Skip to content

Open banking Glossary

Vitor Urbano
Written by

Last editedMay 20238 min read

Jump to: A | B | C | D | E | F | G | H | I | M | O | P | Q | R | S | T | V | W

Almost every single area of business is rich with its own terms and abbreviations. None so much as finance where you have specific processes, tools as well as regulations that all need accounting for.

This is why dedicated glossaries and word banks are needed. Here, you will find the open banking glossary with the essential open banking terms defined and explained!

Open Banking in simple terms

Open banking is a niche that is very closely linked to Fintech. This is why the glossary for open banking is filled with not only financial terms and abbreviations, but also important information about technical aspects and the technology that’s in place. Even though open banking engulfs a broad spectrum of services and products, some terms and abbreviations repeat throughout the field.

The essential open banking glossary is almost entirely comprised of abbreviations. These abbreviations are usually created in order to shorten already quite elongated terms and names for regulations, tools, and services.

• A •

Account to account (A2A)

Cardless payments directly from one bank account to another (for example credit transfers, immediate payments and direct debits).

Account information service provider (AISP)

A business that has access to bank account information. AISP’s mustn’t be confused with PISP’s because contrary to the latter, AISP are not able to initiate payments.

Account servicing payment service provider (ASPSP)

Account servicing payment service providers provide and maintain a payment account for a payer as defined by payment services regulations (PSRs) and, in the context of the open banking ecosystem, are entities that publish read/write application programming interfaces (APIs).

These APIs permit consented payments initiated by third party providers and/or make their customer account transaction data available to third party providers via their API endpoints.

API data

Application programming interface (API) data includes data made available to an API user or third party provider (TPP) through the API.

API provider

An application programming interface (API) provider is the service provider implementing an open data API, which provides open data via an API gateway.

API user

An application programming interface (API) user is any person or organisation who develops web or mobile apps that can access data from an API provider.

Application programming interface (API)

The main vehicle driving the open banking ecosystem forward. It is a connection between different software or devices that also establishes the rules on how these components and devices can and should interact.

ASPSP brand

An account servicing payment service provider (ASPSP) brand is any registered or unregistered trademark or other Intellectual Property Right provided by an ASPSP.

• B •

Business identifier code (BIC)

A business identifier code is the SWIFT address assigned to a bank that allows automated payments to be sent quickly and accurately to the banks concerned. It uniquely identifies the name and country of the bank involved.

• C •

Card based payment instrument issuer (CBPII)

A card-based payment instrument issuer is a payment services provider that issues card-based payment instruments that can be used to initiate a payment transaction from a payment account held with another payment service provider.


The nine largest banks and building societies in Great Britain and Northern Ireland based on the volume of current personal and business accounts:

  • AIB Group (UK) plc trading as First Trust Bank in Northern Ireland

  • Bank of Ireland (UK) pls.

  • Barclays Bank pls.

  • HSBC Group

  • Lloyds Banking Group pls.

  • Nationwide Building Society

  • Northern Bank Limited, trading as Danske Bank

  • The Royal Bank of Scotland Group pls.

  • Santander UK plc, in Great Britain and Northern Ireland

CMA order

The Retail Banking Market Investigation Order 2017.

CMA remedies

Remedies that the Retail Banking Market Investigation Order 2017 (CMA) deemed appropriate to introduce to address a number of key features of the UK retail banking market considered to have an adverse effect on competition.

These remedies include a requirement for the UK banking industry to adopt a subset of Her Majesty's Treasury (HMT) proposals for open banking.

Competent authority

A competent authority, in the context of the open banking ecosystem, is a governmental body, regulatory or supervisory authority that is responsible for the regulation or supervision of the subject matter concerning participants.

Competition and markets authority (CMA)

The Competition and Markets Authority is a non-ministerial government department in the United Kingdom responsible for strengthening business competition and preventing and reducing anti-competitive activities.

Clearing settlement mechanism (CSM)

Includes processes underlying all payment transactions exchanged between two payment service providers (PSPs). They are invisible to the end-users of the payment schemes, yet they are indispensable in transferring money from one account to another when two different PSPs are involved.

• D •

Dynamic client registration (DCR)

Dynamic client registration allows trusted third parties to register themselves with an account services payment services provider (ASPSP).


The open banking directory is the core infrastructure of our ecosystem — it enables participants to request and grant access to customer financial data in a secure, consented way via open banking application programming interfaces (APIs).

Directory sandbox

The open banking directory sandbox is a testing area for the directory, where developers can easily experiment with all the features of the infrastructure, making sure every aspect is working as desired before going live. The directory sandbox can be used to support application testing with test API endpoints and testing integration within the open banking directory.

• E •

European banking authority (EBA)

The European Banking Authority is an independent EU Authority that works to ensure effective and consistent prudential regulation and supervision across the European banking sector.

European banking authority regulatory technical standards (EBA RTS)

The European Banking Authority develops Regulatory Technical Standards, which are submitted to the European Commission for endorsement. Regulatory Technical Standards are a set of detailed compliance criteria defined for all parties that cover areas, such as data security, legal accountability and other processes.

Electronic identification, authentication, and trust service (eIDAS)

Yet one more EU regulatory document, outlining how electronic identification and trust-related factors of digital transactions should be handled in the European Union and EEA markets.

European payments council (EPC)

Institution responsible for managing Single Euro Payments Area (SEPA) schemes, which are the rules underlying most euro credit transfers and direct debits within Europe.

• F •

Financial conduct authority (FCA)

The Financial Conduct Authority is the conduct regulator for 56,000 financial services firms and financial markets in the UK, and the prudential regulator for over 18,000 of those firms.

• G •

General data protection regulation (GDPR)

A regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).

• H •

Host card emulation (HCE)

Technology used to store card credentials in the cloud instead of mobile devices.

• I •

International bank account number (IBAN)

An international bank account number is a standard international numbering system developed to identify an overseas bank account. The number starts with a two-digit country code, followed by two numbers, ending with several more alphanumeric characters.

• M •

Mandatory ASPSP

Mandatory account servicing payment service providers (ASPSPs) are entities that are required by the CMA Order to enrol with open banking regulations.

Modified customer interface (MCI)

The method by which a third party provider (TPP), payment initiation services provider (PISP) or account information services provider (AISP) accesses bank accounts through an online bank/customer portal as an alternative to using an application programming interface (API).

• O •

Open API

An open API, or public API, is a free-to-use, publicly available application programming interface (API) that provides developers with programmatic access to a proprietary software application.

Open banking ecosystem

The open banking ecosystem refers to all the elements that facilitate the operations needed to conduct open banking services. This includes the application programming interface (API) standards, governance, systems, processes, security, and procedures used to support participants.

Open banking implementation entity (OBIE)

The Open Banking Implementation Entity is the delivery organization working with the CMA9 and other stakeholders to define and develop required application programming interfaces (APIs), security and messaging standards that underpin open banking. Otherwise known as Open Banking Limited.

Open banking services

The open banking services provided to participants, including, but not limited to, the provision and maintenance of standards and the directory.

Open data

Information on ATM and branch locations and product information for personal current accounts, business accounts (for SMEs), and SME unsecured lending, including commercial credit cards. Open data is data that anyone can access, use or share.

• P •


An application programming interface (API) provider, API user, account servicing payment service provider (ASPSP), or third party provider (TPP) that participates in the open banking ecosystem.

Payment initiation services provider (PISP)

This one is a bit more complex. PISP indicates a business that sells services online and can initiate an order for payment per the request of the user. The PISP company must follow and respect the rules and regulations for the payment account which is owned by the user at the payment service provider. To simplify — the PISP service provider is usually an intermediary between a service provider and a financial institution.

Payment services provider (PSP)

A payment services provider is an entity that carries out regulated payment services, including account information services providers (AISPs), payment initiation services providers (PISPs), card based payment instrument issuers (CBPIIs) and account servicing payment service providers (ASPSPs).

Payment services regulations (PSR)

The Payment Services Regulations 2017, the UK’s implementation of PSD2, is amended or updated from time to time and includes the associated regulatory technical standards as developed by the EBA.

Primary business contact (PBC)

A primary business contact is an individual nominated by an entity to have access to the directory and have the ability to nominate other directory business users. This should be a formal business point of contact with a senior member of staff responsible for systems and controls related to open banking.

Primary technical contact (PTC)

A primary technical contact is an individual nominated by the entity to have access to the directory and have the ability to nominate other directory technical users. This should be a main point of contact on technical configuration with a senior member of staff responsible for management of the open banking digital identity.

Point of sale (POS)

Point of sale is the time and place where a retail transaction is completed.

• Q •

Qualified certificate for electronic seals (QSealC)

The qualified certificate for electronic seals is used for identity verification at the application layer to protect transactional information from potential attacks.

This means that the person receiving digitally signed data can be certain about who signed the data and that it has not been changed. It is used to sign application programming interface (API) or/ HTTP requests.

Qualified trust service provider (QTSP)

Entities regulated to provide trusted digital certificates under the electronic Identification and signature (eIDAS) regulation.

Qualified website authentication certificate (QWAC)

Comparable to SSL certificates, QWAC is the term used to describe identification measures at the authentication step. QWAC is often used to authenticate websites and service pages of third-party, account information, or other service providers in the field.

• R •

Read/write API

A read/write application programming interface (API) enables third party providers, with the end customer’s consent, to request account information. This includes the transaction history of personal and business accounts and/or initiates payments from those accounts.

Read/write data

Read/write data includes personal current account and business current account transaction data sets made available by account servicing payment service providers (ASPSPs) in accordance with the read/write data standard.

Revised payment services directive (PSD2)

The most important EU legislative act and directive that regulates service, related to payments. It’s aimed at providers of financial services and outlines how they should do business in the EU and EEA.

• Risk-based authentication (RBA)

Risk-based authentication is a method of applying varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised.

• S •

Small and medium-sized Enterprises (SMEs)

Small and medium-sized enterprises by scale of business, as defined by the Competition and markets authority (CMA), with a turnover <€10m p.a. (small enterprises) or <€50m p.a. (medium enterprises).


Standards are the data standards and security standards in accordance with which account servicing payment service providers (ASPSPs) will be required to make read/write application programming interfaces (APIs) available.

Strong customer authentication (SCA)

Strong customer authentication, as defined by the European Banking Authority (EBA) regulatory technical standards, is authentication based on the use of two or more elements categorised as:

  • Knowledge (something only the user knows [for example, a password])

  • Possession (something only the user possesses [for example, a particular mobile phone and number])

  • Inherence (something the user is [or has, for example, a fingerprint or iris pattern])

These elements are independent, so that the breach of one does not compromise the others, and is designed in such a way as to protect the confidentiality of the authentication data.

Software statement assertion (SSA)

The software statement assertion (SSA) is a JSON web token (JWT) containing client metadata during registration or association processes of third party provider (TPP) client software. The JWT is issued and signed by the open banking directory.

• T •

Third party provider (TPP)

TPP is used to define all businesses that utilize API technology for the sake of accessing accounts and relevant financial information of clients. Everything is done in accordance with PSD2 standards, of course. TPP’s are usually also PISP’s or AISP’s, or both.

• V •

Voluntary ASPSP

Voluntary account servicing payment service providers (ASPSPs) are entities which, although not obliged to enrol with open baking, have elected to do so in order to utilise the standards to develop their own application programming interfaces (APIs), enrol into the open banking directory, and use the associated operational support services.

• W •

Web token

A web token is a highly secure format used to transmit sensitive information between two parties in a compact and self-contained manner. Web tokens are often used to strengthen authentication processes, whether that be within a website or application.

Over 85,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.

Get StartedLearn More
Interested in automating the way you get paid? GoCardless can help
Interested in automating the way you get paid? GoCardless can help

Interested in automating the way you get paid? GoCardless can help

Contact sales

Try a better way to collect payments, with GoCardless. It's free to get started.

Try a better way to collect payments

Learn moreSign up