After our previous posts on PSD2 timelines and the role of the EBA in determining its technical detail, the question has been asked who will define the open APIs which banks will be required to implement under the directive. The somewhat underwhelming answer is that we are not certain. Following its industry consultation, the EBA is off for a period of navel-gazing to consider the responses it has received in order to help it draft its technical standard on strong authentication and secure communication. No doubt chief amongst them will be whether the EBA itself will be defining the open API specifications.
The EBA are caught in two minds on this issue. On the one hand, they understand that open APIs are critical to PSD2 and clearly need to be defined and agreed upon by the industry. On the other, they feel that by being too prescriptive, and defining the APIs themselves, they threaten to undermine the cooperation and innovation that they are keen to foster throughout the industry. The initial noises coming from them are that they are of a mind to let the industry agree upon them first before they rubber stamp them. But what industry body could achieve that consensus on a pan-European basis?
OBWG to the rescue
The answer is probably none. So we may have to look to the UK’s Open Banking Working Group (OBWG) to provide a solution. This body was assembled in 2015 at the behest of the UK Treasury, with the coordination of the Open Data Institute (itself established by Sir Tim Berners-Lee, initial inventor of the world wide web), to deliver a framework for open banking and data sharing via APIs for the UK’s banking industry. The joint industry/government initiative recently released its report on establishing the framework for an Open Banking Standard for the UK alongside a timetable for implementation.
At first glance its objectives look quite familiar. To allow data sharing via an open standard (API) in order to facilitate innovation in the financial services industry. So far, so PSD2. Indeed the initiative was set up with one eye on the forthcoming changes from PSD2 on the horizon. But in pre-empting PSD2 it also goes a few steps further, namely to put the UK at the vanguard of setting and implementing open banking standards globally, to establish a competitive advantage for the UK’s banking industry in this new environment, and ultimately to influence how the final drafts of the PSD2 technical standards will look.
And certainly it is not too difficult to see that final point coming to pass. The OBWG has explicitly stated in its framework that it will define the API technical standards and architecture necessary to deliver its Open Banking Standard. This goes a lot further than the EBA has stated that it will, or seems prepared to, for its own PSD2 API standards. The 150 or so OBWG members spanning banks, payments companies, FinTech start-ups and other relevant experts seem to be exactly the sort of industry body the EBA would like to delegate this technical detail to. Indeed, the EBA is one of the consultative bodies the OBWG has said it will work with when defining its own standards.
There are however some subtle differences between the Open Banking Standard proposals and those of PSD2. One is their respective motivations. PSD2 has as its main focus payment initiation services whereas the Open Banking Standard is more concerned with ownership and openness of banking data. Granted the two overlap, but payment initiation is less of an immediate priority for the OBWG (although they do address it).
Another difference is in timings. It is intended that the framework for the Open Banking Framework will continually evolve and be rolled out over the next 5 years. Within that there are ambitious (its own words) timelines to be met for defining and releasing the necessary API standards. These timelines don’t perfectly align with those proposed for PSD2, especially if we take January 2018 as the date at which the directive comes into effect at a national level.
But as we saw in our previous post, the dates for the RTS on Authentication and Secure Communication are a moveable feast and may only come into force sometime in the calendar year 2019. This would loosely tie up with the Open Banking Standard dates, especially those for write access (i.e. payment initiation). Either way, if these are the best timelines the most progressive national open banking initiative in the EU can give, the EBA will have a job on its hands ensuring other countries also comply with those same dates. You can view our timeline comparison here.
UK at the helm?
So with the UK stealing a march on much of Europe on open banking, might we see the API standards that come out of its Open Banking Standard ultimately being adopted by the EBA as the standard bearer for the PSD2 APIs? It’s certainly possible. For such forward thinking initiatives on a national level (and operating at scale) are thin on the ground across the EU, and the EBA would welcome all the industry assistance it can get when defining these API specifications.
If this proves to be the case, EU banks from Finland to Portugal wishing to get ahead on their open API strategies would be well advised to stay close to this framework.