European Union
Open Banking was initiated by the European Parliament in 2015, with the drafting of the revised Payment Services Directive, commonly known as PSD2. Unlike Open Banking in the UK, PSD2 requirements were vague, and as a result, the widespread adoption of a single standard has been difficult thus far. Currently, the most popular standard is the one created by the Berlin Group and its NextGenPSD2 Task Force. It offers four architecture models for authentication: redirect, OAuth 2.0, decoupled and embedded.
PSD2 entered into force on January 12, 2016, with a two-year deadline for EU member states to transpose it into national law. Two key 2019 deadlines (14 March and 14 September) have already passed for implementing the strong customer authentication requirement. However, in the UK, the FCA has announced that it will delay enforcement for 18 months where there is evidence that firms have taken the necessary steps to comply with the plan. Other countries, such as France and Denmark, are issuing similar extensions.
United Kingdom
The UK is considered the leader in Open Banking, implementing its Open Banking Standard in January 2018. It was a response to a report by the Competition and Markets Authority (CMA) indicating a lack of competition amongst big banks in the UK. The Open Banking Standard furthered PSD2 by specifically requiring banks to provide data to third parties via APIs (as of June 2019, 19 are enrolled). The Standard is determined by the Open Banking Implementation Entity, which approves participants and is doing business as Open Banking Limited, a non-profit entity. The Standard is based on OAuth 2.0 and OpenID/FAPI.
Australia
The relevant regulation in Australia is called the Consumer Data Right (CDR). It has begun with an Australian Open Banking pilot, but also has a broader focus that encapsulates numerous industries, with energy and telecom set to follow. (Ping Identity is the only vendor on the Advisory Committee for CDR.) The focus is initially around transaction data only, and standards are close to coming out of draft status. The deadline for the “big four banks” to comply is February 2020.
New Zealand
In New Zealand, Open Banking efforts have been led by the industry, with government encouragement (or threat of regulation, depending on how you see it). It’s starting off with two major banks and two fintech companies. A key driver is to reduce credit card transaction fees to 0%. The standards process supervised by Payments NZ now also involves access to account data and uses OAuth and OpenID/FAPI.
Singapore
The Monetary Authority of Singapore (MAS) has released a playbook with API standards, but has made adoption by banks voluntary. So far it’s been limited to established banks. The standard is based on OAuth 2.0 and OIDC and benefits from the national identity card system (NRIC), which has more widespread digital use and adoption than in other countries. Standards development is being facilitated by MAS in conjunction with the major banks.
Japan
The spirit of Open Banking in Japan can be described as collaboration, versus the usual regulatory approach of other jurisdictions. The Japanese Banking Act, initiated in May 2017, introduced a framework for Electronic Payments Intermediate Service Providers (similar to PSD2) and forecasts that at least 80 banks will open APIs by 2020. However, the number of APIs thus far has been low, as the focus has not been to increase competition, but rather to improve operational efficiencies.
Hong Kong
The Hong Kong Monetary Authority launched the Open API Framework in January 2019 with a four-phase approach to Open Banking-related initiatives. The initial phase is for banks to publish open APIs for third-party providers to access ‘read-only’ information on products and services. The second phase involves processing applications for financial products. The next phases cover individual account information and transactions, respectively.
United States
There has been no serious government-sponsored Open Banking policy in the United States, but several federal agencies have issued non-binding guidelines, including the Federal Financial Institutions Examination Council (FFIEC) and the Consumer Financial Protection Bureau (CFPB). Instead, there has been an industry-led approach, most notably with the Financial Data Exchange (FDX), composed of 30+ members, including many leading financial institutions. The FDX has published its own API, which is based on FAPI.
Many forward-thinking U.S.-based financial institutions are looking to emerging Open Banking standards around the world and leaning into open API business models as an innovative way to fight back against data aggregators’ insecure screen-scraping practices.