With great power comes great… confusion!
Open banking is a revolutionary data and payments initiative, but there’s no denying it comes with a lot of strange new terms and even more perplexing acronyms.
Whether you’re starting to get to grips with open banking or have just come across a new phrase you haven’t heard before, our open banking glossary gives simple explanations of all the key terminology.
Let’s start with open banking itself:
Open banking is the process of giving third-party payment service and financial service providers access to consumer banking information such as transactions and payment history.
Open banking is the first step on the journey towards an open economy, in which end users consent to let their data work harder for them across many aspects of their lives.
Open banking technology also enables a new payment method. Account to account payments driven through open banking speed up payments and offer a far more cost-effective method than traditional payment processes.
From a commercial standpoint, open banking’s many benefits include improving customer experience, unlocking new revenue streams and enabling more robust security.
For consumers, it provides more clarity, detail and control over their finances. Opting in to open banking also unlocks new levels of financial freedom and opportunity, from more tailored product offerings to faster and fairer access to credit and financing.
Account-to-account payments
Payments made from one bank account directly to another (just like bank transfers, but executed automatically).
Typically, this includes four data points: account holder’s name, account number, account balance, and transactions.
Account information services (AIS)
Enable businesses and institutions to share their data with other financial providers, banks, and third-party providers. AIS can be used for analysing customers’ account data to provide insights into financial behaviours.
Account servicing payment service provider (ASPSP)
Provide and maintain payment accounts for payment service users (PSUs). Traditionally, ASPSPs are banks and similar institutions.
The process of ensuring that only the authorised bank account owner can permit account access.
Application programming interface (API)
A set of routines, protocols, and tools for building software applications. Essentially, an API specifies how software components should interact.
API access token
A unique identifier of an application requesting access to data. It is the machine-level representation of an end-user’s permission to access their bank account. It unlocks secure communication with the bank API for accessing users’ account information or permission to initiate payments.
Data made available to an API user or a third-party provider.
The number of individual banks or bank branches that a third-party provider is connected to through APIs.
Competition and Markets Authority (CMA)
A non-ministerial UK government department responsible for strengthening business competition and preventing anti-competitive activities.
CMA9
The nine largest banks and building societies in Great Britain and Northern Ireland, based on the volume of personal and business current accounts.
CMA Order
Originally implemented by the CMA in 2017 to instruct the CMA9 to set up an open banking implementation entity (OBIE) which would enable customers to share their transaction history data safely and securely with trusted third parties.
Competent authority
A governmental body or regulatory or supervisory authority responsible for the regulation or supervision of the subject matter of participants.
Confirmation of Payee (CoP)
Confirmation of Payee (CoP) is an account name-checking service primarily for bank and building society payments to help prevent fraud.
The process of collecting data from several sources and combining it. In the context of open banking, a digital banking app, for example, may collect information from a customer’s multiple bank accounts and present that information in a single dashboard.
Open Banking Directory
The Open Banking Directory provides a whitelist of participants permitted to operate in the open banking ecosystem, as required by the CMA Order.
Dynamic client registration (DCR)
DCR allows trusted third parties to register themselves with an account servicing payment service provider.
European Parliament Economic and Monetary Affairs Committee (ECON)
An agency in charge of everything from the regulation of financial services to taxation and competition policies.
European Banking Authority (EBA)
A regulatory agency of the European Union. Its objective is to maintain EU financial stability and safeguard the banking sector.
Electronic identification, authentication, and trust services (eIDAS)
An EU-regulated set of standards for electronic identification and trust services for electronic transactions in the European single market.
To participate in the open banking ecosystem, banks and third-party providers need to prove their identity using cryptographic operations based around eIDAS certificates. The two certificate types important for open banking are Qualified Website Authentication Certificates (QWACs) and Qualified Certificates for Electronic Seals (QSealCs).
European Banking Authority Regulatory Technical Standards (EBA RTS)
The European Banking Authority develops Regulatory Technical Standards which are submitted to the European Commission for endorsement. Regulatory Technical Standards are a set of detailed compliance criteria that cover areas such as data security, legal accountability, and other processes.
European Payments Council (EPC)
Founded in 2002, the council consists of banks and banking associations working together to support and promote safe, efficient, and sustainable payments in Europe. The organisation’s main development is the Single Euro Payments Area (SEPA), an initiative to simplify bank transfers in euro.
Financial Conduct Authority (FCA)
The conduct regulator for 56,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms.
General Data Protection Regulation (GDPR)
A regulation from the European Parliament, the European Council and the European Commission to strengthen and unify data protection within the European Union (EU).
Know Your Customer (KYC)
A standard in the investment industry that ensures investment advisors know detailed information about their clients’ risk tolerance, investment knowledge, and financial position.
Entities that are required by the CMA Order to enrol in open banking.
Modified customer interface (MCI)
The method used by third-party providers, payment initiation service providers, and account information service providers to access bank accounts via an online portal instead of APIs.
National Competent Authorities (NCA)
Organisations with legally delegated or invested authority, or power, to monitor compliance with the national statutes and regulations.
Open API
(Or Public API) A free-to-use, publicly available application programming interface (API) that provides developers with programmatic access to a proprietary software application.
Open banking ecosystem
The open banking ecosystem refers to all the elements that facilitate the operation of open banking. This includes standards, governance, systems, processes, security and procedures.
Open Banking Implementation Entity (OBIE)
The delivery organisation working with the CMA9 and other stakeholders to define and develop the required APIs, security and messaging standards that underpin open banking.
Open Banking Working Group (OBWG)
Established in the UK in September 2015 by HM Treasury to determine how data sharing through open banking would work in practice. The group’s recommendations included standardised APIs to be used to share data and for open banking to adopt a decentralised system across different banks.
An envisioned future of the financial industry (which, to a degree, is already becoming a reality) where open banking APIs are used to cover more financial products, such as savings accounts, mortgages, even energy and phone subscriptions.
Data that anyone can access, use or share, such as information on ATM and branch locations, and product information for personal current accounts.
Payment initiation services
Enable third-party providers to initiate credit transfers on behalf of customers. The credit is held in the customer’s account with an ASPSP (account servicing payment service provider).
Payment initiation services provider (PISP)
Provides an online service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
Payment services provider (PSP)
An entity which carries out regulated payment services.
Payment services regulations (PSR)
The UK’s implementation of PSD2, established in 2017. Amended or updated from time to time and inclusive of the associated Regulatory Technical Standards as developed by the European Banking Authority.
Payment services user (PSU)
A person making use of a payment service as a payee, payer or both.
Premium APIs
In addition to Open APIs, banks can offer premium APIs. These allow third-party providers to connect with them for a fee. Premium APIs might include optional features, such as access to savings and investment account transaction data.
Qualified Certificate for Electronic Seals (QSealC)
Used for identity verification at the application layer to protect transactional information from potential attacks. The person receiving digitally signed data can be certain about who signed the data and that it has not been changed.
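The seal property described above (the receiver learns who signed the data and that it was not changed) is shown below with an ordinary ECDSA signature over a payment body. This is an added illustration, not code from the page or from any open banking standard: the message format, the participant names and the freshly generated key pair that stands in for a QSealC-certified key are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer models a participant holding the private key that sits behind a
// seal certificate. In production the verifier takes the public key from the
// QSealC issued by a QTSP; here a freshly generated P-256 key pair stands in
// for the certified key (assumption made for this example).
type Signer struct {
	Name string
	priv *ecdsa.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv}, nil
}

// Public returns the key a verifier would extract from the seal certificate.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Seal signs the SHA-256 digest of msg and returns a detached signature that
// travels alongside the message (for example in a request header).
func (s *Signer) Seal(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// VerifySeal reports whether sig was produced over exactly msg by the holder
// of pub. Any change to msg, or a signature from another key, yields false.
func VerifySeal(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo seals a constructed payment-initiation body as a TPP would and checks
// it three ways: untouched, altered in transit, and attributed to the wrong
// signer. It returns (genuine, tampered, wrongSigner).
func Demo() (bool, bool, bool, error) {
	tpp, err := NewSigner("example-tpp")
	if err != nil {
		return false, false, false, err
	}
	other, err := NewSigner("some-other-participant")
	if err != nil {
		return false, false, false, err
	}
	body := []byte(`{"amount":"10.00","currency":"GBP","creditor":"Example Ltd"}`)
	sig, err := tpp.Seal(body)
	if err != nil {
		return false, false, false, err
	}
	altered := []byte(`{"amount":"10000.00","currency":"GBP","creditor":"Example Ltd"}`)

	genuine := VerifySeal(tpp.Public(), body, sig)
	tampered := VerifySeal(tpp.Public(), altered, sig)
	wrongSigner := VerifySeal(other.Public(), body, sig)
	return genuine, tampered, wrongSigner, nil
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v\n", g, t, w)
}
```

The receiving side only ever sees the message and the detached signature; because the digest covers every byte of the body, changing the amount invalidates the seal, and because verification is bound to one public key, a signature from any other participant is rejected even over the identical body.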
Qualified Trust Service Provider (QTSP)
A trust service provider who provides one or more qualified trust services (QTS) and is granted the qualified status by the national supervisory body.
Qualified website authentication certificate (QWAC)
A digital certificate that complies with the eIDAS Regulation’s trust services.
Enable third-party providers, with the end customer’s consent, to request account information, such as the transaction history of personal and business current accounts, and/or initiate payments from those accounts.
Includes personal current account and business current account transaction data sets made available by account servicing payment service providers in accordance with the Read/Write Data Standard.
Read/Write Data Standard
Details the features and elements necessary to comply with the requirements for providing access to accounts.
Re-authentication
In the UK and EU, third-party providers must re-authenticate the user’s consent with their bank at least every 90 days to maintain the connection between bank and third-party provider.
Regulatory Technical Standards (RTS)
A set of technical compliance standards developed by the European Banking Authority that, once endorsed by the European Commission, need to be met by all parties. These standards cover topics such as data security and legal accountability.
Revised Payment Services Directive (PSD2)
The Payment Services Directive 2015/2366, as amended or updated from time to time and including the associated regulatory technical standards developed by the European Banking Authority and agreed by the European Commission and as implemented by the Payment Systems Regulator and including any formal guidance issued by a Competent Authority.
Risk-based authentication (RBA)
A security measure which uses an algorithm to assess each login attempt based on the likelihood of an account breach. If a login seems suspicious for any reason, RBA requires the user to perform an additional identification check.
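A minimal risk-scoring engine of the kind the definition describes is given below, run over a few constructed login attempts. It is an added example and not code from the page or from any bank: the signals (unknown device, unusual country, night-time login, recent failures), their weights and the step-up and block thresholds are all illustrative assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// LoginAttempt carries the signals available at login time. RecentFailures is
// assumed to come from the bank's own authentication log (last 10 minutes).
type LoginAttempt struct {
	User           string
	DeviceID       string
	Country        string
	At             time.Time
	RecentFailures int
}

// Profile is what the bank already knows about the customer's normal pattern.
type Profile struct {
	KnownDevices map[string]bool
	UsualCountry string
}

// Weights and thresholds are illustrative values chosen for this example.
const (
	wUnknownDevice   = 40
	wForeignCountry  = 30
	wNightTime       = 10
	wFailureVelocity = 30

	StepUpThreshold = 40 // ask for an additional element (e.g. an OTP)
	BlockThreshold  = 90 // refuse and refer to fraud operations
)

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up"
	Block  Decision = "block"
)

// RiskScore sums the weight of every anomaly present in the attempt.
func RiskScore(p Profile, a LoginAttempt) int {
	score := 0
	if !p.KnownDevices[a.DeviceID] {
		score += wUnknownDevice
	}
	if a.Country != p.UsualCountry {
		score += wForeignCountry
	}
	if h := a.At.UTC().Hour(); h < 5 {
		score += wNightTime
	}
	if a.RecentFailures >= 3 {
		score += wFailureVelocity
	}
	return score
}

// Decide maps a score onto the action the login flow takes.
func Decide(score int) Decision {
	switch {
	case score >= BlockThreshold:
		return Block
	case score >= StepUpThreshold:
		return StepUp
	default:
		return Allow
	}
}

// SampleProfile and SampleAttempts are constructed data for one customer.
var SampleProfile = Profile{
	KnownDevices: map[string]bool{"laptop-01": true},
	UsualCountry: "GB",
}

var SampleAttempts = []LoginAttempt{
	{"alice", "laptop-01", "GB", time.Date(2024, 3, 4, 14, 0, 0, 0, time.UTC), 0},
	{"alice", "phone-new", "GB", time.Date(2024, 3, 4, 15, 0, 0, 0, time.UTC), 0},
	{"alice", "laptop-01", "FR", time.Date(2024, 3, 5, 3, 0, 0, 0, time.UTC), 3},
	{"alice", "phone-new", "FR", time.Date(2024, 3, 5, 3, 30, 0, 0, time.UTC), 5},
}

func main() {
	for _, a := range SampleAttempts {
		s := RiskScore(SampleProfile, a)
		fmt.Printf("%-10s %-3s score=%3d -> %s\n", a.DeviceID, a.Country, s, Decide(s))
	}
}
```

The four sample attempts walk up the scale: a routine login scores 0 and is allowed, a new device on its own reaches the step-up threshold, a known device used from abroad at night after repeated failures also gets a step-up, and the combination of every signal is blocked outright. In a real deployment the weights would be tuned against observed fraud and the profile fed from historic sessions rather than hard-coded.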
STET
Initiated in 2004 by a group of major French banks to create a platform for the payments industry. The STET CORE platform processes billions of payments per year. STET also provides the open banking API for many important banks.
Strong Customer Authentication (SCA)
Authentication based on the use of two or more elements categorised as knowledge, possession, and inherence.
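The rule in that definition, at least two elements from different categories, is easy to get wrong in code (two knowledge checks do not count). The block below, an added example rather than code from the page or any bank, verifies a password as the knowledge element and an RFC 4226 HOTP code from a registered device as the possession element, then applies the category rule. The enrolment data (the password, the device secret, the plain SHA-256 password hash) are constructed for the example; a production system would use a salted, slow password hash.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Category is one of the three SCA element classes.
type Category int

const (
	Knowledge  Category = iota // something only the user knows
	Possession                 // something only the user has
	Inherence                  // something the user is
)

// Element records the outcome of checking one authentication element.
type Element struct {
	Category Category
	Verified bool
}

// HOTP implements the RFC 4226 HMAC-based one-time password (6 digits); a
// registered device generating these codes acts as the possession element.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[off])&0x7f)<<24 |
		uint32(sum[off+1])<<16 |
		uint32(sum[off+2])<<8 |
		uint32(sum[off+3])
	return fmt.Sprintf("%06d", code%1000000)
}

// Constructed enrolment data for one customer (assumptions for this example).
// A production system stores a salted, slow password hash, not plain SHA-256.
var (
	deviceSecret   = []byte("12345678901234567890") // the RFC 4226 test secret
	storedPassword = hashPassword("demo-passphrase")
)

func hashPassword(pw string) string {
	h := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(h[:])
}

func verifyKnowledge(password string) bool {
	return subtle.ConstantTimeCompare([]byte(hashPassword(password)), []byte(storedPassword)) == 1
}

func verifyPossession(counter uint64, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(HOTP(deviceSecret, counter)), []byte(presented)) == 1
}

// SatisfiesSCA applies the definition: two or more verified elements drawn
// from different categories. Two passwords are still only one category.
func SatisfiesSCA(elems []Element) bool {
	seen := map[Category]bool{}
	for _, e := range elems {
		if e.Verified {
			seen[e.Category] = true
		}
	}
	return len(seen) >= 2
}

// Authenticate runs the knowledge and possession checks for one login and
// reports whether SCA is met.
func Authenticate(password, otp string, counter uint64) bool {
	return SatisfiesSCA([]Element{
		{Knowledge, verifyKnowledge(password)},
		{Possession, verifyPossession(counter, otp)},
	})
}

func main() {
	fmt.Println("HOTP(0) =", HOTP(deviceSecret, 0)) // 755224 per RFC 4226
	fmt.Println("password + valid OTP:", Authenticate("demo-passphrase", HOTP(deviceSecret, 0), 0))
	fmt.Println("password + wrong OTP:", Authenticate("demo-passphrase", "000000", 0))
}
```

Because SatisfiesSCA counts categories rather than elements, a flow that collected a password and a memorable word would still fail the check, which is exactly the distinction the definition draws. The HOTP routine is checked against the published RFC 4226 test vectors so the possession element is known to be computed correctly.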
The automated movement of a customer’s funds between two accounts in their name. It is commonly used to help the customer avoid overdraft charges, repay a loan, or benefit from better interest rates.
Third-party provider (TPP)
Organisations or persons that use APIs to access customers’ accounts, in order to provide account information services and/or to initiate payments.
Technical service provider (TSP)
Companies that work with regulated providers to deliver open banking products and services.
Variable recurring payments (VRPs)
Enable customers to safely connect authorised payments providers to their bank account so that they can make payments on the customer’s behalf, in line with agreed limits. VRPs offer more control and transparency than existing alternatives, such as direct debit payments.
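The "agreed limits" in that definition are what a provider must enforce on every payment it initiates. The block below is an added example, not code from the page or from any VRP specification: it models a consent as a payee, a per-payment cap, a monthly cap and a validity window (an assumed shape, not a standard schema), then authorises a run of constructed payments against it.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// VRPConsent holds the limits the customer agreed to when connecting the
// provider. Amounts are in minor units (pence). The field set is an assumption
// made for this example, not a standard's schema.
type VRPConsent struct {
	PayeeAccount  string
	MaxPerPayment int64
	MaxPerMonth   int64
	ValidFrom     time.Time
	ValidTo       time.Time
}

type Payment struct {
	PayeeAccount string
	Amount       int64
	At           time.Time
}

// Ledger records the payments already executed under one consent.
type Ledger struct {
	payments []Payment
}

var (
	ErrPayeeMismatch   = errors.New("payee not covered by consent")
	ErrOutsideValidity = errors.New("payment date outside consent validity period")
	ErrPerPayment      = errors.New("amount exceeds per-payment limit")
	ErrMonthly         = errors.New("amount would exceed monthly limit")
)

func (l *Ledger) spentInMonth(year int, month time.Month) int64 {
	var total int64
	for _, p := range l.payments {
		y, m, _ := p.At.Date()
		if y == year && m == month {
			total += p.Amount
		}
	}
	return total
}

// Authorise checks p against c and the ledger; on success it records p so the
// periodic limit accumulates. Checks run in the order a provider would want to
// fail fast: wrong payee, expired consent, single-payment cap, periodic cap.
func Authorise(c VRPConsent, l *Ledger, p Payment) error {
	if p.PayeeAccount != c.PayeeAccount {
		return ErrPayeeMismatch
	}
	if p.At.Before(c.ValidFrom) || p.At.After(c.ValidTo) {
		return ErrOutsideValidity
	}
	if p.Amount <= 0 || p.Amount > c.MaxPerPayment {
		return ErrPerPayment
	}
	y, m, _ := p.At.Date()
	if l.spentInMonth(y, m)+p.Amount > c.MaxPerMonth {
		return ErrMonthly
	}
	l.payments = append(l.payments, p)
	return nil
}

// SampleConsent: up to £50 per payment and £100 per calendar month during 2024.
var SampleConsent = VRPConsent{
	PayeeAccount:  "12-34-56 12345678", // constructed sort code / account number
	MaxPerPayment: 5000,
	MaxPerMonth:   10000,
	ValidFrom:     time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
	ValidTo:       time.Date(2024, 12, 31, 23, 59, 59, 0, time.UTC),
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 12, 0, 0, 0, time.UTC) }

func main() {
	l := &Ledger{}
	payee := SampleConsent.PayeeAccount
	for _, p := range []Payment{
		{payee, 4000, day(2024, 1, 5)},
		{payee, 4000, day(2024, 1, 10)},
		{payee, 4000, day(2024, 1, 20)}, // would take January to £120
		{payee, 6000, day(2024, 1, 25)}, // over the £50 cap
		{payee, 4000, day(2024, 2, 1)},  // new month, allowed
		{"99-99-99 00000000", 1000, day(2024, 2, 2)},
		{payee, 1000, day(2025, 1, 2)},
	} {
		fmt.Printf("%s %6d -> %v\n", p.At.Format("2006-01-02"), p.Amount, Authorise(SampleConsent, l, p))
	}
}
```

Only authorised payments are written to the ledger, so a rejected attempt never consumes part of the monthly allowance, and the monthly total resets simply because the ledger is queried by calendar month. This is the control that gives a VRP its advantage over a direct debit: the customer's limits are checked mechanically before each payment rather than disputed afterwards.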
Entities that, although not obliged to enrol with open banking, have elected to do so to develop their own APIs and enrol onto the Open Banking Directory.
If you have any questions on the featured terminology or would like to discuss anything else in open banking, please get in touch.