In the second part of our series on open banking in Australia, we’d like to take you through some of the concrete differences compared to the UK. This guide may inform whether either is a ripe market for you to tackle — whichever way you’re going!
If your ambitions span these regions, we’d love to talk to you 🚀.
A cheat sheet to impress ✨
Before we dive in, here’s a cheat sheet to the jargon:
1. “Regulated, Standardised, Mandatory”
If Stevie Wonder wrote a song about open banking, this would be its title. You may argue it’s not got the same flow as the original, but… you’d be right.
Bad jokes aside, in both markets:
The ecosystem and its key participants are regulated,
The way for banks and third parties to connect is standardised, and
The provision of these connections from the holders of the data is mandatory.
There are differences in what triggers the requirement to get ‘licensed’, what’s in scope, and how connections happen technically. However, the principles are aligned. To start, the biggest banks — covering over 80% of the market — have to share banking data on the most common products for both retail and business customers.
2. The main purpose of open banking in both markets is encouraging competition
In Australia, as per our introductory post on the Consumer Data Right (“CDR”), the impetus behind open banking legislation was a review commissioned by the Treasury. Even before this, ‘open data’ was seen as a way to boost productivity and increase competition in banking. It’s telling that the main regulator for open banking is the Australian Competition and Consumer Commission (“ACCC”, pronounced ‘A-triple-C’). They decide who gets to participate, and how.
In the UK, open banking also came out of a regulatory push — in fact, two streams coincided. On one hand, the EU’s second Payment Services Directive (PSD2) instructed the regulation of two relevant payment services — account information and payment initiation.
On the other hand, the Competition and Markets Authority (“CMA”) reviewed competition in the banking market, found it lacking and mandated the creation and adoption of an open banking standard by the 9 biggest banks (the “CMA9”). The resulting Open Banking Implementation Entity (“OBIE”) is responsible for developing, monitoring, and enforcing the implementation of standards, which were also used to enable the implementation of PSD2.
3. Both regions control access programmatically and centrally
This is about the question, “How do we make sure that, now we’ve created this API ecosystem, only licensed participants can access the APIs, without creating a tonne of ongoing manual checks?”
You may have seen our in-depth post on eIDAS certificates. It summarises the EU’s approach to controlling how a regulated business identifies itself towards banks when they access a customer’s account information and payment functionality.
In Australia, the ACCC also wants to make sure that only accredited ‘data recipients’ are able to retrieve data from ‘data holders’ — without needing an army of people (I’m exaggerating to make a point) to manually check and approve every API call.
At a glance, both regions are using a combo of:
A central authority: gives out the ‘keys to the castle’ 🔑
A register of some sort: keeps track of who has access 🚪
A trusted certificate provider: issues certificates as per agreed technology standards ✔️
The certificates themselves: used by the parties in the system to identify each other and decide whether a connection should happen 📃
Understanding the nuts and bolts of certificate regimes across the globe, and helping our clients seamlessly navigate them, is part of what we do at TrueLayer. We already help our clients with eIDAS certificates in Europe and continue to innovate to make this technical challenge easy to solve.
Now, let’s leave those technical depths aside to dive into what is different.
1. The trigger for needing a license is different
Many of our clients ask, “Do I need to be regulated to operate in Australia or in the UK?”
A disclaimer: please get your own legal advice 😇. This is an overview of what we know about the triggers in regulation today.
In the UK, under the Payment Services Regulations 2017 (PSRs 2017), you need a license from the FCA if you are providing Account Information Services or Payment Initiation Services. These are defined in the Interpretation section of the PSRs 2017. At a high level:
An account information service is an online service to present consolidated information on payment accounts (in its original or processed form) back to the payment service user and other persons if instructed by the payment service user;
A payment initiation service is an online service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
In Australia, these two services don’t have a direct equivalent. Instead, the rules foresee ‘accredited data holders’ and ‘accredited data recipients’. The CDR Rules — called ‘Competition and Consumer (Consumer Data Right) Rules 2020’ in full — go into detail on their roles. To date, only one organisation has received accreditation as an Accredited Data Recipient, and we will know more about how exactly the ACCC will roll out the regime in full come July.
While the UK has a financial services regulator in charge and Australia a competition regulator, the requirements and obligations are very similar. As always, it’s about governance, security of data, consent procedures, complaints handling — checking that participants do right by their end-users and their data.
2. Australia has the lead on the scope of data (though they have yet to launch)
Because of the payments-centric origin of open banking regulation in Europe, the first set of accounts that companies have to share data about are payment services. Products like loans and mortgages are therefore not in scope… yet. The debate about Open Finance is progressing at a rapid clip, and we are pushing for increased scope to enable more innovation.
Meanwhile, with second-mover insight, Australia’s Consumer Data Right starts well beyond the scope of PSD2. It even includes an extension into utilities🚰 and telco data📞! In short, they are firmly targeting Open Data, not just Open Banking or even Open Finance. That said, they’ve not yet gone live with their transaction-level APIs. “Execution is everything”, but we are optimistic that Australia’s boldness will set a new bar globally.
3. The UK’s got the lead on payments
Australia’s ambitions on data are bold. However, the Consumer Data Right (“CDR”) does not cover ‘write access’ or payment initiation — which is an area we are seeing develop rapidly in the UK.
The journeys our partners are building with our Payments API are proof of the potential that awaits. Companies like Stake and Plum are innovating at the bleeding edge of payments. We expect and hope to see future iterations of the CDR introduce similar concepts, which are agnostic of the underlying payment rails and schemes.
In summary: talk to us about expanding 🗺
Whether you’re already active in both markets or thinking about what it might take to expand, we’d love to talk. If you’re only active in one of these countries and want to use open banking for your business, our [email protected] inbox is of course also open.