There are many facets to the technology behind open banking, with interconnectivity and security playing key roles alongside user experience and outcomes. Open banking has a long history, and is continuing to evolve.
In this article, we delve into that technology to help you gain an understanding of Open Banking, and why it is truly revolutionary in the way that it can deliver financial outcomes and support to individuals and businesses worldwide.
At the base of this article, you will also find a discussion between Joao Martins and Freddi Gyara on the technology behind open banking, as part of our Ozone Layer series.
The Technology Behind Open Banking
To begin, we should discuss the basics of Open Banking.
Open Banking refers to when APIs are used to share financial data and services with third parties, with the aim to improve security, open finance options, eCommerce experiences, and more.
Third parties often deliver these experiences through a service or an app, with customer data only available through explicit consent.
The purpose of Open Banking is to ensure that the regulatory frameworks and infrastructure are available to allow for that explicit consent.
Open Banking and Open Finance
Open Banking technology and Open Finance technology are often confused. Where Open Banking technologies deal with the wider scope of regulations, infrastructure, payment and financial accounts, Open Finance technology provides a very different service.
Open Finance and Open Finance technologies refer to the use of APIs to provide a range of financial products. These products could include mortgages, pensions, loans, trading accounts and more, which may use shared data to provide a tailored option to the user.
Modernised Banking
Banks have long held an unassailable position for offering the only real opportunity for individuals to manage multiple accounts, and receive and make payments.
The financial world is ever-shifting, though, and those same banks now need to adopt Open Banking API technology to keep up with a world contending with new currencies and provide the means to hold and transfer them.
APIs as they currently stand most often power a bank’s app or website, and ensure that it is compliant while offering a range of methods to improve the user experience.
In the future, we will continue to see APIs used to innovate within the banking sector by creating new ecosystems and platforms.
Updating Regulatory Compliance
Open Banking technology does not just revolve around introducing new experiences for users.
The aim of some APIs in Open Banking, including our own Ozone API, is to help banks remain compliant. This is an incredibly complex field, with regional laws setting the limits for what is and isn’t possible.
It’s also within the remit of these APIs to make predictions on the future of regulation, and to ensure that banks are preparing for eventual compliance changes.
Security
Security is, naturally, a huge factor in Open Banking, where communication between banks, financial institutions, and third parties, is open in ways previously unseen.
It is vital then that the technology exists that makes Open Banking APIs work with each party to ensure that user data is completely secure at all ends.
Many Open Banking standards revolve around the Financial Grade API (FAPI), which is now largely the de facto security protocol of choice, with FAPI 2 on the horizon.
There are other security considerations though, such as:
Authentication and Authorisation
This means that each member of the ecosystem must be properly authenticated. From there, they must be authorised and fintechs that receive the data must prove trustworthy.
Certificates now play a huge part in the bank-to-fintech validation process. Fintechs achieve their QWAC and QSEAL certificates (built upon TLS certificates) by completing a rigorous process that ensures fintechs are fully compliant in due diligence processes.
Banks can then validate open banking data requests against the fintech each time a request is made. Banks must ensure that the certificates are valid and the identity of the fintech is trustworthy before any data can be sent.
In regards to the bank clients themselves, their identity is typically authenticated and authorised within the mechanisms that currently exist on their apps, websites, etc. Upon consent, authentication, and authorisation of both parties, data can begin to flow.
Strong Customer Authentication (SCA)
PSD2 regulations require Strong Customer Authentication methods to be implemented. This means that APIs must have the technology to allow for multifactor authentication, such as one-time passwords, hardware tokens, or biometrics.
On top of SCA being vital for security, it is also a critical element behind a strong user experience.
In fact, Visa states that more than half of credit cardholders (53%) say they would switch banks if their current bank doesn’t offer biometric authentication options.
When followed by Experian’s statistic stating that 81% of consumers see biometrics as a more secure method of identity verification, it is clear that biometrics as technology is highly regarded, especially when it comes to security purposes.
Regulation Considerations
It is also worth considering data protection rules like GDPR. When working within the EU, Open Banking technology must account for GDPR, and provide users with information on which data will be used, how long for, and what the data will be used for.
Many other countries have their own data regulation rules, too, some that model GDPR, and some that follow their own course.
Brazil, for instance, which is a burgeoning scene for Open Banking, uses the Lei Geral de Proteçao de Dados (LGPD), which is modeled directly on GDPR, but with leaner penalties for non-compliance.
Scalable Tech
Open Banking APIs must have technology that can scale quickly and easily to meet demand. Many rely on cloud-based solutions which allow for auto-scaling, which can be an incredibly powerful tool for high volumes.
An expectation for Open Banking tech is that it works alongside third-party providers with the expectation that they will pull data at specific times of day. This causes extreme usage peaks, which can cause bottlenecks and performance issues if not accounted for.
Customer Consent
Consent mechanisms are an integral part of any Open Banking API. These mechanisms are designed to ensure that the user gives explicit consent that their information can be shared with third parties.
Most frequently, the OAuth framework is used alongside its security profiles like FAPI, to act as the protocol to implement the consent mechanism within the API.
As mentioned above, data protection rules like GDPR play a large role in security, with explicit customer consent playing a key element in ensuring GDPR compliance.
Specifications and Standards
API Specifications must be agreed upon by all parties to ensure that functionality and data exchange are simplified and compliant.
Within certain jurisdictions, Open Banking standards and specifications are already laid out by regulators to ensure smooth operations and transparency between all ecosystem partners.
This is particularly the case for specifications within the UK or the Kingdom of Saudi Arabia, which have standards designed to meet regulations like PSD2. This ensures that the standards for data sharing between banks, bank customers, and third-party Fintechs, are enforced under British or Saudi law.
The EU on the other hand currently allows for some incompatibility between interfaces and implementation. While standardisations within the EU should perhaps be looked towards as a priority, there are fascinating cases of voluntary standardisation.
This can be seen in both the STETs PSD2 API specification, and the BerlinGroup’s NextGenPSD2 API specification, which helped those APIs to flourish with a deeper understanding of the ecosystem from all parties.
Currently, there are at least 20 Open Banking Standards that are used globally. Following these standards early can greatly help when regulations start to kick in, although associated parties should always be aware that they evolve frequently.
Onboarding and Readily Available Documentation
Banks and fintechs must be able to communicate effectively throughout the onboarding process, with thorough documentation available for the fintech.
Where Open Banking technology is concerned, access to API sandboxes and portals should also be given to the fintech to help mitigate any delays that occur from fintech due diligence processes.
By ensuring that these processes are in place early, onboarding fintechs can get to grips with a bank’s API early, which will speed up standardisations and aid in resolving issues that may arise before true client data is involved.
Making the most of the Open Banking Technology
As we can see, there are a lot of moving parts when it comes to Open Banking technology. When properly implemented though with distinct thought given to each of the above elements, there are very few limits to the potentially beneficial outcomes to users.
Open Banking technology also provides banks the opportunity to rapidly gain a foothold in an ecosystem that has incredible opportunity but is growing ever more complex.
The Ozone Layer – An Interview On Open Banking Technology
In the latest instalment of the Ozone Layer, we discuss the technology behind open banking with Joao Martins the CTO of Yapily.
Following the recent launch of the API dashboard from Yapily (https://apiscore.yapily.com/) the performance of bank APIs has never been more in the spotlight! With third parties expecting API’s that are built in line with standards, that are available and high performing and end users expecting services to just work, the pressure is on for banks.
Freddi and Joao discuss the importance of performance and the technical considerations.
There will be more episodes of the Ozone Layer to come. If you have an idea for something you would like us to talk about with our partners and friends then please follow us on Linkedin and let us know.
Learn More About Open Banking Today
We have a range of useful learning materials for those looking to improve their knowledge of Open Banking. Select from our list below to continue your Open Banking journey:
- An Introduction To Open Banking
- What’s Next For Open Banking
- Tips for Implementing Open Banking
- Open Finance and Financial Inclusion
- The JROC Report
Ozone – The Open Banking API
At Ozone API we specialise in an ‘out of the box’ compliance package for banks and financial institutions, where open standards and regulations are easily managed.
Through our API, compliance can be achieved within weeks, saving banks and financial institutions valuable time and resources.
Reach out to a member of our team to discuss Ozone API today