Your Comprehensive Glossary
for Financial Innovation

Let’s unlock the world of open finance
AISP

An AISP (Account Information Service Provider) is authorised by a National Competent Authority (NCA) to access the account and transaction information of individuals and businesses who have granted it permission to do so. An AISP might use this access to provide an aggregation service, for example, allowing people to see several of their bank accounts in one place.

APIs

An Application Programming Interface (API) is a way for two or more computer programs or components to communicate with each other. It is a type of software interface, offering a service to other pieces of software.

Challenger Bank

A Challenger Bank is a type of financial institution that competes with traditional banks, typically offering innovative products, services, and technology-driven solutions. These banks often challenge the status quo of the banking industry by providing a customer-centric approach, lower fees, better user experiences, and advanced digital capabilities.

Section 1033

Section 1033 of the Dodd-Frank Act gives consumers in the U.S. the right to share their financial data with authorized third party providers. Financial institutions holding data covered under Section 1033 must facilitate secure data-sharing that is not reliant on consumers sharing their credentials with any third party.

A2A Payment

A2A Payment stands for Account to Account Payment. It is when a payment is made from an account held by an individual, or legal entity, directly to an account of another individual, or legal entity.

Data Aggregation

In the context of open banking, data aggregation refers to the process of collecting and combining financial data from multiple accounts or institutions into a single, unified view. This is done through secure APIs, with the account holder’s explicit consent. Data aggregation is a core function enabled by Account Information Services (AIS) and is central to delivering the value of open banking.

Account Information Service

When used in open banking, Account Information Service (AIS) refers to a regulated service that allows third-party providers (with the end-user’s consent) to access and aggregate financial data from a user’s bank or payment accounts.

Account Provider

An Account Provider is the organisation that provides a financial account to individuals, or legal entities, for the purposes of making payments and receiving funds. The actual term used can vary by country, for example in the UK it would be Account Servicing Payment Service Provider (ASPSP).

Financial Inclusion

Financial Inclusion refers to the accessibility and availability of financial services and products to all individuals and businesses, especially those who are traditionally underserved or excluded from the mainstream financial system.

KYC

KYC stands for “Know Your Customer.” It is a process that financial institutions and other regulated entities use to verify the identity of their customers and assess their suitability for certain products or services. KYC procedures are designed to prevent financial crimes such as money laundering, terrorist financing, and fraud by ensuring that businesses have accurate and up-to-date information about their customers.

OAuth2

OAuth 2.0 is an authorisation protocol and is designed primarily as a means of granting access to a set of resources.

Open Banking

Open banking is a consumer-focused initiative that was introduced to provide consumers with more control over their data and who it is shared with, to achieve improved financial outcomes. That could relate to the speed of a transaction, an increase in visibility of their financial position, or the ability to access financial products. Open banking is a term that is used to cover the open banking infrastructure including: technical APIs, Standards, Customer Experience, and Trust Frameworks.

Open Banking Ecosystem

The term “Open Banking Ecosystem” refers to a network of interconnected financial institutions, third-party providers (TPPs), developers, regulators, and consumers that collaborate within an open and standardised framework for the sharing of financial data and the provision of financial services.

Open Finance

Open finance is the evolution of open banking. It aims to create a more interconnected and accessible financial ecosystem by facilitating the exchange of data and services among various financial institutions, fintech companies, and other third-party providers. This includes not only banking data but also data related to investments, insurance, lending, payments, and other types of financial services.

OpenID

OpenID is an open standard and decentralised authentication protocol promoted by the non-profit OpenID Foundation.

PISP

PISP stands for Payment Initiation Service Provider. It is a type of third-party provider (TPP) defined under the Payment Services Directive 2 (PSD2) in the European Union and under separate regulations in other regions. PISPs offer services that enable consumers to authorise online payments directly from their bank accounts without the need for a credit or debit card.

PSD2

PSD2 is the revised Payment Services Directive. It is a European Union directive that aims to regulate payment services and promote competition, innovation, and security in the European payments market. PSD2 was adopted by the European Parliament in 2015 and became applicable in EU member states in January 2018.

Regulators

Regulators are people or bodies that supervise a particular industry or business activity.

RegTech

RegTech, short for Regulatory Technology, refers to the use of technology, particularly software solutions, to help companies comply with regulatory requirements more efficiently and effectively. It encompasses a variety of tools and platforms designed to streamline regulatory processes, automate compliance tasks, and manage regulatory risks.

ADI

An Authorised Deposit-taking Institution (ADI) holds funds on behalf of consumers in Australia. It is an entity within the Consumer Data Right ecosystem that would act as a Data Holder to provide the information the consumer has consented to share.

SaaS

SaaS stands for “Software as a Service.” It refers to a software delivery model where software is hosted centrally on the cloud and made available to users over the internet. With SaaS, users can access the software through a web browser without needing to install or maintain it on their local devices.

SCA

SCA, or “Strong Customer Authentication”, is a regulatory requirement introduced under the Revised Payment Services Directive (PSD2) in the European Union. SCA mandates that customers must undergo multi-factor/two-factor authentication when initiating electronic payment transactions or accessing their payment accounts online. The term describes the act a consumer undertakes to verify that they are the rightful owner of the account or payment method, such as a bank account. SCA requires at least 2 distinct elements taken from the following three types of customer authentication ‘factors’:

Knowledge – Something they know e.g. a password
Possession – Something they have e.g. a trusted device
Inherence – Something they are e.g. a biometric element like FaceID or a fingerprint

Screen Scraping

Screen scraping is a technique used to extract data from the display output of another program, typically a website or a software application.

In the context of banking and finance, screen scraping has historically been used by third-party financial apps and services to access account information from online banking websites or mobile banking apps. Users share their login credentials, such as username and password, with a third party, which then uses them to log into the user’s online accounts. Screen scraping exposes users to risks, lacks transparency, and is being replaced by secure, regulated API access under open banking frameworks.

Aggregator

An aggregator describes a business that enables a consumer-facing third party provider to connect with a central platform to access the open banking APIs of multiple data providers, sometimes across multiple geographies.

SOC2

SOC 2 stands for Service Organisation Control 2. It is a framework for assessing and reporting on the controls relevant to security, availability, processing integrity, confidentiality, and privacy of a service organisation’s systems and data.

Standards-compliant

The practice of adhering strictly to published standards.

TPP

TPP stands for Third Party Provider. In various contexts, such as finance or technology, TPPs offer services or solutions to consumers or businesses. These services are typically payment initiation or account information retrieval in the context of open banking. TPPs must gain the explicit consent of the individual or business in order to access their account information (AISPs) or to initiate payments (PISPs) and in most geographies must be authorised by a National Competent Authority, like a regulator or Central Bank.

AML

AML stands for Anti-Money Laundering and is the set of regulations and laws that stipulate how businesses should manage risks associated with this area of financial crime.

Verification Of Payee

Verification Of Payee, or VOP, is the process by which the payment account details of an individual or business that will be receiving funds are verified. This process utilises APIs to complete the verification.

Variable Recurring Payments

A Variable Recurring Payment, or VRP, is an API that enables an individual or legal entity to set up a recurring payment directly from their account to a recipient account with variable limits. The amount, frequency, and other parameters can be set within the payment consent and authorised by the payer, enabling recurring payments to continue as long as they are within the pre-agreed boundaries.

Trust Framework

A Trust Framework is a set of rules, standards and processes for identity verification and data access, crucial to open finance ecosystems. The primary function of a trust framework is to allow the different parties in an open banking exchange to verify each other’s identity, ensuring data providers and consumers have full confidence in the identity of the party with which information is being shared. Trust Frameworks also help to establish fair and unbiased access where all participants have the same requirements for obtaining accreditation and gaining authorisation to operate within an open finance ecosystem.

Technical Service Provider

A Technical Service Provider (TSP) typically refers to a technology company that may provide services to participants in an open banking ecosystem, such as account providers or third party providers, but without needing to be formally licensed to perform regulated roles. This could be a company that provides an API platform to a bank to expose open banking APIs but without needing to be compliant itself.

Sweeping

Sweeping is the act of automatically moving money between two accounts held by the same individual or legal entity. In the UK the requirement to support sweeping applies to the largest 9 UK banks under the Retail Banking Market Investigation Order 2017 (often referred to as ‘The CMA Order’). In the UK sweeping is implemented through Variable Recurring Payment (VRP) APIs.

Standard Setting Organisation

A Standard Setting Organisation, SSO, is the term given to the body responsible for creating open banking standards.

Standard Body

A Standard Body is the organisation or committee responsible for creating the open banking standard for that specific region.

SEPA Instant

SEPA Instant Credit Transfer – refers to speedy transactions that allow users to pay other businesses or personal users in real time. SEPA Instant Credit Transfers are expected to be processed in under 9 seconds.

Scopes

In open finance, scopes specify the exact permissions a third party can access—such as account data or payments—based on what the user has explicitly consented to.

Responder

A Responder is the entity that responds to requests for consent, authorisation, data or payment initiation in the context of an open finance exchange.

Requester

A Requester is the entity that initiates a request for consent, authorisation, data or payment initiation in the context of an open finance exchange.

PSU

PSU stands for Payment Service User. This refers to the Account Holder (individual or business) who is using an open banking payment service.

PSP

A Payment Service Provider (PSP) refers to regulated open banking providers, including ASPSPs such as banks and financial institutions, PISPs, AISPs and CBPIIs.

Premium APIs

Premium APIs are APIs that enable open finance capabilities outside of those that are mandated by way of regulation. This could include access to additional data sets, payment capabilities or access to products that the financial institution does not need to expose under regulation. Premium API capabilities are still subject to the same data protection laws as regulatory APIs so users must consent to the third party provider’s access and be able to suspend access whenever they choose.

PI

A PI refers to a Payment Institution, an organisation that manages payment requests, and processing of these requests.

Personal Financial Management

When referred to in open finance, Personal Financial Management (PFM) is a type of use case for financial data sharing that relies on a user having a single view of their finances via one user interface or dashboard. This could be across different products such as current accounts, lending or savings and investments. Open finance APIs are highly suited to supporting PFM use cases as they allow third party providers to access consumer financial accounts across multiple separate financial service providers.

Payment Initiation Service

In the context of open banking a Payment Initiation Service (PIS) is a regulated service that allows a third-party provider to initiate payments directly from a user’s bank account on their behalf, with their explicit consent. Payment Initiation Services are a key enabler of innovation in open banking, giving users more control over how they move their money.

Pay-by-Bank

Pay-by-Bank is a term for a payment method that enables an individual, or entity, to make a payment directly from their financial account to the financial account of the payment recipient. Typically pay-by-bank payments are initiated by PISPs via open banking APIs.

Open Data

Open Data refers to certain data that is available for anyone to access through APIs. These open data APIs include data such as ATM and branch locations, as well as product details. Under certain regulations it is a requirement for mandated institutions to provide open data APIs based on a common data model. Additionally, open data can refer to data sharing beyond financial services, such as within the telco, health, and energy industries.

Open Banking Standard

In the context of open banking, a Standard is created to provide guidance and/or stipulate how open banking should be implemented in that specific region. Typically open banking standards include Security Standards, Functional Standards (including technical), Customer Experience, and Business/Operational Standards. They provide the blueprint for compliant implementation. Standards can be mandated (they must be adhered to if a bank or financial institution wishes to implement open banking), or optional (open banking is not mandated, and standards are more of a suggested best practice).

Open Banking Sandbox

An Open Banking sandbox provides an environment, and data, for testing an implementation without having to use real data or be authorised by a National Competent Authority.

Open Banking Directory Sandbox

The Open Banking Directory Sandbox provides a test instance of the real directory so that third party providers can test their implementations before transferring to a production environment. Some account providers require third parties to register within the Open Banking Directory Sandbox in order to use their financial institution’s API sandbox.

Open Banking Directory

A Directory is a tool that helps establish trust within an open banking ecosystem. It provides a list of parties who are authorised to participate in the open banking ecosystem along with the role that they are authorised to play. Directories may (but do not always) issue digital certificates to third parties to help them assert their identity.

OIDF

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. The OIDF created the OIDC protocol to support the delivery of their objectives as a global identity standards body.

OBL

Open Banking Limited (OBL) is the UK’s current open banking API standards provider. It was originally created by the Competition and Markets Authority (CMA) to design and deliver an open banking specification which would promote fair competition in the banking sector. It now operates as a private entity funded by its members. OBL was previously referred to as the OBIE (Open Banking Implementation Entity).

OBIE

OBIE stands for the Open Banking Implementation Entity. It was tasked with overseeing the initial design and delivery of open banking in the UK. It is now referred to as Open Banking Limited (OBL).

Model Bank

A Model Bank is a ‘dummy’ bank that provides a test environment including test accounts and test data that simulates a real-world scenario of interacting with a data-holding institution. It enables end-to-end testing of APIs, and their expected responses, without exposing real account data.

LEI

An LEI (Legal Entity Identifier) is a code, or number, unique to a legal entity. It is used globally for entities involved in financial transactions.

FiDA

Financial Data Access Framework – this extends open banking to open finance in the EU by extending data-sharing to insurance, investments and other financial data. It gives users the right to access or share their data with any regulated entity (including TPPs, financial advisors, insurers and mortgage brokers). The deadline for implementation is 2026/2027.

FAPI

FAPI (Financial-grade API) is a set of security and interoperability standards developed by the OpenID Foundation to ensure secure data sharing in high-risk financial environments. It builds on OAuth 2.0 and OpenID Connect, adding stricter requirements like mutual TLS, JWT-secured authorization responses (JARM), and Pushed Authorization Requests (PAR) to protect sensitive financial data and enable regulatory compliance (e.g., Open Banking, Open Finance).

EMI

An Electronic Money Institution (EMI) is a financial institution authorised to issue electronic money and provide payment services. They can also provide bank accounts and e-wallets. EMIs are similar to banks but are not authorised to lend money.

Developer Portal

A Developer Portal is where third parties/ fintechs can access documentation, specifications and other information that provides them with everything they need to connect to banks’ and financial institutions’ APIs for the purpose of integration. Under certain open finance legislation provision of a Developer Portal is mandatory if a bank or financial institution is exposing data using open banking APIs.

Developer Interface

The developer interface is the API that enables open banking in the U.S. under Section 1033. It is a standardised API that allows authorised third parties—like fintech apps or data aggregators—to access a consumer’s financial data from a financial institution, with the consumer’s permission.

Data Subject

Data Subject is a term defined under the General Data Protection Regulation (GDPR) that refers to the individual or legal person to which any data is attributable.

Data Out

Data Out refers to the process where banks, financial institutions, and/or fintechs expose data to third parties.

Data In

Data In refers to the process where banks, financial institutions, and/ or fintechs consume data from another source.

Data Access Platform

A Data Access Platform is a term specific to the US region. The role of a Data Access Platform is to integrate with multiple data providers in order to enable third parties to connect to a single source when retrieving account information. Essentially it performs the same role as Data Aggregators do in other markets.

Consensus Standard

A Consensus Standard refers to an industry standard recognized and maintained by a standards-setting organisation in the U.S. which is in turn recognized by the CFPB in the context of the 1033 ruling.

Conformance Test Suite

A Conformance Test Suite (CTS) is a series of software tests, often created by API standards bodies, that API providers can use to check their APIs are working correctly and comply with the required open finance standards for that region.

Confirmation of Payee

Confirmation of Payee, or CoP, is the process by which the payment account details of an individual or business that will be receiving funds are verified. This process utilises APIs to complete the verification.

CVRPs

Commercial Variable Recurring Payments (CVRPs) enable businesses to take recurring payments from their customer’s financial account. The payments can vary provided they remain within the pre-set parameters such as maximum frequency, amount, cumulative total etc. ‘Commercial’ simply refers to the commercial agreement between the account provider and the third party that uses this payment type in a business context. Whilst VRPs are free when used for sweeping between a user’s own accounts, CVRPs came into use when banks made this payment type available for other use cases such as merchant bill payment, e-commerce etc. Access to Commercial VRP APIs can be charged for by API providers in some regions like the UK where there is no regulatory mandate to provide them.

CoF

Confirmation of Funds (CoF) is an API service that can be called for a payment transaction to confirm whether the payer has sufficient funds in their payment account. Typically a Confirmation of Funds requester will send a payment amount to the payer’s Payment Service Provider (PSP) and get a ‘Yes/No’ response message to confirm the amount is available before any payment is made.

CMA

The Competition and Markets Authority (CMA) is a UK Government department responsible for promoting competitive markets and preventing unfair behaviour for consumers, businesses and the UK economy. The CMA conducted a review of retail banking that resulted in the top 9 largest retail banks within the UK being ordered to securely open up their data. This led to the launch of open banking in 2017 within the UK.

CBPII

A Card-Based Payment Instrument Issuer is a type of third-party provider that has authorisation under UK and EU open finance regulations to perform Confirmation of Funds (CoF) API requests.

ASPSP

An ASPSP (Account Servicing Payment Service Provider) is a legal entity that provides a payment account to consumers and businesses, defined under certain global open finance regulations.

APP Fraud

APP Fraud or Authorised Push Payment Fraud is when an individual is tricked into authorising a payment to a fraudster. This can take one of two forms: an individual intends to pay a genuine individual, but is deceived into paying someone else, or an individual pays the fraudster for what they believe is a genuine service or product that never materialises.

API Platform

An API Platform is a comprehensive software solution that enables organisations to design, deploy, secure, manage, and monetise APIs. It provides all the tools and infrastructure needed to support digital connectivity, regulatory compliance, and ecosystem collaboration across industries such as finance, telecom, healthcare, and more. The Ozone API solution is an example of a market-leading Open API Platform.