The Open Banking Revolution – Time for Change


What is Open Banking and why should I care?

Open banking is the use of public application programming interfaces, most commonly called Open APIs, to enable third-party developers to build apps and services around more traditional banking and financial services.

In addition to the Open APIs empowering this, open banking also refers to an influx of open data and a greater financial transparency, as well as leveraging open source technology to make it all happen.

Open Banking is important because it gives you better access to your data, which allows you to make better and more informed choices about the financial products that are right for you. It will also drive competition within the financial services sector, promoting innovation and allowing new and better products and services to be developed.

It is designed to give customers more control over their information, leading to more choice in their banking and more convenience in managing their money—thus resulting in more confidence in the use and value of an asset mostly undiscovered by customers: their data.

“IT’S A QUIET REVOLUTION THOUGH….92% OF PEOPLE HAD NOT EVEN HEARD OF OPEN BANKING”

What about Security?

Security has been the main concern of the open banking debate. Financial institutions and other companies that participate in open banking will need to adhere to strict security standards when accessing and storing your data, and will be subject to the privacy act. These organisations will also only be able to access your data at your request and use it only for what you have asked.

Let’s break down Open Banking in more detail:

Since PSD2 came into force in Europe, we have seen the entrance of Third Party Providers (TPPs). The types of TPPs impacted by PSD2 include:

  • Payment Initiation Service Provider (PISP)
  • Account Information Service Providers (AISP)

PISPs are companies which access a customer's bank account to initiate transactions (e.g. debits and credits).

  • Examples of PISPs include Stripe, PayU and Trustly.

AISPs are companies which can access customer account data to provide financial management services.

  • Examples of AISPs include Spiir, Meniga, YOLT and Wealthfront.

Considerations when implementing Open Banking:

Consent:

The use of OAuth 2.0 is critical here: a third party that wants to access data must first send the customer to the bank, which strongly authenticates the customer and requests their consent before issuing the third party an access token that grants that access.

APIs & Security

Most organizations did not have Open Banking in mind when they designed their APIs and security platforms. They now need to find secure ways to expose their APIs, many of which are likely running on top of legacy platforms.

Strong Customer Authentication

In Europe, PSD2 mandates that financial institutions must enforce Strong Customer Authentication (SCA) when customers perform certain actions, and this includes Open Banking. Typically, when considering authentication mechanisms, we consider three factors: knowledge (something you know), possession (something you have) and inherence (something you are).
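The consent flow described under Consent and the SCA check above, as an added Python sketch that is not code from the original post or from any bank or TPP: the TPP redirects the customer to the bank with a session-bound state value, the bank enforces two distinct factors and explicit, scoped consent before issuing a single-use authorization code, and the resulting access token only unlocks the data the customer consented to. The endpoints, client id, customer name and balance are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
# Constructed demo: bank and TPP endpoints are assumed values, not real ones.
BANK_AUTHORIZE = "https://bank.example/authorize"
TPP_CLIENT_ID, TPP_REDIRECT = "tpp-demo", "https://tpp.example/callback"

class BankAuthServer:
    """In-memory stand-in for the bank's OAuth 2.0 authorization server."""
    def __init__(self):
        self.codes = {}   # auth code -> (client_id, scope, customer)
        self.tokens = {}  # access token -> (scope, customer)
    def authorize(self, query, customer, factors, consent_given):
        # SCA first: two distinct factors (knowledge/possession/inherence).
        if len(set(factors)) < 2:
            raise PermissionError("strong customer authentication required")
        if not consent_given:  # consent is explicit and scoped
            raise PermissionError("customer declined consent")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (query["client_id"], query["scope"], customer)
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})
    def token(self, client_id, code):
        client, scope, customer = self.codes.pop(code)  # single-use code
        if client != client_id:
            raise PermissionError("code was issued to a different client")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (scope, customer)
        return tok
    def accounts(self, token):
        scope, customer = self.tokens[token]
        if "accounts" not in scope.split():  # token unlocks only what was consented
            raise PermissionError("token not consented for account data")
        return {"customer": customer, "balance": 1234.56}

class TPP:
    def start(self, scope):
        self.state = secrets.token_urlsafe(16)  # binds the callback to this session
        return BANK_AUTHORIZE + "?" + urlencode({"response_type": "code",
            "client_id": TPP_CLIENT_ID, "redirect_uri": TPP_REDIRECT,
            "scope": scope, "state": self.state})
    def callback(self, url):
        q = parse_qs(urlparse(url).query)
        if not secrets.compare_digest(q["state"][0], self.state):
            raise PermissionError("state mismatch: callback is not ours")
        return q["code"][0]

def run_flow(scope="accounts", factors=("password", "otp"), consent=True):
    bank, tpp = BankAuthServer(), TPP()
    query = {k: v[0] for k, v in parse_qs(urlparse(tpp.start(scope)).query).items()}
    code = tpp.callback(bank.authorize(query, "alice", factors, consent))
    return bank.accounts(bank.token(TPP_CLIENT_ID, code))
```

Calling run_flow() with a single factor, with consent refused, or with a scope that excludes account data raises PermissionError at the step that fails, which is the behaviour a bank should be able to show an auditor.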

Trust & Governance

Institutions need to determine if a third party is fit to access customer data. In the UK the Open Banking directory, managed by the FCA, delivers this assurance; at this time, however, no such facility exists across the rest of the world. Organizations outside of the UK must therefore implement their own third-party governance processes and the means to enforce them.

Enabling Developers

Many of the organizations now grappling with Open Banking have never really had to think about the developer experience before.

Designing, publishing and documenting a set of APIs, and making them as easy as possible to view and use, is not a simple problem and it requires a whole different way of thinking. Standardization across the APIs is a key requirement of the design.

PSD2 also mandates that organizations make available a development sandbox that allows third parties to test their integrations in advance.

Where is Open Banking available and what other countries are implementing it?

Since 13th January 2018, Open Banking has been 'live' in the United Kingdom. Many financial institutions are partially 'live' with Open Banking, but they will admit there is a lot more to do before they are fully compliant.

Across the EU, PSD2 was transposed into member states' domestic laws in Jan 2018. Between November 2018 and April 2019, institutions need to be compliant or face penalties.

Australia is another country where the government is enforcing rules around open banking, beginning in 2017.

The Australian Government will phase in Open Banking with the aim that the four major banks will make data available on credit and debit card, deposit and transaction accounts by 1 July 2019 and mortgages by 1 February 2020, including for joint accounts where digital authorizations to transact on the accounts already exist. Consumer data on all products recommended by the Review will be available by 1 July 2020.

How can financial institutions benefit from tools to get started with Open Banking?

Some key areas when implementing an open banking strategy in terms of technology include having a developer portal containing the APIs. Easy-to-follow documentation is crucial here.

Having a sandbox environment is also important when designing and developing these open APIs. Many financial institutions will see the need for virtualized or mocked services where responses can be edited from a definition or routed from a third party, and where authorization (OAuth 2.0) and behavior (bandwidth/congestion) can be simulated, to act as a production-like environment.