Technical Note on Open Banking: Comparative Study on Regulatory Approaches

ACKNOWLEDGEMENTS

This document has been prepared by Luis Maldonado (Consultant) under the guidance of Fredesvinda Montes (Senior Financial Sector Specialist) in the context of the Financial Inclusion Global Initiative for the authorities in Mexico, including the Secretariat of Finance and Public Credit (Secretaría de Hacienda y Crédito Público, SHCP), the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores, CNBV), and the Bank of Mexico (Banco de México). We are grateful to the Reserve Bank of India, Financial Conduct Authority of the United Kingdom, Fintech Association of Spain, Monetary Authority of Singapore, Hong Kong Monetary Authority, Bank of Canada, and Spanish Association of Banks for their valuable contributions toward the finalization of this document.

FINANCE, COMPETITIVENESS & INNOVATION GLOBAL PRACTICE

©2022 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW, Washington, DC 20433
Telephone: 202-473-1000; Internet: www.worldbank.org

DISCLAIMER

The Financial Inclusion Global Initiative (FIGI) is led in partnership by the World Bank Group (WBG), International Telecommunication Union (ITU), and the Committee on Payments and Market Infrastructures (CPMI), with the support of the Bill & Melinda Gates Foundation (BMGF). The FIGI program funds national implementations in three countries (China, Egypt, and Mexico), supports topical working groups to tackle three sets of outstanding challenges in closing the global financial inclusion gap, and hosts three annual symposia to gather the engaged public on topics relevant to the grant and share intermediary learnings from its efforts. This report forms part of a broader project under the Financial Inclusion Global Initiative Mexico country implementation. The work is a product of the staff of the World Bank with external contributions prepared for the Financial Inclusion Global Initiative.
The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the Financial Inclusion Global Initiative partners, including The World Bank, its Board of Executive Directors, or the governments they represent, or the views of the Committee on Payments and Market Infrastructures, the International Telecommunication Union, or the Bill & Melinda Gates Foundation. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

RIGHTS AND PERMISSIONS

The material in this work is subject to copyright. Because the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org.

Table of Contents

Acknowledgements
Abbreviations and Acronyms
Executive Summary
1 Introduction and Background
2 Context for Open Banking
3 Objective of the Technical Note, Scope and Methodology
4 Challenges and Opportunities of Open Banking
5 Legal Framework of Open Banking and APIs in selected countries
6 Analysis of Selected Topics
6.1 Data exchange through Application Programming Interfaces (APIs)
6.1.1 Types of data
6.1.2 Types of participants
6.2 APIs Infrastructure
6.2.1 Governance
6.2.2 Technical Requirements
6.2.3 Security Measures
6.2.4 APIs developed in-house by banks or outsourced. APIs providers
6.2.5 Interoperability
6.2.6 Access to third parties
6.3 Consent Mechanisms
6.4 Authentication of consumers
6.5 Incentives to adopt open banking
7 Conclusions and future agenda of open banking
References
Endnotes

Tables
Table 1: Challenges and Opportunities of Open Banking
Table 2: Regulatory Approaches to Open Banking
Table 3: Types of Data Exchanged in Selected Countries
Table 4: Types of Participants and Nature of the Framework in Selected Countries
Table 5: Technical Standardization in Selected Countries

Figures
Figure 1: Open-Banking Timeline

TECHNICAL NOTE ON OPEN BANKING • i

Abbreviations and Acronyms

AFIN: ASEAN Financial Innovation Network
API: application programming interface
CDR: Consumer Data Right
CMA: Competition and Markets Authority
EBA: European Banking Authority
GDPR: General Data Protection Regulation
HKMA: Hong Kong Monetary Authority
MAS: Monetary Authority of Singapore
OBIE: Open Banking Implementation Entity
PSD2: Revised Payment Services Directive
RBI: Reserve Bank of India
RTS: Regulatory Technical Standards
SCA: strong customer authentication
TPP: third-party provider

Executive Summary

Open banking has emerged strongly in the past few years as a system to give customers the right to share, or not, with parties they trust the information that banks hold about them, in a secure manner, and also as a way to open up processes and services in banking. The main objectives pursued by regulatory frameworks that define open banking are generally encouraging innovation and fostering competition, resulting in new products and services at competitive prices to the benefit of consumers.

With that in mind, and with the United Kingdom as a first mover, different regulatory approaches have been developed. Some of them are regulatory driven, while in other cases, with a hands-off approach, they have been led by industry. In between, we also find collaborative models in which both the public sector and private-party players are instrumental to the definition and adoption of open banking.

Regulatory approaches also differ in the scope of data that is to be shared, the definition of the financial institutions that have to publish their application programming interfaces and share data, the mandatory or voluntary nature of the framework, the definition of the type of license that third-party providers need to operate, and the definition of concrete standards, among other things.

While there is no single right approach, there are common challenges that countries considering regulation certainly need to bear in mind in terms of the definition and interoperability of technical standards, security, governance, and consent and authentication mechanisms.

With different strategies and intensity, some banks are starting to be active in the development and opening of their application programming interface frameworks. On the other hand, different business models and players have emerged to connect banks with fintech companies through a middleware of application programming interfaces, especially in Europe, the United States, and some Asian countries.

Although open-banking regulatory frameworks have been operating for less than two years at most, early lessons can be drawn from the first movers and the debates that are taking place between regulators and market participants.

1. Introduction and Background

The Financial Inclusion Global Initiative (FIGI) is implemented in partnership by the World Bank Group, the Committee on Payments and Market Infrastructures, and the International Telecommunication Union and is funded by the Bill and Melinda Gates Foundation to support and accelerate the implementation of country-led reforms to meet national financial-inclusion targets and, ultimately, the global Universal Financial Access 2020 goal.

FIGI funds national implementations in three countries (China, Egypt, and Mexico) and supports working groups to tackle three sets of outstanding challenges for reaching universal financial access: (1) electronic payment acceptance, (2) digital ID for financial services, and (3) security. FIGI also hosts three annual symposia on relevant topics to gather national authorities, the private sector, and the public and to share emerging insights from the working groups and country programs.

The Mexico FIGI Program aims to expand access to transaction accounts and broader financial services by more empowered users. This objective will be achieved by (i) enhancing the design of payment and financial products, including through the innovation of technology and business models to meet the needs of underserved individuals and micro, small, and medium-sized enterprises, (ii) fostering the sustainable expansion of physical access points, in parallel with leveraging technology for remote access, and (iii) empowering users through increased transparency and the use of transactional and other relevant data. The Mexico FIGI Program includes six different components: (i) access points, (ii) digital ID, (iii) fintech regulation, (iv) financial consumer protection, (v) financial literacy, and (vi) large-volume payments.

Article 76 of the Fintech Law determines that financial institutions, money transmitters, credit information companies, clearing houses, regulated fintech companies, and companies authorized to operate with new models will be required to establish application programming interfaces (APIs) that allow interconnectivity between these institutions. The Fintech Law also requires the development of secondary regulations by the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores, CNBV) for banks and financial institutions, including the new Financial Technology Institutions, and by Banco de México for payment systems, central counterparties, and credit-reporting systems. The Fintech Law states that entities required to create APIs shall share three types of data: (i) open financials, which are nonconfidential data including information on services offered and access points; (ii) aggregate data, which are those related to the statistical information of its operations; and (iii) transactional data, which are those related to the use of financial products and services by a consumer. The General Dispositions issued by the National Banking and Securities Commission and Banco de México establish the common technical standards that ensure the interoperability of APIs, including their design, development, and maintenance standards. The secondary regulations also establish the security mechanisms to access, send, and obtain data and information and outline the information considered critical for the good functioning of the applications requiring access to APIs. Finally, the General Dispositions outline the process to obtain consumers' consent to access their transactional data. As per the Fintech Law, to permit transactional data to be shared and accessed, the consumer shall grant authorization, and the data shall be used only for the uses expressly authorized by the consumer. The consumer can also withdraw this authorization at any time.

In this context, Mexican authorities are interested in understanding the approaches pursued in other markets and fintech ecosystems to inform and develop their own policies and regulation effectively.

2. Context for Open Banking

The increasing interaction and use of bank-held customer-permissioned data by third parties has led different countries to take regulatory actions on different aspects of open banking.[1] Data sharing has taken place through different techniques, such as screen scraping and reverse engineering, as standard market practices. However, regulations are generally encouraging the use of APIs, considering their use a more secure and reliable practice.

Some jurisdictions have taken a prescriptive approach, requiring banks to share customer-permissioned data and requiring third parties that want to access such data to register with particular regulatory or supervisory authorities. Other jurisdictions have taken a facilitative approach, issuing guidance and recommended standards and releasing open API standards and technical specifications. Remaining jurisdictions follow a market-driven approach, having no explicit rules or guidance that requires or prohibits banks from sharing customer-permissioned data with third parties.

The frameworks created vary across countries in terms of stage of development, approach, and scope. Indeed, most regulations are in the early stages of development, and many were issued or came into effect in 2018 or later. It is therefore still very early to draw substantial lessons. In any case, the countries that are developing their regulatory frameworks are looking at learnings from the early players.

Finally, while some topics have not been incorporated into any regulation yet and hence are beyond the scope of the technical note, they are on the agenda for discussion in many countries. The role of bigtech firms in the data economy, the extension of data sharing to other sectors of the economy (referred to as "smart data"), or potential efforts toward international interoperability are examples of issues that will very likely have the attention of regulators in the near future.

3. Objective of the Technical Note, Scope, and Methodology

Mexico issued its Fintech Law in 2018 with the purpose of regulating financial services provided by financial technology institutions that are offered or performed by innovative means. This law is based on the principles of financial inclusion and innovation, the promotion of competition, consumer protection, the preservation of financial stability, the prevention of illegal operations, and technological neutrality. A general approach to the open-banking framework in Mexico is contained in article 76 of the Fintech Law.

To give context to the Mexican authorities as they develop their secondary regulation around consumer data-driven open banking, this technical note reviews open-banking regulations and practices in those countries that are more advanced in that respect. To understand the different elements to consider when developing a regulation, the following aspects of API infrastructure are analyzed: governance, technical requirements, security measures, outsourcing models, interoperability, and access to third parties. Also, a review of the players providing API infrastructure has been included. Aspects referring to consumer rights around the use of their data and regulations affecting the use of their data have also been considered. Additionally, those initiatives that include authentication of consumers have been taken into account. Finally, incentives to adopt APIs have been reviewed. A comparison of how different countries have approached these elements, as well as lessons learned from early implementation, could serve as a guide for future regulatory efforts.

Countries analyzed for this technical note include Australia, Brazil, Canada, the European Union, Hong Kong, India, Japan, Mexico, New Zealand, Singapore, the United Kingdom, and the United States.

Part of the analysis in this note is based on a desk review of (a) relevant regulations in the abovementioned countries; (b) materials on open banking by the World Bank and other international financial institutions; (c) literature on open banking by international market analysts and other reliable sources; and (d) reports and consultations made public by different countries.

The desk review was complemented with information gathered through in-person and phone interviews with authorities, market participants, lawyers, and other experts from the countries included in the scope of this technical note.

4. Challenges and Opportunities of Open Banking

A new wave of disruption has been progressively introduced in the retail banking industry in the past few years. Open banking can securely provide other financial institutions and third-party providers (TPPs) with seamless access to customer data through APIs and enable banks and non-banks to provide integrated modular services sourced from different specialist firms. This consent-based access to data and the potential communication that it allows open great opportunities for innovation to banks, fintech companies, and other players. This access to data is not exempt from risks; to reap the full benefits of open banking, they must be accounted for.

From the standpoint of banks, they have traditionally been in control of the data about their customers, and within a closed architecture, this allows them to make use of that data and gives them the initiative on the design and development of products. Opening to third parties requires API developments that enable other players to have access to their customers' data and to play a role in the production and delivery of financial and auxiliary services, moving banks to some extent from their comfort zone and opening up to competition. The need to develop and maintain an API infrastructure, the time and cost involved, the potential loss of revenue, more complex distribution of liabilities between banks and third parties, and cybersecurity are among the challenges that banks are facing. At the same time, implementation of open finance allows banks to develop new business models with potential new revenue streams and, to the extent banks also connect with other banks or players, have deeper insight into their customers.

As far as fintech companies are concerned, open banking creates an environment that encourages the development of the ecosystem. Access to consumer data and collaborative business models with banks enable great opportunities for innovation. Building the necessary security and compliance elements that an adequate treatment of customers' data requires is an important challenge for fintech companies.

Consumers, for their part, are probably the biggest winners from a move toward open banking. While some concerns may arise about privacy and data security, access to a wider range of services, improved user experience, the lower prices that increased competition entails, and the potential for wider financial inclusion are important gains. Those gains could be enhanced with "dynamic efficiency" as the processes around data exchange consolidate.

Concerning regulators, they can find in APIs a more stable framework of data sharing, with enhanced security. Also, the development of solutions could potentially contribute to more efficient surveillance and compliance of banks. Open banking could play a role in the areas of regtech and suptech, capturing information directly from financial institutions through APIs and, hence, significantly automating supervision. At the same time, this could allow financial institutions to meet their compliance obligations in a more efficient manner. One interesting example in this direction is AuRep, an innovative regulatory reporting system that has been implemented by the Austrian central bank and the country's banks to capture data directly from financial institutions.

Regulators are also facing important challenges in an open-banking framework, such as the need to have new technical capabilities to analyze APIs, the need to resolve conflicts between banks and fintech companies, and coordination among regulators.

Finally, all the players involved are challenged by the potential extension of data sharing to other sectors of the economy and by the role that bigtechs might be playing in the data economy.
TABLE 1: Challenges and Opportunities of Open Banking

Opportunities
  Banks: new business models; new revenue streams; deep customer insight; more user-centric solutions
  Fintech companies: enables ecosystem development; new business models; collaborative business models with banks; scale faster
  Consumers: wider range/choice of services; improved user experience; lower prices; financial inclusion
  Regulators: more stable exchange of information; enhanced security; potential for suptech solutions

Challenges
  Banks: need to develop API infrastructure (cost and time); competition and revenue loss; new distribution of liability; business model risk; customer disintermediation; cybersecurity
  Fintech companies: security; compliance
  Consumers: privacy; data security
  Regulators: need to have technical capabilities to analyze APIs; need to resolve conflicts between banks and TPPs; coordination among regulators

Source: Author's summary

5. Legal Framework of Open Banking and APIs in Selected Countries

Open banking offers great opportunities for incumbents, new service providers, and consumers. At the same time, banks and financial institutions are big targets for criminals, and the loss or misuse of financial data can cause real damage and distress to individuals. The risk of data loss, privacy breaches, fraud, and other cybersecurity attacks is real and increasing. Therefore, banks and financial service providers face new legal responsibilities to prevent the unauthorized or unlawful processing of data and to prevent loss, destruction, or damage. In such a context, there might be a need to balance legal and regulatory provisions related to information sharing and enabling access by different institutions with legal provisions related to data protection. Since rules are enacted by different authorities, potential conflicts of law might exist. In addition, one of the objectives of enabling open banking is to provide consumers more control over their account information and the possibility to decide with whom they would like to share such data. In such a context, consumer consent to allow third parties to access information through APIs has become a key issue in the formulation of the legal and regulatory framework of open banking.

Safeguarding competition, strengthening market contestability, and protecting the integrity of legal frameworks in the face of innovations from payment initiation and account services/aggregation are the main reasons why the European legislator has decided to intervene and why national authorities are implementing and enforcing these rules. On the one hand, large financial institutions (or groups thereof) held too much control over the industry and the array of payment and other services that users could combine with their core banking services. On the other hand, big techs are entering the financial market and are outside of the regulatory perimeter. Avoiding regulatory arbitrage has become a key priority for financial-sector regulatory authorities.

Data sharing is one of the key aspects of open banking, and safeguarding such data is also important. In this context, the adoption of measures to secure not only data but also networks, software, applications, hardware, and facilities is a relevant element of the design of open finance ecosystems. This security includes not only banks and institutions accessing data through APIs but also institutions that provide outsourcing services to banks and other institutions accessing their data, including providers of cloud-computing services.

Sharing data through the screen-scraping technique, where a TPP or financial data aggregation service accesses bank accounts on the consumer's behalf using the consumer's own credentials, raised consumers' as well as lawmakers' and banks' concerns, as there was no possibility to limit the time or scope of data accessed by the third party: whoever holds the credentials can read everything the customer can, for as long as the password remains valid. Open banking therefore requires a new approach to authentication and access to permissioned data.
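The contrast just drawn, credential sharing with no time or scope limit versus API access under an explicit consent, can be made concrete. The following is an added example written for this edit; it is not code from the technical note or from any regulator or standard it describes, and the scope names, the token format, the sample ledger and the test credential are assumptions. It models a data holder that issues a reference token bound to one TPP with a declared scope and expiry, enforces scope, expiry, TPP binding and revocation on every read, and, for contrast, a credential-based path that has none of those limits.

```python
"""Consent-scoped, time-limited third-party access versus credential sharing.

Added example, not part of the technical note. Everything below (scope names,
token format, ledger contents, the sample password) is an assumption made for
illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: one customer with one account and two transactions.
LEDGER = {
    "cust-001": {
        "accounts": [{"id": "acc-1", "balance": "1200.00"}],
        "transactions": [{"id": "tx-1", "amount": "-35.10"},
                         {"id": "tx-2", "amount": "900.00"}],
    }
}


class AccessDenied(Exception):
    """Raised by the data holder when a read is not covered by a valid consent."""


@dataclass
class Consent:
    customer_id: str
    tpp_id: str
    scopes: frozenset[str]   # e.g. {"transactions:read"}
    expires_at: datetime
    revoked: bool = False


class DataHolder:
    """The bank side: issues reference tokens bound to a consent and enforces them."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._consents: dict[str, Consent] = {}

    def grant(self, customer_id: str, tpp_id: str, scopes: set[str],
              ttl: timedelta, now: datetime) -> str:
        """Customer authorizes tpp_id for `scopes` until now + ttl; returns the token.

        The token is an opaque random id plus an HMAC tag over (id, tpp_id), so a
        token leaked from one TPP cannot be presented under another client id.
        """
        token_id = secrets.token_urlsafe(16)
        self._consents[token_id] = Consent(customer_id, tpp_id, frozenset(scopes), now + ttl)
        return f"{token_id}.{self._tag(token_id, tpp_id)}"

    def revoke(self, token: str) -> None:
        """Customer withdraws the authorization; later reads with this token fail."""
        token_id = token.split(".", 1)[0]
        if token_id in self._consents:
            self._consents[token_id].revoked = True

    def read(self, token: str, tpp_id: str, resource: str, now: datetime) -> list:
        """Serve `resource` ("accounts" or "transactions") only if the consent allows it."""
        try:
            token_id, tag = token.split(".", 1)
        except ValueError:
            raise AccessDenied("malformed token")
        if not hmac.compare_digest(tag, self._tag(token_id, tpp_id)):
            raise AccessDenied("token not bound to this TPP")
        consent = self._consents.get(token_id)
        if consent is None or consent.revoked:
            raise AccessDenied("consent revoked or unknown")
        if now >= consent.expires_at:
            raise AccessDenied("consent expired")
        if f"{resource}:read" not in consent.scopes:
            raise AccessDenied(f"scope {resource}:read not granted")
        return LEDGER[consent.customer_id][resource]

    def _tag(self, token_id: str, tpp_id: str) -> str:
        msg = f"{token_id}|{tpp_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


def screen_scrape(customer_id: str, password: str) -> dict:
    """Credential sharing: whoever holds the password gets every record, indefinitely."""
    if password != "hunter2":  # constructed credential for the sample customer
        raise AccessDenied("bad credentials")
    return LEDGER[customer_id]


def demo() -> list:
    """Exercise the grant: one allowed read, then each denial reason, then scraping."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    bank = DataHolder(secret=b"bank-signing-key")
    token = bank.grant("cust-001", "tpp-A", {"transactions:read"}, timedelta(days=90), t0)
    results = [len(bank.read(token, "tpp-A", "transactions", t0))]
    attempts = [
        (token, "tpp-A", "accounts", t0),                         # scope not granted
        (token, "tpp-B", "transactions", t0),                     # token bound to tpp-A
        (token, "tpp-A", "transactions", t0 + timedelta(days=91)),  # past expiry
    ]
    for args in attempts:
        try:
            bank.read(*args)
            results.append("allowed")
        except AccessDenied as e:
            results.append(str(e))
    bank.revoke(token)
    try:
        bank.read(token, "tpp-A", "transactions", t0)
        results.append("allowed")
    except AccessDenied as e:
        results.append(str(e))
    results.append(sorted(screen_scrape("cust-001", "hunter2")))  # no limit at all
    return results


if __name__ == "__main__":
    print(demo())
```

Calling `demo()` returns, in order, the number of transactions served under the valid grant, the denial reasons for the out-of-scope, wrong-TPP, expired and revoked calls, and finally the full set of record types the credential path hands over. The design point is that every limit the note says screen scraping lacks (scope, duration, revocability, binding to a named third party) is a check the data holder performs, not something the third party is trusted to honour.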
The adequate assignment of accountability for financial losses in the event of erroneous data sharing is also a relevant legal aspect that is typically covered under contractual arrangements that might not be enforced in a rapid manner.

Finally, one additional important point is the adoption of alternative dispute-resolution mechanisms, established either by banks or by the third parties through processes and procedures and contractual arrangements between banks and third parties.

Although early precedents also exist in other constituencies, the United Kingdom was the first country to regulate open banking; the Open Banking Standards went live in January 2018. Since then, the number of countries defining their open-banking regulatory frameworks has been increasing.

The first attempt to create an open-banking framework in the United Kingdom was the Midata Initiative, which was launched in 2011 by the Department for Business, Innovation and Skills with the objective to give consumers greater access to their transaction data in a portable electronic format. Banks voluntarily supported the initiative by providing downloadable account-transaction data in a standardized file format. Customers needed to download these files, save them to a disk, and then upload them. Providers, in turn, would analyze the data and make recommendations based on them. Midata was rolled out in 2015 but emerged with serious problems, in particular a very poor user experience. The project was not as satisfactory as had been envisaged and did not reach wide adoption. However, it served well as a learning experience for the framework to be designed later.

Envisaging the important benefits that open banking could unlock, the Treasury and the Cabinet Office commissioned a report[2] in 2014 to assess the opportunities that a model of open banking with data on bank transactions shared through APIs could entail for banks in the United Kingdom. The authors concluded that greater access to data would improve competition, and they made a strong case for the use of common standards to enable interoperability between banks and providers.

As a next step toward establishing open banking in the United Kingdom, the Treasury in 2015 created the Open Banking Working Group, with representatives from the banks, open-data groups, consumers, and TPPs, to determine the practical definition of data sharing. In 2016, the working group published a framework for banking data sharing and guidelines on how to implement it.[3] The group recommended standardized APIs to be shared.

In parallel to those developments in the United Kingdom, important pieces of regulation emerged at a European level affecting how open banking and data sharing were unfolding in the United Kingdom, namely the revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR). These will be analyzed later.

The Competition and Markets Authority (CMA) conducted an investigation of the retail banking market in 2017 that resulted in the issuance of a mandatory order[4] concluding that competition was insufficient in the United Kingdom, leading to high prices and insufficient incentives to innovate, to the detriment of final consumers. Among the remedies that emerged from this result, the nine largest banks (referred to as the CMA9)[5] were obliged to make customer data from their current personal and business accounts available to authorized third parties through APIs. The CMA also established an implementation entity to write the standards, build the supporting infrastructure, and coordinate and drive the implementation. The design of open banking was delegated to an individual (the Trustee), who would head up a body, the Open Banking Implementation Entity (OBIE), that would work with stakeholders across the sector to deliver open banking and at the same time have powers delegated to compel banks to comply. Open banking went live in January 2018, with the launch of the first account-information API. Once the implementation phase is complete,[6] the role of the OBIE will transition into a monitoring role to ensure that banks continue to meet their obligations.

FIGURE 1: Open-Banking Timeline, 1999 to 2019. [Figure not reproduced: a timeline of open-banking milestones in India, the United Kingdom, the European Union, Mexico, New Zealand, Singapore and ASEAN, Hong Kong, Germany, Japan, Australia, Canada, Brazil, and the United States.] Source: Author's summary based on public information

Among the early learnings from the United Kingdom's experience, analyzed in a report commissioned by the OBIE,[7] the importance of enhancing the user experience, the need to improve payment capabilities, the need also to improve consent protection for customers, the possibility to expand open banking into open finance, and the introduction of premium APIs that go beyond the mandatory ones could be highlighted.

While the United Kingdom's experience has opened the way and been taken into account by other countries, different models and regulatory approaches to open banking have emerged.

In Europe, PSD2[8] came into force on January 12, 2016, and for most of the provisions, member states had until January 13, 2018, to implement them into national laws. The most impactful parts of PSD2 related to open banking are the introduction of new payment-initiation and account-information services operated by TPPs that are granted access to bank data through APIs, and the provisions on strong customer authentication (SCA) for online payments. The PSD2 security measures related to TPP account access and to SCA were further detailed in the European Banking Authority Regulatory Technical Standards (RTS),[9] which were foreseen to enter into force on September 14, 2019. Finally, due to the complexity of the implementation, the European Banking Authority (EBA) has allowed national authorities to postpone for a year the introduction of the RTS for online payments.

At a European level, no common API standard has been adopted. Different sets of standards have been proposed by bodies representing coalitions of European banks (for example, STET[10] and the Berlin Group[11]).

In January 2019, the EBA established a working group on APIs under PSD2. The working group is tasked with facilitating industry preparedness for the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication and with supporting the development of high-performing and customer-focused APIs under PSD2.

Europe's GDPR[12] marked a significant milestone in data protection and had a global impact. GDPR is the primary law regulating how all companies protect the personal data of citizens of the European Union. It provides several new rights relating to personal data for citizens of the European Union, including a right to access, a right to be forgotten, a right to restrict processing, a right to data portability, and a right to revoke consent. GDPR requires explicit consent and that customers are made fully aware of how their personal data will be used and by whom. Finally, GDPR also imposes legal duties on organizations to protect customer data and to ensure its accuracy and completeness.

The European Data Protection Board is working on guidelines on the relationship and compatibility between relevant provisions of GDPR and PSD2. The first version of these guidelines is expected for the first quarter of 2020.

In Japan, the Amendment to the Banking Act in 2017,[13] which came into force in June 2018, introduced a registration system for TPPs and set the framework for collaboration between banks and TPPs, including both payment-initiation and account-information service providers. The amendment encourages banks to open up their APIs. Financial institutions have the discretion to opt in to open banking but must comply with specific rules if they do. Banks must endeavor to establish a system for carrying out interconnection through APIs within two years from the enforcement of the amended Banking Act. In 2018, banks had already presented their plans to realize open APIs. The fact that TPPs need an authorization, and especially that they are required to sign an individual agreement with each of the banks to which they want to connect, is making the process burdensome and adoption slow.

The Monetary Authority of Singapore (MAS) has been very active promoting open banking with a comprehensive, nonmandatory regulation and governance framework. The MAS has led by example by opening its own data for APIs and establishing scalable data practices and a payments infrastructure that underpins innovation in the area. Singapore has taken a collaborative stance with the industry. In 2016, with the Association of Banks in Singapore, it published an API playbook[14] that encourages banks to participate in open banking. The playbook presents a high-level guideline for API design aimed at stakeholders intending to use APIs, including providers, consumers, fintech companies, and the developer community. It includes a description of the full sequence of steps toward a complete strategy to open banking: prioritize and select APIs, implementation guidelines, data standard, security standards, and governance mechanisms. Four categories of APIs are included: product, servicing, marketing, reporting and payments. Finally, the MAS has also established an API register, to list open APIs available in the Singaporean financial industry. In total, the playbook sets out a comprehensive framework, listing more than 400 recommended APIs and over 5,600 processes for their development.

At a regional level, the MAS, with the Association of Southeast Asian Nations (ASEAN) Bankers Association and the International Finance Corporation, has participated in the creation of the ASEAN Financial Innovation Network (AFIN), established in 2018 as a not-for-profit market institution. AFIN's objective is to create a scalable, market-driven, open architecture platform that can help expand access to responsible financial services innovation in the digital economy to smaller banks and markets across Asia. AFIN operates the API Exchange (APIX)[15] platform, the world's first cross-border, open-architecture API marketplace and sandbox platform for collaboration between fintech companies and financial institutions. The marketplace expedites discovery and collaborative undertakings between fintech companies and financial institutions.

As a result, several banks have launched their own initiatives and API platforms in Singapore (DBS, OCBC Bank, Citi, and Standard Chartered, among others), making Singapore one of the most dynamic markets in the development of an API ecosystem.

Australia has approached open banking from the wider perspective of consumer data rights.

[The text on Australia continues here in the original; only the following fragment survives on this page:] CDR accreditation process and supplementary guidelines on the insurance and information-security requirements of accreditation.

Also following a public consultation, the Hong Kong Monetary Authority (HKMA) published its Open API Framework for the Hong Kong Banking Sector[18] in July 2018, laying out its approach to open banking. The formulation of the Open API Framework is one of the seven initiatives announced by the HKMA in September 2017 to prepare Hong Kong to move into a new era of smart banking.

The framework takes a risk-based principle and a four-phase approach to implement various Open API functions (product information, customer acquisition, account information, and transactions) and recommends prevailing international technical and security standards to ensure fast and safe adoption. It also lays out detailed expectations on how banks should onboard and maintain relationships with TPPs in a manner that ensures consumer protection.

Hong Kong has defined a collaborative approach where the HKMA will monitor progress of Open API implementation and further consider the need for new regulatory measures. However, it has permitted flexibility to banks in implementing Open API as part of their strategies. It has allowed the industry to set its own standards with-
out making them mandatory. Having reviewed imple- In 2017, the Treasury Department commissioned the mentation challenges after a year, the HKMA signaled its Review into Open Banking in Australia, chaired by Scott intent to play a more proactive role in the definition of Farrell,16 to recommend the most appropriate model for standards and security for the higher-risk phases 3 and 4 open banking in Australia. Since then, the government of API implementation for account information and debit has decided to legislate a Consumer Data Right (CDR)17 initiation. to empower customers to choose to share their data with Concerning the US market, the regulator has taken a trusted recipients only for the purposes that they have hands-off approach, issuing nonbinding guidelines and authorized. The right will be implemented initially in the letting open-banking practices be industry driven. We can banking (open banking), energy, and telecommunica- find a general driver for open banking in Section 1033 of tions sectors and then rolled out economy wide on a sec- the Dodd-Frank Act,19 which states that US citizens can tor-by-sector basis. allow access to their financial data. Also, the Consumer On May 9, 2018, the Australian government agreed to Financial Protection Bureau issued a document in 2017 the recommendations of the review, both for the frame- containing consumer nonbinding principles for data-shar- work of the overarching CDR and for the application of ing protection20 that encourage the use of APIs for data the right to open banking, with a phased implementa- sharing. tion from July 2019. 
The government decided to phase in More recently, in July 2018, the US Treasury issued a open banking with all major banks making data available report21 containing general recommendations on the use on credit and debit cards and deposit and transaction of consumer financial data and encouraging regulators to accounts by July 1, 2019, and mortgages by February 1, take the necessary steps to avoid regulatory uncertainty 2020. Data on all products recommended by the review and create a context for secure and efficient access to will be available by July 1, 2020. All remaining banks will data. be required to implement open banking with a 12-month With a widely established practice of screen scraping, delay on timelines compared to the major banks. the United States’ bank payments association, the National The Australian Competition and Consumer Commis- Automated Clearing House Association, launched in 2017 sion has a supervisory role in the process and has been a group to work on API standardization, mainly in three empowered to adjust timeframes if necessary. In Septem- areas: fraud and risk reduction, data sharing, and payment ber 2019, the commission released draft guidelines on the access.22 Also, in late 2018 the Financial Data Exchange23 TECHNICAL NOTE ON OPEN BANKING • 11 was launched with the goal of unifying the leading finan- to understand how stakeholders perceived the potential cial institutions in the United States, together with fintech benefits of open banking and, also, how Canadians felt and others, around a common API standard and technical that risks related to consumer protection, privacy, cyber- framework for data sharing across the industry. security, and financial stability should be managed. In New Zealand, the development of open-banking While the government completes the review, different standards is also being led by the payment association, stakeholders are contributing to the debate. In June 2019, PaymentsNZ. 
It launched an API workstream as a central the Standing Senate Committee on Banking Trade and part of its Payments Direction strategic initiative since Commerce issued a report with recommendations on how 2017; the main driver for that initiative is encouraging inno- the deployment of open banking should take place in Can- vation in the payment sector in the country. In March 2018, ada.29 The recommendations include (i) the designation of the first pilot of APIs for payment initiation and account the Financial Consumer Agency of Canada as the interim information was launched. This pilot is now closed, and oversight body for screen scraping and open-banking the first versions of payment-initiation and account-infor- activities, with a mandate to conduct research and pub- mation APIs are available in the newly created API Centre. lic education and to respond to complaints; (ii) the pro- In June 2019, PaymentsNZ released a set of standards on vision of immediate funding to consumer-protection account information and payment initiation.24 groups to help them conduct and publicize research on India entered into open banking in the area of pay- the benefits and risks of screen scraping and open-bank- ments. The National Payments Corporation of India, an ing activities; and (iii) to facilitate the development of a umbrella organization for operating retail payments and principles-based, industry-led open-banking framework. settlement systems in India, as an initiative of the Reserve Over the longer term, it is also recommended modern- Bank of India (RBI) and Indian Banks’ Association under izing the Personal Information Protection and Electronic the provisions of the Payment and Settlement Systems Documents Act, to align it with global privacy standards Act, launched the Unified Payments Interface in 2016. 
The and to designate the privacy commissioner of Canada interface facilitates interbank transactions through an API and the Canadian commissioner of competition as the framework together with a digital identity solution. It is co-regulatory and enforcement authorities for open-data partly built within the unique identification platform in frameworks. India (Aadhaar). In Mexico, the Fintech Law30 came into force in March The history of API infrastructure dates back to 2009, 2018. This the first law in the world to regulate in a com- when India launched the Unique Identification Authority prehensive manner all the aspects affecting digital inno- and created the Unique Identification Numbers (UIDs), vation in the financial sector, new business models, and named as Aadhaar. The first API was launched in 2010, new players, including the creation of a sandbox. The and several APIs were progressively added within the plat- main guiding principles of this regulation are financial form India Stack: Payment Bridge and Aadhaar Enabled inclusion and innovation, which differ from the focus on Payment System, eKYC, eSign, and DigiLockers. In 2019, competition stated by some other regulations mentioned India Stack has collected 1.06 billion Aadhaar numbers, in this section. Open banking is mandated in article 76, linked 339 million bank accounts, and done 150 million describing the institutions that must publish their APIs electronic know-your-customer actions.25 and the type of data to which they need to give access. The RBI has remained active, encouraging the adoption The details of these elements of the strategy, together of open banking. In 2017, the RBI published a report of with the other dispositions of the Fintech Law, are being the Working Group on Fintech and Digital Banking,26 pro- developed by the Mexican authorities. 
viding recommendations for an environment for develop- Finally, Brazil has also declared its intent to regulate ing fintech innovations and testing of APIs. Also, the RBI open banking. In a communiqué published in April 2019,31 established directions for a Non-Banking Financial Com- the Central Bank of Brazil disclosed the fundamental pany-Account Aggregator,27 describing a framework for requirements for the implementation of open banking the registration and operation of an account aggregator in Brazil. Specifically, the communiqué provides for the in India. scope of the Brazilian open-banking model, the defi- More recently, Canada embarked on a journey toward nition of the customer personal and transactional data open banking with the announcement in the 2018 budget to be shared, and its phased implementation approach, of the government’s intent to undertake a review of the expected to be completed for the second half of 2020. merits of open banking.28 To guide the review, the minis- Self-regulation initiatives are expected, and the Central ter of finance appointed an advisory committee on open Bank of Brazil may coordinate these initial self-regulatory banking. The following three core financial-sector policy efforts. In December 2019, as a first step to start the reg- objectives were clearly stated to be guiding the review: ulatory process, the central bank submitted the drafts for efficiency, utility, and stability. The consultation sought public consultation. 12 • FINANCIAL INCLUSION GLOBAL INITIATIVE TABLE 2: Regulatory Approaches to Open Banking Regulatory-Driven Model Collaborative Model Industry-Led Model United Kingdom Singapore United States European Union Hong Kong New Zealand Australia Japan Brazil Mexico Canada India Source: Author’s summary TECHNICAL NOTE ON OPEN BANKING • 13 Analysis of Selected Topics 6.  
6.1 DATA EXCHANGE THROUGH APPLICATION PROGRAMMING INTERFACES

Data exchange between financial institutions and service providers has become increasingly common, as it promises to facilitate industry-wide innovation and increased business agility and competition while allowing consumers further choices. However, the types of data to be exchanged, the mandatory versus voluntary nature of the exchange, and the types of participants in the exchange might vary from one context to another.

6.1.1 Types of Data

The scope of open banking varies with the kind of data and functions made available via APIs. Some frameworks apply only to specific types of data, such as payment-processing data, and provide third parties with both “read” and “write” access to data and payment initiation, while other frameworks provide “read-only” rights for data-aggregation purposes. Concerning the type of data shared, the following five categories could be considered:

• Product and service data: Non-confidential data provided by financial institutions—for example, data about their products or services offered or offices and ATM locations.
• Customer-provided data: Information provided directly by customers to their banks. Customer ownership is most obvious in this type of data.
• Transactional data: Data generated as a result of a direct interaction with the financial institutions. This data is usually available in internet or mobile banking statements. Products included can go from the most basic current account to a wide range.
• Customer insights: Data that results from an effort made to gain insights about a customer. Credit scoring or know-your-customer data would be examples of this type of data.
• Aggregate data sets: Non-individualized data that results when the bank uses multiple customers’ data to produce collective or average data across a group or subset of customers.

6.1.2 Types of Participants

Participants in the open-banking ecosystem are both banks and financial institutions, and third parties accessing the data. Among the latter, payment initiators and account-information aggregators have emerged as the two main actors.

TABLE 3: Types of Data Exchanged in Selected Countries

Jurisdictions covered: UK, EU, Singapore, Japan, Hong Kong, Australia, New Zealand, India, USA, Brazil, Mexico. The extracted layout preserves only how many of these jurisdictions exchange each type of data, not which ones.

| Type of data | Jurisdictions exchanging it |
| Payment initiation | 9 of 11 |
| Current account information | 11 of 11 |
| Product information | 8 of 11 |
| Credit scoring | 3 of 11 |
| Verification—ID | 3 of 11 |
| Information about ATMs and offices | 4 of 11 |

Source: Author’s summary based on public information and interviews with authorities and market participants

Concerning the institutions that are subject to opening their data, different approaches are observed, depending on how wide the definition of financial institutions affected by open banking is.

Developing an API framework, the definition of processes, compliance requirements, and staff training or hiring impose some initial costs, which in some instances has led to including only players of a certain size. This is the case, for example, of Open Banking in the United Kingdom, where the initial mandate required the largest banks (the CMA9) to give authorized third parties access, through APIs, to customers’ current personal and business account data.

Brazil has announced a progressive approach, where, at first, only the institutions that are part of prudential conglomerates will be obliged to participate. Subsequently, this obligation may be extended to other institutions, at the discretion of the Central Bank of Brazil. The final scope of the model envisaged for Brazil should include financial institutions, payment institutions, and other institutions licensed by the Central Bank of Brazil.

In most countries, banks are the addressees of regulations or guidelines about open banking. This is the case in the European Union, Hong Kong, Japan, New Zealand, Singapore, and the United States. In some of those cases, such as in Hong Kong, New Zealand, or the United States, only major banks are affected, at least at an initial stage. Finally, in some instances, a broader set of institutions are subject to the opening of their APIs.

In the case of India, the concept of financial information provider includes the bank, banking company, non-banking financial company, asset-management company, depository, depository participant, insurance company, insurance repository, pension fund, and any other entity that the RBI may identify.

In Mexico, the Fintech Law has included, as obliged to establish standardized APIs, financial institutions, money transmitters, credit information companies, clearinghouses, financial technology institutions, and companies authorized to operate under new models.

In some cases, the opening of APIs for the financial institutions described in the regulations is established as mandatory, while in other cases, countries have drafted the regulation more in the shape of nonbinding guidelines or other prescriptions that make them voluntary.

Concerning the parties who can have access to the data, ensuring that only entities that adhere to the appropriate security and privacy standards and have the customer’s authorization becomes key to guaranteeing a secure open-banking framework. With that in mind, some constituencies have established licensing or authorization requirements for TPPs. That is the case of Australia, the European Union, India, Japan, Mexico, New Zealand, and the United Kingdom. In the case of Japan, regulation has gone a step further, also requiring an individual bilateral agreement between the TPP and the bank. Finally, Hong Kong gives banks the freedom to choose which TPP to collaborate with using bilateral agreements.

In the case of Europe, to increase transparency, the EBA established a central register that contains information about payment and electronic money institutions authorized or registered within the European Union.³² TPPs, both account-information service providers and payment-initiation service providers, are required to have an electronic ID to prove that they are a licensed player. This ID is then read by the bank before granting access.

In Singapore, the authorities have established a Financial Industry API Register, updated semiannually, which tracks APIs by functional category as they are launched. These open APIs provided by financial institutions have been broadly classified as either transactional (that is, containing sensitive client data, user/partner authentication required) or informational (that is, containing nonsensitive data, no/minimal authentication required).
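The two controls just described, reading a TPP’s electronic ID and confirming it against a register of licensed providers before granting access, and requiring authentication and customer authorization only for transactional APIs while leaving informational ones open, can be combined into a single access decision at the bank’s API gateway. The Python below is an added example written for this note; it is not code from the World Bank, the EBA, the MAS, or any bank. Its register entries, API catalogue, consent record, TPP identities, and all field names are constructed sample data and assumptions; in a PSD2 deployment the identity information would come from the TPP’s certificate rather than a plain record.

```python
"""Access gate in front of a bank's open-banking APIs (added illustration).

Not code from the World Bank note or any regulator or bank it describes.
Combines two checks the note describes: (1) confirm the TPP's electronic ID
against a register of licensed providers before granting access, and
(2) treat informational APIs as open and transactional APIs as requiring
authentication and customer authorization. Every identifier, path and field
name below is a constructed sample / assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed register of licensed TPPs, keyed by the provider id carried in
# the TPP's electronic ID (stands in for a central/national register).
REGISTER: Dict[str, dict] = {
    "TPP-0001": {"status": "authorized", "roles": frozenset({"AISP", "PISP"})},
    "TPP-0002": {"status": "authorized", "roles": frozenset({"AISP"})},
    "TPP-0003": {"status": "revoked", "roles": frozenset({"AISP", "PISP"})},
}

# Constructed API catalogue, classified like the Singapore register:
# informational = non-sensitive; transactional = client data, names the
# licence role a TPP needs to call it.
API_CATALOGUE: Dict[str, dict] = {
    "/products": {"class": "informational", "role": None},
    "/accounts/balances": {"class": "transactional", "role": "AISP"},
    "/payments/initiate": {"class": "transactional", "role": "PISP"},
}


@dataclass(frozen=True)
class TppIdentity:
    """Simplified electronic ID presented by a TPP (hypothetical fields)."""
    provider_id: str
    claimed_roles: FrozenSet[str]
    valid_until: date


@dataclass(frozen=True)
class Consent:
    """Customer authorization record held by the bank (hypothetical fields)."""
    customer_id: str
    provider_id: str           # TPP the customer authorized
    scopes: FrozenSet[str]     # API paths the customer allowed
    expires: date
    sca_done: bool             # strong customer authentication completed


def evaluate_access(api: str, ident: Optional[TppIdentity],
                    consent: Optional[Consent], today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Informational APIs need no TPP identity;
    transactional APIs need a current ID, an authorized register entry
    licensed for the required role, and an unexpired, SCA-confirmed consent
    from the customer for this TPP that covers the requested API."""
    entry = API_CATALOGUE.get(api)
    if entry is None:
        return False, "unknown API"
    if entry["class"] == "informational":
        return True, "informational API: no authentication required"
    if ident is None:
        return False, "transactional API requires a TPP electronic ID"
    if ident.valid_until < today:
        return False, "TPP electronic ID expired"
    reg = REGISTER.get(ident.provider_id)
    if reg is None:
        return False, "TPP not found in register"
    if reg["status"] != "authorized":
        return False, f"TPP status in register is {reg['status']}"
    needed = entry["role"]
    # The role must be granted by the register, not merely claimed in the ID.
    if needed not in reg["roles"]:
        return False, f"TPP not licensed as {needed}"
    if needed not in ident.claimed_roles:
        return False, f"TPP electronic ID does not assert {needed}"
    if consent is None or consent.provider_id != ident.provider_id:
        return False, "no customer consent for this TPP"
    if consent.expires < today:
        return False, "customer consent expired"
    if api not in consent.scopes:
        return False, "API outside the consented scope"
    if not consent.sca_done:
        return False, "strong customer authentication not completed"
    return True, "transactional API: access granted"


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the gate over constructed scenarios and return each decision."""
    today = date(2020, 1, 15)
    aisp = TppIdentity("TPP-0002", frozenset({"AISP"}), date(2021, 1, 1))
    revoked = TppIdentity("TPP-0003", frozenset({"AISP", "PISP"}), date(2021, 1, 1))
    consent = Consent("cust-42", "TPP-0002", frozenset({"/accounts/balances"}),
                      date(2020, 6, 30), sca_done=True)
    narrow = Consent("cust-42", "TPP-0002", frozenset({"/products"}),
                     date(2020, 6, 30), sca_done=True)
    return {
        "product data, anonymous": evaluate_access("/products", None, None, today),
        "balances, licensed AISP with consent": evaluate_access("/accounts/balances", aisp, consent, today),
        "payment, AISP not licensed as PISP": evaluate_access("/payments/initiate", aisp, consent, today),
        "balances, revoked TPP": evaluate_access("/accounts/balances", revoked, consent, today),
        "balances, no consent": evaluate_access("/accounts/balances", aisp, None, today),
        "balances, scope mismatch": evaluate_access("/accounts/balances", aisp, narrow, today),
    }


if __name__ == "__main__":
    for scenario, (allowed, reason) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {scenario}: {reason}")
```

Two design points are worth noting. The licence role comes from the register entry, not from what the presented ID claims, so a TPP cannot widen its own permissions; and every denial carries an explicit reason, which is what a bank needs to log for the complaint- and dispute-handling obligations discussed later in this section.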
TABLE 4: Types of Participants and Nature of the Framework in Selected Countries

| Country | Participants | Nature of the framework |
| UK | Banks | Mandatory for CMA9 |
| EU | Banks | Mandatory |
| Singapore | Banks | Voluntary |
| Japan | Banks | Voluntary |
| Hong Kong | Banks | Voluntary |
| Australia | Banks and other sectors | Mandatory |
| New Zealand | Banks | Voluntary |
| India | Financial information provider | Voluntary |
| USA | Banks | Voluntary |
| Brazil | Financial institutions | Mandatory |
| Mexico | Financial institutions and others | Mandatory |

Source: Author’s summary based on public information and interviews with authorities and market participants

In the case of the United Kingdom, to manage API standards in a way that enables a transparent and open governance framework that supports accessibility, usability, and innovation, an independent body was created. Recognizing that the CMA could not specify the technical standards in the primary regulation, the design of open banking was delegated to the “Trustee,” who would head up a body, the OBIE, that would work with stakeholders across the industry to deliver open banking. Funding for the OBIE comes from the largest banks (the CMA9), while the CMA, the Financial Conduct Authority, and Her Majesty’s Treasury provide governance oversight. The OBIE is the custodian of the Open Banking Standards for APIs and owns and maintains the Directory of Open Banking Participants (also referred to as the Open Banking Directory), which provides a “whitelist” of participants able to operate in the open-banking ecosystem. Once the implementation phase is completed, the role of the OBIE will transition into a monitoring role to ensure that service levels and obligations are met.

Finally, one particular principle that the CDR has introduced in Australia is reciprocity. All accredited recipients (fintech companies and others) must transfer data at their customers’ request in a format equivalent to how they received it.

6.2 API INFRASTRUCTURE

6.2.1 Governance

One important aspect around open banking is how to operationalize the open-banking framework, including the potential creation of governance entities, and their roles, responsibilities, and activities. To ensure adequate governance of the open-banking framework, certain aspects need to be defined, such as the appropriate mechanisms to determine engagement of participants to ensure that obligations are met, or how issues that materialize between participants are resolved.

Authorities involved in open banking can include the banking supervisor, an API or technical-standards body, the competition authority, the consumer-protection authority, the data-privacy authority, and an alternative dispute mechanism.

In some cases, such as in the European Union, Hong Kong, India, and Singapore, the bank supervisor is the one in charge of overseeing the open-banking framework. In other cases, such as Australia, it is the competition authority that is responsible for the implementation of the open-banking framework to increase competition in the banking sector and to foster innovation.

Considering the API architecture and framework within a bank or financial institution, there is the need on their part to define an internal governance that includes the following phases: ideation of APIs; prototyping and production; publishing; consumption (including partner onboarding, security, and so on); and retirement (notification of changes and migration). Singapore has been the country that has issued the most detailed description of guidelines about this API life-cycle governance. Also, in the case of Singapore, recommendations around API risk governance have been detailed.

In the case of Hong Kong, which leaves the strategy of adoption of open API to banks, the HKMA mandates that those that choose to move forward should ensure that a commensurate level of protections and suitable TPP governance arrangements are in place, with appropriate, clear contracts to define responsibility, liability, control, and customer protections. A detailed description of the preferred governance framework, based on bilateral arrangements with a common baseline, for the different phases of API adoption is described by the HKMA in its Open API framework.³³ Processes range from a simple TPP registration process with basic consumer-protection measures to onboarding checks, ongoing monitoring, and bilateral contractual relationships.

Also, once open APIs have been implemented by banks, the HKMA contemplates the creation of a body to review the relevance of the architecture, security, and data standards on an ongoing basis. The body may also take on other industry-wide tasks, such as coordination and consumer education, where needed. In the longer term, if harmonization of open API functions is desired by the industry, the body can also take on this task to work with the industry to achieve interoperability.

In the case of Australia, to govern the data standards, the Australian Competition and Consumer Commission has established the creation of a data standards chair and an advisory committee.

There are instances where industry-led workstreams are defining the governance of APIs. This is the case of payment associations in the United States (National Automated Clearing House Association) and New Zealand (PaymentsNZ).

Concerning liability frameworks, many countries have existing or planned laws or regulations addressing customer liability with respect to data access by third parties. For example, PSD2 requires authorized third parties to have professional indemnity insurance, or a comparable guarantee, against specified liabilities, such as unauthorized transactions or non-execution and defective or late execution of payment transactions. In other cases, customer liability may be addressed by national personal data-protection laws, general banking laws covering customer protection against fraudulent transactions, consumer-protection laws, and civil, commercial, and criminal codes. In some countries, customer liability is included in the bilateral contracts or agreements between the bank and the TPP.

Finally, several countries have existing or planned complaint-handling or alternative dispute-resolution mechanisms that cover open-banking issues. Among jurisdictions with existing or planned complaint-handling or alternative dispute-resolution mechanisms, in the European Union, PSD2 requires payment service providers, including authorized third parties, to put in place adequate and effective complaint-resolution procedures. In Hong Kong, terms addressing the complaint-handling mechanisms are expected to be included in contracts with third parties, as customers should not be responsible for any direct loss suffered as a result of unauthorized transactions unless the customer acts fraudulently or with gross negligence. In Japan, the Association for Electronic Payment Services, a private body, is responsible for handling customer complaints related to open banking. In Singapore, the Personal Data Protection Commission facilitates the complaint between the customer and the provider. India has an ombudsman scheme for digital transactions.

For jurisdictions that do not have regulatory guidance requiring complaint- or dispute-handling mechanisms, customers often initially take their complaints and disputes to their bank.

6.2.2 Technical Requirements

While regulation in some countries has defined standardized technical standards, in other cases a flexible approach has been adopted. In some instances, the industry has been the one establishing nonbinding standards.

In the case of Australia, Mexico, and the United Kingdom,³⁴ the standards have been mandated by regulation. Both Australia and the United Kingdom have introduced guidelines on standards even in customer experience. Hong Kong, based on international practice and the feedback during the consultation exercise, recommended internationally accepted architecture and security standards. In Singapore, a joint effort between the MAS and the Association of Banks resulted in the publication of an API playbook containing detailed recommended standards for APIs. In New Zealand and the United States, it has been the industry that has led the publication of nonbinding standards. In India, the RBI envisages developing API standards with the technical support of the Reserve Information Technology.

Concerning Europe, while PSD2 has not defined prescriptions on technical standards, some market initiatives have emerged (such as the German Group, STET, and the Polish API). Secondary regulation in the European Union has defined regulatory technical standards for SCA and common and secure open standards of communication (RTS).³⁵

In Brazil, the expectation is that the participating industries will agree themselves on technology standards, operational procedures, safety standards and certificates, and the implementation of interfaces. However, to ensure compliance with the regulation, as well as the achievement of the proposed objectives for the model, the Central Bank of Brazil may coordinate the initial self-regulatory efforts, approve decisions and revisions, and exercise veto power, imposing restrictions or regulating nonagreed aspects.

TABLE 5: Technical Standardization in Selected Countries

| Country | Technical standards |
| UK | Regulatory |
| EU | No standards, partial industry adoption |
| Singapore | Collaboration MAS/Banking association |
| Japan | No standards |
| Hong Kong | Recommended |
| Australia | Regulatory |
| New Zealand | Industry |
| India | Regulatory |
| USA | Industry |
| Brazil | Expectation of industry self-regulation |
| Mexico | Regulatory |

Source: Author’s summary based on public information and interviews with authorities and market participants

In Mexico, the Fintech Law dictates that the Supervisory Commission and the central bank could determine the technical standards for the interoperability of APIs, their governance, security, and consent mechanisms.

6.2.3 Security Measures

Different potential operational and cybersecurity issues have been identified related to the use of APIs, including data breaches, misuse, falsification, denial-of-service attacks, and unencrypted login. Mechanisms used by some banks to mitigate these risks include stricter access privileges, authorized end-to-end encryption, authentication mechanisms, and vulnerability testing, among others.

Robust security foundations are crucial to realizing the benefits of data transfer that open banking promises without compromising the soundness of the system. A right balance needs to be struck to ensure that security standards do not act as a barrier to entry for new players. This general principle has resulted in different degrees of regulation, from mandatory standards to recommended guidelines on security measures.

In the United Kingdom, the OBIE has released highly detailed and prescriptive technical security standards³⁶ in the areas of customer authentication, API specification, encryption, management of data, and controls.

The European Union has also mandated specific requirements in PSD2 with regard to payments in aspects such as managing operational risks, including system performance monitoring, contingency measures for unplanned unavailability or a system breakdown, incident management, and reporting. The European Regulation 2018/389 develops the requirements to be complied with by payment providers to apply the procedure of SCA, protect the confidentiality and the integrity of the payment service user’s personalized security credentials, and establish common and secure open standards for communication between the different parties involved in open banking.

In Singapore, the API playbook contains detailed guidelines on information security standards in domains such as authentication, encryption, authorization, hosting security, secure coding, vulnerability assessment, and robust fail-over mechanisms. MAS recommendations clarify that the level of security standards for each API depends on the business criticality of the data being exchanged, permissible access levels, including role-based access, and availability requirements across the identified information security domains.

Banks in Australia are also subject to prudential standards and guidance on data security issued by the Australian Prudential Regulation Authority³⁷ and to the Privacy Act’s requirement to secure personal information. Those standards set out the authority’s expectations for regulated financial institutions to consider and address risks such as fraud due to theft of data, business disruption due to data corruption or unavailability, delivery failure due to inaccurate data, breach of regulatory obligations resulting from unauthorized disclosure, and controls to ensure adequate data quality and data security, particularly in arrangements involving third parties.

In India, the main characteristics, and the definition, of the security elements of APIs will be defined in guidelines that are being drafted. The main features are likely to be technology agnostic, reliable, scalable, simple, minimalist and evolutionary in nature, customer-centric, driven by consent, and asynchronous by design. The specifications would promote interoperability and layered innovation, and transparency and accountability through data, including data privacy and security concerns. The account aggregator will be data blind, and the data will move in encrypted form, so that account aggregators cannot store data on their servers.

Finally, in Hong Kong, the Open API Framework recommends the architecture and security standards. The HKMA will also define a more detailed set of standards in 2020 for Phase III and IV open APIs to facilitate secure and efficient implementation across the industry. While certain technical standards have been prescribed, they cannot be considered as the only standards that cover all security requirements. Banks should always refer to sound industry practices and relevant regulatory and internal requirements and apply holistic controls on information and cybersecurity based on a risk- and principle-based approach to protect banks’ systems as well as bank and consumer data.

6.2.4 APIs Developed In-House by Banks or Outsourced API Providers

On a practical matter, banks have followed different approaches to open banking, resulting in different levels of openness for their APIs. Depending on their API strategy and internal capacities, banks either have decided to develop and publish their own APIs or have connected to external platforms.

While each model has its merits and challenges, standardized APIs (either regulatory or industry driven) tend to create a more balanced competitive context than closed APIs, which give a higher level of power and control to large banks and fewer opportunities to compete to smaller banks. Closed APIs also impose more costs on fintech companies wanting to partner with several financial institutions.

We can find examples of banks having launched their open API frameworks in different countries. Some of the banks leading globally the development and publishing of their APIs are DBS in Singapore—with the largest API developer portal, with more than 155 APIs available—OCBC, UnionBank in the Philippines, Citi, and BBVA. The two main origins of front-runner banks are either advanced Asian countries—namely, Singapore—or banks in the European Union adhering to PSD2. (More than 250 banks operating in the European Union have launched developer portals and APIs.) According to market analysis, 65 percent of banks’ implementations in Europe adhere to the Berlin Group standards.

On the other hand, a large number of banks deploy their offering through so-called API hubs, which provide a single interface to access all banks using their solution. The following two models of API hubs are in the market:

1. Compliance model: This model incorporates a layer on top of bank APIs that guarantees compliance with the regulation, hence mitigating compliance risk. They have been developed especially in Europe to ensure compliance with PSD2. Examples are Redsys (Spain), CBI (Italy), Stet (France), and Nets (Nordic countries).
2. Technical TPPs or aggregators: They develop their own APIs, which enable interconnection between banks and fintech companies.

published generally do not allow banks to charge for them. For those APIs that are not mandatory, the so-called premium APIs, regulations generally leave freedom for banks to decide on a business model for charging. So far, there are not many instances where banks are charging for APIs.

6.2.5 Interoperability

Interoperability could be defined as the ability of a system or a product to work with other systems or products without increased cost or effort. In the context of open banking, interoperability entails that legal and operational terms facilitate switching between banks. Regarding fintech companies and third parties, interoperability provides banks with the reciprocal stability of being able to change providers or work with several of them without increasing fixed costs. When standardization has not been imposed or has not yet been completely implemented, interoperability becomes a key driver for ecosystem development, and especially for customer adoption. It is also key for enabling a competitive environment that encourages small and medium players to develop their APIs on a level playing field with large banks.

Indeed, one of the recommendations of the Fintech Bali Agenda⁴⁰ is to reinforce competition and a commitment to open, free, and contestable markets to ensure a level playing field and to promote innovation, consumer choice, and access to high-quality financial services. The
Examples are BEC, Luxhub, SIBS, successful and large-scale adoption of technology would Eurobits, and Figo (Europe); Plaid and Yodlee (United be facilitated by an enabling policy framework regard- States); or Saltedge (Europe and United States). less of the market participant, underlying technology, or Some of these platforms work as marketplaces, allowing method by which the service is provided. It encourages the connection between banks and fintech companies policy makers to address the risks of market concentra- through APIs, and have appeared on the market with tion and to foster standardization, interoperability, and a regional approach and, in some cases, with public or fair and transparent access to key infrastructures. multilateral support. The AFIN APIX platform,38 working Also, different reviews of digital competition across in the countries of the Association of Southeast Asian Europe, such as the Furman Review41 and the European Nations and with some partnerships outside the region, Commission’s digital competition report,42 concluded that such as Abu Dhabi Global Markets, is one example of a data and protocol interoperability could drive increased multicountry marketplace platform. Another example is competition in digital markets. Finconecta,39 operating with the platform 4wrd, which Hence, interoperability has been broadly incorporated provides an API framework for connecting banks with as an objective for countries to achieve while promoting fintech companies in some African countries, the Middle and encouraging the adoption of API standards. Industry East, Europe, and Latin America, in partnership with the practice also becomes key to achieving interoperability. Inter-American Development Bank in that region. In the case of the United Kingdom, interoperability Several banks, especially in the European Union, have has been forced by regulation but also pushed by banks, also started to act themselves as third parties; many especially large ones. 
Authorities estimate that 80–90 large banks now offer account-aggregation services (for percent of account providers currently operate under the instance, Railsbank, Solaris, and BBVA). This trend is likely open-banking standards. to consolidate in other markets introducing open-banking Hong Kong is also moving toward interoperability. regulation. Since the launch of the first phase of open banking in Concerning the business models around APIs and the January 2019, the APIs launched by banks have largely possibility of charging third parties for the use of APIs, followed the recommended technical standards in the jurisdictions that regulate the obligation of APIs to be Open-API Framework. TECHNICAL NOTE ON OPEN BANKING • 19 India has interoperability as a clear aim as it moves in sultation and the reaction to it on the part of the Standing advance of its draft API standards. Senate Committee on Banking, Trade and Commerce.43 In Europe, the EBA has determined in the RTS that, to Some of the concerns associated with screen scraping ensure the interoperability of different technological com- and reverse engineering have to do with security and cus- munication solutions, the interface should use standards tomer protection, stability, and the lack of revoking rights of communication that are developed by international or on the part of the customer. Hence, screen scraping and European standardization organizations. Thus, without reverse engineering are perceived as slower, less stable, defining a concrete standard, it calls for the interoperabil- and less secure processes. Also, they allow less control ity of the system. on the part of the bank over who accesses customer data In Singapore, collaboration with the banking associa- and which data are retrieved. Generally, banks prefer a tion in the development of the API handbook has been system of APIs where they are in full control of the data instrumental to promote the interoperability of the API accessed by TPPs. 
However, the cost and time needed framework. to build and maintain public APIs could represent a chal- In some cases, such as in the United States and New lenge, particularly for smaller banks. Zealand, efforts toward interoperability have been led by On the other hand, while fintech companies are aware industry associations. of some of the drawbacks entailed with accessing data Finally, Australia has understood interoperability in a through screen scraping and reverse engineering, they wider way, in the sense that what has been designed for generally also have concerns about limitations on access the banking sector will also be able to work in other sec- only through APIs, which give permission only to certain tors of the economy (for instance, in energy and telecom- data, with more limited flexibility on the type and num- munications). ber of queries and, in some cases, with some lags on the update to the latest information. 6.2.6 Access to Third Parties In some areas, these different approaches have led to tension about whether the regulator should choose to Access by third parties to customer data has occurred prohibit screen scraping once APIs are mandatory. Most in the absence of APIs with the use of the widespread jurisdictions do not prohibit the practices of screen scrap- practices of screen scrapping or reverse engineering, still ing and reverse engineering. prevalent in several markets. The case of the European Union is particularly illus- In screen scraping, the customer provides a third party trative of this heated debate. The RTS introduced the with his or her log-in credentials (for example, a username concept of a “dedicated interface” (API). This enabled and password) for the online banking platform. 
This third account servicing payment service providers, those who party then uses the details to log in to the website of the provide and maintain a payment account for a payer, to customer’s bank and extract data on behalf of the cus- develop their own APIs and impose them on TPPs. tomer. Indeed, the latest version of the RTS saw a last-minute The practice of reverse engineering decompiles the change in December 2018 incorporating a contingency code of the mobile banking applications to figure out mechanism to use screen scraping (also known as the which information is exchanged between the applica- “fall-back mechanism”) in case the dedicated API inter- tion and a bank’s servers (through the nonpublic API) face is unavailable or not working properly. In that vein, and subsequently build a “reverse-engineered” version of the EBA Guidelines from the Contingency Mechanism the mobile application that is capable of directly exploit- under Article 33(6) of the RTS44 establish that, if the inter- ing the communication from and to the bank’s servers. face does not respond to five requests within 30 seconds, It requires a second enrollment of a mobile application it is considered unavailable, mandating banks to publish upon receipt of the customer’s authentication credentials metrics on their service levels. and the subsequent use of these credentials, or even the Banks can benefit from an exemption if their dedicated creation of a proprietary set of authentication creden- interface fulfills a number of conditions centered around tials (to the third party). This technique is often favored how robust, available, and well supported the solution is. by data aggregators over screen scraping because it is To gain the exemption, the dedicated interface also has much more scalable and robust, as its performance is not to meet certain design and testing standards and has to influenced by changes that banks make to their customer have been widely used for at least three months. 
There interface. are a number of challenges with the exemption process, Interestingly, one of the latest countries to launch a especially given that these assessments include fairly consultation process, Canada, is paying a lot of attention technical analysis of each interface. Several regulators to the analysis of the advantages and disadvantages of in the European Union are open about the fact that they open banking versus screen scraping, as part of their con- 20 • FINANCIAL INCLUSION GLOBAL INITIATIVE do not have the technical expertise required to perform the right of access, the revocation of consent, or the right these assessments, so they are encouraging banks to use to be forgotten. All payment service providers (banks, standardized conformance tools available in the industry. payment institutions, or new providers) must comply with Many have also mandated self-assessments and audit the data-protection rules when they process personal steps as part of the exemption process. data for payment services. TPPs make several claims about the system estab- Australia, under the principle of giving customers con- lished in Europe. They allege that it creates an imbalance. trol of their data, has determined that customers should Each account servicing payment service provider has, at be able to give specific instructions on what data is shared, most, one API to implement—namely, its own. Whereas with whom that data is shared, and for what purpose it is TPPs must implement a large number of APIs, depending shared, as well as the duration the sharing arrangement. on their current service and market coverage. Also, they The CDR requires banks to implement effective and effi- underline the challenge that TPPs have in testing these cient consent-management policies and processes and APIs for bugs and other problems without compensation. establish dashboards. 
Banks must demonstrate clear gov- Finally, the APIs were opened up for testing on March 14, ernance around collecting and managing customer con- 2019. Initial evaluations from some of the largest TPPs sent and authorizations before data is shared. Also, the in Europe found that testing environments (sandboxes) CDR contemplates that a consumer who has given con- were available for only about half the account servicing sent to use particular CDR data may withdraw the con- payment service providers. sent at any time by communicating the withdrawal to the accredited person in writing In Singapore, open-banking practices also need to be 6.3 CONSENT MECHANISMS fully compliant with the regulation that protects the use of individual personal data, the Personal Data Protec- Data openness is an essential element of open-banking tion Act,45 where it is mandated that organizations must regimes. One key aspect to deal with is the protection obtain previous consent to collect, use, or disclose per- of customer rights. This has resulted in the need for an sonal data, and where an individual has the right to with- explicit consent on the part of customer, which in some draw this consent at any time. cases is contained in other regulatory pieces that deal The Open API Framework in Hong Kong expects banks horizontally with customer data rights that could intro- and TPPs to implement appropriate measures for address- duce more strict measures to the open-banking frame- ing requirements related to customer data protection and work. the protection of personal data, including applicable laws In Europe, in accordance with data-protection rules and guidance on the protection of personal data. These under both PSD2 and GDPR, account holders can exer- include the Personal Data (Privacy) Ordinance in Hong cise control over the transmission of their personal data. 
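As an added illustration of the availability criterion and the service-level metrics discussed in this section (this is example code written for this note's readers, not tooling from the EBA, a bank, or a TPP), the following Python monitor reads a constructed log of probe requests against a dedicated interface, flags the interface as unavailable once five consecutive probes have gone unanswered within the 30-second limit, and derives the figures a bank could publish. The log line format, the reading of "five requests" as five consecutive unanswered probes, and the metric definitions (availability, 5xx error rate, downtime) are assumptions of the example.

```python
"""Dedicated-interface availability monitor.

Added example: the log format, the consecutive-probe reading of the
unavailability rule and the metric definitions are assumptions, not a
regulator's specification.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

RESPONSE_LIMIT_S = 30.0   # a probe answered later than this counts as unanswered
UNANSWERED_RUN = 5        # five unanswered probes in a row => interface unavailable

# Constructed sample log of a TPP's probes against a bank's dedicated interface.
SAMPLE_LOG = [
    "2019-09-14T10:00:00Z GET /v1/accounts status=200 latency=0.41",
    "2019-09-14T10:00:10Z GET /v1/accounts status=200 latency=0.52",
    "2019-09-14T10:00:20Z GET /v1/accounts status=- latency=-",       # no answer at all
    "2019-09-14T10:00:30Z GET /v1/accounts status=- latency=-",
    "2019-09-14T10:00:40Z GET /v1/accounts status=- latency=-",
    "2019-09-14T10:00:50Z GET /v1/accounts status=504 latency=31.2",  # answered, but too late
    "2019-09-14T10:01:00Z GET /v1/accounts status=- latency=-",       # fifth unanswered in a row
    "2019-09-14T10:01:10Z GET /v1/accounts status=- latency=-",
    "2019-09-14T10:01:20Z GET /v1/accounts status=200 latency=0.45",  # service restored
    "2019-09-14T10:01:30Z GET /v1/accounts status=500 latency=0.20",  # timely answer, server error
    "2019-09-14T10:01:40Z GET /v1/accounts status=200 latency=0.39",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) status=(?P<status>\S+) latency=(?P<lat>\S+)$"
)


@dataclass
class Probe:
    at: datetime
    status: Optional[int]       # None when the interface never answered
    latency_s: Optional[float]  # None when the interface never answered


def parse_log(lines: List[str]) -> List[Probe]:
    """Turn log lines into probes; lines that do not match the expected shape are skipped."""
    probes = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        at = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        status = None if m["status"] == "-" else int(m["status"])
        lat = None if m["lat"] == "-" else float(m["lat"])
        probes.append(Probe(at, status, lat))
    return probes


def answered(p: Probe) -> bool:
    """Only a response that arrived within the limit counts as an answer."""
    return p.latency_s is not None and p.latency_s <= RESPONSE_LIMIT_S


def unavailable_spans(probes: List[Probe]) -> List[Tuple[datetime, datetime]]:
    """Spans during which the interface counts as unavailable.

    A span opens at the probe that completes a run of UNANSWERED_RUN unanswered
    probes and closes at the next answered probe (or at the last probe if still down).
    """
    spans, run, opened = [], 0, None
    for p in probes:
        if answered(p):
            if opened is not None:
                spans.append((opened, p.at))
                opened = None
            run = 0
        else:
            run += 1
            if run == UNANSWERED_RUN:
                opened = p.at
    if opened is not None and probes:
        spans.append((opened, probes[-1].at))
    return spans


def service_metrics(probes: List[Probe]) -> dict:
    """Figures a bank could publish: share of probes answered in time, share of
    timely answers that were 5xx errors, and seconds spent in the unavailable state."""
    timely = [p for p in probes if answered(p)]
    errors = [p for p in timely if p.status is not None and p.status >= 500]
    downtime = sum((end - start).total_seconds() for start, end in unavailable_spans(probes))
    return {
        "probes": len(probes),
        "availability_pct": round(100.0 * len(timely) / len(probes), 2) if probes else 0.0,
        "error_rate_pct": round(100.0 * len(errors) / len(timely), 2) if timely else 0.0,
        "downtime_s": downtime,
    }


if __name__ == "__main__":
    probes = parse_log(SAMPLE_LOG)
    for start, end in unavailable_spans(probes):
        print(f"unavailable from {start:%H:%M:%S} to {end:%H:%M:%S}")
    print(service_metrics(probes))
```

Note that the late 504 response is counted as unanswered (it missed the 30-second limit) rather than as an error, so a provider cannot improve its availability figure by eventually returning an error page; the 500 that arrived in time is what feeds the error rate.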
6.3 CONSENT MECHANISMS

Data openness is an essential element of open-banking regimes. One key aspect to deal with is the protection of customer rights. This has resulted in the need for explicit consent on the part of the customer, which in some cases is contained in other regulatory pieces that deal horizontally with customer data rights and could introduce stricter measures into the open-banking framework.

In Europe, in accordance with data-protection rules under both PSD2 and GDPR, account holders can exercise control over the transmission of their personal data. Hence, no data processing can take place without the explicit informed consent of the consumer.

Under PSD2, providers (that is, banks, account information service providers, payment initiation service providers, and so on) can access and process only the data needed for the provision of the services subscribed to or requested by the consumer. PSD2 regulates the provision of new payment services that require access to the payment service user's data. For instance, this could mean initiating a payment from the customer's account or aggregating the information about one or multiple payment accounts held with one or more payment service providers for personal finance management. When a consumer seeks to benefit from these new payment services, she or he will have to request such services from the relevant provider explicitly. Payment service providers must inform their customers about how their data will be processed.

Payment service providers will also have to comply with other customer rights recognized in GDPR, such as the right of access, the revocation of consent, or the right to be forgotten. All payment service providers (banks, payment institutions, or new providers) must comply with the data-protection rules when they process personal data for payment services.

Australia, under the principle of giving customers control of their data, has determined that customers should be able to give specific instructions on what data is shared, with whom that data is shared, and for what purpose it is shared, as well as the duration of the sharing arrangement. The CDR requires banks to implement effective and efficient consent-management policies and processes and establish dashboards. Banks must demonstrate clear governance around collecting and managing customer consent and authorizations before data is shared. Also, the CDR contemplates that a consumer who has given consent to use particular CDR data may withdraw the consent at any time by communicating the withdrawal to the accredited person in writing.

In Singapore, open-banking practices also need to be fully compliant with the regulation that protects the use of individual personal data, the Personal Data Protection Act,[45] which mandates that organizations must obtain prior consent to collect, use, or disclose personal data, and under which an individual has the right to withdraw this consent at any time.

The Open API Framework in Hong Kong expects banks and TPPs to implement appropriate measures for addressing requirements related to customer data protection and the protection of personal data, including applicable laws and guidance on the protection of personal data. These include the Personal Data (Privacy) Ordinance in Hong Kong,[46] as well as the regulations and codes promulgated by the Privacy Commissioner for Personal Data under the said ordinance. Specifically, this regulation requires consent from the data subject and mandates that data subjects must be informed whether supplying data is obligatory or voluntary, the purpose of using their data, and the classes of person to whom their data may be transferred. A data subject can withdraw his/her consent previously given.

In India, the consent architecture established in the RBI Master Directions[47] determines that no financial information of the customer shall be retrieved, shared, or transferred by the account aggregator without the explicit consent of the customer. The consent of the customer should be obtained in a standardized way and contain, among other details, the identity of the customer and optional contact information, the purpose of collecting such information, and the consent expiration date. Account aggregators should also provide their customers with a functionality to revoke consent.

Brazil has also declared that the sharing of a customer's personal and transactional data, as well as the execution of payment services, should be subject to the customer's prior consent. Procedures to obtain such consent should aim to promote a simple, efficient, and safe customer experience.

Finally, Mexico requires in the Fintech Law that personal transactional data could be shared only with prior explicit consent from the customer. Only data that has been authorized may be used, and the owner of the data (the customer) has the right to revoke consent.
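The consent elements this section lists for the Indian account-aggregator model (customer identity, optional contact information, purpose, expiration date, and a way to revoke) can be turned into a concrete gate that an aggregator or bank checks before any financial information is retrieved or shared. The Python below is an added example for this note, not RBI's consent format or any aggregator's code: the artefact field names, the JSON shape, the sample customer and purpose values are all constructed, and the scenario walks through a permitted request, two out-of-scope requests, a request from the wrong customer, revocation, and expiry.

```python
"""Consent gate for an account-aggregator style data flow.

Added example: artefact fields, JSON shape and sample values are assumptions
constructed for illustration, not the RBI consent format.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Consent:
    consent_id: str
    customer_id: str              # identity of the customer
    contact: Optional[str]        # optional contact information
    purpose: str                  # purpose for which information is collected
    data_types: List[str]         # financial information types the customer agreed to share
    expires_at: datetime          # consent expiration date
    revoked_at: Optional[datetime] = None


def parse_time(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset (assumed artefact convention)."""
    return datetime.fromisoformat(s)


class ConsentRegistry:
    """Holds consent artefacts and decides whether a data request may proceed."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}

    def register(self, artefact_json: str) -> Consent:
        """Accept a consent artefact in the standardized (here: assumed) JSON form."""
        d = json.loads(artefact_json)
        c = Consent(
            consent_id=d["consent_id"],
            customer_id=d["customer_id"],
            contact=d.get("contact"),
            purpose=d["purpose"],
            data_types=list(d["data_types"]),
            expires_at=parse_time(d["expires_at"]),
        )
        self._consents[c.consent_id] = c
        return c

    def revoke(self, consent_id: str, at: datetime) -> bool:
        """Customer-initiated revocation; returns False if unknown or already revoked."""
        c = self._consents.get(consent_id)
        if c is None or c.revoked_at is not None:
            return False
        c.revoked_at = at
        return True

    def authorize(self, consent_id: str, customer_id: str, purpose: str,
                  data_type: str, now: datetime) -> Tuple[bool, str]:
        """Every condition must hold at the time of the request, not only at grant time."""
        c = self._consents.get(consent_id)
        if c is None:
            return False, "no consent artefact"
        if c.customer_id != customer_id:
            return False, "consent belongs to a different customer"
        if c.revoked_at is not None and now >= c.revoked_at:
            return False, "consent revoked"
        if now >= c.expires_at:
            return False, "consent expired"
        if purpose != c.purpose:
            return False, "purpose not covered by consent"
        if data_type not in c.data_types:
            return False, "data type not covered by consent"
        return True, "allowed"


# Constructed artefact, as a customer might approve it through an aggregator app.
SAMPLE_ARTEFACT = json.dumps({
    "consent_id": "cons-0001",
    "customer_id": "cust-42",
    "contact": "customer@example.com",
    "purpose": "personal_finance_management",
    "data_types": ["deposit_account", "term_deposit"],
    "expires_at": "2020-06-30T00:00:00+00:00",
})


def run_scenario() -> List[str]:
    """Grant, permitted use, out-of-scope requests, revocation and expiry; returns the reasons."""
    reg = ConsentRegistry()
    reg.register(SAMPLE_ARTEFACT)
    when = parse_time("2020-03-01T09:00:00+00:00")
    outcomes = []
    for cust, purpose, dtype in [
        ("cust-42", "personal_finance_management", "deposit_account"),  # in scope
        ("cust-42", "personal_finance_management", "loan"),             # data type not consented
        ("cust-42", "credit_underwriting", "deposit_account"),          # different purpose
        ("cust-99", "personal_finance_management", "deposit_account"),  # someone else's consent
    ]:
        outcomes.append(reg.authorize("cons-0001", cust, purpose, dtype, when)[1])
    reg.revoke("cons-0001", parse_time("2020-04-01T00:00:00+00:00"))
    outcomes.append(reg.authorize("cons-0001", "cust-42", "personal_finance_management",
                                  "deposit_account", parse_time("2020-04-02T00:00:00+00:00"))[1])
    # An unrevoked artefact still stops working once its expiration date passes.
    fresh = ConsentRegistry()
    fresh.register(SAMPLE_ARTEFACT)
    outcomes.append(fresh.authorize("cons-0001", "cust-42", "personal_finance_management",
                                    "deposit_account", parse_time("2020-07-01T00:00:00+00:00"))[1])
    return outcomes


if __name__ == "__main__":
    for reason in run_scenario():
        print(reason)
```

The gate is evaluated on every request rather than once at grant time, which is what makes revocation and expiry effective in practice; the "data blind" property the note describes for Indian aggregators is orthogonal to this check and would be enforced by passing the information through in encrypted form the aggregator cannot read.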
6.4 AUTHENTICATION OF CONSUMERS

The transmission of data, and especially remote electronic payment transactions, is subject to a high risk of fraud. Hence, some constituencies have deemed the introduction of additional requirements for SCA to be necessary. Also, fraud methods are constantly changing; thus, the requirements of SCA should allow for the innovation of technical solutions addressing the emergence of new threats to security.

In this vein, PSD2 introduces in Europe strict security requirements for the initiation and processing of electronic payments. PSD2 and the development regulation (the RTS) oblige payment service providers to apply SCA when payment service users

• Access their payment accounts online, whether directly or through an account information service provider;
• Initiate an electronic payment transaction; or
• Carry out any action through a remote channel that may imply a risk of payment fraud or other abuses.

SCA is an authentication process that validates the identity of the user of a payment service or of the payment transaction. More specifically, SCA indicates whether the use of a payment instrument is authorized.

It requires payment service providers to verify identity with two of the following three items:

• Something you know (a password, response to a security question, or PIN)
• Something you have (two-factor authentication via mobile phone, hardware token, or smart card)
• Something you are (a fingerprint scan or facial recognition)

SCA is not applied to some transactions that are considered low risk, including balance checks, low-value transactions (less than €30 for a single transaction), and transactions whose number or cumulative amount since the last time SCA was performed stays below a threshold. Also, for remote transactions between €30 and €500, it is accepted not to use SCA if the levels of fraud are proved to be under certain thresholds.

The requirements of SCA across the European Union are aimed at reducing the risk of fraud for online payments and online banking and protecting the confidentiality of the user's financial data, including personal data. However, given the complexity of adoption, the EBA has given flexibility to national authorities to postpone the adoption of the RTS for card-not-present transactions by up to 15 months from September 2019.

SCA in Europe could result in different user experience levels depending on how the authentication flow is implemented by banks. TPPs are required to have an electronic ID, which serves to certify that they are licensed players. The bank must not create obstacles to the process, but, in the absence of a contract, once the bank has read the electronic ID, it has the option to require the SCA to take place on its website and then send the customer back to the TPP.

Other countries, such as Hong Kong, have so far opted to introduce only recommendations in their Open API Framework about security-protection requirements and technologies related to the authentication of customers. It is expected that in 2020, the HKMA will also define a more detailed set of standards, which may include more security elements, including more sophisticated technology and authentication infrastructure.

In the case of Singapore, the API playbook has defined the recommended authentication standards through tokenized protocols (OAuth 2.0 and OpenID Connect). In other cases, such as Australia, different authentication methods are being tested as part of the implementation of the regime.

Broadly speaking, there are two options for enabling customer authentication: bank-specific schemes (models such as the one described above, where banks need to comply with certain rules) or market-specific schemes (such as eID solutions). We can find examples of eID solutions in some Nordic countries, in India (UID), and in New Zealand (Digital Identity NZ).

In the case of India, the Aadhaar Auth API allows banks and other financial institutions to verify the identity of the customer instantly, as required by RBI regulations.
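The SCA rules summarized above (two elements from distinct categories, and the low-risk cases in which SCA is not applied) are the kind of policy a payment service provider encodes at its authorization point. The following Python is an added example written for this note, not the RTS text or any provider's implementation: the element names, the €30 and €500 figures taken from the passage above, and the cumulative-count limit (the note gives no figure, so the value is an assumption of the example) are all illustrative. The point it makes is that two elements of the same category, such as a password plus a PIN, do not satisfy SCA, and that exemptions are evaluated before any authentication elements are even examined.

```python
"""SCA policy check at a payment service provider's authorization point.

Added example: element names and the cumulative-count limit are assumptions;
the €30 / €500 thresholds follow the passage above.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Which SCA category each presented authentication element belongs to (assumed names).
ELEMENT_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "otp_mobile": Category.POSSESSION,
    "hardware_token": Category.POSSESSION,
    "smart_card": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}

LOW_VALUE_EUR = 30.0      # single transactions below this are low-value
TRA_CEILING_EUR = 500.0   # €30-€500 remote transactions may skip SCA when fraud levels are low enough
MAX_SINCE_LAST_SCA = 5    # assumed cumulative-count limit; the note names no figure


def sca_satisfied(elements: Iterable[str]) -> bool:
    """Two of the three categories must be covered; two knowledge elements are not SCA."""
    covered = {ELEMENT_CATEGORY[e] for e in elements if e in ELEMENT_CATEGORY}
    return len(covered) >= 2


@dataclass
class Transaction:
    kind: str                       # "balance_check" or "payment"
    amount_eur: float = 0.0
    remote: bool = True
    fraud_rate_ok: bool = False     # provider's fraud rate proved to be under the threshold
    count_since_last_sca: int = 0   # transactions since SCA was last performed


def sca_required(tx: Transaction) -> Tuple[bool, str]:
    """Apply the low-risk exemptions described in the note; anything else needs SCA."""
    if tx.kind == "balance_check":
        return False, "exempt: balance check"
    if tx.amount_eur < LOW_VALUE_EUR and tx.count_since_last_sca < MAX_SINCE_LAST_SCA:
        return False, "exempt: low-value transaction"
    if tx.remote and LOW_VALUE_EUR <= tx.amount_eur <= TRA_CEILING_EUR and tx.fraud_rate_ok:
        return False, "exempt: fraud rate under threshold"
    return True, "SCA required"


def authorize(tx: Transaction, elements: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether the transaction may proceed given the elements the user presented."""
    required, why = sca_required(tx)
    if not required:
        return True, why
    if sca_satisfied(elements):
        return True, "SCA satisfied"
    return False, "denied: SCA required but fewer than two categories presented"


if __name__ == "__main__":
    print(authorize(Transaction("payment", 250.0), ["password", "pin"]))
    print(authorize(Transaction("payment", 250.0), ["password", "otp_mobile"]))
    print(authorize(Transaction("payment", 20.0, count_since_last_sca=2), []))
```

Because `sca_required` is consulted first, a low-value payment goes through with no elements at all, while a €600 remote payment is refused even when the provider's fraud rate is low and one strong element (a fingerprint) was presented, since the amount is above the €500 ceiling and a single category never satisfies SCA.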
6.5 INCENTIVES TO ADOPT OPEN BANKING

Although regulators and market participants recognize the importance of the financial industry taking a leading role in the adoption of open banking, countries are adopting particular measures to kick-start the adoption of a framework.

First, most regulations have taken place after a prior open consultation process and intense dialogue with the industry.

Second, in some cases, standards have been defined in a collaborative manner with the banking industry. One of the clearest examples of such a practice has been the joint publication of API standards by the MAS and the banking association in Singapore.

Having a single point of reference (known as a repository or dashboard) of all open APIs offered by banks is also a measure that some countries, such as Hong Kong, have taken to facilitate ease of access by TPPs. During discussions, some banks suggested that it would be desirable for the Data Studio of the Hong Kong Science and Technology Parks to take up this dashboard role. Hence, the HKMA recommended that all open APIs should be listed under the Data Studio. The listing of open APIs under the Data Studio will not preclude banks from using other repositories. The industry or individual banks are free to list their open APIs in multiple repositories.

Additionally, other practices—such as partnering with interested parties on the promotion of open banking, organizing educational events and competitions on the use of open APIs among the industry, or hosting seminars and workshops for banks and technology companies to share use-case ideas or experience gained elsewhere—are ideas mentioned by different regulators as potential formulas to encourage the adoption of open banking.

An enabling environment in which regulators set standards of a technical or legal nature can provide a baseline that reduces risks for banks and other users, encouraging the use of APIs.

Finally, some market drivers—such as new business models in e-commerce or other areas of digital business that require real-time intercompany processes or real-time payments—are incentivizing the use of APIs.

7. Conclusions and Future Agenda of Open Banking

As described in this document, open banking is to a great extent about ecosystem creation and the smart use of data to deliver new products to customers and to encourage competition. There is no single model or solution to achieve these objectives. The models analyzed in this note differ in their approach and scope, in the strictness of the standards or principles defined, and in the definition of the responsible governing bodies, among other things.

Most regulations analyzed under this note came into effect in 2018, so it might be too early to draw substantial lessons, but the following trends are observed:

• TPPs claim that the APIs published by banks do not have the quality they require and are not being used, and de facto screen scraping is still prevalent. TPPs claim that there is no real incentive for banks to publish good, free, open APIs.
• As a corollary to the former, some market players argue that it would have been desirable to regulate based more on principles and less on details that in the end require interpretation, and hence are subject to controversy.
• In Europe, more TPPs have been authorized as aggregators than as payment initiators, signalling higher challenges in the business model and access process in the case of the latter.
• Some concrete technical definitions in PSD2 are acting as a bottleneck for the development of TPPs. For instance, requiring the customer to provide consent every 90 days results in a very high rate of drop-off. Also, the fact that PSD2 does not accept variable recurring payments impedes the inclusion of a wide assortment of use cases. Finally, PSD2 does not contemplate the possibility of a refund on direct payments, giving much less flexibility than traditional payment schemes.

Early regulatory efforts have been concentrated on defining standardized API frameworks, creating governance bodies and rules, enhancing security, developing infrastructure, and establishing authentication methods. Among the next items on regulators' agenda in the area of open banking are issues such as the future scope of open banking, competition with other industries, especially with big tech players, and international interoperability.

In that respect, market participants and regulators are starting to talk about the evolution of the scope of open banking toward open finance and smart data. Open finance refers to the capacity of consumers to access their data via a suite of finance products, including mortgages, savings, insurance, pensions, and so on. On the other hand, smart data suggests the idea of customers accessing their data in nonfinancial services sectors, such as energy, water, mobile, and data from bigtechs. Although the only country to regulate the extension of open banking to other sectors so far is Australia, discussions around it are taking place at different levels in other areas. The idea of reciprocity when giving access to data is a principle that banks are starting to claim as a necessary step toward a level playing field. The Smart Data Review in the United Kingdom and the report of the Canadian Senate Committee on Open Banking also go in the direction of extending access to data to other sectors beyond banking.

Concerning bigtechs, their increasing interest and positioning as financial service providers, especially through banking-as-a-service models, has raised questions about the impact of their access to data from financial institutions. Some banks are starting to claim the idea of reciprocity in the access to customer data to guarantee a level playing field. On the other hand, regulatory authorities are analyzing the implications for financial stability and consumer protection, and also the division of responsibilities between bigtechs and their partnering banks.

Finally, one last element on the agenda of open banking that could contribute to the development of global markets is international interoperability, still at very early stages of discussion. The fact that there is no globally adopted API standard, and that TPPs may need to use different API standards to communicate with banks in different jurisdictions, could lead to potential challenges, such as inefficiencies for third parties or fragmentation of the digital financial ecosystem.

References

ABS (Association of Banks in Singapore) and MAS (Monetary Authority of Singapore). 2019. Finance-as-a-Service: API Playbook. ABS and MAS, 2019.

ACCC (Australian Competition and Consumer Commission). 2019. Competition and Consumer (Consumer Data) Rules 2019. Exposure Draft, March 2019.

Accenture. 2018a. "The Brave New World of Open Banking."

Accenture. 2018b. Making Open Banking a Platform for Industry Transformation: An Australian Perspective.

Accenture. 2019a. It's Now Open Banking: Do You Know What Your Commercial Clients from It?

Accenture. 2019b. Open Banking in Canada: Opportunity Knocks.

Accenture. 2019c. Unlocking Value with Consumer Data Rights Rules.

Accenture, Avanade, and Microsoft. 2019. PSD2 and Open Banking: Using Regulation to Kick-Start the Transformation of Banking.

AEFI (Asociación Española Fintech e Insurtech). 2017. "¿Quién gana la batalla con la nueva directiva PSD2?" December 14, 2017.

Application Programming Interface Evaluation Group. 2018. "Terms of Reference," API EG 002-18, February 28, 2018.

APRA (Australian Prudential Regulation Authority). 2019. Prudential Practice Guide: Draft CPG 234 Information Security. March 2019.

Australian Government. 2017. Review into Open Banking: Giving Customers Choice, Convenience and Confidence. December 2017.

Badour, Ana, and Arie van Wijngaarden. 2019. "UK Open Banking Implementation Entity Report Released." McCarthy Tetrault, July 26, 2019.

Badour, Ana, Shauvik Shah, and Tyler Hawley. 2018. Open Banking Update: Canada 2020 Issues Open Banking Report. August 1, 2018.

Banco Central Do Brasil. 2019. Communiqué 33,455/2019, April 2019.

BBVA. 2019. "Estados Unidos encara el open banking." October 2019.

BCBS (Basel Committee on Banking Supervision). 2019. Report on Open Banking and Application Programming Interfaces. Bank for International Settlements, November 2019.

Bhat, Deepa. 2018. "Screen Scraping vs. API—10 Questions to Understand the Differences." Medium, October 11, 2018.

Brodsky, Laura, and Liz Oakes. 2017. "Data Sharing and Open Banking." McKinsey & Company, September 5, 2017.

Capgemini and BNP Paribas. 2018. World Payments Report 2018.

Capgemini and Efma. 2019. World Fintech Report 2019.

CFPB (Consumer Financial Protection Bureau). 2017. "Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation." October 18, 2017.

Chaib, Ismail. 2018. "How to Regulate Open Banking." Open Bank Project, November 2018.

Chandran, Sasidharan. 2017. "Open Banking: Implications and Risks." Financier Worldwide, July 2017.

CMA (Competition and Markets Authority). 2017. "Guidance: The Retail Banking Market Investigation Order 2017." Gov.UK, February 2, 2017.

Congreso General de los Estados Unidos Mexicanos. 2018. Ley para Regular las Instituciones de Tecnología Financiera. Nueva Ley DOF 09-03-2018.

Cortet, Mounaim. 2018. "Mastering Open Banking: How the 'Masters in Openness' Create Value." Innopay, January 7, 2018.

Creehan, Sean, and Paul Tierno. 2019. "The Slow Introduction of Open Banking and APIs in Japan." Pacific Exchanges Podcast, May 2, 2019.

Datahen. 2018. "Data Harvesting War: Scraping vs Using API." Datahen Blog, December 14, 2018.

Deloitte. 2018. "Open Banking around the World: Towards a Cross-Industry Data Sharing Ecosystem."

Deloitte. 2019. Open Banking: A Seismic Shift.

Department of Finance Canada. 2019. A Review into the Merits of Open Banking. Department of Finance Canada/Ministère des Finances Canada, January 2019.

EBA (European Banking Association). "EBA Open Banking Working Group" (website).

EBA (European Banking Authority). 2017. "Draft Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication under Article 98 of Directive 2015/2366 (PSD2)." EBA/RTS/2017/02, February 23, 2017.

EBA (European Banking Authority). 2018. "Guidelines on the Conditions to Benefit from an Exemption from the Contingency Mechanism under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC)." EBA/GL/2018/07, December 4, 2018.

EBA (European Banking Authority). 2019a. "EBA Clarifications to Issues I to III Raised by Participants of the EBA Working Group on APIs under PSD2." March 11, 2019.

EBA (European Banking Authority). 2019b. "EBA Responses to Issues IV to VII Raised by Participants of the EBA Working Group on APIs under PSD2." April 1, 2019.

EBA (European Banking Authority). 2019c. "EBA Responses to Issues VIII to XIII Raised by Participants of the EBA Working Group on APIs under PSD2." April 26, 2019.

EBA (European Banking Authority). 2019d. "EBA Responses to Issues XIV to XX Raised by Participants of the EBA Working Group on APIs under PSD2." July 26, 2019.

EBA (European Banking Authority). 2019e. "EBA Responses to Issues XXI to XXVI Raised by Participants of the EBA Working Group on APIs under PSD2." August 14, 2019.

EBA (European Banking Authority). 2019f. "Opinion of the European Banking Authority on the Elements of Strong Customer Authentication under PSD2." EBA-Op-2019-06, June 21, 2019.

EBA Working Group on Electronic Alternative Payments. 2019.

Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation).

European Parliament and Council of European Union. 2017a. Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 Supplementing Directive (EU) 2015/2366 with Regard to Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication.

European Parliament and Council of European Union. 2017b. Revised Rules for Payment Services in the EU: Summary of Directive (EU) 2015/2366 on EU-wide Payment Services. European Union, March 2017.

EY Americas. 2019. "Why Building Consumer Trust Is Key to Brazil's Open Banking Success." EY, August 14, 2019.

Financial Data Exchange. n.d. The Global Industry Standard for Consumer Access to Financial Data.

Freebairn, Pip. 2018. Response to the Farrell Report into Open Banking: Submission to Australian Treasury. Australian Banking Association, March 23, 2018.

Gehrke, Nobert. 2019. "Open Banking & Open APIs in Japan." Medium, March 28, 2019.

Gilder, Andrew. 2018. "How Open Banking in Singapore May Pivot or Remain Organic." EY, December 17, 2018.

Gobierno de España. 2018. Real Decreto-ley 19/2018 de servicios de pago y otras medidas urgentes en materia financiera. November 2018.

GoCardless. 2017. "Screen Scraping 101: Who, What, Where, When?" Medium, July 19, 2017.

Harrison, Megan. 2018. Open Banking vs. Screen Scraping: What's the Difference? Infographic. Openwrks, July 5, 2018.

HKMA (Hong Kong Monetary Authority). 2018. Open API Framework for the Hong Kong Banking Sector. July 2018.

IDC. 2018. Who's Ready for OPEN? Infographic, March 7, 2018.

JBA (Japanese Bankers Association). 2017. Report of Review Committee on Open APIs: Promoting Open Innovation. July 13, 2017.

Kanehisa, Naoki, and Kenichi Tanizaki. 2018. "Open Banking in Japan." Payments & Fintech Lawyer, July 2018.

KPMG. 2017. Embracing PSD2 and the Era of Open Banking: Comply, Compete, Innovate. June 2017.

KPMG. 2018. Fintech in India—Powering a Digital Economy. September 2018.
Understanding the Business Relevance of Open APIs and KPMG. 2019. Open Banking Opens Opportunities for Greater Open Banking for Banks. EBA, May 2016. Customer Value: Reshaping the Banking Experience. May Endeavor México. 2018. Termómetro fintech: Los retos de la 2019. regulación. Krupena, Silvija. 2019. “Has the Ship Sailed for PSD2 Fallback Eroglu, Hakan. 2019. “The Asia-Pacific Way of Open Banking Exemptions?” RedCompass Labs, March 28, 2019. Regulation.” Finextra, June 20, 2019. Lancos, Peter, and Jonathan Naismith. 2019. “Open Banking Estévez Luaña, Rita. 2019. “Open banking: una nueva Security Risks May Open Pandora’s Box.” Innovate Finance, oportunidad en la era del ‘data.’” CincoDías, September 10, May 14, 2019. 2019. Light, Jeremy. 2017. “PSD2: Scoping Out the Impacts of the European Parliament and Council of European Union. 2015. RTS.” Accenture, July 2017. Directive (EU) 2015/2366 of the European Parliament and López Morales, Tomás. 2017. “Tu banco está celoso: no quiere the Council of 25 November 2015 on Payment Services más ‘screen scraping.’” El Pais, December 16, 2017. in the Internal Market, Amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No MAS (Monetary Authority of Singapore). n.d. “Application 1093/2010, and Repealing Directive 2007/64/EC. Programming Interfaces (APIs),” https://www.mas.gov.sg/ development/fintech/technologies---apis. European Parliament and Council of European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and Mastercard and Ipsos. 2019. The State of Pay 2019–2020. of the Council of 27 April 2016 on the Protection of Natural September 2019. TECHNICAL NOTE ON OPEN BANKING • 27 Mathorpe, Roland. 2018. “What Is Open Banking and PSD2? PwC and ODI (Open Data Institute). 2018. The Future of Banking WIRED Explains.” Wired, April 17, 2018. Is Open: How to Seize the Open Banking Opportunity. McDowell, Brett. 2019. “Open Banking: Why a New Approach to PYMNTS. 2019. 
“How APIs Safeguard Bank-FinTech Authentication Is Key to Its Success.” The Paypers, March 7, Collaboration.” Pymnts.com, May 6, 2019. 2019. RBI (Reserve Bank of India). 2017. Report of the Working Group McKinsey & Company. 2019. The Last Pit Stop? Time for Bold on FinTech and Digital Banking. November 2017. Late-Cycle Moves: McKinsey Global Banking Annual Review Read-Parish, Kelly. 2019. “Open Banking vs. Screen Scraping: 2019. October 2019. Looking Ahead in 2019.” Finextra, January 4, 2019. Medici. 2018. Open Banking Report 2018. September 2018. Rothwell, Graham. 2018a. “The Brave New World of Open Miyamoto, Koichi, and Hajime Taura. 2017. “Amendments to Banking in APAC: Japan.” Accenture Banking Blog, October Legislation on Electronic Payment Intermediate Service 16, 2018. Providers.” Anderson Mōri & Tomotsune Financial Services & Rothwell, Graham. 2018b. “The Brave New World of Open Transactions Group Newsletter, June 2017. Banking in APAC: Singapore.” Accenture Banking Blog, Mnuchin, Steven T., and Craig S. Phillips. 2018. A Financial September 27, 2018. System That Creates Economic Opportunities: Nonbank Standing Senate Committee on Banking, Trade and Commerce. Financials, Fintech, and Innovation. US Department of the 2019. Open Banking: What It Means for You. Senate of Treasury, July 2018. Canada, June 2019. Moyer, Kristin. 2016. “BankThink Screen Scraping vs. APIs Is a Stoyanov, Radoy. 2019. “10 Things You (May) Have Forgotten in Sideshow. Here’s the Real Battle.” American Banker, June 15, Your PSD2 Project.” BULPROS, April 2019. 2016. The Paypers. 2019. Open Banking Report 2019: Insights into the ODI (Open Data Institute) and Fingleton Associates. 2014. Data Global Open Banking Landscape. Sharing and Open Data for Banks: A Report for HM Treasury Thomas, Hamish. 2020. “Open Banking Opportunity Index: and Cabinet Office. September 2014. Where Open Banking Is Set to Thrive.” EY, August 31, 2020. ODI (Open Data Institute) and Fingleton Associates. 2019. 
Open Thomas, Hamish, and Anita Kimber. 2019. “How Regulation Is Banking, Preparing for Lift Off: Purpose, Progress & Potential. Unlocking the Potential of Open Banking in the UK.” EY, July 2019. March 28, 2019. Online Business Technologies. 2018. PSD2 and Open Banking: Tibshraeny, Jenée. 2019. “Payments NZ Releases Standards Summary of the Most Important Lessons Learned from the Detailing How Banks and Fintechs That Engage in Open PSD2 Workshop of June 22, 2018. Banking Have to Protect Consumers’ Data.” Interest.co.nz, Open Banking (web site), https://www.openbanking.org.uk/ March 4, 2019. about-us/. Tink. 2019. “Why 2019 Is the Year of Open Banking.” Tink Blog, Open Banking. “Welcome to the Open Banking Standard” (web April 2, 2019. page), https://standards.openbanking.org.uk/. TMI Associates. 2019. “Banking Regulation in Japan.” March Open Banking. n.d. Background to Open Banking, https://www. 2019. openbanking.org.uk/wp-content/uploads/What-Is-Open- Umezawa, Taku. 2016. “FinTech Developments in Japan and Banking-Guide.pdf. Reform of the Banking Act.” NO&T Japan Legal Update, no. 6 Open Banking. 2018a. Open Banking: Guidelines for Open Data (August 2016). Participants. July 2018. WB (World Bank). 2019a. “Open Banking and APIs Survey for Open Banking. 2018b. Participant Guide: Information Security Authorities of Hong Kong,” October 2019. Operations—A Guide to Implementing Effective Information WB (World Bank). 2019b. “Open Banking and APIs Survey for Security Controls. January 2018. Authorities of India,” October 2019. Open Banking Working Group. 2017. Open Banking: Advancing WB (World Bank). 2019c. “Open Banking and APIs Survey for Customer-centricity—Analysis and Overview. EBA, March Authorities of the United Kingdom,” October 2019. 2017. Which?. 2021. “Open Banking vs Screen Scraping, What Are My Pallardó, Arturo. 2016. “PSD2: Screen Scraping vs APIs?” Kantox, Rights?” Which?, March 4, 2021. December 19, 2016. Whyte, Lindsay. 2019. 
“Why Is the UK Leading the World on Pavoni, Silvia. 2019. “What Impact Will Open Banking Have on Open Banking?” Medium, January 18, 2019. Brazil?” The Banker, July 2, 2019. Wood, Chris. 2019. “How Does Open Banking Apply to US PaymentsNZ. 2019. 2019 Environmental Scan Report: Banks?” Nordic Apis, April 2, 2019. Developments in the Global Payments Landscape. August Zachadiaris, Markos, and Pinar Ozcan. 2017. “The API Economy 2019. and Digital Transformation in Financial Services: The Case of Peyton, Antony. 2019. “New Zealand Heads to Open Banking.” Open Banking”. SWIFT Institute Working Paper No. 2016-001, Fintech Futures, March 4, 2019. June 15, 2017. Policy Lab. 2018. Open Banking: Report on Findings and Zunzunegui, Fernando. 2018. “La digitalización de los servicios Resolutions. Canada 2020, July 5, 2018. de pago (Open Banking),” Working Paper No. 1. Revista de PwC. 2018a. The Imminent Arrival of the Age of Open Banking: Derecho del Mercado Financiero, October 11, 2018. A Shift to the Platform Business Model in Banking. PwC. 2018b. Opening the Bank for a New Era of Growth. June 2018. 28 • FINANCIAL INCLUSION GLOBAL INITIATIVE Endnotes 1. There are different definitions of open banking. The Bank for 17. https://treasury.gov.au/consumer-data-right International Settlements, for example, defines open banking as 18. https://www.hkma.gov.hk/media/eng/doc/key-information/press- the sharing and leveraging of customer-permissioned data by release/2018/20180718e5a2.pdf banks with third-party developers and firms to build applications 19. https://www.cftc.gov/LawRegulation/DoddFrankAct/index.htm and services, including, for example, those that provide real-time payments, greater financial transparency options for account holders, 20. https://files.consumerfinance.gov/f/documents/cfpb_consumer- marketing, and cross-selling opportunities. protection-principles_data-aggregation.pdf 2. https://assets.publishing.service.gov.uk/government/uploads/system/ 21. 
https://home.treasury.gov/sites/default/files/2018-08/A-Financial- uploads/attachment_data/file/382273/141202_API_Report_FINAL. System-that-Creates-Economic-Opportunities---Nonbank-Financials- PDF Fintech-and-Innovation.pdf 3. https://www.paymentsforum.uk/sites/default/files/documents/ 22. https://www.nacha.org/news/nachas-api-standardization-industry- Background%20Document%20No.%202%20-%20The%20Open%20 group-names-first-five-apis-develop-support-payments Banking%20Standard%20-%20Full%20Report.pdf 23. https://cdn.shopify.com/s/files/1/0038/4987/9625/t/4/assets/8.23_ 4. https://www.gov.uk/cma-cases/review-of-banking-for-small-and- FDX_WhitePaper_Final.pdf?2846 medium-sized-businesses-smes-in-the-uk 24. https://paymentsdirection.atlassian.net/wiki/spaces/ 5. The CMA9 includes Lloyds Bank, Nationwide, RBS, Danske Bank, PaymentsNZAPIStandards/overview Barclays, HSBC, Bank of Ireland, Allied Irish Bank, and Santander. 25. https://indiastack.org/about/ 6. The initial phase of implementation of Open Banking began in early 26. https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/ 2018 and ran until September 2019. WGFR68AA1890D7334D8F8F72CC2399A27F4A.PDF 7. https://www.openbanking.org.uk/wp-content/uploads/open-banking- 27. https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598 report-150719.pdf 28. https://www.fin.gc.ca/activty/consult/2019/ob-bo/pdf/obbo-report- 8. https://ec.europa.eu/info/law/payment-services-psd-2- rapport-eng.pdf directive-eu-2015-2366_en 29. https://sencanada.ca/content/sen/committee/421/BANC/reports/ 9. https://eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on BANC_SS-11_Report_Final_E.pdf +SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf 30. http://www.diputados.gob.mx/LeyesBiblio/pdf/LRITF_090318.pdf 10. https://www.stet.eu/en/psd2/ 31. https://www.bcb.gov.br/content/config/Documents/BCB_Open_ 11. https://www.berlin-group.org/psd2-access-to-bank-accounts Banking_Communique-April-2019.pdf 12. 
https://eur-lex.europa.eu/legal-content/EN/TXT/ 32. The comprehensive list of registered TPPs is available at https:// PDF/?uri=CELEX:32016R0679&from=EN euclid.eba.europa.eu/register/pir/search. 13. https://www.fsa.go.jp/common/diet/193/index.html 33. https://www.hkma.gov.hk/media/eng/doc/key-information/press- 14. https://abs.org.sg/docs/library/abs-api-playbook.pdf release/2018/20180718e5a2.pdf 15. https://apixplatform.com/landing 34. https://www.openbanking.org.uk/wp-content/uploads/Guidelines- for-Open-Data-Participants.pdf 16. https://treasury.gov.au/sites/default/files/2019-03/Review-into- Open-Banking-_For-web-1.pdf TECHNICAL NOTE ON OPEN BANKING • 29 35. https://eur-lex.europa.eu/legal-content/EN/TXT/ 43. https://sencanada.ca/content/sen/committee/421/BANC/reports/ PDF/?uri=CELEX:32018R0389&from=EN BANC_SS-11_Report_Final_E.pdf 36. https://www.openbanking.org.uk/wp-content/uploads/Participant- 44. https://eba.europa.eu/regulation-and-policy/payment-services- Guide-Information-Security-Operations.pdf and-electronic-money/guidelines-on-the-conditions-to-be-met-to- 37. https://www.apra.gov.au/sites/default/files/draft_prudential_ benefit-from-an-exemption-from-contingency-measures-under- practice_guide_cpg_234_information_security_march_2019.pdf article-33-6-of-regulation-eu-2018/389-rts-on-sca-csc- 38. https://apixplatform.com/landing 45. https://sso.agc.gov.sg/Act/PDPA2012 39. https://finconecta.com 46. https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_ Glance/ordinance.html 40. https://www.imf.org/en/Publications/Policy-Papers/ Issues/2018/10/11/pp101118-bali-fintech-agenda 47. https://www.rbi.org.in/Scripts/NotificationUser. aspx?Id=10598&Mode=0 41. https://assets.publishing.service.gov.uk/government/uploads/ system/uploads/attachment_data/file/785547/unlocking_digital_ competition_furman_review_web.pdf 42. https://ec.europa.eu/competition/publications/reports/ kd0419345enn.pdf 30 • FINANCIAL INCLUSION GLOBAL INITIATIVE