Open banking is everywhere. At least, that’s how it feels when you read the financial services press. But what is it and why does it matter? Read on to find out…
What is open banking?
Open banking is a financial framework and technology standard that allows third-party providers to access consumer banking data through secure application programming interfaces (APIs) with customer consent. This enables customers to share their financial information with authorized apps and services beyond their primary bank.
Under open banking regulations, banks must provide standardized access to customer account data when customers grant permission. Third-party providers can then use this data to offer services like budgeting apps, payment initiation, account aggregation, and personalized financial advice.
Open banking aims to increase competition in financial services, give consumers more control over their financial data, and enable innovation in fintech. It operates under strict security protocols and data protection regulations to ensure customer information remains safe and is only shared with explicitly authorized parties.
How does open banking work?
Open banking operates through a secure, permission-based system that connects banks with third-party financial service providers. The process relies on APIs that enable safe data sharing between institutions.
We can lay out the open banking process in five steps:
1. Customer initiates connection
The customer chooses a third-party app or service (like a budgeting tool or payment app) that uses open banking. The app requests permission to access specific financial data from the customer’s bank account.
2. Authentication and consent
The customer is redirected to their bank’s secure login page, where they authenticate their identity. The customer explicitly consents to share specific data (like transaction history or account balances) with the third-party provider.
3. API connection established
With consent granted, the bank issues the third-party provider an access token bound to that consent. The provider presents the token on each API call and the bank returns only the authorized data over an encrypted (TLS) connection. The customer's bank credentials are never shared with the provider.
4. Data access and service delivery
The third-party app receives the customer’s financial information and uses it to provide services such as expense tracking, financial insights, or payment processing. Access continues as long as the consent remains active.
5. Ongoing security and control
The customer can revoke access at any time through their bank or the third-party app. Banks monitor API connections for suspicious activity and maintain strict security protocols throughout the process.
Key security features
Open banking uses multiple layers of protection including encryption, secure authentication, and regulatory oversight. Financial institutions must comply with data protection standards and can only share information the customer has explicitly authorized them to share.
Encryption and data protection:
- Data in transit is protected by TLS (SSL is its deprecated predecessor), typically with AES-256 cipher suites
- Many open banking standards additionally require mutual TLS, so the bank authenticates the third-party provider's client certificate just as the provider verifies the bank's
- Only the authorized parties at each end of the connection can read the data
Authentication requirement:
- Multi-factor authentication (MFA) required before account access
- The customer must actively confirm each connection
- The customer can revoke access at any time through their banking app
Regulatory oversight:
- Must comply with regulations such as PSD2 (Europe) or Consumer Data Right (Australia)
- Strict data handling practices are mandatory
- Regular security assessments and audits are required by regulation
Customer consent controls:
- Banks only share data the customer has specifically authorized
- The customer controls which companies access their information
- The customer decides what data companies see and for how long
- The customer can withdraw consent instantly
Real-time monitoring:
- Banks monitor API traffic continuously
- Unauthorized access attempts are logged and flagged
- Unusual patterns (unexpected request volumes, calls outside the scope of a consent, repeated authentication failures) trigger automatic controls such as rate limiting or token revocation, together with alerts
Consumer consent and authorization flows
The open banking process laid out above encompasses a range of regulatory requirements and technical features. One example is Strong Customer Authentication (SCA), a European requirement under PSD2 that a customer accessing their account online or initiating an electronic payment is authenticated with two or more independent elements (something they know, something they have, something they are). Another is granular consent, which gives customers the choice over precisely which data they share, from which accounts, and for what time period.
Other consent and authorization flow requirements include the need for banks and fintechs to log consent and access events. They must also handle authentication failures, consent denials, and other errors gracefully without compromising security: for example, by returning a standardized error that does not reveal whether an account exists or which authentication element failed.
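The five-step process above and the consent requirements just described, worked through as one runnable simulation. This is an added example, not code from the original article, from Tyk, or from any bank or standards body: it models a bank that records a granular consent, performs SCA, issues a one-time authorization code and a token bound to the consent, checks every data request against the live consent, logs each consent and access event, returns the same error for different failure reasons, and revokes. Every identifier in it (the permission names, the `budget-app` provider, the `acc-001` account, the endpoint paths) is an illustrative assumption rather than an identifier from a real standard.

```python
"""Consent-bound authorization flow, simulated end to end (added example; not code from
the article, Tyk, a bank or a standards body). Models the five steps above plus the consent
requirements: granular consent, SCA at the bank, logged consent and access events, and
failure responses that leak nothing. Names like "ReadBalances" or "acc-001" are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical permission names keyed by the endpoint each one unlocks.
PERMISSION_FOR_ENDPOINT = {"/balances": "ReadBalances", "/transactions": "ReadTransactions"}


@dataclass
class Consent:                     # granular: which data, on which accounts, for how long
    consent_id: str
    tpp_id: str
    permissions: frozenset
    account_ids: frozenset
    expires_at: datetime
    status: str = "AwaitingAuthorisation"


class Bank:
    def __init__(self, clock):
        self.clock = clock         # injectable so consent expiry can be exercised
        self.consents, self.auth_codes, self.tokens, self.audit = {}, {}, {}, []
        self.accounts = {  # constructed sample data: one customer, two accounts
            "acc-001": {"balances": "1250.40", "transactions": ["salary +2500.00"]},
            "acc-002": {"balances": "80.00", "transactions": ["transfer -20.00"]}}
        self.customer_password = "correct horse"   # demo credential; it never leaves the bank

    def log(self, event, **fields):
        self.audit.append({"ts": self.clock().isoformat(), "event": event, **fields})

    def create_consent(self, tpp_id, permissions, account_ids, valid_for):  # step 1
        consent = Consent("cons-" + secrets.token_hex(4), tpp_id, frozenset(permissions),
                          frozenset(account_ids), self.clock() + valid_for)
        self.consents[consent.consent_id] = consent
        self.log("consent_created", consent_id=consent.consent_id, tpp=tpp_id, permissions=sorted(permissions))
        return consent.consent_id

    def authorise(self, consent_id, password, second_factor_ok, approve):  # step 2: SCA + consent
        consent = self.consents.get(consent_id)
        pw_ok = hmac.compare_digest(password.encode(), self.customer_password.encode())
        if consent is None or not pw_ok or not second_factor_ok or not approve:
            self.log("authorisation_failed", consent_id=consent_id)
            return None            # one generic outcome: no hint about which element failed
        consent.status = "Authorised"
        code = secrets.token_urlsafe(16)   # one-time code handed back to the TPP via redirect
        self.auth_codes[code] = consent_id
        self.log("consent_authorised", consent_id=consent_id)
        return code

    def exchange_code(self, tpp_id, code):  # step 3: code -> token bound to the consent
        consent_id = self.auth_codes.pop(code, None)   # single use, so a replayed code fails
        if consent_id is None or self.consents[consent_id].tpp_id != tpp_id:
            self.log("token_exchange_failed", tpp=tpp_id)
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = consent_id   # store a hash only
        self.log("token_issued", consent_id=consent_id, tpp=tpp_id)
        return token

    def get(self, token, endpoint, account_id):  # step 4: checked against the live consent
        consent = self.consents.get(self.tokens.get(hashlib.sha256(token.encode()).hexdigest()))
        if consent is None or consent.status != "Authorised" or self.clock() >= consent.expires_at:
            return 401, {"error": "invalid_token"}
        # Same 403 for a missing permission and an account outside the consent: not a probe oracle.
        if (PERMISSION_FOR_ENDPOINT.get(endpoint) not in consent.permissions
                or account_id not in consent.account_ids):
            self.log("access_denied", consent_id=consent.consent_id, endpoint=endpoint)
            return 403, {"error": "insufficient_scope"}
        self.log("data_accessed", consent_id=consent.consent_id, endpoint=endpoint, account=account_id)
        return 200, {endpoint.strip("/"): self.accounts[account_id][endpoint.strip("/")]}

    def revoke(self, consent_id):  # step 5: ends the consent and every token bound to it
        self.consents[consent_id].status = "Revoked"
        self.tokens = {h: c for h, c in self.tokens.items() if c != consent_id}
        self.log("consent_revoked", consent_id=consent_id)


def run_flow():
    """Drive the whole flow against a controllable clock and return what happened."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    bank, tpp = Bank(clock=lambda: now[0]), "budget-app"
    cid = bank.create_consent(tpp, {"ReadBalances"}, {"acc-001"}, timedelta(days=90))
    r = {"wrong_password": bank.authorise(cid, "wrong", True, True)}
    code = bank.authorise(cid, "correct horse", True, True)
    token = bank.exchange_code(tpp, code)
    r["code_reuse"] = bank.exchange_code(tpp, code)
    r["balance"] = bank.get(token, "/balances", "acc-001")
    r["other_account"] = bank.get(token, "/balances", "acc-002")    # account not in the consent
    r["transactions"] = bank.get(token, "/transactions", "acc-001")  # permission not granted
    now[0] += timedelta(days=91)                                     # consent lifetime passes
    r["expired"] = bank.get(token, "/balances", "acc-001")
    bank.revoke(cid)
    r["after_revoke"] = bank.get(token, "/balances", "acc-001")
    r["events"] = [e["event"] for e in bank.audit]
    return r
```

Calling `run_flow()` shows a wrong password, a replayed authorization code, a request for an account or a permission outside the consent, an expired consent and a revoked one all being refused, with the audit list recording what happened. In a real deployment the code exchange is an OAuth 2.0 authorization code grant against the bank's token endpoint, the token hash lives in a database rather than a dict, and the same consent object is what the customer sees and revokes in their banking app.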
How did open banking evolve?
Open banking has been a hot topic for several years now, spurred on by Europe’s snappily titled Payment Services Directive 2 (PSD2) and an increasing number of initiatives around the world.
The term open banking was originally coined by the Open Bank Project, with the "open" referring to "open API". Its model proposes a means of using APIs to perform customer account functions – making a payment, creating a beneficiary, and so on. This "composable banking" gives customers choice over the apps or services they use to check their balance, make payments, etc.
Regulations and initiatives that invoke the spirit of this aim to bring competition into the banking sector by introducing “non-banking” participants – largely defined as “fintechs.” Most fintechs don’t hold accounts or banking licenses. Their products do something that customers don’t get from their bank, such as providing a financial lifestyle app like Snoop or bringing alternative ways to pay like Wise and Trustly.
Fintechs must access the customer's account in order to perform actions like pulling their transactions or making a payment. Such products previously interacted with a customer's internet banking through screen-scraping: the customer handed their banking credentials to the fintech, which logged in as the customer and read the pages. That gives the third party the customer's full access rather than a scoped one, leaves the bank unable to tell the fintech apart from the customer, and breaks whenever the bank's site changes, all of which make it sub-optimal.
Instead, open banking regulations and initiatives have resulted in banks creating a raft of new APIs that are changing the global banking industry.
What are the benefits of open banking for consumers?
For consumers, open banking delivers greater choice and greater control, as well as underpinning a steady stream of new products as fintechs continue to innovate at pace.
In terms of choice, open banking supports increased competition in financial services. It is opening up the market to new players with new ideas. The result of this is greater choice for customers in terms of how they bank and through which organization. Customers can prioritize their own banking needs and use the services that best suit them.
Control is another key benefit of open banking. It is now the customer – not their bank – who decides who has access to their data, and for what purpose.
The shift from closed systems to API-enabled data sharing
Key to this shift in control of financial data is the move from closed systems to API-enabled data sharing, which is at the core of the open banking landscape. As banks have been forced to relinquish their tight control of customer data (even as they remain responsible for the security of that data), exciting new services have been given space to flourish. From budgeting apps to loan comparison tools, customers can now achieve the personalized financial services that work best for their unique situation. API-enabled data sharing between banks and third parties sits at the heart of this.
How open banking relies on standardized APIs
There are three main types of open banking APIs. These are standardized in numerous ways to ensure consistency, security and interoperability between different banks and fintechs. That standardization encompasses:
- Data formats: JSON is the accepted standard.
- Data structures: Standardized names and types are in place for fields such as account numbers and transaction dates.
- Endpoints and operations: Fixed sets of endpoints for routine actions (such as retrieving account details) behave in a predictable way.
- Authentication and security: OAuth 2.0 and OpenID Connect handle delegated authorization; the bank performs Strong Customer Authentication when the customer approves a consent, and the access token it issues is bound to that consent.
- Error handling: Standardized codes support easier error handling.
Regulations such as PSD2 require banks to offer dedicated access interfaces; industry standards bodies such as OBIE and the Berlin Group define the concrete specifications that make integration between banks and fintechs consistent.
The three types of open banking APIs are:
Account Information APIs (AIS)
These APIs enable third parties to access customers’ financial data, such as balance information (with the appropriate consents in place). It is these APIs that have enabled the success of apps for tasks such as budgeting and credit checking.
Payment Initiation APIs (PIS)
These enable third parties to initiate payments from a customer’s account. They make it easier for customers to pay bills and transfer money, as the customers no longer have to go through a card network. In many cases, this is a cheaper and faster approach than making a traditional card payment.
Product/Service APIs
These APIs provide access to product information, such as a bank’s account types or interest rates. Comparison tools use them when comparing different financial products.
Why open banking requires robust API gateway infrastructure
Open banking initiatives come with strict security and compliance obligations. This means that introducing security policies at the API gateway level, rather than having to enforce them per API, is crucial to delivering consistently compliant API products.
One of the key functions that an API gateway serves for open banking is authentication and authorization enforcement. The gateway ensures that access to open banking APIs – and thus to customer account data – is only granted to third parties with appropriate permissions to access it. API gateways such as Tyk provide a range of methods for clients to authenticate themselves, ensuring flexibility in the application of authentication and authorization controls.
With an API gateway in place, banks can securely route requests and responses between third party clients and their backend. They can take care of protocol translation and request/response transformation via the gateway, ensuring the smooth and secure flow of data.
An API gateway also provides banks with the power to protect API performance and support high availability, even during periods of bursty traffic or in the event of a denial of service attack. Rate limiting, throttling, and load balancing all support this. Applied at the gateway level, they support the seamless operations that modern banking customers have come to expect as standard. Gateway rate limiting is most effective against application-layer floods and abusive clients; volumetric network attacks still need upstream protection in front of the gateway.
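What the gateway section describes, as an added example that is not Tyk's code or configuration and not from the original article: a minimal in-process gateway that authenticates the calling provider by the client certificate fingerprint its TLS terminator passes on (modelled here as a request header), applies a per-client token-bucket rate limit, checks that the route's required scope is among the scopes the client was registered with, and only then forwards to a backend. The two registered clients follow the AISP/PISP split, one limited to account data and the other to payments. Route paths, scope names, client ids, fingerprints and the stand-in backend are assumptions for the example.

```python
"""Gateway-level policy enforcement (added example; not Tyk's code or configuration and not
from the article). Models what a gateway does in front of the bank's backend: authenticate
the calling TPP, apply a per-client rate limit that absorbs bursts, require the scope the
route needs, and reject before anything reaches the backend. The client certificate
fingerprint is modelled as a header set by the TLS terminator; route names, scopes, client
ids and fingerprints are illustrative assumptions."""


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refilled, at most `burst` stored."""

    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


# Hypothetical routes: each maps to the scope it needs and the upstream that serves it.
ROUTES = {
    ("GET", "/open-banking/accounts"): {"scope": "accounts", "upstream": "ais-service"},
    ("POST", "/open-banking/payments"): {"scope": "payments", "upstream": "pis-service"},
}


class Gateway:
    def __init__(self, clients, backend, clock):
        self.clients = clients      # cert fingerprint -> registered TPP and its policy
        self.backend, self.clock = backend, clock
        self.buckets, self.decisions = {}, []

    def handle(self, method, path, headers):
        client = self.clients.get(headers.get("x-client-cert-fingerprint"))
        if client is None:                      # unknown or missing client certificate
            return self._decide(None, 401, {"error": "unauthenticated"})
        route = ROUTES.get((method, path))
        if route is None:
            return self._decide(client, 404, {"error": "not_found"})
        bucket = self.buckets.get(client["client_id"])
        if bucket is None:
            bucket = self.buckets[client["client_id"]] = TokenBucket(client["rate"], client["burst"], self.clock)
        if not bucket.allow():                  # limit applies before authz, so probing is limited too
            return self._decide(client, 429, {"error": "rate_limited"})
        if route["scope"] not in client["scopes"]:
            return self._decide(client, 403, {"error": "insufficient_scope"})
        return self._decide(client, 200, self.backend(route["upstream"], method, path))

    def _decide(self, client, status, body):
        # Every decision is recorded with the client it applied to: the feed for monitoring.
        self.decisions.append((client["client_id"] if client else None, status))
        return status, body


def fake_backend(upstream, method, path):
    """Stand-in for the bank's AIS/PIS services; the gateway is the subject here."""
    return {"served_by": upstream, "request": f"{method} {path}"}


def simulate():
    now = [1000.0]                              # fake monotonic clock, in seconds
    clients = {  # constructed registry: an AISP and a PISP, 1 request/s sustained, burst of 3
        "sha256:aaaa": {"client_id": "aisp-budget", "scopes": {"accounts"}, "rate": 1.0, "burst": 3},
        "sha256:bbbb": {"client_id": "pisp-payme", "scopes": {"payments"}, "rate": 1.0, "burst": 3},
    }
    gw = Gateway(clients, fake_backend, lambda: now[0])
    aisp = {"x-client-cert-fingerprint": "sha256:aaaa"}
    pisp = {"x-client-cert-fingerprint": "sha256:bbbb"}
    r = {"no_cert": gw.handle("GET", "/open-banking/accounts", {})}
    r["aisp_accounts"] = gw.handle("GET", "/open-banking/accounts", aisp)
    r["aisp_payments"] = gw.handle("POST", "/open-banking/payments", aisp)   # wrong role
    r["pisp_payments"] = gw.handle("POST", "/open-banking/payments", pisp)
    r["aisp_burst"] = [gw.handle("GET", "/open-banking/accounts", aisp)[0] for _ in range(3)]
    now[0] += 2.0                               # two seconds later, two tokens have refilled
    r["aisp_after_wait"] = gw.handle("GET", "/open-banking/accounts", aisp)[0]
    r["decisions"] = gw.decisions
    return r
```

The ordering in `handle` is deliberate: authentication first, then the rate limit, then authorization, so a client cannot burn through backend capacity or enumerate routes faster than its quota allows even when every request would be refused. In a production gateway the client registry comes from the onboarding process (a directory of registered TPPs and their certificates), and the rate limit and scope policy would be configuration rather than code.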
Core API management capabilities for open banking
In addition to an API gateway, a comprehensive API management approach delivers multiple capabilities and benefits for open banking. Let’s look at a few now.
API lifecycle management (design, publish, version, deprecate)
Ensuring you evolve your APIs safely and consistently ensures compliance with regulatory standards, supports backwards compatibility, reduces errors, and accelerates time to market. A sound versioning strategy can also help avoid security risks, for example from old API versions that were never retired and so remain reachable without receiving fixes. At the heart of all this is a consistent, well-ordered approach to every stage of the API lifecycle.
Developer portal and API documentation
A developer portal and API documentation ensure fintech developers have the clear guidance and resources they need to work with open banking APIs. This drives up adoption and accelerates integration with partners. It can also reduce support requests.
Access control and API key management
A crucial element of open banking API management, access control and API key management enhance security and protect sensitive financial data by enforcing who can access what. This aids regulatory compliance and enables the controlled onboarding of fintech partners.
Analytics and monitoring
Tracking API usage, performance, and potential issues in real-time, with alerting enabled, delivers multiple benefits. It enables a proactive approach to problem resolution and fraud detection, as well as underpinning performance optimization and enhanced decision-making.
Policy enforcement and governance
A robust approach to API management involves applying rules consistently across your APIs, covering security, usage, compliance, and more. Governing your APIs in this way not only ensures more seamless regulatory compliance, it also reduces risk, supports consistent service quality, and standardizes operational practices.
New roles in banking
Regulations like PSD2 cement fintechs’ role in financial services and ensure banks provide a standardized means for data access. PSD2, for example, creates two key roles:
- Account Information Services Provider (AISP): Can access the customer’s account to retrieve data that a customer has consented to share – their balance, transactions, or profile information.
- Payment Initiation Services Provider (PISP): Can initiate payment from the customer’s account based on their instruction and consent.
These roles aren’t the only ones available in open banking initiatives, but they typify the data and services on which fintechs build their business.
Standards and continued growth
APIs square the circle of open banking. Financial markets – driven by standards bodies working on behalf of regulators – have also created standards in the form of OpenAPI specifications. Examples in Europe include the Open Banking Implementation Entity (OBIE) in the UK and the Berlin Group's NextGenPSD2 specification, which is implemented in multiple countries. This sets expectations for fintechs, which know what to expect from APIs in the market, and for banks, which understand what to implement.
However, the regulations and the APIs are only the tip of the iceberg. Regulators and commentators are already looking to expand the scope away from just payment accounts towards all types of accounts across more banking functions. This movement – often termed “open finance” and being investigated in markets like the UK – looks beyond regulatory coercion and towards how banks benefit from the API economy. Such initiatives indicate that the door to open finance is only just opening; much more is to come.
Open banking vs open finance
While open banking relates to the partially regulated exchange of data and services between banks and third parties, at the time of writing no such regulatory framework applies to open finance. Open finance provides access to financial information and services outside the scope of current regulations such as PSD2. Examples include pensions and investments.
Open finance takes the concepts that underpin open banking and applies them to a broader range of financial products and services. It is still evolving, with regulation likely to follow in due course.
Making open banking happen with Tyk
Open banking represents a significant opportunity for banks and fintechs to profit from new opportunities rooted in the API economy. As the market grows, with the development of open finance, being an API provider is increasingly important.
Tyk is all about APIs. The Tyk API platform offering – available in both Cloud and On Premise form factors – can help get your open banking implementation off the ground. Whether you’re re-platforming your API management solution or looking to move into the open finance space with commercial APIs, Tyk can help by:
- Automatically ingesting existing OpenAPI and Swagger specification documents to create your APIs. This means you can take the documents created by the standards bodies and get up and running quickly.
- Working natively with OAuth 2.0 and OpenID Connect (among many other authentication modes), two security protocols at the heart of the majority of open banking standards.
- Providing a fully customizable developer portal, essential for engaging with the open banking community and driving easy adoption of your APIs.
Tyk’s features mean you can build an open banking implementation with a platform geared towards getting you started as quickly as possible. Speak to our team today to find out how your business – and your customers – could benefit.