Licenses, APIs, and security

Open banking made easy: everything you need to know to get started

If you’re active in the banking services industry, you’ve probably kept a close eye on FinTech in recent years. Its rise has given us game-changing products like affordable money transfer services, borderless bank accounts, and peer-to-peer lending platforms, to name but a few. It’s also given us open banking—the industry’s latest development—which is sure to have a big impact on companies and consumers alike in the near future. 

Open banking is the practice of sharing financial data, securely and with user consent, to third-party payment and banking service providers. Though it’s been around since 2016 in the UK, open banking was introduced across Europe with the revised Payment Services Directive (PSD2), a 2018 E.U. directive that added third-party payment service providers to the legal framework for banking services.

Giving third-party providers access to financial data means we’ll be seeing exciting developments in banking tools in the near future. It also means we’ll be seeing plenty of big opportunities for those who build them. In fact, there are quite a few early adopters already out there. But this shift won’t come without its fair share of risks and challenges. To find out why open banking matters, how it works, and what to look for before diving in, read on.

Why open banking?

Open banking was established with the end user in mind. The idea is to open banks to competition and improve the services they offer by creating new opportunities around financial data. Though open banking is made possible by legislation, its real promise lies in application programming interfaces, or APIs, which banks now have to share with licensed third-party service providers. In short, bank APIs provide programmatic access to all of their customers’ financial data. And with the passing of PSD2, any licensed company can now access them. This data is only shared with user consent, of course. 

If you’re building a financial services product, this is exciting for a few reasons. First of all, APIs allow you to avoid screen scraping processes, which are slow to use and expensive to maintain. APIs are also more secure, as they don’t require users to provide their banking credentials to anyone, but have the bank share information directly with your service. More broadly, these APIs mean that third-party companies no longer have to go through banks to get a complete picture of their users’ financial data via proprietary APIs. With a license and user consent, you can now access this kind of information directly, making it easier than ever to target, optimize, and innovate on the financial services you offer.

Open banking solutions for B2B markets: AISP vs. PISP.

Now that we’ve covered the basics, let’s have a look at what you need to get started. The first thing you want to determine is whether you’d need an account information service provider license (AISP), a payment initiation service provider license (PISP), or both.  

AISPs access user account information in a read-only way: they can view financial data, but they can’t modify it. An AISP license could help build a money management tool like MoneyHub, which uses machine learning to understand its users’ spending habits and build value through data analysis. It could also be used to create a loan application product like CreditKudos, which shares data gathered from a user’s account with a lender to facilitate the loan application process. 

PISPs differ from AISPs in that they can send and receive payments. PISPs have been leveraged to either start or enhance quite a few businesses, including Sofort, a real-time online banking and transfer service, and Trustly, which allows customers to pay for things online directly from their bank accounts. PISPs also open up plenty of unusual new possibilities, like Amazon’s short-lived but promising IoT service Dash, which allowed users to reorder a specific product at the click of a button, or Dave, a slightly scary app that pre-approves users for loans and sends them money whenever they’ve overdrawn their bank accounts. 

The advantage of AISPs over PISPs is that they’re much easier to access for newcomers. PISPs require significant capital and will have you working to overcome quite a few regulatory hurdles including liability, data protection, security, and insurance requirements. Making a final decision about which license to use (or deciding you need both) will depend on your specific business needs: if you only need to access your users’ financial information, an AISP will work just fine, but if you need to initiate payments on their behalf, you’ll have to go the extra mile and apply for a PISP. 

Which license is best for me?

Choosing between an AISP and PISP license will come down to a variety of factors that vary from business to business. You’ll have to consider the cost and ease of access of each option as well as its potential for building value within the context of your particular use case. If this seems daunting, remember that you can also partner with a company who has a license and build the rest of the product yourself.

Whether you’re starting out or trying something new, joining forces with a licensed company can be a good way to test the waters without taking on too much risk on your end. Say you’re an online merchant who accepts credit card payments. Dealing with potential chargebacks due to fraud can be a costly headache. If you have access to a PISP license through a service like Tink, it’ll greatly increase security, as customers will be paying directly from their accounts without having to enter their banking details on your website. Partnering with a third party can also help avoid dealing with PCI compliance, a legal hurdle required if any credit card numbers come into direct contact with your business. A licensed payment processor like Stripe, for example, can handle this for you.

That said, working with a partner isn’t right for everyone. First of all, third-party providers will charge for their services. Secondly, when working under someone else’s license, you become their agent and are responsible for operating compliantly and in accordance with their standards. If you were to build on someone else’s licensed platform to sell a product to third-party companies, for example, not only would you be legally bound to their terms, but your partners would too, as would their customers, and so on. This can create a messy legal chain you’d be better off avoiding if you plan on providing services to companies rather than individuals. 

What should I know about APIs?

As open banking is largely based on APIs, you’ll have to keep a few important technical considerations in mind when coming up with a business model, too. Though the open banking directive in the UK has a unified set of rules for banks to follow when sharing APIs, the PSD2 directive doesn’t specify how exactly European banks should share their data. And although certain standards do exist, you generally need to approach integration differently with each bank’s API.

One thing you want to focus on is the functionality of the API you’ll be using. As this process is so new, many banks are still changing and fixing their APIs. If you’re building a product around them, you can easily find yourself in a situation where something stops working from one day to the next. A good way to pinpoint risks before making any commitments is to use sandboxes, which are environments where you can try a bank or third-party license provider’s way of processing payments for free. Most banks offer one, as do aggregator companies like TrueLayer

Another big technical consideration is security. You want to build a product that gives you and your customers peace of mind, especially when dealing with financial services. Although most companies in the U.S. still use screen scraping, APIs are already the norm for security in Europe, despite the additional costs that licensing incurs. This seems to be the direction the industry is heading in overall as well: Plaid, a Silicon Valley start-up bought by Visa for over $5 billion, recently announced it had struck up agreements with a number of banks to start using APIs in its services.

Open banking: a tough learning curve with big potential. 

Though open banking is a promising new development, getting a product to market will come with a number of complex legal and technical issues that are hard to avoid. It’s important to do your research, understand the environment, and know what you want to get out of it. Don’t rush legal considerations like licensing and liability, prefer APIs over screen scraping when thinking about security, and remember to look closely at the functionality of whichever APIs you do end up working with. 

Here at Mooncascade, we have plenty of insight into the engineering process behind a host of successful FinTech products. We can use our knowledge of app and backend development to help you better understand the industry and apply our experience to your own use cases. To learn more about our expertise and what we can do to make your open banking product shine, get in touch today!

Published by Hanna-Mari Kirs

. Hanna-Mari is our Business Lead for European Markets. Previously part of the team at Monese, she has varied experience working in a rapidly changing startup environment across different roles and responsibilities. At Mooncascade, she helps our clients to stay on top of the competition and achieve their business goals.