View From The Top – helping account providers meet regulatory requirements
The Open Banking ecosystem has been growing rapidly in the UK over the last couple of years. There are now over 230 third party providers (TPPs) and 55 Account Servicing Payment Service Providers (ASPSPs) enrolled – over half of which are regulated entities, with the remainder pending authorisation.
There is a growing number of Open Banking-enabled propositions on offer, made up of aggregation services, comparison platforms, money management tools, credit bureaus and providers. These are already delivering real value to individuals and businesses.
ASPSPs in UK and Europe now need to apply to their National Competent Authority (NCA) for an exemption against having a ‘contingency mechanism’ in place in case a dedicated interface fails. For exemption, ASPSPs are required to demonstrate three months’ wide usage of their dedicated (API) interface beforePSD2’s Regulatory Technical Standard (RTS) deadline of14 September.
Since 2016, OBIE has been developing a Standard for Open Banking APIs. Version 3.1 of the OBIE Standard, published in November, now covers all PSD2 in-scope accounts and requirements, enabling any ASPSP to implement a PSD2-compliant API interface.
The Standard covers around 92 per cent of the UK’s banking market, with 38.2 million API calls made in March 2019. Our team is working to on-board the remaining eight per cent ahead of the September deadline.
ASPSPs who implement the Standard should increase the likelihood of TPPs engaging with them in testing and wide usage, and hence reduce their compliance risk in applying for an exemption.To further support ASPSPs with their applications, OBIE and UK Finance have published example answers for the FCA forms.
Over the last year, OBIE has been working with the OpenID Foundation (OIDF)to develop a Security Conformance Tool to help implementers test conformance, and has developed a Functional Conformance Tool for the Read/Write API Specifications. It has also published checklists for both Customer Experience Guidelines and Operational Guidelines.These tools are all open source and freely available for anyone to download without registration.
Both OBIE and OIDF have taken further steps in offering certification services. Although these are based on self-certification, they offer an independent validation, or proof point, for ASPSPs to share with TPPs and regulators.
When the roll out of Open Banking began in 2018, the RTS was not finalised and the ETSI profile for eIDAS certificates with PSD2 roles was still in draft. To ensure that firms could securely identify and connect, OBIE developed a trust framework called the Open Banking Directory. Over the last year, the Directory has evolved and developed further, offering additional benefits over and above relying on eIDAS certificates alone for identification.
OBIE also offers a comprehensive support service for enrolled participants, including technical support and participation in regular Testing Working Group meetings for discussion of issues and problem solving. Critically, the testing team provides a ‘buddy-up’ support service to ensure that ASPSPs and TPPs can collaboratively test and live-prove connectivity.
The core infrastructure being put in place by firms in response to the CMA Order and PSD2 is an enabler of competition within the market: ultimately helping consumers and small and medium businesses. We are starting to see the narrative shift: beyond regulatory/compliance programmes to embracing the commercial opportunities that an API economy can offer customers.
Therefore, OBIE has recently published Version 3.1.2 of the Open Banking Standards, enabling additional functionality over and above the requirements of PSD2, including two-way (push) notifications, SCA exemptions for trusted beneficiaries, and enhanced payment status.
We are now working on a suite of ‘premium API’ standards for use cases which are not explicit PSD2 requirements, but where there is significant market demand. Initially the focus is on propositions covered under the CMA Order Roadmap – such as variable recurring payments (VRPs) and refunds – and recommend functionalities from the API Evaluation Group.
The CMA’s foresight – requiring OBIE to develop a robust standard and then work with the CMA9 to implement APIs consistently, 18 months ahead of PSD2 deadlines – has been of significant value to the market. While still in the early stages, the vibrancy of the UK Open Banking ecosystem is a testament to many months of hard work and lessons learned.
So much has been achieved, and a lot remains still to do to deliver a mature, market-driven platform for innovation, competition and customer-centric service.