Open banking

In financial services, open banking allows for financial data to be shared between banks and third-party service providers through the use of application programming interfaces (APIs). Traditionally, banks have kept customer financial data within their own closed systems. Open banking allows customers to share their financial information securely and electronically with other banks or other authorized financial organizations such as payment providers, lenders and insurance companies.

Proponents argue open banking provides greater transparency and data control for account holders, and could allow for new financial services to be provided. Proponents also say that it aims to promote competition, innovation, and customer empowerment in the banking and financial sectors. Opponents argue that open banking can lead to greater security risk and exploitation of consumers.

The first open banking regulations were introduced by the European Union in 2015, and many other countries have introduced financial regulations related to open banking since.

History
The concept was first explored in 2003 as part of the open innovation movement that was promoted by Henry Chesbrough. The advent of internet banking and development of online technology in the early 2000s led to interest in access to the data, which was first seen in account aggregation attempts by technology companies.

During the 2010s, open banking was also linked to shifts in attitudes towards the issue of data ownership, illustrated by regulations such as GDPR and the open data movement. With open banking, banks turn into financial service platforms, technically implemented through a banking as a service concept.

The first real regulatory move to open banking came in 2015 when the European Parliament adopted a revised Payment Services Directive known as PSD2. The new rules were aimed at promoting the development and use of innovative online and mobile payments through open banking. This introduced a number of new services, definitions, and obligations for market participants.

This was welcomed by fintech companies but banks were generally slow to agree to sharing the data for technical and security reasons as well as concerns for new competition. Between 2015 and 2021, a number of countries enacted laws and regulations forcing traditional banks to provide API access to customer data.

Risks and criticism
With open banking, banks open their APIs to third-party fintech companies, which comes with security risks. Hackers can target third-party apps and excessive access privileges could be given to employees. Malicious actors may be able to trick banking customers and third-party companies with phishing scams.

There are also privacy concerns about open banking. There is a risk of aggressive market practices or offering a customer more expensive products based on an analysis of openly-available financial data.

For consumers, open banking poses a risk of "digital and financial exclusion". Mick McAteer, from the UK research firm Financial Inclusion Centre, said that only the tech-savvy would benefit from open banking and it would lead to more financial exclusion of those with low income. He said that consumers could be exploited, either by new types of payday loans or the misuse of data and personal information that people have revealed online.

Africa
Open banking in Nigeria was kickstarted by the Open Banking Nigeria as an initiative to be non-partisan and non-financial API standards for Nigerian financial services. It was formed in June 2017 by a group of bankers and fintech experts who got together to propose the adoption of common API standards for the country. Open banking in Nigeria later evolved into a regulatory backed initiative with the release of the open banking regulation by the Central Bank of Nigeria in 2021 and the subsequent Operational Guidelines for Open Banking in Nigeria.

Australia
An open banking project was launched in Australia on 1 July 2019 as part of the Consumer Data Rights (CDR) project by the Treasury and Australian Competition & Consumer Commission. The CDR legislation was passed by the Australian parliament in August 2019.

In May 2023, Payments NZ, which supervises the payment system in New Zealand, said that the main banks will be ready by 2024 to implement open banking.

European Union
In October 2015, the European Parliament adopted a revised Payment Services Directive known as PSD2. The new rules were aimed at promoting the development and use of innovative online and mobile payments through open banking. It introduced a number of new services, definitions, and obligations for market participants.

More than two years after the entry into force of the PSD2 provisions, which took place on 13 September 2019, the European Commission announced the commencement of the review procedure of the Directive. On 18 October 2021, the European Commission submitted a call for advice to the European Banking Authority (EBA). The EBA responded on 23June 2022. Amendments to the Directive were planned for the fourth quarter of 2022.

The SEPA (Single Euro Payments Area) API Access Scheme initiative was launched by the ERPB (Euro Retail Payment Board), a strategic advisory body at the European Central Bank. The initiative was described in two reports, the first was published on 31 May 2019, and the second was published on 4 June 2021. The information on the transfer of the initiative for further works and the implementation of the SEPA API Access scheme by the European Payments Council is also publicly available.

The proposed scheme defines the principles of cooperation between the entities participating in it and defines standard methods of implementing selected services based on the use of APIs, billing systems, and payment systems. The starting point for the work on the scheme was PSD2 services provided by European credit institutions, which would remain free of charge for third parties. Other services – referred to as value-added services, premium services or extended services – could be monetised by credit institutions based on the rules adopted in the scheme. These rules and the general assumptions of the scheme would be discussed with the relevant Directorates-General of the European Commission.

On 26 October 2020, The Berlin Group established a new task force called The Berlin Group openFinance API Framework, which replaced the previous task force responsible for creating the NextGenPSD2 standard. The new task force's work focuses on the standardisation of value-added services that credit institutions may make available to eligible third parties based on bilateral agreements or potential new payment schemes.

Standardisation initiatives include:


 * NextGenPSD2 – Pan-European standardisation initiative run by The Berlin Group.
 * STET standard – developed by the French clearing house (STET); in its shape, the standard has been as close as possible to the NextGenPSD2 standard of The Berlin Group as part of the convergence project.
 * Slovak Banking API – a standardisation project entirely run by the Slovak Bank Association in cooperation with the National Bank of Slovakia, made available in the form of documentation.
 * PolishAPI – the PolishAPI standard defines an interface for the needs of services provided by third parties based on access to payment accounts, i.e. services introduced by the amended directive on payment services within the internal market (PSD2). Participants include the Polish Banks Association, associated commercial and cooperative banks, and third-party providers.

Latin America
Mandatory and centralised electronic invoicing was implemented relatively early in countries such as Mexico, Chile, Colombia, and to a lesser extent, Brazil, offering the possibility to retrieve open accounting data in a similar way as open banking.

The Central Bank of Brazil deployed its open banking model, which mandates banks and financial institutions (including fintech) to make available information on traditional financial services and products. Brazil's implementation is mandatory for institutions with large sizes, significant international activity, and high-risk profiles, and optional for all other institutions. The implementation of the first phase happened almost two years after the first open banking framework was published in April 2019, in which the fundamental requirements for the implementation of the law were disclosed. The Central Bank of Brazil outlined the following phases of implementation:


 * Phase 2: Customer Information (July 2021) – Consumers have the option to share their data (registration, account transactions, card, information, and credit transactions) with the institutions of their choice, at the time of their choice.
 * Phase 3: Transactional Information and Payment Initiation (August 2021) – Consumers have access to services, such as new payment options and credit offers, through the shared channels by financial institutions.
 * Phase 4: Extra information (December 2021) – The following phases include additional products such as insurance, pension plans, and investments.

In late 2020, the Chilean government announced that it was working on a proposal for fintech regulation and the incorporation of an open banking standard. The government edited the Financial Portability Act, a set of regulations aimed to facilitate the switch between banks and financial providers. On 4 January 2023, Chile enacted a law with the aim to establish a regulatory framework for fintech activity and create an open finance system that enables secure data-sharing.

Colombia has established a voluntary model for open banking, with the Financial Regulation Unit (URF)'s goal being to foster public-private discussion.

Mexico was the first Latin American country to implement open banking legislation. On 9 March 2018, the Fintech Law of 2018 (Ley para Regular las Instituciones de Tecnología Financiera) was published in the Federal Official Gazette (DOF; Diario Oficial de la Federación). Article 76 states that standardised APIs must be established to enable connectivity and access to other interfaces. As a consequence, more than 2,300 institutions were technically required to share information. Article 76 provides that certain information may be shared by financial institutions, money transmitters, Credit Information Companies (SIC; Sociedades de Información Crediticia), clearing houses, and financial technology institutions. Those types of data are open data (related to products and services offered to the general public), aggregated data (related to any type of statistical information related to operations), and transactional data (related to the use of a product or service).

On 10 March 2020, the Mexican Central Bank (Banxico) published Circular 2/2020 in the DOF. Circular 2/2020 outlined secondary provisions of the law, specifically dealing with open banking. Different financial market entities were required to share information through APIs. The secondary provisions only apply to SICs and clearing houses; Circular 2/2020 states that both SICs and clearing houses must obtain authorisation from Banxico for the use of the APIs by other institutions. In turn, SICs and clearing houses must enter into agreements with other entities authorised by Banxico for the exchange of information. Additionally, the issuance of fees to be charged between institutions that exchange information is also defined. Circular 2/2020 states that in case of non-compliance with the provisions of Circular 2/2020, SICs and clearing houses may face fines levied by Banxico.

In June 2020, the rules for exchanging open data were applicable to all financial institutions – banks, fintechs, and companies authorised by the Comisión Nacional Bancaria y de Valores.

United Kingdom
In August 2016, the Competition and Markets Authority (CMA) issued a ruling that required the nine biggest UK banks – HSBC, Barclays, RBS, Santander, Bank of Ireland, Allied Irish Bank, Danske Bank, Lloyds, and Nationwide – to allow licensed startups direct access to their data, down to the transaction level. The direction came into force on 13 January 2018, using standards and systems created by Open Banking Limited, a non-profit created especially for the task, while enforcement rests with the CMA. Protection for consumers is the responsibility of the Financial Conduct Authority (FCA) for account information and payment initiation services (under the PSD2 directive), and the Information Commissioner's Office for data. The CMA direction only applies to the nine largest banks, and works alongside the broader PSD2 rules that apply to all payment account providers.

, there are 339 FCA-regulated providers enrolled in open banking. Many of them provide financial apps that help manage finances; others are consumer credit firms who use open banking to access account information for affordability checks and verification.

In March 2021, the CMA consulted on arrangements for the future oversight of open banking. This consultation referenced a proposal by UK Finance (a trade association for the banking and finance industry), which had engaged with stakeholders to develop a blueprint for a new organisation (a 'Future Entity') to replace Open Banking Limited, which would serve the needs of the significantly larger number of financial institutions by enabling an Open Data and payments market.

United States
In 2021, president Joe Biden issued an executive order indicating the administration's desire to begin rulemaking for Section 1033 of the Dodd–Frank Act. The intention was to support open banking initiatives in the United States. Also in 2021, open banking provider Plaid settled for US$58M in a consumer-driven, privacy-related class-action lawsuit. Rohit Chopra, the director of the Consumer Financial Protection Bureau, initiated rulemaking pertaining to Section 1033 in 2023.