By Andy Mills, VP EMEA, Cequence Security
Open banking hasn’t quite enjoyed the adoption rates envisaged with the Open Banking Impact Report revealing that 17% of businesses and just 11% of consumers use open banking services in the UK. There’s been steady growth since its introduction in 2018, but ultimately, uptake has proven disappointing, and that’s partly to do with how the initiative has evolved, as regulated by the Payment Services Directive (PSD2).
PSD2 mandates banks to share customer financial data with authorised third-party providers (TPPs) via AIS (access to transaction data) and PIS (the ability for third parties to initiate payment) using secure Application Programming Interfaces (APIs). The standard set out to create a more integrated payments market that would facilitate bank-to-bank transactions more securely but in reality, it’s seen the market evolve unchecked, leading to fragmented access.
Concerns saw the European Commission investigate and publish an evaluation report into PSD2 last year which found that, while APIs have helped address the inherent insecurity of screen scraping, which required customers to divulge their login credentials and bots to mine data to determine the user’s financial status, the technology has resulted in some unexpected problems.
Little incentive
One of the biggest issues is that banks have little incentive to make access easy. They can’t charge for data access but must put APIs in place. Consequently, the report notes that banks are choosing to “limit or at least complicate access to their data” and third parties claim implementations have “mostly been poor … with a significant number of obstacles built in”. Banks can charge for premium APIs, however, which has given rise to a two-tier system of basic and premium APIs.
Premium APIs provide AIS or PIS but do not need to be PSD2 compliant. They therefore see unlicensed third parties obtain access to similar that available to licensed APIs. This not only potentially undermines the standard but can place the unlicensed party at a competitive advantage because Premium APIs can offer services beyond those defined in PSD2.
Even where a basic API is used, PSD2 only specifies the performance criteria leaving banks free to modify them, so the same API can vary from institution to institution. This creates interoperability issues for third parties who then need to dedicate time and resources to developing individual connectors. As a result, the market has seen API aggregators spring up that build a single interface for multiple versions of an API and then market this.
No single solution?
Multiple API variants, two-tier access, and a lack of incentive to ensure basic access have seen the market suffer. The report notes that APIs “do not work properly. For example, third-party providers often do not receive the correct status feedback for scheduled PISP (Payment Initiation Service Provider) payments” and that “the availability of APIs remains patchy, the scope of the data being accessed remains unclear, and the eIDAS certification’s reliability is inconsistent across the EU.”
A number of solutions to these issues have been mooted. Firstly, the idea of a single mandatory API that prevents banks from rolling their own versions. The report showed some support for this, with 58% of those questioned in favour; however, concerns were also raised over whether this would stymy innovation. Others questioned if it was too late to put the genie back in the bottle, pointing out that while a multiplicity of APIs might have impeded progress it hasn’t prevented the evolution of open banking. At the other extreme, arguments have also been made to open up the market and allow premium APIs to compete and determine a dominant form of API.
It’s unclear exactly what action, if any, the EU will take but there does need to be a clearer business model. Banks are having to invest in and provide access to their data for free, and this has led many to look at how they can monetise access, such as by charging for real-time account-to-account transfers. But a draft proposal by the EC in October will outlaw such practices too, mandating that all instant payment services will need to be offered free of charge. This may be good news for open banking adoption as it could well see it used both digitally and physically for instore transactions, for example, effectively replacing the debit/credit card. But it puts banks back where they started, with little incentive to improve the API ecosystem. If we want to see open banking really flourish, we need to pay attention to the foundations it’s been built upon, and that means prioritising API functionality.