Open Banking in the United States: Are You Ready to Catch Up?
Have you heard about Open Banking? It's quite a popular concept right now! Open Banking is a part of a wider global movement for consumer data rights, called Open Data. Open Banking can also refer to the regulations and technology that enable these rights to be exercised in the banking and financial services sector.
This article focuses on how the recent trends and changes in Open Banking around the world—especially regulatory changes in the EU and UK—are likely to affect banks, fintechs, and other businesses in the US. We conclude that globalization is forcing US banks, fintechs, and other businesses to make internal changes to comply with EU and UK regulations, but these same changes also prepare them to join the Open Banking community.
Good Programming Practices Inevitably Lead to Open Banking
The concept of open banking is not new. In fact, it is based on sound software architecture principles that can be applied to any industry. The banking industry, however, is conservative and highly security conscious. As well, the industry must deal with multiple complex, archaic, legacy IT infrastructures that make implementing new architectures difficult. So, without deadlines imposed by legal regulations, banks have no incentive to quickly adopt Open Banking principles.
Open Banking is Based on Existing Programming Principles
Open banking is based on a “digital first business model,” where a bank’s internal software is built modularly, and each module communicates with the other modules through application program interfaces (APIs). Because all the data is passed through APIs, it is easy for the banks to open selected APIs to third parties so the third parties can aggregate or manipulate financial data on behalf of consumers. It is also easy for banks to maintain security by limiting the number and type of APIs opened to third parties.
Open Banking Needs Standardized APIs to Function Efficiently
Although banks can choose to follow good programming principles and use APIs for both internal and external data transfer, these APIs can be homegrown and therefore unique and proprietary. It is difficult for a third-party developer such as a fintech to interface with multiple banks if the banks all use their own unique APIs.
This is why, around the world, several organizations have initiated projects to standardize the APIs that typically interface with third-party developers. One organization, the Open Bank Project, offers at least ten categories of standardized APIs. These categories include:
- Accounts, which allows access to a user’s account information such as current balance in an account
- Payments and Transaction Requests, which allows for initiation of transfers
- Transactions, which allows access to a user’s transaction history
In the US, Nacha has started a standards group called Afinis. The group currently has the following nine payments-related APIs live and available for use:
- ACH Account Validation (AAV) for use with Phixius
- Account Validation
- ACH Payment Initiation
- Bank Contact Information
- Bank Contact v2
- Pay Me
- Payee Profile
- Real-Time Billing Account Validation
- Transaction Status
In Europe, since 2016, the Banking Industry Architecture Network (BIAN) has defined 30 standardized APIs and implemented them on both the consumer side and the provider side. Although BIAN started in Europe, it is well-connected in the US as well.
Lastly, the industry group the Financial Services Information Sharing and Analysis Center (FS-ISAC), through its subsidiary the Financial Data Exchange (FDX), is also developing APIs relevant to Open Banking.
With so many organizations developing standardized APIs for Open Banking and payment processing, banks and fintechs in the US and elsewhere already have the software tools they need to adopt the Open Banking model. The question then becomes whether they have the incentive to do so.
Open Banking Regulations in the EU and UK Are Forcing Changes In the US
Banks are typically reluctant to share their customers’ financial information. They view the information as their business asset and believe that, for security reasons, they need to restrict access to the information. For the banks to share the information, there would have to be either some regulatory reason or a financial incentive.
In the EU and UK, various regulations have successfully driven the fast adoption of Open Banking. The US has no such national regulation, so adoption is slower. However, due to globalization, even US banks and fintechs must ultimately comply with EU and UK regulations if they wish to do business in the EU.
The Second Payments Service Directive (PSD2) and Similar UK Regulations Require Banks to Share Customer Data When the Customer Gives Permission
In the EU, the PSD2 requires banks to share customer financial data and defines the security measures needed for such sharing. PSD2 was first implemented in January 2018, but some elements of the regulation did not go into effect until September 2019. The regulation primarily:
- Clarifies that a customer’s financial data belongs to the customer instead of the bank, so it is the customer who has a right to permit third parties to access their data.
- Requires banks to implement certain APIs to allow third parties to access the financial data.
- Requires banks and third-party providers to implement security measures, including strong customer authentication methods (e.g., two factor authentication, biometrics) to secure customer data and to monitor and mitigate risks to data breaches.
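The architecture described earlier (all internal modules talk over APIs, and the bank opens only a selected subset to third parties) and the three PSD2 points above (customer-owned consent, a defined set of third-party APIs, strong customer authentication) can be shown together as a small gateway policy. The following is an added example written for this article; it is not code from Trustly, the Open Bank Project, or any bank. The endpoint names, the scope names (`accounts`, `payments`, `transactions`, mirroring the Open Bank Project categories listed above), the token format, the signing key, and the five-minute authentication window are all constructed assumptions.

```python
"""Consent-scoped third-party access to a whitelisted subset of bank APIs.

Added illustration, not a bank's or Trustly's code. Token format, scope
names, endpoint names and key material are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical gateway signing key; a real deployment would keep this in an HSM/KMS.
GATEWAY_KEY = b"constructed-demo-key-do-not-reuse"

# Every internal module is reachable through an API inside the bank ...
INTERNAL_ENDPOINTS = {
    "accounts.balance", "accounts.list", "transactions.history",
    "payments.initiate", "ledger.post", "risk.score", "kyc.profile",
}

# ... but only these are opened to third parties, each mapped to the scope
# the customer must have granted to that third party (assumed scope names).
EXTERNAL_ENDPOINTS = {
    "accounts.balance": "accounts",
    "accounts.list": "accounts",
    "transactions.history": "transactions",
    "payments.initiate": "payments",
}

# Endpoints that move money additionally need a recent strong customer
# authentication (the "second factor" the regulation asks for).
SCA_REQUIRED = {"payments.initiate"}
SCA_MAX_AGE_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_consent_token(customer_id, tpp_id, scopes, sca_at, now=None):
    """The customer grants tpp_id the given scopes; the gateway signs that consent.

    sca_at is the time the customer last completed strong authentication.
    """
    payload = {
        "sub": customer_id,
        "tpp": tpp_id,
        "scopes": sorted(scopes),
        "sca_at": sca_at,
        "iat": now if now is not None else int(time.time()),
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_consent_token(token):
    """Return the consent claims, or None if the token is missing or tampered with."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


def authorize(endpoint, token, now):
    """Gateway decision for one third-party call. Returns (allowed, reason)."""
    if endpoint not in INTERNAL_ENDPOINTS:
        return False, "unknown endpoint"
    if endpoint not in EXTERNAL_ENDPOINTS:
        return False, "endpoint not exposed to third parties"
    claims = verify_consent_token(token)
    if claims is None:
        return False, "invalid consent token"
    needed = EXTERNAL_ENDPOINTS[endpoint]
    if needed not in claims["scopes"]:
        return False, f"scope '{needed}' not granted"
    if endpoint in SCA_REQUIRED and now - claims["sca_at"] > SCA_MAX_AGE_SECONDS:
        return False, "strong customer authentication expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: customer consents to account and transaction access only.
    tok = issue_consent_token("cust-1", "tpp-A", {"accounts", "transactions"}, sca_at=1000, now=1000)
    for ep in ("accounts.balance", "payments.initiate", "risk.score", "ledger.post"):
        print(ep, authorize(ep, tok, now=1100))
```

The two whitelists are the point: `INTERNAL_ENDPOINTS` is what the modular architecture makes technically reachable, `EXTERNAL_ENDPOINTS` is the deliberately smaller set the bank chooses to expose, and the scope check on top of that enforces that the customer, not the bank, decided what the third party may see.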
Recent UK legislation required the nine largest retail and small- and medium-sized business account providers to use open APIs. The same regulation gave customers the right to authorize third party providers to initiate payments on their behalf.
In addition, also in the UK, the Competition and Markets Authority created the Open Banking Implementation Entity (OBIE) in 2016. OBIE is tasked with helping banks, fintechs, third-party providers, consumer groups, and similar organizations implement Open Banking APIs, and with providing an environment that fosters adoption of Open Banking.
The US has no regulation equivalent to those in the UK or to the PSD2. This means that there is no clarification that the customer, instead of the bank, owns the customer’s financial information. There is also no deadline similar to those under PSD2 to implement data sharing and data security requirements. This is why, currently, US banks, fintechs, and other financial businesses lag EU banks in implementing, and more importantly in benefiting from, Open Banking.
The European General Data Protection Regulation (GDPR) Also Affects Open Banking, Both in the EU and in the US
In addition to the PSD2, in the EU, the GDPR also governs a customer’s financial data. GDPR is, therefore, also relevant to Open Banking.
Under GDPR, data transfer of a customer’s information is considered secure and is automatically permitted if the transfer is to countries approved as safe by the EU. Because the US has no national data security regulations, it is considered an unsafe country. However, for several years, there was a safe harbor argument to treat the US as a safe country.
Unfortunately, the European Court of Justice ruled in July of 2020 that the safe harbor argument is invalid. As a result, data transfer between the EU and US would require each US company to agree to a set of data protection rules, either through contractual obligations or through corporate governance rules.
Therefore, in order for US-based banks and fintechs to continue to do business with EU-based companies, they must quickly implement data security procedures to comply with GDPR.
As a Result of Globalization, EU and UK Open Banking Rules are Forcing Compliance by US Banks and Fintechs
Even though PSD2 and GDPR are EU-centered regulations, their effects reach across the globe. US-based banks and fintechs are forced to make changes to comply with these laws so they can do business with enterprises based in the EU.
Most companies, when dealing with fragmented operational standards and legal regulations, prefer to pick a best practice and implement it throughout the company. With Open Banking, logic suggests banks would operate in more or less this way. In fact, there is evidence that this is indeed how some of the largest banks in the world are approaching Open Banking.
HSBC, BNP Paribas, the Royal Bank of Scotland, and many more banks are members of the Open Bank Project. They use the Open Bank Project’s APIs to transfer data to third parties.
In the US, Bank of America, Citi, Wells Fargo, JP Morgan Chase, several federal reserve banks, several payment card processors, Mastercard and Discover, and many technology companies are all members of Nacha’s API standardization group, Afinis. These entities are working together to develop standardized, payment-related APIs.
With major financial institutions participating in API standardization, even without strict regulation, US-based banks and fintechs are following the lead of their EU counterparts. The US banks and fintechs might implement open APIs and various security procedures somewhat slower than those in the EU, and it may take some time for all US banks and fintechs to come into full compliance, but the need to do business globally means that they cannot lag too far behind.
As to the data security requirements under both the PSD2 and GDPR, as long as US-based banks and fintechs wish to do business in the EU, they must comply with these regulations. Since the US no longer has a safe harbor under the GDPR, each bank or fintech wishing to do business—or wishing to continue to do business—in Europe will have to individually implement the security procedures that can pass the PSD2 and GDPR requirements. The need to do business globally, therefore, forces US-based companies to implement data security measures and be similarly protected as their EU counterparts.
How Trustly Fits Into the Open Banking Movement
Very early on, Trustly decided to construct its programming architecture using APIs for both internal and external communications. This architecture fits squarely into the Open Banking framework. Trustly also already communicates with a large number of its banking partners through APIs. As well, because Trustly operates both in the EU and in the US, it already employs data security standards that comply with both PSD2 and GDPR.
Trustly has been driving the Open Banking movement since its start in Europe. In fact, our CEO Oscar Berglund is a part of the EU API evaluation group. With our US-based technology and our Open Banking leadership position in Europe, Trustly is already at the forefront of Open Banking. Let Trustly help you grow globally with Open Banking. Contact us and find out how.
I hope you enjoyed reading this article. If you would like to learn more about how Trustly is leading the Open Banking initiative for the US, please email us at sales.us@trustly.com with "Open Banking in the US" in the subject line.