Open Banking API
Banking is evolving as a result of Open Banking APIs. The Open Banking program lets bank customers securely share their account information with third-party providers (TPPs). This is accomplished through application programming interfaces (APIs), which allow TPP applications to interact with bank applications. The goal is to encourage digital banking innovation and speed up the development of new financial apps and services for businesses and consumers.
What exactly is an Open Banking API, and how does it Function?
Open banking was pioneered in 2018 by the UK’s Competition and Markets Authority (CMA), which mandated that banks open their applications to TPPs. The European Union’s update of the Payment Services Directive (PSD2) had the same objective while demanding new security standards for accessing payment account records and financial transactions.
The aggregation of data from several bank accounts into a single view offered by a TPP application is a common use of an Open Banking API. TPPs come in two varieties. Payment initiation service providers (PISPs) are companies that link to clients’ bank accounts and make payments on their behalf. Account Information Service Providers (AISPs) link to a customer’s bank account to provide financial services such as money management.
Advantages of Open Banking API
Since one of the long-term results of open banking will be increased competition, traditional banks have been reluctant to adopt it. They have historically competed with fintech companies to offer their clients better financial services. But Open Banking offers banks the opportunity to explore new business models where they collaborate and partner with emerging fintech and other banks rather than compete with them. And customers ultimately gain an advantage, as Open Banking gives them more control over their transactional data.
It is a win-win situation for the banking customer experience and for financial institutions. The customer gains better access to and control of their accounts and finances and can take advantage of new features and services. Financial institutions can offer their customers enhanced services and participate in a revenue-sharing ecosystem. According to an Insider Intelligence article titled How open banking and bank APIs are boosting fintech growth, the research firm “projects that UK revenue potential generated through proposals from small and medium-sized businesses (SMEs) and retail clients enabled by Open Banking will reach 2,000 million.”
Banks, and therefore their clientele, can be the big winners if they use the Open Banking APIs to open their applications to fintech. Some of the advantages are:
- Faster innovation: Fintechs can often innovate and develop new applications and functionality faster than traditional bank IT teams.
- Increased revenue: Fintechs are better placed to take on and deliver technology-building projects.
- Detailed customer insights: Fintechs can connect with bank customer data to provide customer financial trends and patterns.
- Personalized offers: Using customers’ financial trends and patterns, fintechs can improve customer engagement by offering personalized services and recommendations.
Examples of Banks using Open Banking API
Across the financial industry, some of the biggest and best-known banks, financial institutions, lenders, and fintech startups are already using Open Banking APIs to offer better financial products and services. Here are some examples:
- Banking: launched a mobile-only bank account offering mobile number transactions, small instant loans, and better mobile data plans, built on the platform of German bank Fidor.
- Integration of customer financial information in Wave: Wave billing and accounting software uses banking APIs to connect to the user’s bank account, allowing its customers to have complete control of their company’s finances in one place.
Open Banking Initiatives
There are two main categories of open banking initiatives worldwide: market-driven initiatives and regulatory initiatives.
In market-driven environments, such as the United States and some Asian countries such as Japan, Singapore, India, and South Korea, regulators are letting the players – banks and TPPs – take the lead in deploying banking APIs. Many major US banks have launched their own initiatives and are working with TPPs. In the US, for instance, open banking is still primarily based on screen scraping: financial companies collect customer information from the data that appears on the screen of the banking application. Still, the industry is expected to transition to more secure and reliable APIs.
In regulation-driven environments, such as the UK and Europe, initiatives have been driven primarily by PSD2. Hong Kong has also taken the narrow approach and allows financial institutions to decide which TPPs they work with.
Another thing worth noting is the open banking approach in Australia. This may be Open Banking’s most ambitious and innovative approach yet. Australia is going beyond Open Banking and proposing an Open Data economy, where Australian citizens can ask retail banks to allow data sharing with third-party providers and other companies such as energy or telecommunications providers.
Security risks with Open Banking API
Fraud prevention must be a priority for all parties. Opening banking applications to TPPs carries risks that need to be addressed. Frederik Mennes, director of OneSpan’s Security Competence Center, divides these risks into three types.
First, financial institutions open up their systems and share consumer data with TPPs. They cannot allow malicious or unauthorized TPPs to access this data. Therefore, it is up to the financial institution to ensure that it only works with trusted TPPs.
Second, users of TPP-provided applications must be properly authenticated to prevent unauthorized access when they access a bank account. This may require additional authentication, such as Strong Customer Authentication (SCA).
Third, the bank’s IT infrastructure now extends to include the TPP’s IT infrastructure. Therefore, if the TPP suffers a data breach or is compromised, the bank may also be affected.
How to Protect Banks Against Security Threats
The first risk described above involves unauthorized TPPs trying to access bank accounts. To protect against this type of unauthorized access, banks can require the TPP to digitally sign all requests. Each TPP would hold a public/private key pair with a corresponding certificate issued by a trusted certification authority. This allows TPPs to authenticate themselves when communicating through open banking interfaces, and it lets the bank reject requests from any TPP whose certificate does not chain to a CA it trusts.
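As an added illustration of that request-signing scheme (not code from this article or from OneSpan), the following Go program uses the standard library’s X.509 support: the bank keeps the certificates of the CAs it trusts in a pool, each TPP signs the method, path and body of every request with the private key behind its certificate, and the bank accepts a request only if the presented certificate chains to a trusted CA and the signature verifies under that certificate’s key. The certificate names, request path and JSON body used with it are constructed for the example, and the ad hoc digest stands in for whatever signature header format a real scheme mandates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert: fresh P-256 key plus a certificate for it signed by parentKey; parent == nil yields a self-signed CA cert.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the new key signs its own certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so parsing cannot fail
	return cert, key
}

// digest binds a signature to method, path and body, so none of them can be altered or replayed elsewhere.
func digest(method, path string, body []byte) []byte {
	h := sha256.Sum256(append([]byte(method+"\n"+path+"\n"), body...))
	return h[:]
}

// signRequest is the TPP side: sign the request digest with the private key behind its certificate.
func signRequest(key *ecdsa.PrivateKey, method, path string, body []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest(method, path, body))
	return sig
}

// verifyRequest is the bank side: the certificate must chain to a CA in roots before the signature is even checked.
func verifyRequest(roots *x509.CertPool, cert *x509.Certificate, method, path string, body, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // unknown CA, expired, or otherwise untrusted TPP certificate
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest(method, path, body), sig)
}
```

To drive it, create the bank’s trust anchor with issueCert(name, nil, nil), add that certificate to an x509.CertPool, enrol each TPP with issueCert(name, caCert, caKey), and call verifyRequest on every incoming request; a body altered after signing, a signature replayed on a different path, or a certificate from a CA outside the pool is rejected.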
Banks must use robust customer verification and transaction monitoring to address the risk of unauthorized users accessing bank accounts, as outlined in PSD2. Among other specifications, PSD2 requires transaction-based authentication, so the level of authentication needed to process a request depends on the risk level of the requested transaction. For example, after logging in to online banking, a customer’s request to check their balance can be processed without further checks, but a request to transfer funds may require the user to provide stronger authentication.
Security Threats
PSD2 and the associated Regulatory Technical Standards (RTS) require fraud monitoring and Strong Customer Authentication (SCA) to apply to most online payments, including those made through Open Banking APIs. SCA must be used to access payment account information and for all payment initiations, including transactions through Open Banking, unless an exemption under the RTS applies. The exemptions are not mandatory, but banks can take advantage of them if they so choose.
In the context of Open Banking fraud analysis programs, solutions such as OneSpan Risk Analytics support the monitoring of events coming from a TPP that operates one or more Open Banking services through the Open Banking APIs published by the bank. OneSpan Risk Analytics offers pre-built rule scenarios that cover PSD2 fraud monitoring requirements, business logic, and typical fraud scenarios. These rules apply across digital banking channels, including open banking.
Strong Customer Authentication
To pass SCA, the customer must successfully authenticate using multi-factor authentication (MFA). For online payments under PSD2, the customer must provide two of the three authentication factors. The three factors are:
- Knowledge: something that the user knows, for example, their password, their PIN, etc.
- Possession: something the user has, for example, their mobile phone, etc.
- Inherence: something the user is, for example, their fingerprint, palm print, etc.
There are three methods to carry out the SCA:
- A redirect approach with the bank’s web application
- An integrated approach directly through the TPP application
- A decoupled system with the bank’s trusted mobile app
In the redirect approach, users are sent to their bank’s website to enter their authentication credentials. In the integrated approach, the authentication process is fully automated: users share their credentials with the TPP, which authenticates and initiates the payment in the background. The decoupled approach provides the second factor through a device separate from the one requesting the transaction.