Open Banking: Lessons from the UK #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 25, 2018
- 1. © Open Banking Limited 2018
Open Banking
Lessons from the UK
July 2018
Ralph Bragg
Ecosystem Technical Architect, Open Banking Limited
- 2.
INTRODUCTION
The Open Banking Implementation Entity (OBIE)
Tasked with delivering the Open Banking API standards and security architecture.
The CMA9 are the UK’s nine largest current account providers: AIBG, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS and Santander.
OBIE was set up by the CMA in September 2016.
A world leader in the implementation of the Open Banking Remedies, assisting in the delivery of the first APIs.
A private body whose governance, composition and budget were determined by the CMA.
Funded by the CMA9 and overseen by the CMA, the Financial Conduct Authority (FCA) and Her Majesty’s Treasury.
- 3.
INTRODUCTION
OBIE Creating Banking Standards
Four broad categories of standards and information necessary for the API economy:
IDENTITY: a “white list” of trusted participants and customer-relevant offerings (Open Banking UK)
REFERENCE DATA: “Open Data” API, bank product descriptions, ATM locations (Open Banking UK)
USERS DATA: “Read/Write” API, account information, payments (Open Banking UK, STET, Berlin Group, ISO 22022)
SECURITY: “mature open security standard” including consent and authorization (Open Banking UK)
- 4.
INTRODUCTION
OBIE Building an Ecosystem!
The only body in Europe mandated to ensure nationally consistent implementation, realizing an ecosystem rather than just enabling participant compliance.
IDENTITY: a “white list” of trusted participants and customer-relevant offerings
REFERENCE DATA: “Open Data” API, bank product descriptions, ATM locations
USERS DATA: “Read/Write” API, account information, payments
SECURITY: “mature open security standard” including consent and authorization
ENSURE CONSISTENT IMPLEMENTATIONS FOR ALL BANKS and THIRD PARTIES
- 5.
INTRODUCTION
OBIE scope v PSD2
Mandated common and open standard for CMA9
Open Data
Directory/Whitelist
RTS (SCA and secure communications)
Account Info + Transactions
Payment Initiation (Same Day Payments)
Personal and Business Current Accounts
£GBP
Recurring & Future Dated Payments
All payment enabled accounts (inc cards, savings, loans)
All currencies & FX
Advanced payments (e.g. SCA exemptions, Status, Refunds, Conf of Payee)
Support + Testing/Certification + Dispute Management
Legend: Original OBIE scope; PSD2 scope – STET, Berlin Group; Extended OBIE scope
- 6.
INTRODUCTION
The Open Banking Timeline (Read/Write)
Sep 2016: OBIE created
Mar 2017: Open Data v1
Jul 2017: Open Data v2
Jan 2018: Read/Write v1; PSD2 comes into force
Mar 2018: RTS published
Aug 2018: Read/Write v2
Mar 2019: Read/Write v3; RTS testing
Sep 2019: Read/Write v4; RTS application date
- 7.
OPEN BANKING UPDATE
What’s in each version
V1 (Jan 18)
• AIS (Account & Transaction Data)
• PIS (Single Immediate Payments only)
• PCA/BCA accounts in GBP
V2 (Aug 18)
• Extended AIS to all PSD2 accounts (e.g. cards, savings, mortgages)
• Still only GBP
V3 (Mar-Sep 19)
• AIS and PIS for all PSD2 accounts and all currencies
• PIS for multi-auth, FDP, SO, bulk/batch, international/FX
• CBPII fund check API
• Decoupled flows
• Enhanced CX guidelines and checklists
V4 (Sep 19)
• Notification of revocation
• TB and SCA exemptions (inc Variable Recurring Payments)
• Other TBC…
OB Directory (eIDAS compliant) + Support + Dispute Management
- 8.
What does it look like?
Open Banking in Action
- 9.
OPEN BANKING APIs
Yolt – Starling demo
- 11.
Learnings from the UK – Consistency and Conformance
Why standards alone are not enough
- 12.
LEARNINGS FROM THE UK
Transparency and collaboration
Over 2,000 representatives covering regulators, banks, fintechs/third parties, consumer organisations, consultancies, and technology providers.
Defined need to share documentation, then obtain and process structured feedback from all stakeholders at pace.
Using smart online tools (e.g. Confluence and Slack) provides transparency and helps governance, allowing more people to contribute and showing evidence that everyone has been listened to.
- 13.
LEARNINGS FROM THE UK
Regulations are open to interpretation
Example: Exemptions from Strong Customer Authentication
Merchants/TPPs want a one-click seamless customer experience (long-lived consent for payment).
Regulations allow for payments to a trusted beneficiary where the customer does not have to authenticate every time.
But this is optional - there is no requirement for banks to allow for this, and thus many do not want to.
Specific end customer use cases or outcomes would help banks, third parties and regulators understand and measure compliance and speed up adoption.
- 14.
LEARNINGS FROM THE UK
Standards are open to interpretation
Example: 9 Banks Use 6 Vendors / Security Solutions
The OAuth 2.0 Authorization Framework does not have a conformance process.
3 banks / 1 vendor differed in their interpretation of a clause from an 8 year old specification, which had a significant impact on interoperability.
The OpenID Foundation Financial-grade API Working Group is about to publish a new Implementer’s Draft with clarifications on several clauses.
Field lengths are typically not defined and thus open to interpretation.
The Open Banking API specifications undergo several iterations and corrections during design and implementation phases.
- 15.
LEARNINGS FROM THE UK
Standards alone are not enough
Open Banking Directory…
Identity: participants (ASPSPs and TPPs) can manage their own identity records, including named contacts. Provides a searchable marketplace of all regulated entities.
Trust framework: enables participants to on-board once (using their eIDAS cert if available), then create and manage additional software statements and certificates to represent each brand.
Dynamic Registration: common standards which enable TPPs to automatically discover and connect with each ASPSP, negating the need for TPPs to manually on-board with each.
Additional support services…
Liability: liability cover to protect against trading with unregulated entities.
Dispute Management: managed service to resolve issues between ASPSPs and TPPs.
Support: including access to sandboxes, testing tools and certification.
- 16.
OPEN BANKING IDENTITY CHALLENGE
Conformance and certification, a big step forward.
- 17.
OPEN BANKING IDENTITY CHALLENGE
Conformance and certification, a big step forward.
When an individual’s and an organisation’s reputation is open to public scrutiny, the quality of implementations increases significantly.
- 18.
OPEN BANKING IDENTITY CHALLENGE
Implementations may vary
Data Sourced from OpenWrks - June 2018
Regulators need to ensure that all participants understand the spirit of “Open Banking / Open Everything” and be prepared to enforce compliance with the spirit of the program, not just the letter of the law.
- 19.
The Open Banking Directory – Lowering Barriers to Entry
The identity platform and marketplace for financial institutions and trusted third party providers
- 20.
THE OPEN BANKING DIRECTORY
Problem statement
Critical for any financial API ecosystem…
Regulated parties need absolute certainty regarding the identity and real-time validity of each other’s permissions.
These parties also need an easy way to discover and securely connect with each other.
Consumers need a single view of solutions in the ecosystem, so they know who to trust.
- 21.
THE OPEN BANKING DIRECTORY
How it works – Transient Federated Trust
1. Participants (ASPSPs and TPPs) register with their local National Competent Authority (NCA).
2. They then enroll on the OB Directory (automated using their existing eIDAS certificate if available).
3. The service runs daily checks against all NCA registers across 28 EU Member States.
4. Participants can self-serve to issue and manage their software statements and software certificates.
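As an added example (not OBIE's code and not the Directory's real data model), the Python below models steps 3 and 4: a daily check of constructed NCA register snapshots decides each participant's status, an ASPSP-side check refuses a request whose role is no longer permitted today, and a comparison of two daily snapshots surfaces withdrawn permissions. Register entries, firm references and role names are constructed placeholders; "today" is taken as the summit date.

```python
from collections import namedtuple
from datetime import date
# Constructed NCA register snapshots keyed by (NCA, firm reference) -> permitted roles.
# Firm references are placeholders; roles follow the page's AIS / PIS / CBPII split.
REGISTER_YESTERDAY = {
    ("NCA-UK", "FRN-000001"): {"AIS", "PIS"},
    ("NCA-IE", "IE-000002"): {"AIS"},
    ("NCA-DE", "DE-000003"): {"AIS", "PIS", "CBPII"},
}
REGISTER_TODAY = {
    ("NCA-UK", "FRN-000001"): {"AIS", "PIS"},
    ("NCA-IE", "IE-000002"): set(),  # the NCA withdrew the AIS permission
    # DE-000003 is absent: the firm was removed from its national register
}

# cert_not_after: expiry of the eIDAS certificate used at enrolment;
# software_roles: roles the participant claims in its software statement.
Participant = namedtuple("Participant", "name nca firm_ref cert_not_after software_roles")

def daily_check(p, register, today):
    """Status the Directory records for p after checking its NCA register."""
    permitted = register.get((p.nca, p.firm_ref))
    if permitted is None:
        return "DEREGISTERED", set()
    if p.cert_not_after < today:
        return "CERT_EXPIRED", set()
    roles = p.software_roles & permitted  # claimed roles must still be permitted
    return ("ACTIVE" if roles else "SUSPENDED"), roles

def authorise(p, register, today, requested_role):
    """ASPSP-side decision: serve a request only if the role is valid today."""
    status, roles = daily_check(p, register, today)
    return status == "ACTIVE" and requested_role in roles

def revoked_since_yesterday(participants, yesterday_reg, today_reg):
    """Permissions that disappeared between two daily checks, per participant."""
    changes = {}
    for p in participants:
        key = (p.nca, p.firm_ref)
        lost = yesterday_reg.get(key, set()) - today_reg.get(key, set())
        if lost:
            changes[p.name] = sorted(lost)
    return changes

PARTICIPANTS = [
    Participant("uk-tpp", "NCA-UK", "FRN-000001", date(2020, 1, 1), {"AIS", "PIS"}),
    Participant("ie-tpp", "NCA-IE", "IE-000002", date(2020, 1, 1), {"AIS"}),
    Participant("de-tpp", "NCA-DE", "DE-000003", date(2020, 1, 1), {"AIS", "PIS"}),
]
TODAY = date(2018, 7, 25)  # the summit date from the page, used as "today"
```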
- 22.
THE OPEN BANKING DIRECTORY
Multi market ecosystem with no directory
[Diagram: TPPs, ASPSPs, NCA 1, NCA 2, NCA 3, QTSP 1, QTSP 2, QTSP 3]
- 23.
THE OPEN BANKING DIRECTORY
Multi market ecosystem with directory
[Diagram: TPPs, ASPSPs, NCA 1, NCA 2, NCA 3 and the Directory]
Single view across all markets
Simplifies connection
Reduces cost and risk