What is an open banking API and how does it work?
Open Banking APIs are changing banking. The Open Banking initiative is enabling banking customers to share their account information securely with Third Party Providers (TPPs). This is accomplished through Application Programming Interfaces (APIs) which allow TPP programs to communicate with the banks’ applications. The objective is to promote innovation in digital banking and accelerate the development of new financial applications and improved services for businesses and consumers.
Open Banking came into force in the UK in 2018 under an order from the Competition and Markets Authority (CMA) directing the largest banks to open their systems to TPPs. That same year, the European Union's revised Payment Services Directive (PSD2) took effect with the same objective, while also mandating new security requirements for access to payment accounts and financial transactions.
A typical use of an Open Banking API is aggregating data from different bank accounts into a single view provided by a TPP application. There are two types of TPP. Payment Initiation Service Providers (PISPs) connect to a customer's bank account and initiate payments on behalf of the customer. Account Information Service Providers (AISPs) connect to a customer's bank account with read-only access and use the data to provide a financial service, such as money management.
Benefits of open banking APIs
Since one of the long-term outcomes of Open Banking will be increased competition, incumbent banks have been reluctant to embrace it. Historically they have been in competition with fintech companies to provide their customers with better financial services. But Open Banking actually provides banks with the opportunity to explore new business models where they collaborate and partner with emerging fintechs and other banks instead of trying to compete with them. And customers ultimately benefit as Open Banking gives them greater control over their transactional data.
It's a win-win situation for both the banking customer experience and for financial institutions. The customer gets better access to and control of their accounts and finances, and can take advantage of new features and services. Financial institutions can offer their customers improved services and participate in a revenue-sharing ecosystem. According to an Insider Intelligence article entitled How open banking and bank APIs are boosting fintech growth, the research firm "projects the revenue potential in the UK generated through Open Banking-enabled small- and medium-sized businesses (SMBs) and retail customer propositions to reach $2 billion by 2024."
Banks, and therefore their customers, can be the big winners by using Open Banking APIs to open up their applications to fintechs. A few benefits include:
- Faster Innovation: Fintechs typically can innovate and develop new applications and functionality faster than incumbent bank IT teams.
- Increased Revenue: Fintechs are better positioned to take on and deliver technology build projects, letting banks bring new, revenue-generating products to market without building them in-house.
- Detailed Customer Insights: Fintechs can connect with banks’ customer data to provide customer financial trends and patterns.
- Personalized Offers: Using customer financial trends and patterns, fintechs can improve customer engagement by offering personalized services and recommendations.
Examples of banks using open banking APIs
Across the financial industry, some of the best known and largest banks, financial institutions, lenders, and fintech startups are already using Open Banking APIs to offer improved financial products and services. Here are a few examples:
- Telefonica Deutschland's O2 Banking: Telefonica Deutschland launched a mobile-only bank account which offers transactions via mobile phone number, small instant loans, and better mobile data plans, built on the German bank Fidor's platform.
- Wave Integration of Customer Financial Information: Invoice and accounting software Wave uses banking APIs to connect to a user’s bank account, empowering its clients with full control of their business finances in one place.
Open banking initiatives
There are two primary categories of drivers of Open Banking initiatives around the world: market-driven initiatives and regulatory initiatives.
In market-driven environments, such as the United States and some Asian countries including Japan, Singapore, India, and South Korea, regulators are leaving it to the players, banks and TPPs, to take the initiative in deploying Open Banking APIs. Many major banks in the US have started their own initiatives and are working with TPPs. In the US, for example, Open Banking is still largely based on screen scraping, where a fintech logs in to the bank's website or app with the customer's own credentials and extracts the data displayed there. Because that means customers hand their banking credentials to a third party, the industry is expected to transition to APIs, which are more secure and reliable.
In regulatory-driven environments, such as the UK and Europe, initiatives have been driven primarily by PSD2. Hong Kong has also taken the regulatory approach and allows financial institutions to choose which TPPs they collaborate with.
Another thing worth noting is the Open Banking approach in Australia. This may be the most ambitious and most innovative approach to Open Banking so far. Australia is actually moving beyond Open Banking and proposing an Open Data economy, whereby Australian citizens can not only request retail banking institutions to enable data sharing with third party providers, but also other companies like energy providers or telecommunications companies, for example.
Security risks with open banking APIs
The opening of banking applications to TPPs does come with risks that need to be addressed. Fraud prevention must be a top priority for all parties. Frederik Mennes, head of OneSpan’s Security Competence Center, breaks these risks into three types.
- First, financial institutions are opening their systems and sharing consumer data with TPPs, so it is incumbent on the financial institution to work only with trustworthy TPPs. A malicious or unauthorized TPP must not be allowed access to that data.
- Second, the users of the applications provided by the TPPs must be properly authenticated when they access an account at the bank, to prevent unauthorized access. This can require additional authentication such as Strong Customer Authentication (SCA).
- Third, the TPP's systems effectively become an extension of the bank's own IT infrastructure. If the TPP suffers a data breach or is otherwise compromised, the bank and its customers may be impacted as well.
How to protect banks against security threats
The first risk described above involves unauthorized TPPs trying to access the bank's accounts. To protect against this, banks can require the TPP to digitally sign every request. Each TPP holds a public/private key pair with a corresponding certificate issued by a trustworthy certificate authority (under PSD2, a qualified certificate issued under eIDAS to a licensed provider), and uses the private key to authenticate itself when it calls the Open Banking interfaces. The bank, for its part, must check that the certificate chains to a CA it trusts and that the signature matches the request as received, so that a request from an unknown TPP, or one altered in transit, is rejected before it reaches the account.
To address the risk of unauthorized users accessing the bank's accounts, banks must use strong customer authentication and transaction monitoring as directed under PSD2. Among other requirements, PSD2 mandates risk-based authentication: the level of authentication required to process a request depends on the risk of the transaction being requested. For example, after logging in to online banking, a request from a customer to check their balance may be processed seamlessly, but a request to transfer funds may prompt the user for stronger authentication.
PSD2 and its associated Regulatory Technical Standards (RTS) mandate that fraud monitoring be performed and Strong Customer Authentication (SCA) applied to the majority of online payments, including those that occur through Open Banking APIs. SCA has to be applied both to access to payment account information and to every payment initiation, including transactions via Open Banking, unless an exemption applies under the RTS. Applying an exemption is optional: a bank may use one where the RTS allows it, but it is never obliged to.
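The request signing and bank-side verification described above, as an added example in Go that is not code from this page, from OneSpan, or from any Open Banking standard. The wire format, the digest layout, the five-minute replay window and the certificate fixtures are all assumptions of the example: a demo CA stands in for the trusted certificate authority, a TPP signs each request with the private key behind its certificate, and the bank accepts a request only if the certificate chains to a CA it trusts and the signature matches the request exactly as received.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedRequest is a hypothetical wire format: the request fields, the TPP's
// certificate, and an ECDSA signature over digest() of those fields.
type SignedRequest struct {
	Method, Path             string
	Timestamp                int64 // Unix seconds, covered by the signature
	Body, CertDER, Signature []byte
}

// digest binds method, path, timestamp and body hash into the one signed value, so none can change in transit unnoticed.
func digest(method, path string, ts int64, body []byte) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s\n%s\n%d\n%x", method, path, ts, sha256.Sum256(body))))
	return sum[:]
}

// Sign is the TPP side: sign the digest with the private key behind its certificate.
func Sign(key *ecdsa.PrivateKey, cert *x509.Certificate, method, path string, ts int64, body []byte) (*SignedRequest, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(method, path, ts, body))
	if err != nil {
		return nil, err
	}
	return &SignedRequest{method, path, ts, body, cert.Raw, sig}, nil
}

// Verify is the bank side: the certificate must chain to a CA the bank trusts, the signature must
// match the request exactly as received, and the timestamp must be recent so a captured request cannot be replayed.
func Verify(roots *x509.CertPool, req *SignedRequest, now time.Time) error {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return fmt.Errorf("malformed certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted TPP: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest(req.Method, req.Path, req.Timestamp, req.Body), req.Signature) {
		return errors.New("signature does not match the received request")
	}
	if age := now.Unix() - req.Timestamp; age < 0 || age > 300 { // 5-minute window: an assumed policy
		return errors.New("timestamp outside the replay window")
	}
	return nil
}

// newCert is a demo fixture: a self-signed CA when parent is nil, otherwise a leaf issued by parent. Panics on failure.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo returns the bank's verdict for four constructed requests: genuine, altered after
// signing, certified by a CA the bank does not trust, and replayed an hour after signing.
func Demo() map[string]error {
	bankCA, bankKey := newCert("Bank-trusted CA", nil, nil)
	rogueCA, rogueKey := newCert("Rogue CA", nil, nil)
	tpp, tppKey := newCert("Licensed TPP", bankCA, bankKey)
	impostor, impostorKey := newCert("Impostor TPP", rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(bankCA)
	now, body := time.Now(), []byte(`{"amount":"10.00","currency":"EUR"}`) // constructed sample body
	send := func(k *ecdsa.PrivateKey, c *x509.Certificate, ts int64) *SignedRequest {
		r, _ := Sign(k, c, "POST", "/payments", ts, body) // rand failure is not a concern in a demo
		return r
	}
	tampered := send(tppKey, tpp, now.Unix())
	tampered.Body = []byte(`{"amount":"9999.00","currency":"EUR"}`) // altered after signing
	return map[string]error{
		"genuine":      Verify(roots, send(tppKey, tpp, now.Unix()), now),
		"tampered":     Verify(roots, tampered, now),
		"untrusted CA": Verify(roots, send(impostorKey, impostor, now.Unix()), now),
		"replayed":     Verify(roots, send(tppKey, tpp, now.Add(-time.Hour).Unix()), now),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-12s -> %v\n", name, err)
	}
}
```

Run it and the genuine request verifies while the tampered, untrusted-CA and replayed requests are each rejected with a reason. In production the bank would additionally check revocation and the TPP's authorised role (AISP or PISP) from the certificate, and the signature would cover the headers a real signing profile specifies rather than this simplified digest.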
In the context of Open Banking fraud analytics programs, solutions such as OneSpan Risk Analytics support the monitoring of events coming from a TPP operating one or several Open Banking services through Open Banking APIs published by the bank. OneSpan Risk Analytics provides pre-built rule scenarios covering PSD2 fraud monitoring requirements, business logic, and typical fraud scenarios. These rules support digital banking channels, including Open Banking.
The open APIs required by PSD2 will lead to new, innovative banking services and apps. At the same time, however, banks must prevent criminals from accessing customer data and transactions. Banks and TPPs must therefore be aware of the risks and offer sufficient protection. Learn more in this blog: Open Banking APIs under PSD2: How to Mitigate Risk.
Strong customer authentication
To pass SCA, the customer must successfully authenticate using multifactor authentication (MFA). In the context of online payments under PSD2, this means that the customer must provide two independent factors drawn from two different categories; two factors of the same category (a password and a PIN, for example) do not count. The three categories are:
- Knowledge: something the user knows, e.g. their password, PIN, etc.
- Possession: something the user has, e.g. their mobile phone, etc.
- Inherence: something the user is, e.g. their fingerprint, palm print, etc.
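A risk-based SCA decision that combines the two points above, step-up by transaction risk with an optional exemption, and two factors from different categories, as an added Go example that is not code from this page or from OneSpan. The request model, the session counters and the low-value thresholds (EUR 30 per payment, and EUR 100 or 5 payments cumulative since the customer last completed SCA, as the editor reads the RTS low-value exemption) are assumptions of the example; a real bank would also feed its fraud-monitoring score into the same decision.

```go
package main

import "fmt"

// Factor is one of the three SCA categories named above: knowledge, possession, inherence.
type Factor string

const (
	Knowledge  Factor = "knowledge"
	Possession Factor = "possession"
	Inherence  Factor = "inherence"
)

// MeetsSCA reports whether the presented elements amount to SCA: at least two
// elements from different categories. A password plus a PIN is still one category.
func MeetsSCA(presented []Factor) bool {
	categories := map[Factor]bool{}
	for _, f := range presented {
		categories[f] = true
	}
	return len(categories) >= 2
}

// Low-value exemption thresholds: an assumption of this example, following the
// editor's reading of the PSD2 RTS (EUR 30 per payment; EUR 100 or 5 payments
// cumulative since the customer last completed SCA).
const (
	lowValueMax        = 30.0
	lowValueCumulative = 100.0
	lowValueCount      = 5
)

// Session is the bank-side state needed for the exemption counters.
type Session struct {
	AuthenticatedWithSCA bool    // SCA completed at login
	AmountSinceSCA       float64 // EUR spent under the exemption since last SCA
	CountSinceSCA        int
}

// Request is a constructed model of what a TPP call asks the bank to do.
type Request struct {
	Action    string // "balance" or "payment"
	AmountEUR float64
	Presented []Factor // authentication elements supplied with this request
}

type Outcome string

const (
	Allowed  Outcome = "allowed"
	NeedsSCA Outcome = "step-up: SCA required"
	Denied   Outcome = "denied"
)

// Decide applies the risk-based policy: a balance read after an SCA login passes
// without a new challenge; a payment passes if SCA was just performed or if it
// fits the low-value exemption (which this bank has chosen to apply); anything
// else is stepped up to SCA. Unknown actions are denied rather than guessed at.
func Decide(s *Session, r Request) Outcome {
	switch r.Action {
	case "balance":
		if s.AuthenticatedWithSCA {
			return Allowed
		}
		return NeedsSCA
	case "payment":
		if MeetsSCA(r.Presented) {
			s.AuthenticatedWithSCA = true
			s.AmountSinceSCA, s.CountSinceSCA = 0, 0 // exemption counters reset after SCA
			return Allowed
		}
		exempt := r.AmountEUR <= lowValueMax &&
			s.AmountSinceSCA+r.AmountEUR <= lowValueCumulative &&
			s.CountSinceSCA < lowValueCount
		if exempt {
			s.AmountSinceSCA += r.AmountEUR
			s.CountSinceSCA++
			return Allowed
		}
		return NeedsSCA
	}
	return Denied
}

// Demo walks one constructed session and returns the outcome of each step.
func Demo() []Outcome {
	s := &Session{AuthenticatedWithSCA: true} // customer logged in with password + phone OTP
	steps := []Request{
		{Action: "balance"},                // allowed: SCA done at login
		{Action: "payment", AmountEUR: 25}, // allowed: low-value exemption (25/100, 1/5)
		{Action: "payment", AmountEUR: 25}, // allowed (50/100, 2/5)
		{Action: "payment", AmountEUR: 25}, // allowed (75/100, 3/5)
		{Action: "payment", AmountEUR: 25}, // allowed (100/100, 4/5)
		{Action: "payment", AmountEUR: 10}, // step-up: cumulative would exceed 100
		{Action: "payment", AmountEUR: 10, Presented: []Factor{Knowledge, Knowledge}},  // step-up: one category twice
		{Action: "payment", AmountEUR: 10, Presented: []Factor{Knowledge, Possession}}, // allowed: SCA, counters reset
		{Action: "payment", AmountEUR: 50}, // step-up: above the per-payment limit
		{Action: "limit-change"},           // denied: action the policy does not know
	}
	var out []Outcome
	for _, r := range steps {
		out = append(out, Decide(s, r))
	}
	return out
}

func main() {
	for i, o := range Demo() {
		fmt.Printf("step %d: %s\n", i+1, o)
	}
}
```

The point of the distinct-category check is that a second knowledge factor adds nothing against a phished password; the point of the counters is that an exemption is a bounded concession the bank tracks per customer, not a blanket waiver.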
There are three methods of accomplishing SCA:
- A redirect approach with the bank's web application
- An embedded approach directly through the TPP application
- A decoupled approach with the bank's mobile trusted device application
In the redirect approach users are redirected to the website of their bank to enter their authentication credentials, so the TPP never sees them. In the embedded approach the customer enters their credentials in the TPP application, which passes them to the bank and initiates the payment in the background; here the TPP handles the customer's credentials, so the bank must be able to trust it. In the decoupled approach the second factor is provided on a separate device (for example the bank's mobile app) from the one requesting the transaction.
On to open finance
Open Banking is still fairly new to the banking industry. But financial organizations are already talking about taking it to the next step – Open Finance. Open Banking initiatives apply primarily to payment accounts. Now it’s time to apply the concept to all accounts so consumers can get a holistic view of their personal finances and financial data. There is no reason why the new services, techniques and benefits of Open Banking can’t be applied to other financial accounts such as mortgages, investments, pensions and insurance.
Tyrrell, Darcy, Yodlee, “Open Banking APIs Explained,” June 2020, https://www.yodlee.com/open-banking/open-banking-api
Belmaker, Gidon, TearSheet, “7 Examples Showing the Power of Banking APIs,” November 2016, https://tearsheet.co/artificial-intelligence/7-examples-showing-the-power-of-banking-apis/
Mennes, Frederik, OneSpan, “Security and Compliance in an Open Banking World,” https://www.onespan.com/resources/video-open-banking-security-considerations