
Open banking is a framework that enables authorised third-party providers to access financial account data and initiate payments on behalf of customers, through secure and standardised application programming interfaces (APIs), subject to the customer’s explicit consent. In the European Union, this framework is governed by the Revised Payment Services Directive (PSD2), which imposes a legal obligation on all account-holding payment service providers, including banks, payment institutions, and e-money institutions, to publish open banking APIs that TPPs can use to deliver account information and payment initiation services. The objective of PSD2’s open banking provisions is to increase competition, reduce barriers to entry for new financial service providers, and give customers greater control over their own financial data.
As illustrated in a typical open banking API interaction, a customer grants consent to an authorised third-party provider (TPP) through the TPP’s application. The TPP uses the financial institution’s open banking API either to retrieve account data (in the case of an Account Information Service Provider, AISP) or to submit a payment instruction (in the case of a Payment Initiation Service Provider, PISP). The financial institution, acting as the Account Servicing Payment Service Provider (ASPSP), authenticates the customer using strong customer authentication (SCA), verifies that the request falls within the scope of the consent, and fulfils the API request. All interactions are conducted over encrypted channels, and the customer can revoke consent at any time, either through the TPP’s platform or directly with the financial institution.
Key Takeaways:
- Open banking is a regulatory and commercial framework that requires financial institutions acting as Account Servicing Payment Service Providers (ASPSPs) to give authorised third-party providers (TPPs) secure access to customer account data and payment initiation functionality, through standardised APIs, with the customer’s explicit consent;
- In the EU, open banking API publication is a legal obligation under PSD2, enforced by national competent authorities. Banks, payment institutions, and e-money institutions that hold payment accounts must provide a compliant API interface to authorised AISPs and PISPs;
- Open banking APIs must meet the technical requirements set out in the EBA RTS on SCA and secure communication, including strong customer authentication, encrypted data transmission, and a dedicated interface or fallback mechanism for TPP access.
Why EU Institutions Are Required to Publish Open Banking APIs
PSD2 and the legal obligation to provide API access: Under PSD2, any payment service provider that provides payment accounts capable of receiving or sending money is classified as an Account Servicing Payment Service Provider (ASPSP) and is legally required to provide at least one interface through which authorised TPPs can access customer account data and initiate payments. This obligation applies to banks, licensed payment institutions, and e-money institutions operating within the EU and EEA. The UK has a similar requirement under the PSRs 2017. The interface must meet the technical standards defined in the EBA RTS on SCA and secure communication (or the UK-RTS in the case of the UK), and must be made available to TPPs without unnecessary obstacles or discriminatory conditions.
Dedicated interface and fallback requirements: ASPSPs may fulfil their API obligation through a dedicated interface, which is a purpose-built API designed specifically for TPP access. Where a dedicated interface is provided, the ASPSP must also ensure a fallback mechanism is available in the event that the dedicated interface is unavailable, unless a competent authority has granted an exemption from the fallback requirement based on the robustness of the dedicated interface. The dedicated interface must be tested and made available to TPPs before the ASPSP goes live, and must support the full range of account information and payment initiation functionality that PSD2 requires.
Driving competition and market access: The open banking API obligation under PSD2 was designed to lower the barriers to entry for new financial service providers by giving them standardised, regulated access to the banking infrastructure that customers already use. Before PSD2, TPPs seeking to access customer account data were dependent on unsecured methods such as screen scraping, which carried significant security and data quality risks. Mandatory API publication replaces these methods with a secure, consent-driven channel that operates on equal terms for all authorised TPPs, regardless of their size or market position.
Customer empowerment and data portability: Open banking APIs give customers direct control over who can access their financial data and for what purpose. By granting and revoking consent through a structured, regulated process, customers can share their account data with financial management tools, lending platforms, or payment services without disclosing their banking credentials to those third parties. This separation of data access from credential sharing is a fundamental security and privacy improvement over pre-PSD2 data access methods.
Innovation and new financial services: Open banking APIs provide a regulated foundation on which TPPs can build new financial products and services using existing banking infrastructure. This has enabled the development of account aggregation tools, automated affordability assessment for lending, variable recurring payment services, and integrated payment solutions at e-commerce checkout. The standardised API layer means that a single TPP integration can operate across multiple ASPSPs, reducing the technical cost of building multi-bank financial services.
Security and data protection requirements: Open banking APIs must implement the security requirements set out in the EBA RTS, including SCA for account access and payment initiation, encrypted and mutually authenticated API connections, and qualified certificate requirements for TPP identification. ASPSPs are required to monitor their API interfaces for availability and performance, and to report significant incidents to their national competent authority. TPPs accessing the API must be registered or authorised by a national competent authority and identified using a qualified certificate issued under eIDAS, ensuring that only regulated entities can connect to the API.
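The flow described above (consent, TPP identification, SCA, scope verification) comes down to an authorisation decision the ASPSP makes before serving any API call. The following Python example, added here and not code from the page or from Baseella, shows that decision in one place: the TPP’s PSD2 role is taken from its eIDAS qualified certificate (the role OIDs are those defined in ETSI TS 119 495 for the PSD2 QCStatement; extraction and trust-list validation of the certificate by the TLS-terminating gateway is assumed to have happened already), and the request is then checked against the customer’s consent record for TPP binding, revocation, expiry, SCA completion, permitted operations and covered accounts. All TPP names, authorisation numbers, operation names and consent values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

# PSD2 role OIDs carried in the QCStatement (id-etsi-psd2-qcStatement,
# 0.4.0.19495.2) of a TPP's eIDAS qualified certificate, per ETSI TS 119 495.
ROLE_PSP_AI = "0.4.0.19495.1.3"   # account information (AISP)
ROLE_PSP_PI = "0.4.0.19495.1.2"   # payment initiation (PISP)

# Certificate role each API operation requires (operation names are constructed).
REQUIRED_ROLE = {
    "accounts.read": ROLE_PSP_AI,
    "transactions.read": ROLE_PSP_AI,
    "payments.initiate": ROLE_PSP_PI,
}


@dataclass(frozen=True)
class TppIdentity:
    """What the gateway learns from the TPP's client certificate (assumed to be
    already validated and parsed before this check runs)."""
    name: str
    nca_id: str                  # authorisation number stated in the certificate
    roles: FrozenSet[str]


@dataclass
class Consent:
    """The customer's consent record as held by the ASPSP."""
    consent_id: str
    tpp_nca_id: str              # TPP the consent was granted to
    customer_id: str
    permissions: FrozenSet[str]  # operations the customer agreed to
    account_ids: FrozenSet[str]  # accounts the consent covers
    valid_until: datetime
    sca_completed: bool          # SCA performed when the consent was authorised
    revoked: bool = False


def authorise(tpp: TppIdentity, consent: Consent, operation: str,
              account_id: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether the request may be served. The reason names the first
    failed check so every denial can be logged and reported."""
    now = now or datetime.now(timezone.utc)
    required = REQUIRED_ROLE.get(operation)
    if required is None:
        return False, "unknown operation"
    if required not in tpp.roles:
        return False, "certificate lacks the PSD2 role for this operation"
    if consent.tpp_nca_id != tpp.nca_id:
        return False, "consent was granted to a different TPP"
    if consent.revoked:
        return False, "consent revoked by customer"
    if now >= consent.valid_until:
        return False, "consent expired"
    if not consent.sca_completed:
        return False, "strong customer authentication not completed"
    if operation not in consent.permissions:
        return False, "operation outside consent scope"
    if account_id not in consent.account_ids:
        return False, "account outside consent scope"
    return True, "allowed"


def revoke(consent: Consent) -> None:
    """Customer withdraws consent (via the TPP or the ASPSP); effective on the
    next request."""
    consent.revoked = True


# Constructed sample data: a fixed clock, one AISP-only and one PISP-only TPP.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
AISP = TppIdentity("Example Aggregator", "PSDXX-NCA-000001", frozenset({ROLE_PSP_AI}))
PISP = TppIdentity("Example Payments", "PSDXX-NCA-000002", frozenset({ROLE_PSP_PI}))


def sample_consent() -> Consent:
    """Consent granted by customer cust-42 to the AISP for one account, 90 days."""
    return Consent(
        consent_id="consent-0001", tpp_nca_id=AISP.nca_id, customer_id="cust-42",
        permissions=frozenset({"accounts.read", "transactions.read"}),
        account_ids=frozenset({"acct-1"}),
        valid_until=NOW + timedelta(days=90), sca_completed=True,
    )


def demo() -> dict:
    """Exercise the checks for the scenarios the text describes; returns the
    decision per scenario."""
    c = sample_consent()
    results = {
        "aisp_in_scope": authorise(AISP, c, "accounts.read", "acct-1", NOW),
        "aisp_other_account": authorise(AISP, c, "accounts.read", "acct-2", NOW),
        "aisp_tries_payment": authorise(AISP, c, "payments.initiate", "acct-1", NOW),
        "pisp_reads_accounts": authorise(PISP, c, "accounts.read", "acct-1", NOW),
        "after_expiry": authorise(AISP, c, "accounts.read", "acct-1", NOW + timedelta(days=91)),
    }
    revoke(c)
    results["after_revocation"] = authorise(AISP, c, "accounts.read", "acct-1", NOW)
    return results


if __name__ == "__main__":
    for scenario, (allowed, reason) in demo().items():
        print(f"{scenario:20s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The ordering of the checks is deliberate: the certificate role is tested before the consent record is consulted, so a TPP whose certificate does not carry the role for the operation is refused without revealing whether any consent exists, and the reason string gives the ASPSP the per-denial evidence the RTS monitoring and incident-reporting duties call for.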
Cross-border payments and EU financial integration: Standardised open banking APIs facilitate cross-border payment initiation and account access across the EU and EEA, as the PSD2 framework applies uniformly across member states. A TPP authorised in one EU member state can use its passport rights to access open banking APIs provided by ASPSPs in other member states, without requiring separate authorisation in each jurisdiction. This supports the development of pan-European payment and financial management services that operate consistently across borders.
FAQ:
What happens if an ASPSP’s open banking API does not meet PSD2 requirements?
- ASPSPs that fail to provide a compliant open banking API, or that impose obstacles on TPP access, are subject to enforcement action by their national competent authority. Enforcement measures can include supervisory directions, financial penalties, and publication of non-compliance findings. ASPSPs are also required to report API availability and performance statistics to their competent authority, providing ongoing evidence that the interface meets the standards required by the EBA RTS.
Does open banking under PSD2 apply to the UK after Brexit?
- The UK implemented PSD2 into national law through the Payment Services Regulations 2017 before leaving the EU, and the open banking obligation continues to apply to UK-based payment service providers under this legislation. The UK’s open banking framework is overseen by the Open Banking Implementation Entity (OBIE) and regulated by the FCA and the Payment Systems Regulator (PSR). While the UK framework has diverged from the EU framework in some respects since Brexit, the core obligation for ASPSPs to provide TPP access through a compliant API interface remains in place.
In conclusion, the open banking API is an essential cornerstone of the modern, transparent, competitive, and customer-centric financial ecosystem. Its influence extends beyond merely providing open access to customer account information and payment initiation. It drives innovation, enhances customer experiences, and improves the efficiency of financial services, ensuring that the banking industry remains responsive and customer-focused in the digital age.
Learn how you can ensure compliance with your open banking requirements and how Baseella can foster access to other applications via our ready-made open banking API.