Open Banking Around the World
The Open Banking Movement
Open Banking as a concept befuddles many because of the various regulations that have emerged in different countries. However, Open Banking goes well beyond regulatory environments. It’s applicable globally even where there isn’t a government mandate in place.
At the heart of Open Banking is opening APIs to allow access to customer accounts. This enables third parties to build applications and services around an existing financial institution, usually a large bank. The institution creates open APIs, which allow a developer certified by a government or industry authority to create a product or service that can utilize data shared through those APIs with the customer’s explicit consent. The idea is to create a more competitive marketplace with innovative financial services that benefit customers, while also allowing customers to take control of their data and how it is shared.
Trends Among Regional Initiatives
Regulation vs. Industry Cooperation: In some cases, governments and regulatory bodies have issued broad statements encouraging banks to participate in Open Banking. In other cases, like PSD2 in the EU, the Open Banking Standard in the UK and the Consumer Data Right in Australia, government mandates have been written into legislation with deadlines for enterprises to create open APIs.
Emerging Industry Standards: In some Open Banking schemes, participants must conform to a standard in order to ensure interoperability. In others, parties are required to certify conformance to the standard before participating in the API ecosystem. While a standard API format is up for debate across Open Banking initiatives, the security of those APIs is primarily based on OAuth 2.0 and OpenID Connect frameworks. Many stakeholders across global initiatives are working together and looking to adopt FAPI, the financial-grade API model that puts a financial lens on the broader OAuth 2.0 authorization framework.
Open Banking in Different Countries
Open Banking was initiated by the European Parliament in 2015, with the drafting of the revised Payment Services Directive, commonly known as PSD2. Unlike Open Banking in the UK, PSD2 requirements were vague, and as a result, the widespread adoption of a single standard has been difficult thus far. Currently, the most popular standard is the one created by the Berlin Group and its NextGenPSD2 Task Force. It offers four architecture models for authentication: redirect, OAuth 2.0, decoupled and embedded.
PSD2 entered into force on January 12, 2016, with a two-year deadline for EU member states to transpose it into national law. Two key 2019 deadlines (14 March and 14 September) have already passed for implementing the strong customer authentication requirement. However, in the UK, the FCA has announced that it will delay enforcement for 18 months where there is evidence that firms have taken the necessary steps to comply with the plan. Other countries, such as France and Denmark, are issuing similar extensions.
The UK is considered the leader in Open Banking, implementing its Open Banking Standard in January 2018. It was a response to a report by the Competition and Markets Authority (CMA) indicating a lack of competition amongst big banks in the UK. The Open Banking Standard furthered PSD2 by specifically requiring banks to provide data to third parties via APIs (as of June 2019, 19 are enrolled). The Standard is determined by the Open Banking Implementation Entity, which approves participants and is doing business as Open Banking Limited, a non-profit entity. The Standard is based on OAuth 2.0 and OpenID/FAPI.
The relevant regulation in Australia is called the Consumer Data Right (CDR). It has begun with an Australian Open Banking pilot, but also has a broader focus that encapsulates numerous industries, with energy and telecom set to follow. (Ping Identity is the only vendor on the Advisory Committee for CDR.) The focus is initially on transaction data only, and standards are close to coming out of draft status. The deadline for the “big four banks” to comply is February 2020.
In New Zealand, Open Banking efforts have been led by the industry, with government encouragement (or threat of regulation, depending on how you see it). It’s starting off with two major banks and two fintech companies. A key driver is to reduce credit card transaction fees to 0%. The standards process supervised by Payments NZ now also involves access to account data and uses OAuth and OpenID/FAPI.
The Monetary Authority of Singapore (MAS) has released a playbook with API standards, but has made adoption by banks voluntary. So far it’s been limited to established banks. The standard is based on OAuth 2.0 and OIDC and benefits from the national identity card system (NRIC), which has more widespread digital use and adoption than in other countries. Standards development is being facilitated by MAS in conjunction with the major banks.
The spirit of Open Banking in Japan can be described as collaboration, in contrast to the usual regulatory approach of other jurisdictions. The Japanese Banking Act initiated in May 2017 introduced a framework for Electronic Payments Intermediate Service Providers (similar to PSD2) and forecasts that at least 80 banks will open APIs by 2020. However, the number of APIs thus far has been low, as the focus has not been to increase competition, but rather to improve operational efficiencies.
The Hong Kong Monetary Authority launched the Open API Framework in January 2019 with a four-phase approach to Open Banking-related initiatives. The initial phase is for banks to publish open APIs for third-party providers to access ‘read-only’ information on products and services. The second phase involves processing applications for financial products. The next phases cover individual account information and transactions, respectively.
There has been no serious government-sponsored Open Banking policy in the United States, but several federal agencies have issued non-binding guidelines, including the Federal Financial Institutions Examination Council (FFIEC) and the Consumer Financial Protection Bureau (CFPB). Instead, there has been an industry-led approach, most notably with the Financial Data Exchange (FDX), composed of 30+ members, including many leading financial institutions. The FDX has published its own API, which is based on FAPI.
Many forward-thinking U.S.-based financial institutions are looking to emerging Open Banking standards around the world and leaning into open API business models as an innovative way to fight back against data aggregators’ insecure screen-scraping practices.
Identity and Access Management Underpins Open Banking
No matter which geography or regulatory environment you operate in, the same key foundational technologies make it possible to securely open your APIs. Identity and access management in the form of authentication, authorization, secure identity data storage, consent management and API security will ensure you have a solid architecture to support any flavor of Open Banking.
Start with your APIs. A couple of common API types are (1) consumer banking account and transaction data used by data aggregators and/or (2) payments, which can be used by a broad number of third-party payment initiators, such as retailers, utilities providers and charities.
Customer identity and access management. Provide secure, consistent OAuth and OIDC-based access to your APIs. You’ll need an authorization server to issue tokens. Strong customer authentication with multi-factor authentication will ensure it’s your customer on the other end of an API call from a third party. A consolidated user profile will provide an omnichannel user experience across API-based services and the rest of your digital channels. Lastly, you’ll need a user-friendly mechanism for customers to grant and revoke consent for third parties to access their data.
API access management and security. Once the foundational API access controls are in place to validate access tokens, many organizations are looking to implement data access governance, which provides fine-grained authorization to API data using dynamic, attribute-based access controls based on customer consent. With the increase in traffic to your APIs, AI-powered API cybersecurity gives you visibility, threat detection and blocking to reduce organizational risk from a growing number of API attacks.
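The consent-based, fine-grained authorization described above can be sketched as a resource-server check. This is an added example, not code from Ping Identity or from any Open Banking standard; the permission names, claim names (consent_id, client_id) and record fields are hypothetical, and the access token is assumed to have been validated upstream.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical permission names and the account fields each one unlocks.
FIELDS_BY_PERMISSION = {
    "accounts:basic": {"account_id", "currency"},
    "accounts:balance": {"balance"},
    "transactions:read": {"transactions"},
}

class AccessDenied(Exception):
    """Raised when the request is outside what the customer consented to."""

@dataclass(frozen=True)
class Consent:
    consent_id: str
    customer_id: str
    client_id: str          # the third party the customer granted access to
    account_ids: frozenset
    permissions: frozenset
    expires_at: datetime
    revoked: bool = False

def authorize_and_filter(claims, consent, account, now):
    """Return only the account fields the consent covers, or raise AccessDenied.

    Assumes `claims` come from an access token whose signature, issuer,
    audience and expiry were already validated upstream.
    """
    if consent is None or consent.revoked:
        raise AccessDenied("consent missing or revoked")
    if now >= consent.expires_at:
        raise AccessDenied("consent expired")
    if claims.get("consent_id") != consent.consent_id:
        raise AccessDenied("token is not bound to this consent")
    if claims.get("client_id") != consent.client_id:
        raise AccessDenied("token was issued to a different third party")
    if not (claims.get("sub") == consent.customer_id == account["owner"]):
        raise AccessDenied("customer mismatch")
    if account["account_id"] not in consent.account_ids:
        raise AccessDenied("account not covered by consent")
    allowed = set()
    for permission in consent.permissions:
        allowed |= FIELDS_BY_PERMISSION.get(permission, set())  # unknown grants nothing
    return {k: v for k, v in account.items() if k in allowed}

# Constructed sample data for illustration only.
NOW = datetime(2019, 10, 1, tzinfo=timezone.utc)
CONSENT = Consent("c-1", "cust-42", "tpp-app", frozenset({"acc-1"}),
                  frozenset({"accounts:basic", "accounts:balance"}),
                  expires_at=datetime(2020, 1, 1, tzinfo=timezone.utc))
CLAIMS = {"sub": "cust-42", "client_id": "tpp-app", "consent_id": "c-1"}
ACCOUNT = {"account_id": "acc-1", "owner": "cust-42", "currency": "AUD",
           "balance": "120.50", "transactions": [{"amount": "-9.99"}]}
```

With the sample consent, the third party receives the basic details and balance but not the transaction list; revoking the consent or presenting a token issued to another client is denied before any data is read.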
Ping Identity Knows Open Banking
Identity and access management is essential to providing a seamless, secure and standards-based Open Banking experience and managing digital identities across multiple parties. Since 2002, Ping Identity has been a contributor to many of the major identity standards that are used today. Our platform was purpose-built for financial services, and we count 12 of the 12 largest U.S. banks by assets as customers, as well as a number of UK, EU and Australian banks.
We are a leader in enterprise identity because our customers love the flexibility of our platform. Many of our solutions can be deployed in the cloud or on premises. In addition, our features coexist with other products and can be deployed by capability, which reduces vendor lock-in and future-proofs your enterprise.
Open Banking is not only already happening, it's also here to stay. There’s a lot at stake for the industry: banks, fintechs, governments, and most importantly, consumers. If you’re serious about harnessing the value of Open Banking, security has to be top of mind. APIs represent a target for bad actors, and opening more APIs to third parties increases the potential for cyberattacks. In fact, Gartner predicts by 2022, “API abuses will be the most frequented attack vector resulting in data breaches for enterprise web applications.”
In addition to security, you need a strong focus on user experience to ensure widespread adoption by both third parties and consumers. You have to capture the consent of your customers to use their data and remain in compliance with local regulations like GDPR and CCPA. Finally, your organization needs to build its solutions on open standards to fully realize the potential of Open Banking opportunities.
Mark Perry - APAC CTO & Principal Architect
About Ping Identity
Ping Identity envisions a digital world powered by intelligent identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity™ platform provides customers, employees and partners with access to cloud, mobile, SaaS and on-premises applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards leadership, and partnership with companies including Microsoft, Amazon and Google. We provide flexible options to extend hybrid IT environments and accelerate digital business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities.