What are open banking APIs? Complete guide to specifications and standards

APIs are at the heart of open banking. In recent years, they have proven transformative in supporting banks, fintechs, and third-party providers to connect with customers in new ways. To understand the role of open banking APIs, including their purpose, functionalities, and industry impact, read on…

What is an open banking API?

Open banking APIs have transformed modern financial services, but what is an API in open banking?

An open banking API is a digital connection that allows for the secure and standardized exchange of customer financial data between banks and third-party providers. Bank API integration enables these third-party providers to create new tools and services, provided the customer has given explicit authorization for access to their data.

Open banking APIs must conform to relevant regional standards, such as those set out by the Open Banking Implementation Entity (OBIE) in the UK, the Berlin Group in Europe and Financial Data Exchange (FDX) in the US. These open banking API specification standards ensure that any API created by a bank for use in open banking meets developer expectations in terms of standardized protocol and data formats. This consistent, developer-friendly nature makes it easier for third-party providers to build, integrate, and innovate within the open banking framework.

APIs in financial services leverage the potential of open banking by creating new opportunities for innovation and monetization. They also support greater customer choice and control, making open banking API solutions a win for banks, fintechs, and customers alike.

The open banking ecosystem

An API banking platform that provides an open banking API makes customer data accessible to organizations that have sufficient permissions to access it. These fall into a few broad categories, as we explore below. Such roles have been shaped by relevant open banking and data privacy regulations, such as Europe’s Payment Services Directive 2 (PSD2).

Account information service providers (AISPs)

AISPs are organizations that can use a bank’s open banking API to fetch and read account transaction data. The customer can authorize AISPs to view such data, for example as part of apps that review spending and help with budgeting.

Payment initiation service providers (PISPs)

Unlike AISPs, which can only read and present data to the customer, PISPs can initiate payments from a customer’s account, provided they have the customer’s explicit consent to do so. These payments can be outside of traditional card networks, keeping costs down and supporting customers to pay for products and services and to easily move money between their accounts.

Account servicing payment service providers (ASPSPs)

ASPSPs are organizations that provide and maintain payment accounts for their customers, such as banks and some neobanks. Those ASPSPs that are regulated under PSD2 must provide account data access to third-party providers when the customer consents to them doing so.

Third-party providers (TPPs) and their roles

Third-party providers use open banking API integration in a range of innovative ways, including to develop new products and connect with previously underserved markets. They must authenticate securely before accessing an open banking API, ensuring that all parties remain compliant with relevant data security and open banking regulations at all times. AISPs and PISPs are both examples of third-party providers within the open banking ecosystem.

Regulatory bodies (FCA in UK, NCAs in EU)

The bodies responsible for open banking regulation vary around the globe. In the UK, for example, it is the Financial Conduct Authority (FCA), while in Europe it is the European Banking Authority (EBA). The EBA supervises National Competent Authorities (NCAs) in each EU member state as part of enforcing PSD2 rules. Examples of NCAs include BaFin in Germany and the Central Bank of Ireland.

Over in the US, it is the Consumer Financial Protection Bureau (CFPB) which oversees the development of open banking rules. In Australia, it is the Australian Competition and Consumer Commission (ACCC).

Regulators ensure that banks and third-party providers act in compliance with their rules, applying stringent oversight. In the UK, for example, all AISPs and PISPs are regulated by the FCA.

Open banking API specifications and standards

There is no single open banking API specification or standard. Like regulatory oversight, specifications and standards vary across different countries and regions. However, they all support the same aims of making banking systems interoperable and supporting integration through secure, standardized APIs.  

In the UK, the Open Banking Implementation Entity (OBIE) has developed a comprehensive and structured set of standards that facilitate efficient data sharing with appropriate consent and security mechanisms. The Berlin Group has done the same with the NextGenPSD2 standard in Europe, while in the US the CFPB has officially recognized FDX as a standard-setting body for open banking. 

How open banking APIs work

Now we’ve looked at the scope of the open banking API ecosystem, let’s turn to the technical side of how open banking APIs work and how they keep consumer data secure.

The API request flow 

Nothing can happen without the customer explicitly authorizing a third-party provider to access their data. This authorization and authentication process usually follows an OAuth flow, where the customer grants the TPP access to their bank account. It is within the customer’s power to revoke the token used to grant this access whenever they so wish.

With appropriate consent given, the TPP uses open banking APIs to request access to the customer’s bank account data. This can include transaction histories, details of subscriptions, account balances, and more.

Assuming the appropriate permissions and credentials are in place, the bank grants the access request and proceeds to send the data to the third-party provider in response to it. The TPP can then use that data to provide services to the customer. TPP services cover a wide range of areas; examples include budgeting tools, apps that monitor subscription and bill payments, and diverse other apps that give customers more transparent insights into their finances.

Data types and permissions

Open banking involves access to data types that are standardized to help manage interoperability, providing developers with reliable, predictable, and documented definitions. This means developers can ensure their apps request permission to the right data types. 

Open banking data types include:

  • Account data such as balances, account holder details, and account numbers and currency types.
  • Transaction data including dates, amounts, currencies and transaction types. This data also includes payee and payer names, account identifiers, and metadata.
  • Payment data such as amounts, currencies, pending payments, failed payments, and direct debits.  
  • Product data, which covers loans, credit cards, mortgage products, savings accounts, and more. These details include fees, interest rates, product features, and any eligibility requirements.
  • Customer consent and authorization data, which relates to the scope and duration of consent, along with revocation options and relevant authentication details.
  • Metadata and reference data, such as transaction categories, product types, and identifiers such as bank and branch codes.
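The request flow described above (consent, OAuth token, data request, revocation) and the permission-per-data-type idea behind the list above, shown as one added example. This is not code from the page, from Tyk, or from any bank or standard: a toy authorization server, resource server and TPP client run in a single process. The scope names, endpoint paths, client identifier, redirect URI and sample account data are assumptions made for illustration; real specifications (OBIE, Berlin Group, FDX) define their own. PKCE is included because it is the standard way to bind the authorization code to the client that started the flow.

```python
import base64
import hashlib
import secrets
import time

# Assumed scope names; each gates one of the data categories listed above.
ENDPOINT_SCOPE = {"/accounts": "accounts", "/transactions": "transactions",
                  "/payments": "payments"}


def pkce_challenge(verifier):
    """S256 code challenge: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class BankAuthServer:
    """Authorization-server side of the OAuth 2.0 authorization code flow."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> registered redirect_uri
        self.codes = {}         # one-time code -> (client_id, scopes, challenge, expiry)
        self.tokens = {}        # access token -> {client_id, scopes, expires_at, revoked}

    def authorize(self, client_id, redirect_uri, requested, code_challenge, consented):
        """Consent step: only the scopes the customer actually approved are granted."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        granted = frozenset(requested) & frozenset(consented)
        if not granted:
            raise PermissionError("customer declined every requested scope")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, granted, code_challenge, time.time() + 60)
        return code

    def exchange_code(self, client_id, code, code_verifier, lifetime=3600):
        """Token endpoint: the code is single-use and bound to the PKCE verifier."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        owner, scopes, challenge, expiry = entry
        if owner != client_id or time.time() > expiry:
            raise PermissionError("code expired or issued to another client")
        if pkce_challenge(code_verifier) != challenge:
            raise PermissionError("PKCE verifier does not match challenge")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scopes": scopes,
                              "expires_at": time.time() + lifetime, "revoked": False}
        return token

    def revoke(self, token):
        """Customer withdraws consent: the token stops working immediately."""
        if token in self.tokens:
            self.tokens[token]["revoked"] = True

    def introspect(self, token):
        info = self.tokens.get(token)
        if info is None or info["revoked"] or time.time() > info["expires_at"]:
            return None
        return info


class BankResourceServer:
    """Data endpoints; every call is checked against the token's granted scopes."""
    def __init__(self, auth, data):
        self.auth, self.data = auth, data

    def handle(self, path, token):
        info = self.auth.introspect(token)
        if info is None:
            return 401, "invalid, expired or revoked token"
        needed = ENDPOINT_SCOPE.get(path)
        if needed is None:
            return 404, "no such resource"
        if needed not in info["scopes"]:
            return 403, f"token lacks scope '{needed}'"
        return 200, self.data.get(path, [])


def run_flow():
    """Consent, a permitted read, an over-scoped request, code replay, revocation."""
    auth = BankAuthServer({"budget-app": "https://budget.example/cb"})  # constructed
    bank = BankResourceServer(auth, {  # constructed sample account data
        "/accounts": [{"id": "acc-1", "balance": "120.50", "currency": "GBP"}]})
    verifier = secrets.token_urlsafe(32)  # TPP keeps this; only its hash is sent
    code = auth.authorize("budget-app", "https://budget.example/cb",
                          requested=["accounts", "transactions", "payments"],
                          code_challenge=pkce_challenge(verifier),
                          consented={"accounts", "transactions"})  # customer's choice
    token = auth.exchange_code("budget-app", code, verifier)
    results = {"accounts": bank.handle("/accounts", token)[0],   # 200: consented
               "payments": bank.handle("/payments", token)[0]}   # 403: not consented
    try:
        auth.exchange_code("budget-app", code, verifier)         # replayed code
        results["code_reuse"] = "accepted"
    except PermissionError:
        results["code_reuse"] = "rejected"
    auth.revoke(token)                                           # consent withdrawn
    results["after_revoke"] = bank.handle("/accounts", token)[0]  # 401
    return results
```

`run_flow()` returns `{'accounts': 200, 'payments': 403, 'code_reuse': 'rejected', 'after_revoke': 401}`: the TPP asked for three scopes but the customer consented to two, so the payments call is refused with 403 even though the token itself is valid; once the customer revokes, every call fails with 401. Checking the scope on each request rather than once at login is what lets a bank honour a consent withdrawal immediately.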

Using API aggregators

Another element of open banking is account aggregation services. This is where apps use not just one API in banking but multiple open banking APIs to obtain and aggregate data from different institutions into one single platform. An example of this in practice is an app that provides the customer with an overview of their entire financial situation, including all their bank account, credit card, loan, and mortgage balances.

Why are open banking APIs important? 

Open banking APIs are important because their standardized nature means that data can be shared securely and seamlessly between banks and third-party providers. This has fostered a culture of innovation and enhanced customer experiences – a culture which continues to evolve.

The result of this is a move away from closed systems to open standards and new products. This is supporting previously underserved customer groups – both individuals and business customers – to access banking services that were previously unavailable to them.

Open banking APIs’ benefits 

The benefits of open banking API products are many and varied. Open banking APIs support fintechs and other businesses to shape and define new products. The real-time nature of data sharing through an open banking API, for example, means that the risks of lending can be assessed based on up-to-the-moment financial information. This has implications for everything from loans to investments, as well as for a new approach to credit scoring.

Open banking APIs are also enabling the rise of new models, such as banking as a service (BaaS) and embedded finance, further enhancing control and choice for end users. All of this is done while maintaining regulatory compliance, ensuring customers’ data security remains a top priority even as that data opens up new product, application, and service options.

Another benefit for third-party providers is the increased potential for monetization that accompanies the use of aggregated open banking data.

The banks themselves also benefit. They can develop partnerships that offer new services to their customers in a far more agile, rapid, and scalable way than might previously have been possible. They can also implement new monetization models, from BaaS products to charging for data access. An open banking API-first approach can therefore become a significant competitive advantage.

Customers also benefit, with a wider range of customized, personalized products available to them. Open banking APIs are supporting them to take greater control of their finances, making ownership of their financial data easier and more transparent. This enables customers to make better financial decisions and to attain a greater understanding of their spending behavior. Apps powered by open banking API data can even support customers to save money on products and subscriptions.

Security and authentication standards

Open banking API management is an important part of ensuring banks and TPPs comply with relevant security and authentication standards.

Core security protocols

Security is paramount in open banking APIs. This means API providers must use secure access protocols, such as OAuth 2.0 and OpenID Connect. The use of an API gateway, with secure endpoint management, comprehensive documentation, API versioning, and rate limiting, supports a robust approach to the security that open banking APIs demand.
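Two of the gateway controls named above, rate limiting and API versioning, together with the bearer-token check that precedes them, as an added example. This is not Tyk's code nor code from the page: a minimal in-process gateway with a token-bucket limiter per client and a version-prefix route table. The token-to-client map, the quotas, the version names and the upstream service names are all constructed for the demonstration; a real gateway would obtain the client identity from token introspection or the mTLS certificate rather than a dictionary.

```python
import time


class TokenBucket:
    """Per-client token bucket: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.updated = float(capacity), now

    def allow(self, now):
        """Refill according to elapsed time, then consume one token if available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Minimal API gateway: authenticate, rate-limit per client, route by version."""

    def __init__(self, token_to_client, limits, routes, clock=time.time):
        self.token_to_client = token_to_client  # bearer token -> client_id (assumed lookup)
        self.limits = limits                    # client_id -> (capacity, rate)
        self.routes = routes                    # version segment -> upstream service
        self.clock = clock
        self.buckets = {}

    def handle(self, headers, path):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "missing bearer token"}
        client = self.token_to_client.get(auth[len("Bearer "):])
        if client is None:
            return 401, {"error": "invalid token"}
        now = self.clock()
        if client not in self.buckets:
            capacity, rate = self.limits.get(client, (5, 1.0))  # assumed default quota
            self.buckets[client] = TokenBucket(capacity, rate, now)
        if not self.buckets[client].allow(now):
            return 429, {"error": "rate limit exceeded", "retry_after": 1}
        parts = path.split("/")                # "/v3.1/accounts" -> ["", "v3.1", "accounts"]
        version = parts[1] if len(parts) > 1 else ""
        upstream = self.routes.get(version)
        if upstream is None:                   # unknown or retired versions are not proxied
            return 404, {"error": f"unsupported API version '{version}'"}
        return 200, {"upstream": upstream, "client": client, "path": path}


def gateway_demo():
    """Drive the gateway with a fake clock; returns the status codes observed."""
    clock = [1000.0]
    gw = Gateway({"tok-aisp": "budget-app"},          # constructed token/client map
                 {"budget-app": (3, 1.0)},            # 3-request burst, 1 req/s sustained
                 {"v3.1": "accounts-service-v3", "v4": "accounts-service-v4"},
                 clock=lambda: clock[0])
    h = {"Authorization": "Bearer tok-aisp"}
    statuses = [gw.handle(h, "/v3.1/accounts")[0] for _ in range(4)]  # 200 x3, then 429
    clock[0] += 2.0                                    # two seconds pass: two tokens refill
    statuses.append(gw.handle(h, "/v4/accounts")[0])   # 200
    statuses.append(gw.handle(h, "/v1/accounts")[0])   # 404: retired version
    statuses.append(gw.handle({}, "/v4/accounts")[0])  # 401: no credential
    return statuses
```

`gateway_demo()` returns `[200, 200, 200, 429, 200, 404, 401]`. The limiter is keyed on the authenticated client rather than the source IP, so a TPP cannot spread load across addresses to escape its quota, and retired version prefixes are refused at the edge instead of reaching an upstream that no longer exists.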

Strong Customer Authentication (SCA)

Strong Customer Authentication is also essential for an open banking API. This is a requirement of Europe’s PSD2 rules, which require security to incorporate multifactor authentication: something you know, something you have, and something inherent to you (such as your fingerprint or facial features).
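What checking two independent SCA factors looks like in code, as an added example that is not from the page or any standard's reference implementation: a knowledge factor (a password verified against a PBKDF2 hash) and a possession factor (a TOTP code from the customer's device, computed per RFC 6238 with HMAC-SHA1, a 30-second step and six digits; two factors from different categories is the minimum SCA combination). The user record, password and shared TOTP secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
import time


def hash_password(password, salt=None, iterations=200_000):
    """Knowledge factor: salted PBKDF2-HMAC-SHA256, never the raw password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def make_user(password, totp_secret):
    """Constructed user record as the bank would store it after enrolment."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "iterations": 200_000,
            "totp_secret": totp_secret}


def verify_sca(user, password, code, now=None, window=1):
    """Both factors must pass; both are always evaluated so a failure does not
    reveal which factor was wrong, and comparisons are constant-time."""
    now = time.time() if now is None else now
    _, expected = hash_password(password, user["salt"], user["iterations"])
    knowledge_ok = hmac.compare_digest(expected, user["pw_hash"])
    # Possession: accept the current step and `window` neighbours for clock drift.
    possession_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + k * 30), code)
        for k in range(-window, window + 1)
    )
    return knowledge_ok and possession_ok
```

The two RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`; time 1111111109 gives `081804`) confirm the TOTP arithmetic. A production deployment would also record used codes to stop replay within the window and rate-limit attempts per user.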

The need for SCA and other security and authorization elements has given rise to the Financial-grade API 2.0 (FAPI 2.0) standard, built on OAuth 2.0 and OpenID Connect. This was designed specifically to meet the requirements of open banking and financial data sharing. You can read more here about FAPI, open banking, and Tyk’s FAPI Accelerator capability.

Certificates and identity verification

Certificates and identity verification are critical to building trust between customers, banks, and TPPs. Open banking API providers therefore often use mutual TLS (mTLS) to authenticate both the clients requesting data and the servers responding to those requests. Digital certificates issued by recognized certificate authorities add to the security of these transactions, cutting down the risk of man-in-the-middle attacks and combining with identity verification processes to enhance security and trust.
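The bank-side half of the mTLS arrangement described above, as an added example (not code from the page, Tyk or any standard): a server context that refuses the handshake unless the client presents a certificate from a trusted CA, followed by the check that binds the presented certificate to a registered TPP and its role before any data is served. The certificate dictionary is constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the TPP registry, the `organizationIdentifier` attribute name and value format, the serial number and the role names are assumptions for illustration.

```python
import ssl
import time


def mtls_server_context(ca_file, cert_file, key_file):
    """Server context that rejects any client not presenting a cert issued by ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED           # handshake fails without a client cert
    ctx.load_verify_locations(cafile=ca_file)     # CAs trusted to issue TPP certificates
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def subject_field(peercert, key):
    """Pull one attribute out of the nested-tuple subject that getpeercert() returns."""
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def authorize_peer(peercert, registry, role_needed, now=None):
    """Map an already TLS-verified client cert to a registered TPP and check its role.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    if not peercert:
        return False, "no client certificate presented"
    if ssl.cert_time_to_seconds(peercert["notAfter"]) < now:
        return False, "certificate expired"
    org_id = subject_field(peercert, "organizationIdentifier")
    tpp = registry.get(org_id)
    if tpp is None:
        return False, f"unregistered organisation identifier {org_id!r}"
    if tpp["serial"] != peercert.get("serialNumber"):
        return False, "certificate serial is not the one registered for this TPP"
    if role_needed not in tpp["roles"]:
        return False, f"TPP {tpp['name']} is not authorised as {role_needed}"
    return True, f"{tpp['name']} authorised as {role_needed}"


# Constructed sample: the bank's TPP registry and a client cert as getpeercert() shows it.
REGISTRY = {
    "PSDGB-FCA-000001": {"name": "Budget App Ltd", "roles": {"AISP"}, "serial": "0A1B2C"},
}
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Budget App Ltd"),),
                (("organizationIdentifier", "PSDGB-FCA-000001"),),
                (("commonName", "budget.example"),)),
    "issuer": ((("commonName", "Example Qualified CA"),),),
    "notBefore": "Mar 15 12:00:00 2024 GMT",
    "notAfter": "Mar 15 12:00:00 2026 GMT",
    "serialNumber": "0A1B2C",
}
```

With `now` in mid-2025 the sample cert authorises `Budget App Ltd` as an AISP but not as a PISP; with `now` in 2027 it is refused as expired even though the TLS layer would still have completed the handshake against a stale trust store. The point of the second function is that a valid certificate from a trusted CA only proves *an* identity; the gateway still has to check it is the identity and role registered for the caller.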

Data protection

Open banking API management requires that API providers encrypt data both in transit and at rest. This must encompass strong encryption standards to ensure maximum protection of sensitive data.

Discover more about open banking with Tyk

Ready to find out more and accelerate your open banking adoption? Then Tyk’s FAPI Accelerator can help. Talk to the Tyk team today to find out more.  
