We hear a lot about the PSD2 Open Banking standard coming out of the European Union (EU); however, in response to it, and getting out ahead of the regulation, the Open Banking effort in the UK is significantly pushing forward the banking API conversation, and establishing a blueprint for doing API banking that other countries should consider.
Full version: https://streamdata.io/resource-library/blueprint-open-banking-standards-uk/
A blueprint for open banking standards in the United Kingdom
White Paper
A Blueprint For Open Banking Standards In The United Kingdom
http://streamdata.io
Prepared by:
Kin Lane
API Evangelist
New York, NY
kin.lane@streamdata.io
There has been a lot of chatter regarding the Payment Services Directive 2 (PSD2) in Europe this year, as the January 2018 deadline rolled around. While many banks are still trying to put an API strategy in place, an organization in the UK has been rolling out APIs for the country's top banks. While the results of the effort won't be known for some time, the work out of the Open Banking Implementation Entity provides the technically strongest strategy for delivering APIs across Europe and, for that matter, anywhere in the world to date.
As we work to map out the progress of PSD2 across Europe, we wanted to pause for a moment and highlight the traction regulators are getting in the UK, and break down their approach into a blueprint that regulators in France, Germany, and other EU countries can consider as they work to bring their banking industries up to speed with APIs and the PSD2 regulations. Up until now there has been a lot of talk around APIs in banking and FinTech innovation, but the UK provides a real-world example of how APIs can get done from the top down. It offers a blueprint not just for banking, but potentially for any industry looking to improve its competitive balance and open up data, content, algorithms, and other digital resources to better serve individuals, businesses, and even the government sector.
The Open Banking Implementation Entity
When studying banking APIs in the UK, one advantage is clear: there is a dedicated entity overseeing the progress banks make with APIs. “The Open Banking Implementation Entity was created by the UK’s Competition and Markets Authority (CMA) to create software standards and industry guidelines that drive competition and innovation in UK retail banking.” After publishing a report in 2016, which found that older, larger banks do not have to compete hard enough for customers’ business and that smaller banks were finding it difficult to compete in the market, the CMA proposed a number of remedies, including the Open Banking entity, to help enable individual and business customers to securely share their account information with third-party providers.
The Open Banking Implementation Entity is governed by the CMA and funded by the UK’s nine largest banks: Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group and Santander. Open Banking is set up to design and evolve the API specifications that banks can use to operate and support secure, third-party access to account and payment data on behalf of personal and business customers. It also provides guidelines for participation in the banking ecosystem, oversees the management of the directory, and handles the process for managing disputes and complaints.
Bringing Standards To The Banking API Space
Open Banking brings a standard set of banking API specifications and data standards to the table, providing a common interface which banks can implement to ensure customers’ account and payment data is available in web and mobile applications. When third-party developers build these applications, they don’t have to customize each integration for an individual bank, because all the banks speak the same language. This helps ensure applications work with many banks, and that customers can easily migrate, switch, and sync their data between providers with the assistance of third-party application developers.
Read Or Write Account And Payment APIs
Open Banking gets right to the heart of the conversation, and provides a set of API standards and data specifications for interacting with personal and business accounts, and allows for the initiation of payment transactions. The set of API standards allows banks to develop and provide API endpoints that meet an agreed-upon standard, which enables Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) to build meaningful applications that customers can put to use, augmenting the services that banks already offer.
The accounts API specification provides detailed guidance on delivering the following API paths:
• Account Requests - Requesting a new account.
• Account Details - Information about, and management of, an account.
• Account Transactions - Working with specific transactions.
• Account Beneficiaries - Understanding the beneficiaries.
• Account Balances - Getting the balance of accounts.
• Account Direct Debits - Managing direct account debits.
• Account Standing Orders - Working with account standing orders.
• Account Product - Getting details of the account product.
The payments API specification provides detailed guidance on delivering the following API paths:
• Payments - Working with payments that have occurred.
• Payment Submissions - Submitting new payments for accounts.
Open Banking provides detailed documentation for the accounts and payments APIs, with machine-readable OpenAPI definitions containing all the technical details of the surface area of the API and the underlying schema. This is the centerpiece of any banking API, and it delivers on the vision of the PSD2 guidance, allowing read and write access to customers’ data through a secure, standardized set of APIs across the banking industry.
This Open Banking guidance provides access and observability at the heart of the banking industry. It levels the playing field between large and small banks, while also standardizing the way we describe accounts and payments across all banks. It follows through on banking regulation guidance in the UK through the adoption of open API specifications and schema standards, ensuring they are not just read-only, but actually allow writing to accounts and initiating real-world payments.
Open Banking Security Profile
To secure the accounts and payments APIs, Open Banking has employed the OAuth standard, which requires all registered and approved third-party developers to obtain secure tokens from each banking customer before they can access their accounts and initiate payments. OAuth 2.0 is the foundational framework for API security in Open Banking, applied in conjunction with the Financial API (FAPI), a working group in the OpenID Foundation which has created a draft standard for the configuration of financial-grade API security practices. This provides a security standard for the platform that enjoys wider adoption and usage beyond just the banking sector, allowing applications to reach a wider audience and provide a diverse set of banking solutions.
The usage of OpenID provides full accountability for all participants: service providers can prove that they received the original request from the banking API, and the banking API can also prove that the access token that comes back was indeed the token associated with this specific payment. The combination of OpenID and OAuth provides a complete identity and access management solution, ensuring that banks’ interests are protected, as well as the security and privacy of the end customer, while still allowing trusted third-party developers to access accounts, initiate payments, and develop applications around data made available via Open Banking APIs.
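To make the accountability point above concrete, here is an added example (not code from Open Banking, FAPI, or the author of this paper) of the checks a bank's payments API would run on an access token before accepting a payment submission: signature, issuer, audience, expiry, scope, and the binding the text describes, that the token was issued for this specific payment and no other. The key, the issuer and audience URLs, and the `payment_id` claim are constructed stand-ins; a shared HMAC key replaces the asymmetric, certificate-backed signatures FAPI requires so that the block runs offline, but the validation order is the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-ins (hypothetical; not values from the Open Banking standard).
# A shared HMAC key is used so the example runs offline; FAPI itself relies on
# asymmetric, certificate-backed signatures, and the checks below apply unchanged.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://bank.example/oauth2"      # hypothetical bank authorization server
AUDIENCE = "https://bank.example/payments"  # hypothetical payments API resource


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Authorization-server side: mint a compact JWS (header.claims.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_payment_id: str,
                 now: Optional[float] = None, key: bytes = DEMO_KEY) -> dict:
    """Resource-server side: accept the token only if it is authentic, unexpired,
    issued for this API, carries the payments scope, and is bound to the payment
    being submitted. Raises ValueError with the reason otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # Verify the signature before trusting anything inside the token.
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    claims = json.loads(_b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    if "payments" not in claims.get("scope", "").split():
        raise ValueError("scope does not permit payments")
    # The binding the text describes: this token authorizes one specific payment.
    if claims.get("payment_id") != expected_payment_id:
        raise ValueError("token not bound to this payment")
    return claims


def rejects(token: str, payment_id: str, now: float) -> bool:
    """True if verify_token refuses the token (used for the negative cases)."""
    try:
        verify_token(token, payment_id, now=now)
    except ValueError:
        return True
    return False


def altered_claims(token: str, **changes) -> str:
    """Negative test case: re-encode the claims with changes but keep the old
    signature, so the resource server should see a signature mismatch."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return ".".join([header_b64, _b64url(json.dumps(claims, separators=(",", ":")).encode()), sig_b64])


if __name__ == "__main__":
    # Constructed claims for a token tied to one hypothetical payment.
    claims = {"iss": ISSUER, "aud": AUDIENCE, "exp": 2000,
              "scope": "accounts payments", "payment_id": "pmt-0001"}
    tok = issue_token(claims)
    print("same payment:", verify_token(tok, "pmt-0001", now=1000)["payment_id"])
    print("other payment rejected:", rejects(tok, "pmt-0002", now=1000))
    print("altered claims rejected:", rejects(altered_claims(tok, payment_id="pmt-0002"), "pmt-0002", now=1000))
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the server rather than taken from the token header, and the payment binding is checked last only because the earlier checks are cheaper, not because it is optional. In a real deployment the `payment_id` binding would be whatever consent or resource identifier the bank's profile defines, and the key would be looked up by the issuer's published key identifier.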
Open Data API Specifications
In addition to the read and write APIs for accounts and payments, secured by OAuth and OpenID, the Open Banking specification provides guidance on public banking data assets that should be made available. This provides up-to-date information about the latest products and services provided by banks, allowing third-party developers to build applications that go beyond just end-customer account and payment data.
Here are the five areas of public data API guidance
provided by Open Banking:
• ATMs - Details on the types and locations of ATMs for each bank.
• Branches - The location and details of all bank branches.
• Personal Accounts - Details about the personal account products from each bank.
• Business Accounts - Details about the business account products from each bank.
• Unsecured SME Loans - Details about the unsecured loan products from each bank.
• Commercial Credit Cards - Details about the commercial credit card products from each bank.
Open Banking provides detailed documentation for all six of the public API specifications, with machine-readable OpenAPI definitions containing all the technical details of the surface area of the APIs, and the underlying schema. Historically, this data is scraped from banking websites, opening up all kinds of security