What is Open Banking?
Open Banking is the standardised legislation that allows all of us to take control of our own financial data. We can choose to share our banking information with trusted third parties to get the financial products and services we want faster, cheaper and more easily than we do today.
What’s the background to Open Banking?
Way back in 2013, the Competition and Markets Authority (CMA) started a review of the UK retail banking industry.
Incredibly, it took a three-year-long review before the CMA published a report in August 2016 that, unsurprisingly, found that the financial services industry lacks innovation and, more importantly, competition. The CMA found that smaller financial technology (Fintech) companies are unable to penetrate the banking market as it’s dominated by the big-name banks.
Because of this review, the CMA and the Government ordered the nine largest UK banks, named the CMA9, to start creating Open Banking APIs that allow data to be passed securely from one party to another.
The deadline for delivery of the APIs from the CMA9 was January 13th, 2018.
What is PSD2?
PSD2 is a directive from the European Union, which sets requirements for banks and businesses in the financial services sector to improve consumer protection, make payments safer and more secure, and drive down the costs of payments services.
What is an API?
API stands for application programming interface. In short, an API transfers data securely from one party to another.
How do Open Banking APIs work?
An Open Banking API securely transfers data from a person’s or business’s bank account to an authorised and regulated third-party provider.
Who can access the Open Banking APIs?
Each participating bank will create its own Open Banking API. Trusted and authorised third parties approved by the banks and the financial regulator, the Financial Conduct Authority, can then, with the data holder’s permission, access specific data from their bank.
What are Third Party Providers?
Third Party Providers (TPPs) is a term used to refer to any regulated and authorised business that provides a product or service using the Open Banking APIs.
What regulations are in place to protect my data from unauthorised Third Party Providers?
All TPPs have to be FCA regulated and listed in the Open Banking directory to use Open Banking APIs.
The information transferred is encrypted and your information always remains anonymous.
But you should always be aware of fraudulent businesses that use various techniques to gain access to bank accounts. To ensure that you’re using an authorised TPP, check that they’re regulated by the FCA and listed in the Open Banking register.
Also make sure that, when you get redirected to your online banking to sign in to your account, you’re definitely on your bank’s website and that it is a secure URL. A secure URL begins with ‘https’ and has a padlock.
What should I check before using a TPP with an Open Banking connection?
There are three things that you should always check before giving a TPP your permission to access your financial data.
What do the FCA regulate?
The Financial Conduct Authority (FCA) is the conduct regulator for 58,000 financial services firms and financial markets in the UK. They operate in the belief that financial markets need to be honest, fair and effective so that consumers get a fair deal, and aim to make these markets work well – for individuals, for businesses large and small, and for the economy as a whole.
Part of their role means they are responsible for evaluating the fitness and propriety of a business in order to determine whether it is suitable to provide services using Open Banking.
OpenWrks is authorised and regulated by the FCA as an Account Information Services Provider (AISP). You can find us on the FCA register here.
What does AISP mean?
AISP means Account Information Service Provider. This means that the business has been granted permission to request consent from people and businesses to connect to their bank account and use their account information to provide a service. This access is read-only, meaning the TPP cannot move any money or make any transactions on behalf of the consumer.
What does PISP mean?
PISP means Payment Initiation Service Provider. This means that the business has been granted permission to request consent from a consumer to connect to their bank account and initiate payments or transfers on their behalf.
Is Open Banking safe?
Open Banking is highly secure. Not only does it all exist within the banks’ established and highly secure technology platforms, the APIs themselves allow for a highly secure transfer of data. You need to authorise the connection between the two parties, which means neither party needs to see your full security credentials and you always stay in control of the data you share, with whom and when.
How do I give permission for a TPP to access data on my behalf?
When you sign up to a service or app that uses Open Banking, you’ll be taken through a consent journey where you’ll be presented with all the information that the TPP needs to see in order to provide their service.
If you’re happy with the information presented, you’ll be redirected to your account provider. Your account provider will double-check that the TPP has been clear about what you are giving permission for by presenting the same information again and asking for your final consent.
How do I remove permission for a TPP?
You can see every TPP connected to your account from within your online banking. From here you can also remove your permission for any TPP.
You could also inform the TPP of your decision to remove your permission or even cancel your account directly with the TPP and they would remove the connection for you.
To inform OpenWrks of your desire to remove your permission, you have a Right to Erasure.
Can I ‘Opt-out’ of Open Banking?
Your account information is not available by default. You control whether anybody has permission to see your account information, so there is no need to proactively opt-out. If you don’t want to give permission to anyone to see your account information, simply don’t consent to any of the services or tools that use it.