Open Banking

The expression “Open Banking” refers to the way in which banks can make data and services available via interfaces to authorized service providers or third parties who act on behalf of the customer who owns the account.

I have gathered all the puzzle pieces for you (Open Banking, PSD2, eIDAS, e-commerce, online retailers, TPPs, XS2A, API) to help you figure out the big picture of Open Banking in just a few minutes.

Let’s get started:

  1. A visual scheme:

  2. Definition of the terms (from left to right)

PSU (Payment Service User) = the Client

TPP (Third Party Provider) = the Fintech or other entity

PISP (Payment Initiation Service Provider) = just a type of TPP, which initiates payments without going through the traditional payment networks

AISP (Account Information Service Provider) = just a type of TPP, which provides information about the customer’s accounts and balances

PIISP (Payment Instrument Issuing Service Provider) = just a type of TPP, also known as CISP (Card Issuing Service Provider), which provides information about the availability of funds for payment transactions based on payment cards; the related service can be identified as FCS (Confirmation on the Availability of Funds Service).

XS2A (Access to Account) = the provision of secure access to accounts operated by ASPSPs using APIs, in order to enable TPPs to provide to customers:

a)      Payment Initiation Services (PIS),

b)      Account Information Services (AIS) and

c)      Card Based Payment Instruments Issuing (CBPII).

ASPSP (Account Servicing Payment Services Provider) = the Bank

API (Application Programming Interface) = a set of definitions, protocols, and tools that can be used to create applications, interact with other applications, and exchange data.



  3. The connections between the entities defined above and the consequences

You have read PSD2 (Revised Payment Services Directive 2), Law 209/2019 on payment services and the eIDAS Regulation (Electronic Identification, Authentication and Trust Services Regulation), and maybe you need some quick explanations and examples in order to establish the connections between the entities.

PSD2 enables Open Banking by introducing XS2A. Basically XS2A allows customers to use the services of TPPs to access account information or initiate transactions on their behalf.

As a consequence, the traditional e-commerce transaction changes. Instead of entering all debit or credit card details, the customer is asked whether he/she wants to give the retailer access to his/her bank account. If the customer agrees, the merchant takes the customer to his/her bank’s internet banking site, where the customer gives the required permissions.

Open Banking should bring smart innovations to the payments industry by allowing licensed TPPs to easily initiate payments from bank accounts and retrieve account information, if the account holder consents.

As far as smart innovations are concerned, you should know that a technical service provider can take a large part of the burden off a TPP, such as:

  1. the integration with banks via a variety of different APIs and authentication methods;
  2. the account consent management;
  3. the storage of account balance and transactions;
  4. PSD2 and GDPR compliance.


  4. Requirements applicable to TPPs:

In accordance with PSD2, registered TPPs are authorized to access customer bank accounts as well as execute payments. The regulatory standards require processing of transactions via secure channels, in order to protect data in terms of authenticity and confidentiality. In this respect, PSD2 requires TPPs to:

  1. have the capability to safely, securely and reliably initiate and process XS2A services with banks,
  2. use electronic Identification, Authentication and Trust Services (eIDAS) certificates for electronic signatures and electronic seals.

Please note that various regulations and standards set out the Internet security and certificate requirements for implementing secure authentication and identification for XS2A.

Qualified Certificates can be obtained from a Qualified Trusted Service Provider (QTSP) when setting up the XS2A services infrastructure, to maintain stability and interoperability and provide security:

  • Qualified Website Certificates (QWACs) should be used for website authentication, so that ASPSPs and TPPs can be certain of each other’s identity.

Example: a TPP makes a request to the bank to obtain account information or initiate a payment. It is imperative that the bank checks the validity of the TPP certificate. This ensures that no customer data is mistakenly issued to third parties. This is where the QWAC intervenes. The QWAC validates the identity and role (AISP, PISP, PIISP) of the TPP and then releases the call of the TPP. Only after this confirmation does the TPP receive the requested XS2A access.

  • Qualified Electronic Seal (QSEAL) Certificates should be used for identity verification, so that transaction information is protected from potential attacks during or after a communication.
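The bank-side QWAC check from the example above, sketched as an added example that is not part of the original article: it decides whether a TPP call may proceed based on certificate validity and PSD2 role. It assumes the TLS layer has already parsed the certificate and checked its chain and revocation status; the function name and dictionary fields are hypothetical, and the role names and organizationIdentifier layout follow ETSI TS 119 495, which the article does not cite.

```python
import re
from datetime import datetime, timezone

# PSD2 role names carried in a QWAC (ETSI TS 119 495), keyed by XS2A service.
ROLE_FOR_SERVICE = {
    "AIS": "PSP_AI",    # Account Information Services (AISP)
    "PIS": "PSP_PI",    # Payment Initiation Services (PISP)
    "CBPII": "PSP_IC",  # Card Based Payment Instruments Issuing (PIISP)
}

# organizationIdentifier layout in ETSI TS 119 495: PSD<country>-<NCA id>-<PSP id>
ORG_ID = re.compile(r"^PSD[A-Z]{2}-[A-Z]{2,8}-.+$")


def authorize_xs2a(cert, service, now):
    """Return (allowed, reason) for one TPP call; cert holds pre-parsed QWAC fields."""
    required = ROLE_FOR_SERVICE.get(service)
    if required is None:
        return False, "unknown XS2A service"
    # chain_valid / revoked are hypothetical flags set by the TLS layer.
    if not cert.get("chain_valid"):
        return False, "certificate chain not anchored in a QTSP"
    if cert.get("revoked"):
        return False, "certificate revoked"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate outside validity period"
    if not ORG_ID.match(cert.get("organization_identifier", "")):
        return False, "malformed PSD2 organizationIdentifier"
    # The role must match the service being called, not merely exist.
    if required not in cert.get("roles", ()):
        return False, f"role {required} not present in certificate"
    return True, "ok"


# Constructed sample: an AISP-only certificate (all values are made up).
SAMPLE_CERT = {
    "organization_identifier": "PSDXX-NCA-EXAMPLE1",
    "roles": {"PSP_AI"},
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
    "chain_valid": True,
    "revoked": False,
}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for svc in ("AIS", "PIS", "CBPII"):
        print(svc, authorize_xs2a(SAMPLE_CERT, svc, SAMPLE_NOW))
```

An AISP-only certificate is accepted for account information but refused for payment initiation, which is the role check the example describes.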

The use of Qualified Certificates must be standardized for PSD2, in line with the eIDAS Regulation. By using eIDAS-conformant Trust Services and the appropriate technological protocols, all Payment Service Providers (PSPs) and Payment Service Users (PSUs) can be compliant and are provided with:

  1. Identification;
  2. Confidentiality;
  3. Authenticity/Integrity;
  4. Non-Repudiation.

As set out in the eIDAS Regulation, Trust Service Providers (TSPs) can freely passport their services within the European Union (EU), without the need for additional confirmation.