What is an Open Banking API and how does it work?
Open Banking APIs are changing banking. The open banking initiative allows bank customers to securely share their account information with third-party providers (TPPs). This is achieved through application programming interfaces (APIs) that allow TPP programs to communicate with banks' applications. The goal is to foster innovation in digital banking and accelerate the development of new financial applications and improved services for businesses and consumers.
Open Banking was initiated in 2018 by the U.K. Competition and Markets Authority (CMA), which directed banks to open their applications to TPPs. In the same year, the European Union pursued the same goal by updating the Payment Services Directive (PSD2), while imposing new security rules for access to payment accounts and financial transactions.
A typical application of an Open Banking API is the aggregation of data from different bank accounts into a single view provided by a TPP application. There are two types of TPPs. Payment Initiation Service Providers (PISPs) connect to a customer's bank account and initiate payments on the customer's behalf. Account Information Service Providers (AISPs) connect to a customer's bank account to offer a financial service, such as money management.
Benefits of Open Banking APIs
Because one of the long-term outcomes of Open Banking will be increased competition, incumbent banks have been reluctant to get involved. Historically, they have competed with fintech companies to provide better financial services to their customers. But Open Banking actually offers banks the opportunity to explore new business models where they collaborate and partner with emerging fintechs and other banks, rather than trying to compete with them. And customers ultimately benefit, as Open Banking gives them more control over their transaction data.
It's a win-win for both the banking customer experience and financial institutions. Customers gain better access and control over their accounts and finances and can take advantage of new features and services. Financial institutions can offer enhanced services to their customers and participate in a revenue-sharing ecosystem. According to an Insider Intelligence article titled How open banking and bank APIs are boosting fintech growth, the research firm "forecasts the revenue potential in the U.K. generated by open-banking-enabled small and medium-sized businesses (SMBs) and retail offerings to reach $2 billion by 2024."
Banks, and therefore their customers, can be the big winners if they use open banking APIs to open up their applications to fintechs. A few benefits are:
- Faster innovation: Fintechs can typically innovate and develop new applications and features faster than IT teams at established banks.
- Increased revenue: fintechs are better positioned to take on and deliver technology build projects.
- Detailed customer insights: fintechs can connect to banks' customer data to identify customer financial trends and patterns.
- Personalized offers: Using customer financial trends and patterns, fintechs can improve customer engagement by offering personalized services and recommendations.
Examples of banks using Open Banking APIs
Across the financial industry, some of the best-known and largest banks, financial institutions, lenders and fintech startups are already using Open Banking APIs to offer enhanced financial products and services. Here are a few examples:
- Telefonica Deutschland's O2 Banking: Telefonica Deutschland has launched a mobile-only bank account that offers mobile number transactions, small instant loans, and better mobile data plans, built on the platform of German bank Fidor.
- Wave integration of customer financial information: Wave billing and accounting software uses banking APIs to connect to a user's bank account and give its customers full control of their business finances in one place.
Open Banking initiatives
There are two main categories of drivers for open banking initiatives around the world: market-driven initiatives and regulatory initiatives.
In market-oriented environments, such as in the U.S. and some Asian countries like Japan, Singapore, India, and South Korea, regulators are leaving the initiative to the players – banks and TPPs – to implement Open Banking APIs. Many large banks in the U.S. have launched their own initiatives and are working with TPPs. In the U.S., for example, open banking is still largely based on screen scraping, where fintechs collect customer information from data displayed on the banking app screen, but the industry is expected to move to more secure and reliable APIs.
In regulatory environments, such as the UK and Europe, initiatives have been driven primarily by PSD2. Hong Kong has also taken the regulatory approach, allowing financial institutions to choose which TPPs they work with.
Another point worth mentioning is the Open Banking approach in Australia. This is perhaps the most ambitious and innovative approach to Open Banking to date. Australia is going even beyond Open Banking, proposing an Open Data economy in which Australian citizens can require not only retail banking institutions but also other companies, such as utilities or telecommunications companies, to enable data sharing with third-party providers.
Security risks associated with open banking APIs
Opening up banking applications to TPPs has risks that need to be addressed. Fraud prevention must be a top priority for all stakeholders. Frederik Mennes, head of OneSpan's Security Competence Center, breaks these risks down into three types.
- First, financial institutions open their systems and share consumer data with TPPs. So it's up to the financial institution to make sure it only works with trusted TPPs. They cannot allow a malicious or unauthorized TPP to access their data.
- Second, users of TPP-provided applications must be properly authenticated to prevent unauthorized access when they access an account in the bank. This may require additional authentication such as Strong Customer Authentication (SCA).
- Third, the bank's IT infrastructure now essentially contains the IT infrastructure of the TPP. So if the TPP suffers a data breach or is otherwise compromised, the bank may also be affected.
How to protect banks from security threats
The first risk described above is that unauthorized TPPs will attempt to access the bank's accounts. To protect against unauthorized access of this nature, banks can require the TPP to digitally sign all requests. TPPs would have a public/private key pair with a corresponding certificate issued by a trusted certificate authority. This will allow TPPs to authenticate themselves when communicating through open banking interfaces.
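The following Go program is an added example, not code from the original article or from OneSpan, showing the request-signing pattern just described end to end: a trusted CA issues a certificate to a TPP, the TPP signs each request with its private key, and the bank accepts a request only if the certificate chains to a CA it trusts and the signature matches the request as received. The message layout (method, path and body hashed together) and all names are assumptions made for the example, not any real open banking API profile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedRequest is a constructed message shape (an assumption for this example): the TPP attaches its certificate and an ECDSA signature over a digest of method, path and body.
type SignedRequest struct {
	Method, Path    string
	Body, Signature []byte
	Cert            *x509.Certificate
}

// requestDigest binds the signature to the whole request, so a path or body changed in transit no longer verifies.
func requestDigest(r *SignedRequest) []byte {
	h := sha256.New()
	h.Write([]byte(r.Method + "\n" + r.Path + "\n"))
	h.Write(r.Body)
	return h.Sum(nil)
}

// issue creates a certificate for pub from tmpl, signed by the parent's key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SetupPKI stands in for a trusted certificate authority: it creates a CA and issues a client certificate to one TPP (names are constructed for the example).
func SetupPKI() (caCert, tppCert *x509.Certificate, tppKey *ecdsa.PrivateKey, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trusted CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if caCert, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	if tppKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	tppTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example-tpp"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	tppCert, err = issue(tppTmpl, caCert, &tppKey.PublicKey, caKey)
	return caCert, tppCert, tppKey, err
}

// Sign is the TPP side: sign the request digest with the TPP's private key.
func Sign(r *SignedRequest, key *ecdsa.PrivateKey) (err error) {
	r.Signature, err = ecdsa.SignASN1(rand.Reader, key, requestDigest(r))
	return err
}

// Verify is the bank side: accept only a certificate that chains to a trusted CA and a signature that matches the request exactly as received.
func Verify(r *SignedRequest, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := r.Cert.Verify(opts); err != nil {
		return fmt.Errorf("TPP certificate not issued by a trusted CA: %w", err)
	}
	pub, ok := r.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected TPP key type")
	}
	if !ecdsa.VerifyASN1(pub, requestDigest(r), r.Signature) {
		return fmt.Errorf("signature does not match the request")
	}
	return nil
}

func main() {
	caCert, tppCert, tppKey, err := SetupPKI()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	r := &SignedRequest{Method: "GET", Path: "/accounts/123/balances", Cert: tppCert}
	fmt.Println("genuine:", Sign(r, tppKey), Verify(r, roots))
	r.Path = "/accounts/999/balances" // altered in transit
	fmt.Println("tampered:", Verify(r, roots))
}
```

The bank's trust decision lives entirely in the root pool it builds: a TPP whose certificate was issued by any other CA is rejected before the signature is even checked, and a request whose path or body was altered after signing fails the digest comparison.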
To address the risks of unauthorized access to bank accounts, banks must use strong customer authentication and transaction monitoring as required by PSD2. Among other specifications, PSD2 mandates transaction authentication, where the level of authentication required to process a request depends on the risk level of the requested transaction. For example, after logging into online banking, a request from a customer to check their account balance can be processed seamlessly, but a request to transfer money may require the user to use stronger authentication.
PSD2 and its associated Regulatory Technical Standards (RTS) mandate that for the majority of online payments, including those made through Open Banking APIs, fraud monitoring is performed and strong customer authentication (SCA) is applied. SCA must be applied to access to payment account information and to any payment initiation, including transactions through Open Banking, unless an exemption applies under the RTS. Exemptions are not mandatory; banks can apply them if they choose to do so.
As part of open banking fraud analytics programs, solutions such as OneSpan Risk Analytics support the monitoring of events coming from a TPP running one or more open banking services via open banking APIs published by the bank. OneSpan Risk Analytics provides pre-built rule scenarios that cover PSD2 fraud monitoring requirements, business logic and typical fraud scenarios. These rules support digital banking channels, including Open Banking.
Open APIs required by PSD2 will lead to new, innovative banking services and apps. However, there is a risk that criminals can gain access to customer data and transactions. Banks and third party payment service providers need to be aware of these risks and provide adequate protection. Learn more in this blog: Open Banking APIs under PSD2: How to mitigate risk.
Strong customer authentication
To pass SCA, the customer must successfully authenticate using multifactor authentication (MFA). In the context of online payments under PSD2, this means that the customer must provide two of the three factors to be authenticated. The three factors are:
- Knowledge: something the user knows, e.g. a password or PIN
- Possession: something the user has, e.g. a cell phone
- Inherence: something the user is, e.g. a fingerprint or palm print
There are three methods for performing SCA:
- A redirect approach with the bank's web application
- An embedded approach directly through the TPP application
- A decoupled approach with the bank's trusted device mobile app
In the redirected approach, users are redirected to their bank's website to enter authentication credentials. In the embedded approach, the authentication process is fully automated, with users passing their credentials to a TPP that authenticates and initiates the payment in the background. In the decoupled approach, the second factor is provided via a different device than the one requesting the transaction.
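The Go program below is an added example (not code from the original article or from OneSpan) that turns two of the rules above into a decision routine: the risk-based rule from the fraud section, under which a balance check in a logged-in session is processed seamlessly while a payment initiation requires SCA unless the bank applies an RTS exemption, and the two-of-three-factors definition of SCA, including the edge case that two elements from the same category (password plus PIN) are not multifactor authentication. The request and factor types and the string labels are assumptions made for the example.

```go
package main

import "fmt"

// FactorCategory is one of the three SCA factor categories under PSD2.
type FactorCategory int

const (
	Knowledge  FactorCategory = iota // something the user knows (password, PIN)
	Possession                       // something the user has (phone, token)
	Inherence                        // something the user is (fingerprint)
)

// Factor is one authentication element the customer presented. The type is
// constructed for this example, not taken from any product or standard.
type Factor struct {
	Category FactorCategory
	Name     string
	Verified bool // the bank checked the element successfully
}

// MeetsSCA reports whether the verified factors span at least two distinct
// categories. Two elements from the same category (password plus PIN) are
// not multifactor authentication and do not pass SCA.
func MeetsSCA(factors []Factor) bool {
	seen := map[FactorCategory]bool{}
	for _, f := range factors {
		if f.Verified {
			seen[f.Category] = true
		}
	}
	return len(seen) >= 2
}

// AuthLevel is the strength of authentication a request needs.
type AuthLevel int

const (
	SessionOnly    AuthLevel = iota // an existing authenticated session is enough
	StrongCustomer                  // SCA: two factors from different categories
)

// Request is a TPP call as the bank's authorization layer sees it (assumed shape).
type Request struct {
	Kind   string // "balance" or "payment" in this example
	Exempt bool   // an RTS exemption the bank has chosen to apply to this request
}

// RequiredLevel encodes the risk-based rule: a balance query in a logged-in
// session is processed seamlessly, a payment initiation requires SCA unless
// the bank applies an RTS exemption, and anything unrecognised gets the
// stronger check.
func RequiredLevel(r Request) AuthLevel {
	switch {
	case r.Kind == "balance":
		return SessionOnly
	case r.Kind == "payment" && r.Exempt:
		return SessionOnly
	default:
		return StrongCustomer
	}
}

// Authorize decides whether the request may proceed, given whether the
// customer has an authenticated session and which factors were presented.
func Authorize(loggedIn bool, r Request, factors []Factor) (bool, string) {
	if !loggedIn {
		return false, "no authenticated session"
	}
	if RequiredLevel(r) == SessionOnly {
		return true, "processed on the existing session"
	}
	if MeetsSCA(factors) {
		return true, "processed after strong customer authentication"
	}
	return false, "SCA required: present a second factor from a different category"
}

func main() {
	pw := Factor{Category: Knowledge, Name: "password", Verified: true}
	pin := Factor{Category: Knowledge, Name: "PIN", Verified: true}
	push := Factor{Category: Possession, Name: "mobile app approval", Verified: true}
	for _, c := range []struct {
		req     Request
		factors []Factor
	}{
		{Request{Kind: "balance"}, []Factor{pw}},
		{Request{Kind: "payment"}, []Factor{pw, pin}},
		{Request{Kind: "payment"}, []Factor{pw, push}},
	} {
		ok, why := Authorize(true, c.req, c.factors)
		fmt.Printf("%-8s ok=%-5t %s\n", c.req.Kind, ok, why)
	}
}
```

In the decoupled approach the possession factor would typically be the approval on the customer's trusted mobile device; in this model that is simply a verified Possession factor, so the same check applies regardless of which of the three SCA methods delivered it.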
Moving on to open finance
Open banking is still relatively new to the banking industry. But financial organizations are already talking about the next step – Open Finance. Open Banking initiatives are primarily related to payment accounts. Now is the time to apply the concept to all accounts so consumers can have a holistic view of their personal finances and financial data. There is no reason why the new services, techniques and benefits of Open Banking cannot be applied to other financial accounts, such as mortgages, investments, pensions and insurance.