View from the top – Maciej Kostro, Board Advisor, Polish Bank Association & Leader PolishAPI
Standards in the Open Banking landscape
For many reasons, we do not have a uniform standard of access to payment accounts in Europe. First of all, the regulator did not opt to define such a requirement either in the directive or in regulatory technical standards (RTS). On the contrary, certain RTS provisions – such as Article 36 (1) (a) – force the creation of different interfaces for virtually every bank. The regulations did not even include a list of basic transaction data which must be provided by the ASPSP.
European markets have different levels of digital maturity in the area of banking. In some countries, access to mobile banking and the use of instant payments is standard, in others not. The awareness of digital security threats is also different, both among customers and organisations. In addition, pressure from fintech companies also varies from country to country. In some countries, and Poland is among them, cooperation with third companies has a long and rich history.
Based on this history, the Polish payment community decided to establish a project for a common XS2A standard. The goal was clearly defined: to find a solution that satisfies both sides, ASPSPs and TPPs. At the beginning of 2017, a project group was formed, which included banks, credit unions, non-banking payment institutions, industry organisations and infrastructure companies (Polish Clearing House, Credit Office). The group received the support of consulting companies, law firms and IT experts. Its attention has been focused on security issues.
Pay-by-link payments were our main inspiration. This type of payment has been present in our market since 2002 and constitutes over 60 per cent of all e-commerce payments, significantly exceeding the share of card payments. The process is based on redirection to the bank’s infrastructure to authenticate the user, select the payment account from which the payment will be made and authorise the given transaction (almost the same process as in the case of the Payment Initiation Service). This process involves an intermediary, an integrator, responsible for integrating merchants with individual banks; almost all banks in Poland offer such a service. Payment is made immediately and the merchant receives immediate confirmation. From the customer’s perspective, this is a well-known, safe and simple process.
Billions of processed transactions produced practical knowledge along the way, including information on vulnerabilities and security threats. This led to the security proposals for the PolishAPI standard that distinguish it from NextGenPSD2 or the Open Banking UK standard. These include:
- minimising the use of HTTP headers: all transaction data are contained in the body (payload) of the request,
- the lack of GET queries is a consequence of including all relevant data in the payload,
- mandatory mutual authentication based on an eIDAS QWAC certificate,
- both request and response must be signed with an eIDAS QSealC certificate,
- extension of the `scope` parameter of the OAuth protocol – the `scope_details` parameter contains all information necessary for proper interpretation of the permissions.
We are aware that PolishAPI is not fully in line with the REST API or OAuth 2.0 standard. Nevertheless, we believe that the area of access to financial data should be treated in a slightly different way to other data. Especially if we are talking about data collected as part of the Account Information Service, including account data, balance and transaction history.
An additional aspect that we must take into account is the use of banking authentication tools for public services in Poland, and the recommendation of the Polish financial supervisor that bans sharing authentication tools with third parties.
From the point of view of interface implementation, the fact that there is more than one standard in Europe does not seem to be a big problem. This situation also creates a market for hub solutions, and in my opinion, this is how the Open Banking market in Europe will be shaped: it will be a market of several hubs offering access to banks with some value-added services.