In July the Open Banking Implementation Entity released specifications for the ‘Read/Write’ payment initiation and account information Application Programming Interfaces (APIs) that will go live in January 2018.
This follows the release in March 2017 of the ‘Open Data’ APIs, offering standardised information on UK banking products and the location of branches and Automated Teller Machines (ATMs) throughout the country – writes James Whittle, Director International Standards and Services, Payments UK – in this article which first appeared in the EPC Newsletter.
These APIs form the core deliverables of the Open Banking programme in the UK, a world-leading collaborative effort to develop standardised APIs that will open up the banking industry for the benefit of consumers and businesses alike.
The UK got a head start on Open Banking in 2015 through the creation of the Open Banking Working Group (OBWG) set up at the request of HM Treasury. Bringing together industry experts from the banking, FinTech, consumer and business communities, it developed the first Open Banking Standard framework which guides how open banking data should be created and used.
The mandate to develop and implement the Standard emerged from the Competition and Markets Authority (CMA) retail banking market investigation which concluded in 2016. The review found that the UK’s older and larger banks do not have to work hard enough to win and retain customers. One of the key reforms (‘remedies’) was the delivery of Open Banking, which would enable customers to share – with their express consent – their own bank data securely with third parties through standardised APIs.
The remedy mandated the nine largest banks in the UK (the ‘CMA9’) to build and fund an Open Banking Implementation Entity that would deliver the APIs, but to do so in a broad and inclusive way through consultation with challenger banks, FinTechs, third parties and consumer groups.
PSD2 vs Open Banking
The Open Banking deliverables are split between March 2017 (Open Data APIs) and January 2018 (Read/Write APIs). The Open Data APIs are unique to the UK and separate from any requirements in the revised Payment Services Directive (PSD2).
Reflecting the competition focus of the , they standardise publicly available product reference information such as current account features as well as ATM and branch locations to help customers compare products and services more easily.
The second part of the remedy – the Read/Write APIs – aligns with the PSD2 transposition deadline of 13 January 2018 to enable authorised third parties to extract transactional information and initiate payments on behalf of customers using standardised APIs.
For example, only the nine mandated institutions are in scope of Open Banking as opposed to all payment service providers under PSD2. The CMA remedy only covers personal and business current accounts; whereas PSD2 applies to all payment accounts accessible online.
The fact that the CMA9 are required to deploy access to account and payment initiation APIs by January 2018 has helped to drive forward the design and build in the UK, but has opened up the risk that the solution fragments from PSD2 and the rest of Europe.
The Role of the Stakeholder Group
Despite clear differences in mandated parties, timelines and deliverables, the CMA Order requires Open Banking to align with PSD2 requirements where there is any overlap in scope; for example, on requirements for Secure Customer Authentication (SCA), professional indemnity insurance, on the liability and trust models, and in the use of standardised API interfaces.
The Stakeholder Group was created to guide the Open Banking Implementation Entity towards PSD2 convergence in these areas, to help prevent fragmentation, and to work more widely with the industry under Payments UK on the practical implementation of PSD2.
Its more than 300 members include a wide variety of experts (Third Party Payment Service Providers (TPPs), Account Servicing Payment Service Providers (ASPSPs) and others) from the UK, Europe and beyond who contribute to Open Banking via specialist working groups and who input expertise into the programme on compliance more generally.
Beyond Open Banking: Challenges and Opportunities
Driven by the CMA mandate to deliver Open Banking APIs by January 2018, the UK is at the forefront of API development. This is not without its challenges.
The CMA9 must launch the Read/Write APIs well ahead of the expected adoption (mid-2019) of the European Banking Authority (EBA) Regulatory and Technical Standards (RTS), which provide the underlying security and communication framework for both PSD2 and Open Banking. The General Data Protection Regulation (GDPR) introduces a further twist.
It comes into force in May 2018 and lays down much stricter rules around customer consent that must be balanced against requirements in PSD2 aimed at widening access to customer account information. Navigating the interim period between transposition and enforcement of the EBA RTS, and addressing the parallel challenge of GDPR, are now the focus of the PSD2 Stakeholder Group.
As the nine mandated institutions deliver the final set of Open Banking APIs in January 2018 and move toward completion of the CMA Order, the community as a whole is starting to focus on how the UK will achieve PSD2 compliance.
For example, the Group recently discussed the value of defining optional market practice as a way to help the transition from PSD2 towards RTS. It has even begun to define the basis for a framework approach that could address the implementation of standards, rules and practices to support the market during the PSD2 transition starting in January 2018.
One obvious opportunity is to create fully PSD2-compliant API standards that build on the pioneering work of the Open Banking programme and that are interoperable with European standardisation initiatives.
This article was written by James Whittle, Director International Standards and Services, Payments UK and published in the EPC Newsletter – September 2017.