service, but it will only see that information if you allow it. You should therefore carefully read notifications, emails and pop-ups before you press any button.

Can I revoke access to my data?

Yes. You can withdraw your consent by either:

  • Contacting the regulated third-party provider and withdrawing consent directly with them;

  • Contacting your bank or financial institution to inform them that you no longer wish to allow access to your information by a regulated TPP.

Can I resume access to my data?

Yes, if you revoke access to your data by a specific third-party provider (TPP) you can revert that decision anytime.

Does open banking only apply to online banking?

Yes. To use open banking, you need online or mobile banking for your payment account. This includes personal and business current accounts, credit cards and online e-money accounts.

How do open banking APIs work?

An open banking Application Programming Interface (API) is responsible for the safe transfer of data from a bank account to an authorised and regulated third-party provider (TPP). These TPPs can then, with the permission of the data holder, access specific information from their bank.

APIs must meet PSD2 security standards, enforcing measures like Strong Customer Authentication (SCA) in order to mitigate the risk of security vulnerabilities.

Is open banking free?

Access to open banking APIs developed by banks is free. However, to access them, third-party providers need to obtain specific licences that require large financial investment. For that reason, TPPs end up charging for access to their products and services.

Is open banking safe?

Open banking has security at its core. APIs allow for highly secure data transfers, and you’ll always have to authorise access to your financial data.

This means that only you have access to your security credentials and that you are always in control of what’s being shared with whom and for how long.

How can open banking ensure user safety?

Online payment fraud is greatly reduced by the implementation of zero-trust security protocols like Strong Customer Authentication (SCA). In order to comply with SCA requirements, payment providers have to confirm the user's identity through at least two independent pieces of information:

  • Something they own (e.g., smartphone)

  • Something they know (e.g., PIN code)

  • Something they are (e.g., fingerprint)

At least two of the previous conditions must be fulfilled in order for a transaction to be confirmed and accepted. SCA is mandatory, but there are some possible exemptions. Have a look at our dedicated Strong Customer Authentication page for more detailed information.

I had a problem with a TPP or bank. Who can I complain to?

As a standard, every TPP's privacy policy page states a direct point of contact for resolving issues. In the first instance, you should discuss any concerns you have directly with the third-party provider.

If needed, they also provide the contact details of the responsible regulator, which varies according to the country where the TPP is registered.

How is open banking regulated?

In Europe, everyone has the right to access their bank accounts and financial data through licensed and regulated third-party providers under the Revised Payment Services Directive (PSD2).

Payment service providers (PSPs) are obliged, under this EU legislation, to allow customers to securely share their data with third parties. Each Member State of the European Union (EU) and European Economic Area (EEA) has to designate a national competent authority to oversee PSD2 implementation and to allow PSPs to use open banking.

The overarching regulator for PSD2 in the EU and EEA is the European Banking Authority (EBA). In the UK, PSD2 regulation is enforced by the Financial Conduct Authority (FCA).

Who is responsible for handling open banking processes?

Third-party provider (TPP) is a term used to refer to a regulated business that provides financial products or services using open banking APIs. TPPs are also referred to as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).

These TPPs are responsible for the innovative financial solutions that make the best use of the customer data that was previously exclusive property of traditional banking.

What does AISP mean?

AISP is short for Account Information Service Provider. AISPs can use account information from people and businesses to provide a financial service. AISPs have to specifically request authorisation from data holders in order to use their information, and their access is read-only, which means that the third-party provider cannot make any transactions on behalf of its customer.

What is a PISP?

PISP means Payment Initiation Service Provider, and refers to a business that has permission to ask for consent from a consumer in order to connect to their bank account and initiate payments or transfers on their behalf.
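The consent, SCA, AISP and PISP answers above describe one access decision a bank has to make for every TPP request. The following is an added illustration (not code from this FAQ or from GoCardless) of that decision: a constructed consent record that can be revoked and resumed, a check that SCA factors come from two different categories (two PINs do not count), and a role check that keeps AISP access read-only while PISP consent may initiate payments. The names and the single-field consent record are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple

class Role(Enum):
    AISP = "account information"   # read-only access to account data
    PISP = "payment initiation"    # may initiate payments on the user's behalf

class Factor(Enum):
    POSSESSION = "something you own"    # e.g. a smartphone
    KNOWLEDGE = "something you know"    # e.g. a PIN
    INHERENCE = "something you are"     # e.g. a fingerprint

@dataclass
class Consent:
    """Hypothetical consent record the bank keeps for one TPP (assumption)."""
    tpp: str
    role: Role
    active: bool = True

    def revoke(self) -> None:
        # Withdrawing consent, via the TPP or the bank, stops further access.
        self.active = False

    def resume(self) -> None:
        # The user may reverse the revocation at any time.
        self.active = True

def sca_satisfied(factors: Iterable[Tuple[Factor, str]]) -> bool:
    """SCA requires two independent factors: count distinct categories,
    so a PIN plus a password (both KNOWLEDGE) is not enough."""
    categories = {category for category, _value in factors}
    return len(categories) >= 2

def authorise(consent: Consent, action: str,
              factors: Iterable[Tuple[Factor, str]]) -> bool:
    """Bank-side decision: may this TPP perform `action` under `consent`?"""
    if not consent.active:
        return False                      # consent revoked: nothing is shared
    if not sca_satisfied(factors):
        return False                      # user identity not confirmed
    if action == "read_transactions":
        return True                       # both AISPs and PISPs may read
    if action == "initiate_payment":
        return consent.role is Role.PISP  # AISP access is read-only
    return False                          # anything not consented to is denied
```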
