What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?
To date, open banking has not been prevalent among financial institutions operating from within Bermuda. The implementation of the Personal Information Protection Act 2016 (PIPA) in Bermuda later this year may deter Bermuda banks from pursuing open banking concepts. PIPA governs how organisations may use personal information, which must be done in a lawful and fair manner, and sets out individuals' rights in relation to personal information used by organisations. However, as the fintech industry and the development of financial technologies continue to flourish and become more sophisticated in Bermuda, open banking concepts may be developed there in future.
There is no current, or proposed, legislation to mandate open banking in the Cayman Islands.
Open banking, also known as application programming interface banking (API Banking), is currently implemented in Cyprus in line with the provisions of PSD2 and operates through platforms established by the following local banks:
- Bank of Cyprus
- Hellenic Bank
In practice, implementation of API Banking in Cyprus is currently at a 'sandbox' stage of development and has seen little uptake in the market.
In accordance with the TPP regime in PSD2, the Payments Act stipulates that operators of payment accounts will be obliged to grant authorised TPPs access to account information and payment initiation. However, the actual obligation to grant access will not take effect until September 2019. Consequently, the Payments Act will facilitate open banking in the Danish market once all of its provisions are fully effective.
Meanwhile, both Danske Bank and Nordea have launched their own individual API testing platforms for use by TPPs requesting data from those banks. To our knowledge, these testing platforms are already being heavily used by fintechs. Furthermore, the Danish fintech company Spiir, under the business name Nordic API Gateway, has launched its own API gateway through which any TPP will be able to communicate with the vast majority of banks in the Nordic region in order to deliver services to end users. This platform is based on Spiir's own original model for communicating with Danish banks as an account information provider.
With respect to open banking in Denmark, it is important to understand that, apart from the largest banks such as Danske Bank and Nordea, all other banks use an external, central data provider for their IT systems. Currently, only three such data providers operate in Denmark: SDC, BEC and Bankdata. Consequently, connecting to the vast majority of banks in Denmark requires only five points of contact (the two large banks and the three data providers).
Finland was among the first Member States to implement PSD2. The Payment Services Act, implementing PSD2, requires banks to provide access to their customers’ bank accounts to authorised third party service providers, subject to the customers' consent.
This requirement is fostering open banking and, overall, a more open financial sector in Finland. Many fintechs are currently launching new services that make use of PSD2, and larger banks have also taken steps towards open banking.
However, customers will have to wait for the new services to arrive at a larger scale, as PISPs must first obtain authorisation from, and AISPs must register with, the FIN-FSA. Existing payment service providers must also demonstrate to the FIN-FSA that they comply with PSD2 requirements before offering new services.
Most importantly, there is a delay in offering new services because the security-related provisions of PSD2, as specified in the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (SCA-RTS), are not yet applicable and will take effect only after a transitional period ending in September 2019.
During the transitional period banks are not yet required to provide dedicated interfaces through which third party service providers can access customer accounts, but interim solutions for account access are currently being developed and assessed in Finland. In addition, the FIN-FSA has encouraged all parties to comply with the SCA-RTS as soon as possible, i.e. already during the transitional period.
The legislative framework for open banking has recently changed. Articles 66 and 67 of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (DSP2, the French abbreviation for PSD2) introduced, on the one hand, a right of access to the payment account for payment initiation service providers and, on the other hand, a right of access to payment account data for account information service providers. DSP2 thus constitutes the legal basis for the trend towards opening up banks' information systems, in particular by opening market access for payment services to new providers.
As a result, it gives account information service providers a legal basis for bank account aggregation services, since the user now has the right to allow a third party access to their payment accounts.
It also enables payment initiation service providers to create a bridge between a merchant's website and the online banking platform of the payer's account servicing payment service provider, in order to initiate internet payments by credit transfer.
Data management, analytics and research services are mainly supporting services that enable the banking industry to cope with its business and with growing regulation, and as such they are widely used. Providing data and risk management or analytics and research services is in general not subject to an authorisation requirement, as long as it is merely an ancillary service to the provision of banking and business services.
Open banking is mandated by PSD2. Gibraltar has implemented PSD2 by enacting the Financial Services (Payment Services) Regulations 2018. These regulations came into force in January 2018 and apply to payment services provided in or from Gibraltar. The following activities, when carried out as a regular occupation or business activity, are payment services –
(a) services enabling cash to be placed on a payment account as well as all the operations required for operating a payment account;
(b) services enabling cash withdrawals from a payment account as well as all the operations required for operating a payment account;
(c) execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider–
(i) execution of direct debits, including one-off direct debits;
(ii) execution of payment transactions through a payment card or a similar device;
(iii) execution of credit transfers, including standing orders;
(d) execution of payment transactions where the funds are covered by a credit line for a payment service user–
(i) execution of direct debits, including one-off direct debits;
(ii) execution of payment transactions through a payment card or a similar device;
(iii) execution of credit transfers, including standing orders;
(e) money remittance;
(f) payment initiation services; and
(g) account information services.
Open Banking is not mandated by law in Malta. The full transposition of the PSD2 into Maltese law is still underway and will likely be completed by end of 2018.
As part of the implementation of the Increasing Competition and Reducing Concentration in the Banking Sector in Israel Law (Legislative Amendments), 5777-2017 (the “Shtrom Law”), an open API interface will be launched by the BOI, allowing access to the customer’s checking account. This is currently in the process of being implemented via the Supervisor of Banks at the BOI. Similarly, under the Shtrom Law, a mechanism will be introduced for comparing costs among banks for various services, which will allow service provider license-holders to receive information regarding the tariffs and prices offered by the various banks to their clients. In addition, the Minister of Finance and the Governor of the BOI have publicly stated their intention to introduce a centralized computer system to service new banks. To the best of our knowledge, the aforesaid systems are still in their preliminary development stages.
Additionally, under the provisions of the Credit Information Law, 5776-2016, the BOI is working to create a central database that will include credit data (both “negative” and “positive” credit scores of private customers) for the use of the various market entities. The BOI is currently working to establish the technological infrastructure for this database, concurrently with receiving data from the various entities that are already required to transfer data for use in the database.
In March 2017, the Diet enacted a bill amending the Banking Act to regulate "Electronic Payment Intermediate Service Providers" and facilitate open APIs (Application Programming Interfaces). The amendments, including the relevant subordinate regulations, came into effect on June 1, 2018. The amendments require entities that provide Electronic Payment Intermediate Services to register with the Japan Financial Services Agency (the "JFSA"). Electronic Payment Intermediate Service Providers are defined broadly enough to include intermediaries between financial institutions and customers, such as entities that use IT to communicate payment instructions to banks on the basis of entrustments from customers, or entities that use IT to provide customers with information about their accounts held at banks. Under the amendments, financial institutions must adopt and make public the standards on which they decide whether to enter into contracts with particular Electronic Payment Intermediate Service Providers, and must treat Electronic Payment Intermediate Service Providers that meet those standards in a fair and non-discriminatory manner. Financial institutions intending to enter into contracts with Electronic Payment Intermediate Service Providers are required to make efforts to develop an open API system within two years of the amendments taking effect.
Open banking in Mexico is soon to become a reality following the enactment of the Fintech Law and will be implemented in Mexico through the Application Programming Interfaces (APIs), allowing financial institutions to exchange financial data of their clients through open programming interfaces, respecting privacy and confidentiality under the provisions of the Federal Law on Protection of Personal Data Held by Private Parties (the ‘Data Protection Law’).
In accordance with Article 76 of the Fintech Law, fintech institutions, clearing houses, traditional financial institutions, money transmitters and credit bureaus must develop APIs allowing connectivity and access to other APIs. The characteristics of the transactions carried out by the API servers shall be subject to the general provisions issued by the Bank of México for this purpose, which to date are still pending publication.
British Virgin Islands
Open banking is not prohibited under BVI law. However, there is presently no legal framework implemented in the BVI comparable to PSD2, which operates in other jurisdictions. Most banks operating in the BVI are FDIC-registered or Canadian and would most likely adopt the market practice of the USA. Whilst both Canada and the USA have taken steps to recognise open banking, in many respects they lag behind the EU in this area of innovation. It is expected that once these markets fully embrace open banking, banks in the BVI will fall in line.
SSEK: Under Indonesian law, banks are subject to banking secrecy/confidentiality obligations, which are regulated by Law No. 7 of 1992 regarding Banking, as last amended by Law No. 10 of 1998 (the "Banking Law"). Under the Banking Law, banks and their affiliates are obliged to keep confidential information regarding their depositing customers and any sums deposited by such customers. This confidentiality obligation does not cover information provided by non-depositing customers.
However, this confidentiality of bank customers' personal data is subject to exceptions. Under the Banking Law and BI Regulation No. 2/19/PBI/2000 regarding Requirements and Procedure to Grant Written Orders or Approval to Disclose Bank Secrets, information covered by the banking confidentiality obligation may be disclosed:
a) for taxation purposes;
b) to settle a bank’s receivables that have been given to the State Receivables and Auctioning Agency (Badan Urusan Piutang dan Lelang Negara) or the State Receivables Committee (Panitia Urusan Piutang Negara);
c) for the purposes of the court in criminal cases;
d) for the purposes of the court in civil disputes between a bank and its customer;
e) for the exchange of information between banks;
f) on the written request, approval, or authority of the depositing customer; and
g) on the request of the valid heir of a deceased depositing customer.
For the disclosures mentioned in points (b) and (c), the disclosing bank must first obtain an order or written approval from the head of BI. The recipient of the disclosed information depends on the circumstance justifying the disclosure (e.g. other banks in the case of point (e); the heir in the case of point (g); the police, prosecutors or the court in the case of points (c) or (d)).
Because PSD2 has not yet been transposed into national law, no third party providers are currently active in the Portuguese market, so the open banking market in Portugal is, technically, non-existent.
The U.S. has lagged behind other countries in the promotion and adoption of open banking standards. Currently, U.S. laws and regulations do not require banks to make transaction data available to non-bank payment service providers.
Financial institutions can, however, be compelled to share information with the public or with law enforcement. Under the Bank Secrecy Act (as amended by the USA PATRIOT Act), a law enforcement agency investigating terrorist activity or money laundering may request, through FinCEN, that financial institutions provide the agency with information regarding specific people or entities.
In the summer of 2018, the U.S. Department of the Treasury published A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation, which set out the Treasury Department's vision for the integration of the fintech and traditional banking sectors. Treasury is the first government agency to publicly advocate the adoption of open banking standards to give non-bank fintechs access to bank transaction data.
The current use of open banking in the UAE is generally limited to e-wallets. However, such use is gaining traction with the continual advancements of e-wallets, mobile payments and real time transfers. Etisalat Wallet, Apple Pay and Samsung Pay, among others, evidence the presence of open banking in the UAE.
Open banking services categorised as payment (or money) services must be licensed by the relevant authority. However, to the extent an open banking service provider does not hold or transfer funds at any point, that categorisation would not apply.
As of the date of preparation of this material, Ukrainian legislation does not provide for banking transactions to be carried out by service providers other than the bank, nor for such providers to have access to information covered by bank secrecy. Authentication and verification of the client must be performed exclusively by an employee of the bank, and financial monitoring must likewise be conducted by the bank. Thus, the principles of open banking cannot yet be applied in Ukraine.
The Law of Ukraine "On electronic trustworthy services" comes into force on 07/11/2018 and provides the opportunity to use external services for the electronic authentication of a client.
In addition, a draft law amending the Law of Ukraine "On payment systems and transfer of money in Ukraine" is currently under consideration by the Ukrainian Parliament. The amendments propose to allow payment transactions to be made by third-party service providers.
In general, the amendments currently being developed are aimed at adapting the regulation of payment services in Ukraine to Directive (EU) 2015/2366 (PSD2).
As Switzerland is not a member of the European Union (EU) or the European Economic Area (EEA), it has not implemented the EU Payment Services Directive 2 (PSD2). Swiss banks are sceptical and do not open up interfaces to their client data. Banks are criticised for that approach, in particular by fintech start-ups whose products depend on having access to such data.
'Open banking' as a concept covering all kinds of financial data has not been uniformly implemented in India. However, UPI can be considered a form of 'open banking' for digital payments. It is a system developed by India's nodal retail payments organisation, the National Payments Corporation of India (NPCI), and it allows customers of UPI-enabled banks to make peer-to-peer and merchant payments seamlessly through payment apps operated by third parties using the NPCI's infrastructure. Application portability is achieved by separating the 'Payment Services Provider' (PSP) bank from the customer's remitting bank and the recipient's receiving bank. For instance, a customer of Bank A can use the UPI application of Bank B to send money to a customer of Bank C. While payment processing and settlement continue to be performed by banks, several applications are being designed and marketed by third party app developers after entering into tie-ups with banks. Examples are Google Pay, WhatsApp Pay and PhonePe, which have tied up with a host of banks such as ICICI, HDFC, Axis Bank and Yes Bank.
In the UK, open banking is facilitated by the PSRs, implementing PSD2, (see answer to question 1 above for more detail), and the work done by the Open Banking Implementation Entity (the “OBIE”) and other private entities and financial institutions seeking to implement its effect. The PSRs provide that an account servicing payment service provider – that is, the payment service provider maintaining a payer’s payment account – must allow access to AISPs and PISPs (together referred to as “third party providers” or “TPPs”).
AISPs – account information service providers
AISPs are given access to a payment service user’s account and transaction data, under certain conditions. This requirement applies to all account servicing payment service providers who make payment accounts accessible online, and can therefore include not only traditional banks but also e-money institutions and credit card providers. PISPs are given similar access, but practically speaking access will be limited to those payment accounts from which a credit transfer payment can be initiated.
The PSRs impose requirements on both the account servicing payment service provider and the AISP. The PSRs require that the account servicing payment provider:
- Must communicate securely with the AISP in accordance with the EBA RTS on SCA;
- Treat any request for data access from an AISP exactly as it would a data access request from the payment account owner; and
- Not require the AISP to enter into a contract with it.
The PSRs require that AISPs:
- Act only with the explicit consent of the payment service user (account owner);
- Ensure the confidentiality of the payment service user’s personalised security credential;
- Communicate securely with the account servicing payment service provider in accordance with the EBA RTS on SCA;
- Restrict its access to designated payment accounts and transactions only;
- Not request “sensitive payment data”; and
- Not use, access or store any information for any purpose other than the provision of the account information service that the payment service user has explicitly requested.
In this, the PSRs implement the requirements set out in PSD2; however, the PSRs definition of account information services is slightly narrower than that set out in PSD2. While PSD2 takes a broad view of account information service as the provision of consolidated information on one or more payment accounts, the PSRs narrow this by including in the definition the provision that account information thus obtained be provided “only to the payment service user” or “the payment service user and to another person in accordance with the payment service user’s instructions”. In other words, any AISP registered with the FCA in the UK will need to be able to provide the account information back to the payment service user and not simply route the information to a third party.
PISPs – payment initiation service providers
Similarly, account servicing payment service providers must execute payments initiated by PISPs. The PSRs impose requirements on both the account servicing payment service provider and the PISP. The PSRs require that the account servicing payment provider:
- Must communicate securely with the PISP in accordance with the EBA RTS on SCA;
- Make available to the PISP all information about the initiation of the payment transaction as well as all information the account servicing payment service provider has regarding the execution of the payment transaction;
- Treat any payment order exactly as it would a payment order requested directly by the payment account owner; and
- Not require the PISP to enter into a contract with it.
The PSRs require that PISPs:
- Do not hold the payer’s funds at any time;
- Ensure the confidentiality of the payment service user’s personalised security credential;
- Do not provide any information about the payer to anyone other than the payee, and then only with the payer’s explicit consent;
- Identify itself to the account servicing payment service provider upon initiating a payment order and communicate securely with the account servicing payment service provider in accordance with the EBA RTS on SCA (see answer to question 1 above);
- Not store “sensitive payment data”;
- Not request information from the payer except as necessary for the payment initiation;
- Not use, access or store any information for any purpose other than the provision of the payment initiation service that the payer has explicitly requested; and
- Not modify any feature of the initiated transaction.
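The AISP and PISP requirements above bind both sides of the interface, but the checks that matter most sit with the account servicing payment service provider: confining an AISP to the designated accounts and permissions the user consented to, stripping sensitive payment data before it leaves the bank, and refusing a payment order whose features differ from what the user authorised. The following Python sketch is an added example written for this page; it is not OBIE or PSD2 code and not any bank's API. The consent fields, permission names, the set of fields treated as "sensitive payment data" and the sample records are all assumptions chosen for illustration.

```python
"""Hypothetical ASPSP-side enforcement of the AISP/PISP rules listed above.
Not OBIE/PSD2 code; field and permission names are assumptions."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed set of "sensitive payment data": fields that would let a holder
# commit fraud. They are never returned to an AISP.
SENSITIVE_FIELDS = {"card_pan", "card_cvv", "online_banking_password", "otp_seed"}


@dataclass(frozen=True)
class Consent:
    """The PSU's explicit consent, recorded by the ASPSP when the PSU
    authorised the AISP: which TPP, which designated accounts, which data,
    and until when. Nothing outside this record is accessible."""
    consent_id: str
    tpp_id: str
    psu_id: str
    accounts: frozenset     # designated account IDs
    permissions: frozenset  # e.g. "balances", "transactions"
    expires_at: datetime


def authorise_ais_request(consent, tpp_id, account_id, permission, now):
    """True only if the request is inside the consent's scope. Any single
    mismatch refuses it: wrong TPP, undesignated account, permission never
    granted, or consent expired."""
    return (
        tpp_id == consent.tpp_id
        and account_id in consent.accounts
        and permission in consent.permissions
        and now < consent.expires_at
    )


def redact_sensitive(record):
    """Drop sensitive payment data from an account record before it is
    handed to an AISP."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


def payment_order_digest(order):
    """Canonical SHA-256 over every feature of a payment order (payee,
    amount, currency, reference). Key order does not affect the digest."""
    canonical = json.dumps(order, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def execute_payment(authorised_digest, submitted_order, tpp_id, authorised_tpp_id):
    """ASPSP check on submission: the PISP must be the one that initiated
    the order, and the order must match what the PSU authorised exactly
    (the 'not modify any feature' rule made checkable)."""
    if tpp_id != authorised_tpp_id:
        return "rejected: unknown initiator"
    if payment_order_digest(submitted_order) != authorised_digest:
        return "rejected: order modified after PSU authorisation"
    return "executed"


# Constructed sample data for the walk-through (assumptions, not real data).
NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)
SAMPLE_CONSENT = Consent(
    consent_id="consent-0001", tpp_id="tpp-aisp-42", psu_id="psu-7",
    accounts=frozenset({"acct-current-1"}),
    permissions=frozenset({"balances", "transactions"}),
    expires_at=NOW + timedelta(days=90),
)
SAMPLE_RECORD = {"account_id": "acct-current-1", "balance": "1250.40",
                 "currency": "GBP", "card_pan": "4111111111111111", "card_cvv": "123"}


def demo():
    """Run the checks over the constructed data and return the outcomes."""
    c, results = SAMPLE_CONSENT, {}
    results["in_scope"] = authorise_ais_request(c, "tpp-aisp-42", "acct-current-1", "balances", NOW)
    results["other_account"] = authorise_ais_request(c, "tpp-aisp-42", "acct-savings-2", "balances", NOW)
    results["other_tpp"] = authorise_ais_request(c, "tpp-other", "acct-current-1", "balances", NOW)
    results["expired"] = authorise_ais_request(c, "tpp-aisp-42", "acct-current-1", "balances",
                                               NOW + timedelta(days=91))
    results["redacted"] = redact_sensitive(SAMPLE_RECORD)

    order = {"payee_iban": "GB00TEST0000000000000001", "amount": "49.99",
             "currency": "GBP", "reference": "INV-1001"}
    digest = payment_order_digest(order)  # captured at the PSU's SCA step
    results["unchanged"] = execute_payment(digest, dict(order), "tpp-pisp-9", "tpp-pisp-9")
    results["tampered"] = execute_payment(digest, dict(order, amount="499.99"), "tpp-pisp-9", "tpp-pisp-9")
    results["wrong_initiator"] = execute_payment(digest, dict(order), "tpp-pisp-x", "tpp-pisp-9")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scoping the consent to named accounts and permissions is what separates a dedicated interface from screen-scraping, where the customer's own credentials give the TPP the same reach as the customer. The digest comparison is one simple way to make "not modify any feature of the initiated transaction" a check rather than a contractual promise, provided the digest is bound to the user's SCA step at the ASPSP and not merely echoed back by the PISP.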
OBIE – the Open Banking Implementation Entity
The OBIE's UK-specific provisions preceded PSD2 and the PSRs and are now in force concurrently with them. The OBIE was set up by the UK's Competition and Markets Authority ("CMA") in 2016 to deliver Open Banking to the UK, in response to a CMA report on UK retail banking that found that established banks did not need to compete hard enough for customers and that new entrants to the market encountered difficulty in obtaining access. Under the CMA's Order, nine major retail banks (known as the CMA 9) were required to develop application programming interface ("API") standards to facilitate payment service users' access to their current account data. The OBIE has published standard implementation requirements for firms using these API standards, with a view to aligning firms' APIs with the requirements and goals for TPP access to accounts set out in PSD2. Additional information on the OBIE, including its Customer Experience Guidelines and Technical Specifications, can be found here: https://www.openbanking.org.uk/providers/standards/
The OBIE conducted a three-month managed roll-out in the first quarter of 2018 to test account access by third parties, following which account holders were able to obtain access to and share their account data with third parties.
As regards the more widely applicable PSD2 and PSR requirements around open banking, 14 September 2019 is the deadline by which all account servicing payment service providers must provide access to TPPs, whether through dedicated interfaces (such as APIs) or by direct access to the customer account. This is the date on which most of the provisions of the EBA RTS on SCA become applicable; prior to this date, account servicing payment service providers must nonetheless provide access to TPPs pursuant to the PSRs, even where access cannot be provided through dedicated interfaces. This means that “screen-scraping” (i.e. a TPP using a customer’s own login details to obtain access to the relevant account) will continue to be permitted up until the deadline, unless the account servicing payment service provider gives the option to the TPP of obtaining access through dedicated interfaces such as an API.
As regards the nature of the dedicated interface, the PSRs and PSD2 are neutral on the means of access; however, the FCA encourages the use of standardized APIs, such as those already developed by the OBIE, though many others are already developed and in use.
Implementation in practice
In practice, AISPs are already offering payment service users innovative products and services based on their account and transaction data, expanding quickly on the government’s initial, relatively narrow, vision for account information services, which saw AISPs providing dashboard services providing an aggregated view of accounts and income and expenditure analysis. In the event, UK-registered AISPs have gone further and are providing payment service users with services ranging from loyalty cashback services run entirely through the AISP to analysis of small and medium business cashflow needs to speedier and more effective credit analysis. In contrast to AISPs, PISPs have been slower off the mark, with the first UK-specific bank-to-bank payment through a PISP taking place only in June 2018.
The development of the OBIE APIs by the CMA 9 banks continues apace, with new functionality and scope being added in various releases. The most recent update to the Open Banking Standards, Version 3.0, was released in September 2018, which, amongst many other things, expands the scope broadly to include products covered by PSD2. This includes: credit cards, e-wallets, prepaid accounts, currency accounts and other accounts that can be used to make payments, such as loans, mortgages and savings accounts, as defined in PSD2. Version 3.0 thereby enables compliance with PSD2.
As for timing, the UK has effectively had a two-track implementation process as regards open banking. This has been driven by, in one case, the OBIE and the CMA Order, and in the other by PSD2. Details about implementation timelines are made available by the OBIE and can be found here: https://www.openbanking.org.uk/wp-content/uploads/Open-Banking-Revised-Roadmap-July-2018.pdf
Unlike various other European jurisdictions, screen scraping is not allowed in the Netherlands. This ban on screen scraping is based on a landmark court decision in 2014. Once PSD2 is implemented, account information service providers ("AISPs") and payment initiation service providers ("PISPs") will instead be granted access to a customer's bank account ("XS2A").
Although the implementation of PSD2 has been seriously delayed, all major Dutch banks are testing their newly designed application programming interfaces (APIs) for PSD2. It is currently still unclear when AISPs and PISPs will be allowed to use the banks' PSD2 APIs.
Open banking in China so far is a purely business-driven initiative of the banks. There are no laws or regulations generally compelling, encouraging, restraining or prohibiting open banking in China. However, a bank that wants to offer open banking options must comply with the various administrative regulations, rules and policies issued by the China Banking and Insurance Regulatory Commission. These rules address the risks associated with outsourcing of information technology services or routine operating processes.
Currently, there is no legislation governing open banking in Taiwan. In the past, banks shared a strong mistrust of FinTech companies. For instance, there was an interbank budgeting and personal finance app through which users could connect to their bank accounts and track all movements on them. Although the operator insisted that users provided their bank account details and passwords voluntarily, and that the app neither breached the banks' network firewalls nor stole their customers' login credentials, the Bankers Association still advised its member banks not to cooperate with the operator. However, a positive shift in the banks' attitude occurred at the end of 2017. Several banks have begun building API ecosystems and cooperating with FinTech companies. The FSC has also required the Bankers Association to assess the feasibility of introducing open banking and releasing customer information to third-party service providers in Taiwan.
The Personal Data Protection Act 2010 ("PDPA") was gazetted in June 2010 and came into force in 2013. It regulates the collection, use, processing and disclosure of personal data and provides protection for an individual's personal information processed for the purposes of commercial transactions. Section 4 of the PDPA defines 'commercial transactions' as "any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010". The PDPA applies to all data users. Any information, data or chain of information that allows a living individual to be identified is covered by the PDPA; examples of personal data are name, address, identification card number and passport number. All individuals and organisations that process personal data in their dealings must comply with the rules set out in the PDPA, which includes any financial institution. The Federal Government and the State governments are, however, exempted.
Further, the Malaysian Communications and Multimedia Commission was created pursuant to the Malaysian Communications and Multimedia Commission Act 1998 as a new regulator for the communications and multimedia industry in Malaysia. At the same time, the Communications and Multimedia Act 1998 (“CMA”) was passed, to fulfil the need to regulate an increasingly convergent communications and multimedia industry. The CMA is based on the basic principles of transparency and clarity, more competition and less regulation, flexibility, regulatory forbearance, administrative and sector transparency and industry self-regulation. The CMA seeks to provide a generic set of regulatory provisions based on generic definitions of market and service activities and services. The jurisdiction of the CMA is restricted to networked services and activities only.
The CMA is complementary to the PDPA and should be applied in the best interest of the public as regards the integrity and security of an individual's personal data. The promulgation of personal data protection legislation was also foreseen in the CMA, to ensure information security and network strength and reliability.