How is open banking regulated in the UK?
The Payment Services Directive is a European Law that was passed in 2007 and updated in 2015 (PSD2). PSD2 came into force in different EU member states through the Payment Services Regulations (PSRs). Open banking is regulated in the UK by the Financial Conduct Authority (FCA), using these PSRs.
PSD2 and the resulting PSRs gave customers the right to ask third party providers to:
make payments on their behalf (Payment Initiation Services or PIS)
access their financial data (Account Information Services or AIS)
Before the Payment Services Regulations came into force, neither of these things were possible: bank terms and conditions often prevented customers using a third party provider to access their bank account.
The PSRs required payment service providers, including banks, to open up their systems to third party providers, at the request of customers. This created the legal and regulatory framework for open banking.
However the PSRs didn’t specify how banks should provide that access. They only stated that banks should provide a dedicated interface or way of accessing the account based on online banking.
In the UK, the Competition and Markets Authority (CMA) created an additional layer of regulation for the nine largest UK banks (which serve 99.9% of the UK population). The CMA said that these banks, known as the ‘CMA9’, must comply with the PSRs by building APIs — and that they must build them to a certain specification or standard, which banks themselves would need to develop.
To facilitate this, the Open Banking Implementation Entity (OBIE) was created. The OBIE developed the Open Banking Standard with the banks, as well as customer experience guidelines which told banks how to implement strong customer authentication (SCA).
Open banking is now regulated in the UK by the Financial Conduct Authority (FCA). Only companies that are authorised by the FCA can use open banking APIs to access financial information or initiate payments on behalf of a customer. In Ireland, the Central Bank of Ireland regulates open banking.
Other countries have different regulators. If you’re planning to provide open banking services to customers in the US, EU, Australia or other regions, see our guide to open banking around the world for more information.
How can I get regulatory permission to access open banking?
If you want to get access to open banking in order to provide a product or service to your UK customers, there are two different ways you can get permission. The approach differs slightly depending on whether you want to provide Account Information Services, or Payment Initiation Services.
How to get permission to provide Account Information Services to your customers
|Direct: RAISP||Indirect: AIS agent|
|Description||Become a Registered Account Information Services Provider (RAISP). Register with the FCA directly as a Third Party Provider under the Payment Services Regulations/PSD2 to provide Account Information Services.||Get appointed as an agent of a regulated Third Party Provider of Account Information Services, such as TrueLayer.|
|Accountability / responsibility||You are responsible for compliance with PSD2 and you have obligations towards your customers, including getting their consent to access their data, and dealing with any complaints. You must hold professional indemnity insurance (PII). You must fulfil ongoing duties, including reporting to the FCA.||Your regulated Third Party Provider is responsible for compliance with PSD2/PSRs and has obligations towards your customers, including getting consent from them to access their data, and dealing with any complaints. You will still need to undergo due diligence and ongoing compliance monitoring with your chosen TPP to become an agent. To find out more about becoming an agency of TrueLayer, email our legal team ([email protected]).|
|Technical access||You can choose to integrate directly with each individual bank’s APIs. However, maintaining these connections can be difficult and resource-intensive. That’s why some providers use an intermediary, known as a Technical Service Provider— a company that specialises in connecting to all the banks itself, and provides you with a single API.||You access open banking APIs via your Principal Third Party Provider, who connects to all the banks and provides you with a single API. (Note: TrueLayer is able to act both as a Technical Service Provider and a Principal Third Party Provider.)|
|Time taken to get permission||6 months - 1 year||4 - 6 weeks|
How to get permission to provide Payment Initiation Services to your customers
|Direct: PISP||Indirect: via a TPP|
|Description||Become a Payment Initiation Services Provider (PISP). Get regulated with the FCA directly as a Third Party Provider under the Payment Services Regulations/PSD2 to provide Payment Initiation Services.||Use a Third Party Provider (TPP), that is regulated by the FCA who can integrate into your app or website and provide payment services to your customers.|
|Accountability / responsibility||You are responsible for compliance with PSD2 and you have obligations towards your customers, including getting their consent to make payments and dealing with any complaints. You must fulfil duties, including reporting, which require you to have in-house compliance professionals. You must have €50,000 in initial capital (or higher if you provide certain other payment services) and hold professional indemnity insurance (PII).||Your regulated Third Party Provider is responsible for compliance with PSD2/PSRs and has obligations towards your customers, including getting consent from them to initiate the payment and dealing with any complaints.|
|Technical access||You can choose to integrate directly with each individual bank’s APIs. However, maintaining these connections can be difficult and resource-intensive. That’s why some providers use an intermediary, known as a Technical Service Provider — a company that specialises in connecting to all the banks itself, and provides you with a single API.||You integrate with a regulated Third Party Provider, who connects to all the banks and provides the payment method to your customers by integrating into your app or website. (Note: TrueLayer is able to act both as a Technical Service Provider and a Principal Third Party Provider.)|
|Time taken to get permission||6 months - 1 year||n/a — integration time only|
What do I need to do to get regulated?
If you decide to take the AIS agent route, you’ll need to find a Third Party Provider and/or Technical Services Provider to help you. If you’d like to speak to TrueLayer about helping you make the most of open banking payments (PIS) or account information services (AIS), please get in touch.
If you decide to take the direct route (see table above), and become registered as an AISP or authorised as a PISP (or both), you’ll need to apply to the Financial Conduct Authority (FCA).
If you intend to become registered as an AISP or authorised as a PISP (a Third Party Provider), you should:
Read up on the second Payment Services Directive (PSD2) and the FCA’s own guidance to ensure that your planned product or service will be compliant.
Find out which regulator covers your area of operations. In the UK, the FCA regulates open banking providers. However, if you are planning to offer services to customers in other countries and regions, you may have to apply to their regulators as well.
Ensure that your business model is clear and detailed, because this will form part of your application.
Ensure that you comply with all data protection and privacy regulations for the geographical area of your customer base. For example, GDPR (the General Data Protection Regulation) is essential when dealing with EU customers.
Ensure that all areas of your business — including IT, policy and security — are compliant with the relevant regulations.
Put the necessary professional indemnity insurance in place.
If you’re applying to be a PISP you will also need €50,000 in initial capital (or higher if they provide certain other payment services).
Once you’re prepared, you need to apply to the FCA. This process can take up to one year.
You can find out more on the FCA website and the PSD2 Navigator. If you have questions, you can call the FCA’s Contact Centre on 0300 500 0597 from the UK, or +44 207 066 1000 from abroad.
How do I enrol as an open banking provider?
Once you're regulated as a Third Party Provider in the UK, you should enrol into the Open Banking Implementation Entity (OBIE) Directory. This enables third party providers to securely identify themselves to account providers (e.g. banks). For more information on this process, and how to test your product and go live, visit the Open Banking Implementation Entity.
What is the OBIE Directory and how do I enrol in it?
The OBIE Directory is managed by the Open Banking Implementation Entity, which oversees Open Banking implementation in the UK.
The directory contains details of authorised and regulated Third Party Providers (AISPs and PISPs) and account providers (banks or ASPSPs). See our glossary for an explanation of these terms.
As a Third Party Provider, you should apply for enrolment in the directory because account providers (such as banks) will use it to verify your identity. Take a look at the guide to enrolment.
The OBIE Directory is also useful for customers of open banking services. If they have any doubts about the validity of an open banking organisation, they can check the directory to ensure that the organisation is properly regulated.
Which banks can I access through open banking?
In the UK there were initially nine banks signed up for open banking, known as the CMA9. These were: Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group and Santander.
Other banks have signed up since then, and the list of banking organisations supporting open banking is growing all the time. You can see the current list on the official UK Open Banking website.
How can technical service providers (TSPs) help me to access banks through open banking?
If you’ve decided to become a regulated Third Party Provider of open banking, you may still want help accessing and managing open banking APIs. That’s where Technical Service Providers come in. They are businesses that enable Third Party Providers to offer open banking services more easily, by connecting them to many different banks’ APIs.
The Payment Services Regulations in the UK determine how open banking should be implemented. However, there are differences in the way banks handle the technical side. TSPs such as TrueLayer provide a standardised API to simplify this complexity for businesses who want to use open banking. The TSP sits between the banks and the Third Party Providers, handling all open banking transactions between them.
The advantages of using a Technical Service Provider include:
speed to market, because it’s easier to use the TSP’s standardised API than work with many individual banks’ own APIs
conversion rate, which can be up to 20% higher than direct bank connections
higher quality data connections and better uptime
TrueLayer acts as a TSP for its regulated clients, including Revolut. TrueLayer's APIs are fully compliant. And more than half of the open banking traffic in the UK goes through TrueLayer.