With over 6 million users, and 7 million payments made every month in the UK, open banking is already changing the way people pay and use their financial data. It’s led to a new generation of financial services, built by third party providers that can innovate quickly to better serve the needs of users.
For consumers, open banking can simplify the way they manage their finances, give them new options for using their data, along with new ways to pay. For businesses using open banking, they can better understand their customers’ needs, onboard customers more quickly and completely transform the way they collect payments.
But what actually powers open banking? What is the core technology behind it and how does it work? And how do businesses interested in using open banking gain access to this technology. The answer, in the UK and EU at least, are application programming interfaces (APIs). To fully understand open banking APIs, you first need to understand API technology in general.
What is an API?
An API is a set of rules and protocols that define how two systems can interact with each other. It essentially acts as a bridge between different systems, allowing them to share data and functionality in a structured and controlled way. One system can ‘call’ or request data from the other system using an API, and receive that data in a standard format.
APIs are a common way for a business to integrate new technologies, allowing developers to add new functionality to their product without building from scratch. APIs are also typically built with security in mind, whether through practices like tokenization, encryption and authentication protocols.
What is an open banking API, specifically?
Open banking APIs are the APIs built by banks and other financial institutions, which registered Third Party Providers (TPPs) use to connect to those banks in a secure and uniform way.
In 2018, EU legislation called PSD2, was introduced that gave consumers and businesses the right to access their account data and payments through TPPs. At the same time, the UK Competition and Markets Authority (CMA) required the nine biggest banks in the UK to develop an open API standard. This standard provided a consistent way for TPPs to connect to banks, creating the framework that would allow open banking to flourish in the UK. These banks are known as the CMA9.
So I need to connect to every bank API?
Businesses who want to benefit from open banking can make their own connections to the APIs that banks provide. However, to do this, businesses must become authorised by the financial regulator. Additionally, maintaining dozens of connections to banks is resource intensive and difficult.. To account for this, some TPPs — including TrueLayer — specialise in aggregating bank APIs and can make all banks available to businesses through a single API connection.
Do open banking APIs have specific specifications?
To help standardise the open banking experience, the Open Banking Implementation Entity (OBIE), the governing body for instituting open banking in the UK, created the Open Banking Standard. This Standard includes customer experience and operational guidelines, along with good practice for data management and terminology. Most importantly, it includes a detailed set of API specifications that banks follow when building their APIs.
The specifications cover the parameters of identity verification, information sharing, payment initiation, security and analytics. Specifically, the specifications cover several areas:
The Read/Write API is how third party providers must connect to banks. It enables TPPs to access bank accounts for read access (such as account balance and transaction information) and for write access (to make payments).
The Open Data API dictates how banks must create access endpoints for TPPs, specifying the ways in which TPPs should be able to use a bank’s Read/Write API. This is designed to ensure the banks build APIs in a consistent manner.
The Directory is the technical information describing the Open Banking Directory, which is the directory of open banking participants, from providers to banks, and provides the single point of entry to connect with other participants.
MI reporting includes specifications for management information (MI) reporting, by banks to the OBIE. In simple terms, it is how banks should report data about the APIs back to the governing body.
The Open Banking Standard is specific to the UK. There are other standards or specifications that apply to open banking in other countries. The standards cover a range of financial data and services, including account information, payments, and identity verification. For example:
The Berlin Group NextGenPSD2: a set of API specifications that were developed by the Berlin Group, a European industry association, to support the implementation of the EU's revised Payment Services Directive (PSD2).
The Australian Open Banking Standard: a set of API specifications developed by the Australian Competition and Consumer Commission (ACCC) as part of Australia's Customer Data Right initiative
The Financial Data Exchange (FDX) API Standard: a set of API specifications by the Financial Data Exchange (FDX), a US-based industry group.
The SEPA Payment Account Access (SPAA) Scheme Rulebook: a recently developed set of rules, practices and standards that will allow functionalities beyond those specified in PSD2 to be provided by banks to TPPs as a paid-for service.
What are the benefits of standardised APIs in open banking?
There are several benefits of using standardised APIs in the context of open banking, including:
Consistent customer experience
Consumers using open banking-powered products and paying by open banking will enjoy a consistent user experience. Over time, this consistency will bring a sense of familiarity and trust, further increasing the likelihood of customers continuing to use open banking.
API performance and service uptime
A good API will have very high availability (ie there will be very little time the API won’t work). In November 2022, the average availability of UK open banking APIs was 99.3%, all while handling a record-high 7.2 million payment initiations.
Bank coverage
Coverage is the proportion of your existing and potential future customers that you can collect payments from. By using an aggregator, like TrueLayer, businesses can connect to over 98% of UK bank accounts from a single connection.
Data minimisation
Data minimisation is where a user consents for only the specific data that is necessary for a specific service to be provided. APIs make it possible for data minimisation to be built into the open baking experience.
Improved security
By using APIs to access financial data and services, financial institutions can reduce the need for customers to share their login credentials or other sensitive information with third-party apps or services.
What are the alternatives to APIs in open banking?
The main alternative for accessing open banking is using screen scraping. Screen scraping is the process of collecting display information from a ‘screen’ (typically a webpage) to use elsewhere or to perform actions that the user would normally carry out.
Screen scraping works using a programme or ‘bot’, which gains access to a customer account and automatically captures the data on the screen in the background, without the customer being present.
Screen scraping doesn’t allow for data minimisation, meaning that all of a customer's data can be accessed at any one time, rather than a subset of the data relevant to the use case (as is the case with APIs).
There has been plenty of debate on whether screen scraping should be phased out. In the UK, most banks provide APIs for access, and some banks that only supported screen scraping have now been required to transition to APIs. In Europe, the European Banking Authority (EBA) has advocated to end the practice, but industry consultations are still ongoing.
How does my business access open banking APIs?
Only authorised organisations can use open banking APIs. In the UK, the FCA regulates all open banking providers (TPPs). Regulated providers are classed as either Account Information Service Providers (AISP) or Payment Initiation Service Providers (PISP).
An AISP is a business that can offer account information services (AIS) by gathering read-only financial information. They can compile data from multiple bank accounts, but they can’t initiate activity — such as payments — from those accounts.
A PISP, on the other hand, is a business that can provide payment initiation services (PIS). This means they can move money from a user’s bank account with a customer’s consent.
To find out more about open banking, APIs, UK regulation and more, check out our definitive guide to open banking.
What is 3D secure and how does it work?
5 points for the National Payments Vision
