7. Open banking APIs
What is an open banking API?
An API is an application programming interface, a technology which connects different IT systems together so that they can exchange data. One system can ‘call’ or request data from the other system using an API, and receive that data in a standard format. APIs are used to connect third party providers to banks in a secure and uniform way. Banks provide their own APIs for use by Third Party Providers. In the UK, these must conform to standards set out by the Open Banking Implementation Entity (OBIE).Open banking providers like TrueLayer aggregate bank APIs and provide businesses with a single API connection.What are Account Information Service Providers (AISP)?An AISP is a business that has regulatory permission from the Financial Conduct Authority (FCA) in the UK to access a bank’s API for the purpose of fetching account transaction data. This is read-only access — the AISP cannot initiate any payments or actions from the account. AISPs typically fetch financial data through open banking APIs to provide their customers with services like spending overviews, budgeting advice and money-saving tips.What are Payment Initiation Service Providers (PISP)?A PISP can initiate payments from a customer’s bank account, with the customer’s explicit consent. PISPs are businesses that are regulated by the Financial Conduct Authority (FCA) in the UK to initiate payments from their customer’s bank account. These payments could be to pay another person, to move money to another bank account or to pay for a product or service online. What are Account Servicing Payment Service Providers (ASPSP)?An ASPSP, for example a bank, provides and maintains payment accounts for its customers. Under PSD2 regulation, all ASPSPs must enable third party providers to access account data and initiate payments where they have the customer's consent to do so.
Can I use open banking APIs?
What is an eIDAS certificate and how do I get one?
Under a 2016 EU regulation, electronic signatures can have the same level of legal validity as a handwritten signature. However, such signatures must comply with eIDAS (electronic Identification, Authentication and Trust Services) requirements.In European open banking, eIDAS certificates allow ASPSPs such as banks to identify and authorise the API connections from Third Party Providers like PISPs and AISPs. This is a vital factor in preventing fraudulent access to bank accounts.Since Brexit, UK-authorised Third Party Providers are not able to use eIDAS certificates. The FCA has scoped an alternative — for more information .
Open banking API providers and specifications
There’s no single ‘official’ API. Instead, banks and Technical Service Providers provide their own APIs which must conform to the specifications set out by the Open Banking Standard.Where can I find the open banking API specifications?The Open Banking Implementation Entity (OBIE) lists the specifications for open banking APIs on .What is the Read/Write API specification?The is the main API specification that dictates how third party providers must connect to banks. It enables Third Party Providers (TPPs) to access bank accounts for read access (such as fetching account balance and transaction information) and for write access (for making authorised payments).What is the Open Data API Specification?The dictates how banks create access endpoints for Third Party Providers (TPPs). It specifies the ways in which TPPs should be able to use a bank’s Read/Write API. What is Dynamic Client Registration? is a process by which banks can automate the enrolment of new Third Party Providers, without having to manually authenticate each one. Who is the Open Banking Implementation Entity (OBIE)? is the official UK company that oversees open banking implementation in the UK.
How is open banking API performance, uptime and reliability?
Open banking vs screen scraping: how do they compare?
Screen scraping (or credential sharing) is an old method of gaining access to a customer’s bank account to retrieve transaction data. Screen scraping works like this:
- The customer shares their login details with a third party provider (TPP)
- The TPP uses these details to log in to the customer’s bank account
- The TPP then copies or ‘scrapes’ the customer’s bank data for use outside of the customer’s banking app