What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?
Fintech (2nd edition)
Since the transposition of PSD2 into Belgian law by the law of 11 March 2018, credit institutions must in principle open their infrastructure to authorised third party payment service providers, i.e. account information service providers (AISPs) and payment initiation service providers (PISPs). The bank holding the account is, in PSD2 terms, the account servicing payment service provider.
Account information service providers and payment initiation service providers are payment institutions within the meaning of the law of 11 March 2018. They must be authorised by the National Bank of Belgium (or, for providers offering only account information services, registered with it) before exercising their activities.
However, the piece of legislation that contains the concrete rules on opening banking infrastructure (identification of the third party provider, secure communication and dedicated interfaces), namely the Regulatory Technical Standards on strong customer authentication and common and secure communication (Commission Delegated Regulation (EU) 2018/389 of 27 November 2017, the RTS on SCA), only applies from 14 September 2019. Only from that date does open banking really take effect in Belgium.
In practice, we expect that some, if not most, Belgian credit institutions will not have an API tested and approved by the regulator ready by 14 September 2019.
To date, open banking has not been prevalent among financial institutions operating from within Bermuda. However, as the fintech industry and the development of financial technologies continue to flourish and become more sophisticated in Bermuda, open banking concepts may be developed there in future.
On April 24, 2019, the Central Bank of Brazil (“Central Bank”) published Notice No 33,455 with the main guidelines regarding the implementation of open banking in Brazil.
So far, the Central Bank has defined open banking as “the sharing of data, products and services by financial institutions and other authorized institutions, by consent of their customers (...), through the opening and integration of platforms and infrastructures of systems of information, in a safe, agile and convenient way”.
Furthermore, although implementation itself has not yet begun (it is expected to start in the second half of 2020), Brazil already has some examples of how it would work. Last year, Banco do Brasil launched a credit API (Application Programming Interface) in partnership with the fintech BxBlue, which allows customers to contract payroll-deducted loans (crédito consignado) through a fully digital process, making it the first institution to implement an open-banking-style process in Brazil.
Today, the use of open application programming interfaces (APIs) that enable third-party developers to build applications and services around existing financial institutions is not yet a reality in Chile. Nevertheless, banks in Chile do share personal information about their clients with third-party service providers through APIs under private agreements, without any mandatory regulation governing it. The parties therefore operate under free-market rules, without government regulation.
However, there is a growing belief that open banking represents the future of banking. The idea rests on the premise of a collaborative and integrated financial services ecosystem, in which the processing of consumers' personal information, including financial information, is aimed primarily at improving the user experience of the owners of that information through a diverse range of services.
In recent months, the CMF (Comisión para el Mercado Financiero, Chile's financial market regulator) issued a document called "White Paper: general guidelines for crowdfunding and related services" (the "White Paper"), which sets out the general guidelines the legislator should take into consideration when regulating fintech companies.
Although the White Paper mainly focuses on crowdfunding, it also gives some general guidelines on online banking, especially regarding robo-advisors. It states that the forthcoming regulation must establish an obligation to inform the client correctly or, in some cases, must prohibit activities in which conflicts of interest arise or are likely to arise, or where objectivity is questionable. The White Paper also affirms that it is appropriate to establish accreditation or suitability requirements for these service providers.
As regards the stage of implementation, Chile is at the initial stage of open banking.
The lack of regulation means there are no barriers hindering the entry of new actors; on the other hand, it also works against the financial industry and open banking, since that same lack of regulation generates a degree of distrust and uncertainty among the public. The legislature must work on this together with the private sector, or at least with the private sector's concerns in mind, so that the resulting legislation is not dysfunctional and does not delay the significant progress that fintech companies are making in Chile.
In the United States, while some financial institutions open their platforms and data to third-party service providers (TPPs), open banking has not been formally mandated in any broader sense. TPPs have integrated with several financial institutions, some through APIs and others through different means. In reality, the integration of banks and TPPs is becoming a necessity as the parties cooperate to deliver a myriad of services, including payments, investment management, savings and budget planners. In late 2017, in lieu of issuing regulations, the Consumer Financial Protection Bureau (CFPB) published principles for protecting consumers who authorise TPPs to access their financial data through open banking applications. Without regulations specific to open banking, such applications are governed by the contractual terms agreed between TPPs and banks.
In the UK, open banking is facilitated by the PSRs, which implement PSD2 (see answer to question 1 above for more detail), and by the work of the Open Banking Implementation Entity (the "OBIE") and other private entities and financial institutions seeking to give it effect. The PSRs provide that an account servicing payment service provider, that is, the payment service provider maintaining a payer's payment account, must allow access to AISPs and PISPs (together referred to as "third party providers" or "TPPs").
AISPs – account information service providers
AISPs are given access to a payment service user's account and transaction data, under certain conditions. This requirement applies to all account servicing payment service providers that make payment accounts accessible online, and can therefore include not only traditional banks but also e-money institutions and credit card providers. PISPs are given similar access, but in practice access will be limited to those payment accounts from which a credit transfer payment can be initiated.
The PSRs impose requirements on both the account servicing payment service provider and the AISP. The PSRs require that the account servicing payment service provider:
- Communicate securely with the AISP in accordance with the EBA RTS on SCA;
- Treat any request for data access from an AISP exactly as it would a data access request from the payment account owner; and
- Not require the AISP to enter into a contract with it.
The PSRs require that AISPs:
- Act only with the explicit consent of the payment service user (the account owner);
- Ensure the confidentiality of the payment service user's personalised security credentials;
- Communicate securely with the account servicing payment service provider in accordance with the EBA RTS on SCA;
- Restrict their access to the designated payment accounts and the associated transactions only;
- Not request "sensitive payment data"; and
- Not use, access or store any information for any purpose other than the provision of the account information service that the payment service user has explicitly requested.
In this, the PSRs implement the requirements set out in PSD2; however, the PSRs' definition of account information services is slightly narrower than that in PSD2. While PSD2 takes a broad view of an account information service as the provision of consolidated information on one or more payment accounts, the PSRs narrow this by requiring that the account information so obtained be provided "only to the payment service user" or to "the payment service user and to another person in accordance with the payment service user's instructions". In other words, any AISP registered with the FCA in the UK will need to be able to provide the account information back to the payment service user and not simply route the information to a third party.
PISPs – payment initiation service providers
Similarly, account servicing payment service providers must execute payments initiated by PISPs. The PSRs impose requirements on both the account servicing payment service provider and the PISP. The PSRs require that the account servicing payment service provider:
- Communicate securely with the PISP in accordance with the EBA RTS on SCA;
- Make available to the PISP all information about the initiation of the payment transaction, as well as all information the account servicing payment service provider has regarding the execution of the payment transaction;
- Treat any payment order exactly as it would a payment order submitted directly by the payment account owner; and
- Not require the PISP to enter into a contract with it.
The PSRs require that PISPs:
- Not hold the payer's funds at any time;
- Ensure the confidentiality of the payment service user's personalised security credentials;
- Not provide any information about the payer to anyone other than the payee, and then only with the payer's explicit consent;
- Identify themselves to the account servicing payment service provider when initiating a payment order, and communicate securely with it in accordance with the EBA RTS on SCA (see answer to question 1 above);
- Not store "sensitive payment data";
- Not request information from the payer except as necessary for the payment initiation;
- Not use, access or store any information for any purpose other than the provision of the payment initiation service that the payer has explicitly requested; and
- Not modify any feature of the initiated transaction, including the amount or the payee.
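To make the AISP and PISP duties listed above concrete from the account servicing provider's side, here is an added illustration in Python; it is not code from the OBIE, any bank or the FCA, and the PSRs prescribe none of its details. It models an ASPSP that answers an AISP request only inside an explicit, unexpired consent covering the designated accounts and the requested scope, strips the fields it classes as sensitive payment data, and executes a PISP order only when the PISP has identified itself and the order is exactly the one the payer authorised, so a modified amount or payee is rejected. The field names, the set of sensitive fields, the consent structure, the HMAC-based authorisation record held by the ASPSP and the sample ledger are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac
import json

# Assumption: the PSRs use "sensitive payment data" without listing fields;
# this illustrative set stands in for whatever the ASPSP classes as such.
SENSITIVE_FIELDS = frozenset({"pan", "cvv", "online_banking_password"})

# Constructed sample ledger: two payment accounts of one user (not real data).
LEDGER = {
    "acc-001": {"owner": "user-1", "balance": 1250, "pan": "4111111111111111",
                "transactions": [{"amount": -40, "ref": "grocery"},
                                 {"amount": 2000, "ref": "salary"}]},
    "acc-002": {"owner": "user-1", "balance": 9800, "pan": "4222222222222222",
                "transactions": [{"amount": -500, "ref": "rent"}]},
}

# Assumption: a key held only by the ASPSP, used to record which payment order
# the payer approved during SCA. The PISP never sees it.
ASPSP_AUTH_KEY = b"aspsp-demo-key-not-for-production"


class AccessDenied(Exception):
    """A TPP request that falls outside what the PSRs allow."""


@dataclass(frozen=True)
class Consent:
    """Explicit consent given by the payment service user to one AISP."""
    tpp_id: str
    user_id: str
    accounts: frozenset   # designated payment accounts only
    scopes: frozenset     # e.g. {"balances", "transactions"}
    expires_at: datetime


def serve_aisp_request(consent, tpp_id, account_id, scope, now=None):
    """Answer an AISP request as the owner's own request would be answered,
    but only within the consent and never with sensitive payment data."""
    now = now or datetime.now(timezone.utc)
    if tpp_id != consent.tpp_id:
        raise AccessDenied("request is not from the TPP named in the consent")
    if now >= consent.expires_at:
        raise AccessDenied("consent has expired")
    if account_id not in consent.accounts:
        raise AccessDenied("account was not designated by the user")
    if scope not in consent.scopes:
        raise AccessDenied("scope is not covered by the consent")
    record = LEDGER[account_id]
    if record["owner"] != consent.user_id:
        raise AccessDenied("consent was not given by this account's owner")
    # Same view the owner gets for this scope, minus sensitive fields.
    visible = {k: v for k, v in record.items()
               if k not in SENSITIVE_FIELDS and k != "owner"}
    if scope == "balances":
        return {"account": account_id, "balance": visible["balance"]}
    if scope == "transactions":
        return {"account": account_id,
                "transactions": list(visible["transactions"])}
    raise AccessDenied("unknown scope")


def _canonical(order):
    """Stable byte encoding so the same order always yields the same tag."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def authorise_payment_order(order):
    """Run by the ASPSP once the payer has completed SCA: record exactly which
    order was approved. Returns the tag checked again at execution time."""
    return hmac.new(ASPSP_AUTH_KEY, _canonical(order), hashlib.sha256).hexdigest()


def execute_pisp_order(tpp_id, order, auth_tag, authorised_tpps):
    """Execute a PISP-initiated order only if the PISP identified itself and
    the order is byte-for-byte the one the payer approved (no modified feature).
    Returns the initiation and execution information the ASPSP must share."""
    if tpp_id not in authorised_tpps:
        raise AccessDenied("PISP did not identify itself as an authorised TPP")
    if not hmac.compare_digest(authorise_payment_order(order), auth_tag):
        raise AccessDenied("order differs from the one the payer authorised")
    return {"status": "executed", "initiated_by": tpp_id, "order": dict(order)}


def denied(fn, *args, **kwargs):
    """True when a call is refused under the checks above (used in the demo)."""
    try:
        fn(*args, **kwargs)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    now = datetime(2019, 9, 14, tzinfo=timezone.utc)
    consent = Consent("tpp-A", "user-1", frozenset({"acc-001"}),
                      frozenset({"balances", "transactions"}),
                      datetime(2019, 9, 15, tzinfo=timezone.utc))
    print(serve_aisp_request(consent, "tpp-A", "acc-001", "balances", now=now))
    print(denied(serve_aisp_request, consent, "tpp-A", "acc-002", "balances", now=now))
    order = {"debtor_account": "acc-001", "payee": "payee-1", "amount": 40, "ref": "inv-1"}
    tag = authorise_payment_order(order)
    print(execute_pisp_order("tpp-A", order, tag, {"tpp-A"})["status"])
    print(denied(execute_pisp_order, "tpp-A", dict(order, amount=400), tag, {"tpp-A"}))
```

The design point is that every check sits on the account servicing provider's side: the AISP never receives a field outside its consented scope, the PISP cannot widen an order after the payer approved it, and the authorisation record is keyed with material the TPP never holds, so a compromised TPP cannot forge it.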
OBIE – the Open Banking Implementation Entity
The EU-based PSD2 and PSRs were preceded by, and are now in force concurrently with, the UK-specific OBIE provisions. The OBIE was initially set up by the UK's Competition and Markets Authority ("CMA") in 2016 to deliver open banking in the UK, in response to a CMA report on UK retail banking that found that established banks did not need to compete hard enough for customers and that new entrants to the market encountered difficulty in gaining access. The CMA Order required nine major retail banks (known as the CMA 9) to develop, through the OBIE, application programming interface ("API") standards to facilitate payment service users' access to their current account data. The OBIE has published standard implementation requirements for firms using these API standards, with a view to aligning the firms' APIs with the requirements and goals for TPP access to accounts set out in PSD2. Additional information on the OBIE, including its Customer Experience Guidelines and Technical Specifications, is published on the OBIE's website.
The OBIE conducted a three-month managed roll-out in the first quarter of 2018 to test account access by third parties, following which account holders were able to obtain access to and share their account data with third parties. The OBIE is continuing to work with the CMA 9 to improve the existing APIs, and to introduce additional functionality to boost the uptake of open banking services.
As regards the more widely applicable PSD2 and PSR requirements around open banking, once the RTS on SCA applies, all account servicing payment service providers must provide access to TPPs, whether through dedicated interfaces (such as APIs) or by direct access to the customer account, with the TPP identifying itself in either case. Before that date, account servicing payment service providers must nonetheless provide access to TPPs pursuant to the PSRs, even where access cannot be provided through dedicated interfaces. This means that "screen-scraping" (i.e. a TPP using a customer's own login details to obtain access to the relevant account) is permitted until the RTS on SCA fully applies, unless the account servicing payment service provider gives the TPP the option of obtaining access through a dedicated interface such as an API.
As regards the nature of the dedicated interface, the PSRs and PSD2 are neutral on the means of access; however, the FCA encourages the use of standardized APIs, such as those already developed by the OBIE, though many others are already developed and in use.
Implementation in practice
In practice, AISPs are already offering payment service users innovative products and services based on their account and transaction data, expanding quickly on the government's initial, relatively narrow, vision for account information services, which saw AISPs providing dashboards with an aggregated view of accounts and income and expenditure analysis. In the event, UK-registered AISPs have gone further and provide services ranging from loyalty cashback schemes run entirely through the AISP, to analysis of small and medium business cashflow needs, to speedier and more effective credit analysis. In contrast to AISPs, PISPs have been slower off the mark, with the first UK bank-to-bank payment through a PISP taking place only in June 2018.
The development of the OBIE APIs by the CMA 9 banks continues apace, with new functionality and scope being added in successive releases. The Open Banking Standards are currently at Version 3.1.3 and apply to many of the payment account products covered by PSD2, such as credit cards, e-wallets, prepaid accounts and currency accounts, and extend to other products such as loans, mortgages and savings accounts.
As for timing, the UK has effectively had a two-track implementation process for open banking, driven on one track by the OBIE and the CMA Order and on the other by PSD2. Details of the implementation timelines are published by the OBIE.
Within PSD2 sits the timeline for implementation of the RTS on SCA, which was due to apply from 14 September 2019. However, on 13 August 2019 the FCA confirmed, in response to calls from industry, that it had agreed with the EBA an 18-month phased implementation plan under which the FCA would not enforce the provisions of the RTS on SCA against firms until 14 March 2021, "where there is evidence that they have taken the necessary steps to comply with the plan". As such, firms (including card issuers) have an additional 18-month window to implement the processes and systems necessary to comply fully with the SCA requirements.
Colombian banks are sceptical about opening their interfaces to provide open banking services and client data, owing to commercial and security concerns. There are some limited initiatives by a few banks to open an API for access to client data. The Financial Regulatory Unit (URF) is currently preparing a technical assessment reviewing regulatory trends in digital identity and open banking, in order to identify obstacles and set a roadmap for an open banking initiative.
The FSC and traditional banks started to embrace "open banking" in 2019. In June 2019, Wellington L. Koo, the chairman of the FSC, publicly announced that "open banking" will be implemented in three phases in Taiwan without amending any existing laws and regulations, similar to the Hong Kong model. The FSC will allow banks to work with third-party service providers in sharing APIs. In the first phase, banks will share the "public information" on their banking products, so that consumers can easily access the product information of different banks without having to access each bank's system. Consumers will be able to check the foreign currency exchange rates, mortgage interest rates, credit card terms and conditions, etc. offered by different banks and easily compare their products. In the second phase, banks may share customer information with the customer's consent; consumers will then be able to view and check their account information held at different banks via one platform without having to access each bank's system. In the third phase, banks will be able to share "transaction information", and consumers will be able to conduct inter-bank transactions, such as wire transfers and bill payments, on one platform. The FSC asked the Bankers Association to draw up self-regulatory guidelines for banks working with third party service providers. Meanwhile, with the support of the FSC, Financial Information Service Co., Ltd. ("FISC") led a group of Taiwanese banks in launching an open API project, and a group of 15 banks will soon be launching their open banking services by allowing customers to check the "public information"...
Financial institutions are obliged to provide access to account data and payment initiation to licensed third party payment providers, on objective, non-discriminatory and proportionate terms, in accordance with the Danish Payments Act (in Danish: Lov om betalinger, lov nr. 652 af 8. juni 2017, med senere ændringer). This corresponds to the TPP regime of the revised Payment Services Directive (PSD2).
Danske Bank has launched their own open banking platform (which is used by e.g. MobilePay, Nordic API Gateway & Minna Technologies). The same tendency is seen throughout the rest of the Danish banking-sector.
Switzerland, not being a member of the European Union (EU) or the European Economic Area (EEA), did not implement the EU Payment Services Directive 2 (PSD2). Swiss banks are sceptical and do not open up interfaces to their client data. Banks are criticised for that approach, in particular by fintech start-ups whose products depend on access to such data.
PSD2 has been partially transposed in Spain, and the Royal Decree-Law already mandates that the two new categories of payment service providers have access to payment accounts in order to provide their services, provided that the account owner has given explicit consent.
In particular, the Royal Decree-Law provides that payment account users have the right to use third party payment service providers such as Payment Initiation Service Providers ("PISPs") and Account Information Service Providers ("AISPs"). Account Servicing Payment Service Providers ("ASPSPs"), which are essentially banks, are therefore obliged by law to provide access to the information on the payment accounts designated by the user and the corresponding payment transactions.
However, it is important to note that the transposition of PSD2 is not yet finalised. In April 2019 the draft Royal Decree on the legal regime of payment services and payment entities was published, but it still awaits final approval. The Royal Decree is intended to transpose the remaining content of PSD2 into the Spanish legal system, repealing Royal Decree 712/2010, of 28 May, and related legislation.
By outlining the access for new market entrants, such as payment initiation service providers (‘PISPs’) or payment account information service providers (‘AISPs’) (together referred to as ‘third party providers’ or ‘TPPs’), the PSD2 is likely to make fundamental changes to the value chain of payments and redefine the current market of online banking and cashless payment in Europe.
In Germany, the ZAG transposes the relevant PSD2 provisions (see answers to questions 1 and 2 above for more detail) on the right of PISPs and AISPs to access the customer's payment account (data), together with the related duties of banks / account servicing payment service providers and of PISPs and AISPs. The directly applicable Delegated Regulation on strong customer authentication and common and secure communication under PSD2 (Delegated Regulation (EU) 2018/389, the 'SCA-RTS') contains further details in this regard.
Service providers planning to provide payment initiation services in Germany must obtain authorisation from BaFin or, if they only provide account information services, register with BaFin. Although PISPs and AISPs are subject to lower licensing requirements than (deposit-taking) credit institutions, they must comply with a number of ongoing regulatory requirements (see answers to questions 1 and 2 above for more detail).
The Korean financial authorities have announced their plan to introduce an open banking policy that would enable access, through open APIs, to the transaction data and payment accounts held by financial institutions, including banks, and payment according to the user's payment instructions. Amendments to the Use and Protection of Credit Information Act ("Credit Information Act"), addressing access to information, and amendments to the EFTA, regulating payment according to payment instructions, are currently pending before the National Assembly.
However, as these amendments have not yet been passed, there is currently no legal obligation on financial institutions to recognise a third party service provider's right to access the information or accounts they hold. That said, open banking services are expected to become available before the amendments are passed, as the Korean financial authorities, with the Korea Financial Telecommunications & Clearings Institute (KFTC) taking the lead, are guiding banks to jointly provide an open-API-based open banking service.
Open banking is currently not mandated by law; this will change once PSD2 is implemented into Icelandic law.
Efforts have however been made by government bodies to open up competition in the financial sector as evidenced by a decision of the Icelandic Competition Authority, wherein it concluded that information about the banks’ commissions, rates, terms and conditions should be publicly issued on the banks’ websites through an open API interface, of which third parties may benefit.
Very recently, an incumbent financial institution launched an account-to-account (A2A) payment solution available to fintechs that does not require the use of any other solution offered by that institution, marking a step towards open banking.
The recently enacted PSELF, following PSD2's regulation of payment services and its provision for new service providers such as Third-Party Providers (TPPs), which include PISPs and AISPs, has paved the way for new players and solutions to enter the open banking market. Notwithstanding this, the current market trend seems to be the adoption and development of these new services by incumbent banks and other well-established players, with newcomers having little to no presence or penetration thus far. The provision of these types of services requires both PISPs and AISPs to access their clients' transaction data and other account information and security credentials held with their payment service providers, including credit institutions, provided that the TPPs obtain the necessary consent from those clients. Access by TPPs must be extensive enough to allow them to provide payment services in an unhindered and efficient manner, and may only be denied by credit institutions on an objective, non-discriminatory and proportionate basis.
In this context, a September deadline has been set for banks to make their APIs available to TPPs. In the meantime, some banks in Portugal, such as BIG and BPI, have already launched services, through SIBS, that allow their customers to access bank account information held with other credit institutions, thereby competing directly with AISPs.
Apart from TPPs, the PSELF provides that any credit institution (whether incorporated in Portugal or in another Member State) and other entities regulated under PSD2 may also provide payment initiation and account information services.
As such, and leveraging its unique position in the Portuguese payments market (as the manager and owner of the Multibanco network), SIBS has launched SIBS API Market, a platform in which 18 financial institutions take part and which allows those institutions to test their payment initiation and account information solutions, with the support of a specialised technical team, giving them access to and full use of its infrastructure.
(a) UPI interface: One of the first steps towards open banking in India in the payments space was the introduction of UPI that allows users to perform inter-bank money transfers and pay retail merchants directly from one’s bank account. Through a set of application programming interfaces (APIs), the UPI framework ensures interoperability among existing players. Currently, banks can integrate with the UPI platform to provide money transfer services to their customers and PPI issuers have also been permitted to act as payment system providers in UPI. Almost all the major banks in India now provide UPI linked payment functionality.
(b) Account aggregators: Another step towards open banking has been the issue by the RBI of the Master Directions – NBFC – Account Aggregator (Reserve Bank) Directions, 2016 dated September 2, 2016 (Account Aggregator Master Directions), which seek to regulate access to customers' financial data among banks, non-banks and other players that provide financial services. The Account Aggregator Master Directions provide a regulatory framework under which NBFCs permitted by the RBI can aggregate a customer's financial information (with the customer's consent) and share it with other financial service providers. Currently, no account aggregator is fully operational in India; however, the RBI has recently issued in-principle approvals to 5 entities to commence account aggregation services. Under the Account Aggregator Master Directions, an in-principle approval is typically valid for a period of 1 year, during which the applicant must achieve operational readiness to commence operations in compliance with the Account Aggregator Master Directions.
Banks in Peru share the personal data of their customers with third-party service providers through APIs. This is done voluntarily, under private agreements. There are no laws requiring banks in Peru to share their customers' personal data with third-party service providers.
However, there is a growing conviction that Open Banking represents the future of banking, if an integrated and collaborative financial services ecosystem is to be pursued, where the processing of consumers’ personal data, such as financial information, is primarily aimed at improving the user experience of the data subjects, through a wide range of services.
Open Banking is considered a trend in the payments ecosystem that was first introduced by the Mexican FinTech Law, and it is expected to be replicated by other countries in LATAM, including Peru. As a result, various agents that participate in the payments market, such as financial institutions, third party payment agents, and the Government itself, will have to take new legal approaches to address the new challenges that will arise from the development of open banking.
The open banking reform has not yet reached Israel. Most banks' IT systems are not adapted to it and there are no regulatory demands in this direction. We see publications by the Bank of Israel that may indicate an intention to consider applying this reform, and understand that draft directives are being discussed internally but have not yet been published for public comment. We expect the Bank of Israel to circulate a draft to the public in the next few months, and assume it will allow a long preparation period.
As part of the "Shtrum Reform", banks will be required to allow their clients access to aggregated information on all their credit cards (whether or not issued by the same bank). Additionally, banks will be required to allow access to providers of banking-cost-comparison services.
Additionally, the Bank of Israel will require Shva to allow any entity that meets Shva's system requirements to connect to the system and actually use its protocols and infrastructure. This requires Shva to publish its list of requirements.
Today, most commercial banks in Israel allow limited API access to a few specific modules. Most banks allow API access to a securities trading system, some also to foreign currency trading, and some also allow API access to limited-scale information.
The core computer systems of many banks are proprietary and relatively old, and supporting open banking will require those banks to invest in substantial IT development.
Open banking is still in its infancy. The implementation of PSD2 in Dutch law and regulations was seriously delayed: it was only implemented recently, on 19 February 2019. The Dutch implementing requirements on security measures and strong customer authentication that must be met for access to the account (XS2A) took effect even more recently, on 14 September 2019, when the European Regulation on Strong Customer Authentication became applicable.
For open banking purposes, XS2A is the most important innovation enabled by PSD2. XS2A entails the possibility for third party providers (such as AISPs, PISPs and other PSPs other than the ASPSP) to get access to online available payment accounts administered by ASPSPs subject to the explicit consent of the account holder. For the financial regulatory framework applicable to such third party providers, reference is made to paragraph 2.
XS2A was a heavily debated provision in PSD2. From the incumbent banks' perspective, that is understandable: they are confronted with an enormous competition risk. Payment transaction data, which to a great extent were an asset of the incumbent banks alone, are no longer for their exclusive use since PSD2. These transaction data can, and will, now also be used by third party providers to offer customers new services and solutions.
One critical note should be made, though: recent research shows that Dutch residents are not yet open-minded when it comes to open banking. Dutch residents appear to place great trust in the incumbent banks and do not feel comfortable granting third party providers the consent required to access their payment accounts (https://www.ey.com/nl/nl/industries/financial-services/banking---capital-markets/ey-open-banking-in-nederland).
In March 2017, the Diet enacted a bill amending the Banking Act to regulate "Electronic Payment Intermediate Service Providers" and facilitate open APIs (Application Programming Interfaces). The amendments, including the relevant subordinate regulations, came into effect on June 1, 2018. They require entities providing Electronic Payment Intermediate Services to register with the Financial Services Agency of Japan (the "JFSA"). Electronic Payment Intermediate Service Providers are defined broadly enough to include intermediaries between financial institutions and customers, such as entities using IT to communicate payment instructions to banks on behalf of customers, or entities using IT to provide customers with information about their accounts held at banks. Under the amendments, financial institutions must adopt and publish the standards on which they decide whether to enter into contracts with particular Electronic Payment Intermediate Service Providers, and must treat providers that meet those standards in a fair and non-discriminatory manner. Financial institutions intending to enter into such contracts are required to make efforts to develop an open API system within two years following that date.
As stated above, open banking is not mandated by law in Jersey as PSD and PSD2 have not been adopted in their entirety notwithstanding that elements have been incorporated in the SEPA Regulations in relation to Euro payments and payment services.
A watching brief is being maintained in Jersey on how the UK and its banks and financial institutions respond to open banking. The Jersey response is likely, to some extent, to be a reaction to the successes or limitations experienced on the UK mainland. As noted above, many banks in Jersey are part of larger banking groups and may choose voluntarily to operate to the higher standard and observe open banking practices for commercial or operational reasons.
The PSA, which implements PSD2, grants every payer with an online-accessible account the right to use the services of payment initiation service providers and/or account information service providers. Furthermore, account-holding payment service providers are now obliged by law to cooperate with those service providers, i.e. to grant access to transaction data, to treat payments executed through a service provider in the same way as payments executed by the payer, and to treat a service provider's requests for data concerning the payer's account in the same way as requests from the payer.
Because the PSA has only been in force since 1 October 2019, no information about the status of implementation is available as yet.
Open banking in Mexico is soon to become a reality following the enactment of the Fintech Law. It will be implemented through Application Programming Interfaces (“APIs”) that allow financial institutions to exchange their clients' financial data over open programming interfaces, while respecting privacy and confidentiality under the provisions of the “Ley Federal de Protección de Datos Personales en Posesión de los Particulares” (Federal Law for the Protection of Personal Data Held by Private Parties, the “Data Protection Law”).
In accordance with Article 76 of the Fintech Law, FTIs, clearing and settlement houses, traditional financial institutions, money transmitters and credit reporting companies must develop APIs allowing connectivity and access to other APIs. The effective use of APIs is, unfortunately, dependent upon the issuance of secondary regulation which, to date, has not been issued.
PSD2 introduced an unprecedented disruption in the financial industry, reducing entry barriers for new players and removing technological barriers by urging banks to allow authorised third parties access to their clients' payment account data.
Directive 2015/2366/EU ("PSD2") introduced into the 2009 Law strong customer authentication ("SCA") and Third Party Provider ("TPP") access rules, allowing access to and use of information on the availability of funds on a payment service user's account held with another payment service provider, as well as two new regulated payment service providers:
- Account Information Services Providers ("AISP"), which collect and consolidate information on the different bank payments accounts of a payment service user in a single place;
- Payment Initiation Services Providers ("PISP"), which facilitate internet payments by initiating a payment from the user's payment account to the merchant's account at the payment service user's request.
The requirements introduced by PSD2 oblige banks to make available (dedicated or "adjusted") interfaces to authorised third parties, i.e. service providers other than banks, which may access customer payment accounts with the customer's consent in order to provide new types of payment services. Since its entry into force, clients have been able to view all their bank payment accounts in a consolidated manner through their AISPs. In addition to the consultation services of an AISP, customers are able to initiate online payments via PISPs.
Banks had to provide a test environment for their technical interfaces facilitating data exchange by 14 March 2019, together with documentation enabling third party providers to test the banks’ technical interfaces with anonymised data.
Furthermore, the deadline to deploy the live environment was September 2019. According to their external communications, most major banks operating in Luxembourg implemented these PSD2 requirements on time.
The concept of open banking has just been introduced in Malta through the transposition of PSD2 into Maltese law, in particular through the introduction of a regulatory framework covering providers of account information services (‘AISPs’) and payment initiation services (‘PISPs’). Such third party providers may now be granted authorisation under the FIA, which is passported to other EU Member States.
The Personal Data Protection Act 2010 (“PDPA”) was gazetted in June 2010 and came into force in 2013. It regulates the collection, use, processing and disclosure of personal data and protects an individual's personal information processed for the purposes of commercial transactions. Section 4 of the PDPA defines ‘commercial transactions’ as “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010”. The PDPA applies to all data users. Any information, data or chain of information that allows a living individual to be identified is covered by the PDPA. Examples of data that can be considered personal data are name, address, identification card number and passport number. All individuals and organisations that process personal data in their dealings must comply with the rules set out in the PDPA; this includes financial institutions. However, the Federal Government and the State are exempted.
Further, the Malaysian Communications and Multimedia Commission was created pursuant to the Malaysian Communications and Multimedia Commission Act 1998 as a new regulator for the communications and multimedia industry in Malaysia. At the same time, the Communications and Multimedia Act 1998 (“CMA”) was passed, to fulfil the need to regulate an increasingly convergent communications and multimedia industry. The CMA is based on the basic principles of transparency and clarity, more competition and less regulation, flexibility, regulatory forbearance, administrative and sector transparency and industry self-regulation. The CMA seeks to provide a generic set of regulatory provisions based on generic definitions of market and service activities and services. The jurisdiction of the CMA is restricted to networked services and activities only.
The CMA is complementary to the PDPA and should be applied in the best interest of the public with regard to the integrity and security of an individual's personal data. The CMA also refers to the promulgation of personal data protection legislation as a means of ensuring information security and network strength and reliability.
According to the Open Banking Readiness Index published by Finastra, Singapore ranks highest in Asia-Pacific in terms of open banking readiness. At the time of writing, a number of banks (both local and international), including Citibank, DBS and Standard Chartered Bank, have allowed access to data such as transactions and credit card services.
MAS’ Chief Data Officer David Hardoon has stated that MAS has opted to take an “organic” approach to open banking. Instead of enacting laws and regulations, MAS has been encouraging banks to voluntarily give third parties access to their data.
A number of banks such as DBS and Standard Chartered Bank have voluntarily made customer data available to third party developers. MAS is proactively encouraging other banks to follow suit, and has published guidelines in this regard, including an API Playbook setting out the benchmarks for Application Programming Interfaces (“APIs”) released by banks.
Source: https://www.finastra.com/viewpoints/market-insights/finastras-open-banking-readiness, page 18.
There is currently no legislation specifically governing open banking or requiring banks to share their data with open banking service providers. However, pursuant to Articles C.2.5 and D.7.1 of the 2017 Regulations, the UAECB has the right to impose “Access” regimes and interoperability obligations on PSPs.
The UAE is one of the fastest growing markets in the Gulf Cooperation Council (“GCC”). The current use of open banking in the UAE is largely limited to e-wallets. Certain aggregation tools exist with respect to banks’ data; however, they are limited to specific banking services and are not widespread.
The use of open banking in the UAE is gaining traction with the continual advancement of e-wallets, mobile payments and real-time transfers. The use of Etisalat Wallet, Apple Pay and Samsung Pay in the UAE, inter alia, evidences the presence of open banking. Also, Emirates NBD, a major bank in the UAE, has enabled open banking collaboration by launching an API sandbox for fintech companies and other financial institutions registered in the DIFC. Five fintech companies have graduated from this initiative with a “certificate of collaboration”.
Open banking service providers that hold funds at any point (or transfer them) are categorised as payment (or money) service providers and must be licensed by the relevant authority.
Open banking is a system that provides software developers and related businesses with access to financial institutions’ data through application programming interfaces (APIs). It rests on the notion that individuals or entities may be willing to share their banking transaction details with third-party developers so that the individual end-user can enjoy more advanced and cheaper financial services. Although there are no specialised mandates or API standards for open banking in China, Chinese law shapes the growth of open banking by imposing specific restrictions on the sharing of bank customer data. Thus, China has not (yet) provided for system-wide open banking or equivalent mechanisms as the U.K. has done.
However, some major banks in China are beginning to develop some open banking services. For example, Shanghai Pudong Development Bank (SPDB) has developed its API Bank, through which SPDB embeds its banking services into Shanghai Port Service Office to process trade companies’ international payments or purchase orders online through the Shanghai Port Service Office platform in a matter of minutes. We believe China’s approach to regulating open banking will be pragmatic and organic, allowing industries to develop through experimentation and stepping in to tackle problems as they appear.