Introduction

Open banking has transformed payment services globally, enabling third-party providers to access bank data and initiate payments. This article examines regulatory frameworks across major jurisdictions.

European Union: PSD2

Overview

Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) reshaped European payment services.

Key Features

  • Open Banking (Access to Account): Banks must give licensed third-party providers (TPPs) API access to customer accounts
  • Strong Customer Authentication (SCA): Multi-factor authentication for electronic payments; exemptions for low-value, recurring, or low-risk transactions
  • Licensing Categories: Payment Institutions (PIs), Electronic Money Institutions (EMIs)
  • Liability Framework: Banks liable for unauthorized transactions unless SCA was bypassed; TPPs liable for losses caused by their own errors

Implementation

  • European Banking Authority (EBA) guidelines and RTS (Regulatory Technical Standards)
  • National competent authorities supervise and authorize PIs/EMIs
  • API standardization: Berlin Group NextGenPSD2 widely adopted
  • Revised Payment Services Directive (PSD3) proposed (2023); simplification, fraud prevention focus

United Kingdom: Open Banking and Beyond

Open Banking Framework

  • CMA Order (2017): the nine largest UK banks (the CMA9) required to provide open banking APIs
  • OBIE (Open Banking Implementation Entity): Developed standards, specifications, and governance
  • FCA Authorization: PIs, EMIs authorized; AISPs (Account Information Service Providers), PISPs (Payment Initiation Service Providers)
  • Consumer Protection: Confirmation of Payee (CoP) mandatory; mandatory reimbursement for authorized push payment (APP) fraud (2024)

Future Framework

  • Smart Data (Future Framework): Expanding beyond banking to energy, telecom, other sectors
  • Digital Identity: Development of UK digital identity framework
  • Variable Recurring Payments (VRPs): Commercial VRP rollout for non-sweeping use cases

Australia: Consumer Data Right (CDR)

Framework

  • Consumer Data Right (CDR) applies to banking (2020), energy (2022), telecom (2024)
  • Data Holders: Major banks must provide API access to accredited data recipients
  • Accreditation: ACCC accredits data recipients; enhanced requirements for payment initiation
  • Action Initiation: CDR extended to payment initiation (2024)

Singapore: API Playbook and Open Banking

Approach

  • API Playbook (2020): Voluntary framework for financial institutions
    • Standardized API specifications for account information, payments, customer onboarding
    • Industry adoption through collaboration (bank-fintech partnerships)
  • MAS-SFA-ABS Collaboration: Industry-led implementation of open banking standards
  • PayNow: Real-time payment system; integration with open banking

Hong Kong: Open API Framework

Implementation

  • HKMA Open API Framework (2019): phased implementation, with the phases listed below
    • Phase 1: Product information (completed)
    • Phase 2: Customer onboarding (completed)
    • Phase 3: Account information (in progress)
    • Phase 4: Transaction initiation (planned)
  • Commercial Data Interchange (CDI): Data-sharing platform for SME financing

India: India Stack and UPI

Digital Public Infrastructure

  • UPI (Unified Payments Interface): Real-time payment system; over 10 billion monthly transactions
  • Account Aggregator Framework (2021): Consent-based financial data sharing
  • Open Credit Enablement Network (OCEN): Digital lending infrastructure
  • Data Empowerment and Protection Architecture (DEPA): Consent-based data sharing framework

Key Features

  • Non-prescriptive regulatory approach; market-led innovation
  • Extensive adoption across merchant payments, peer-to-peer transfers
  • International expansion (UPI linking with Singapore, UAE, France)

United States: CFPB Section 1033 Rule

Proposed Rule (2023)

  • Consumer Data Rights: Financial institutions must provide consumers with access to their data
  • Scope: Deposit, credit card, transaction accounts; mortgages, loans
  • Data Recipients: Authorized third parties subject to conduct standards
  • Implementation: Final rule expected 2024-2025; phased compliance for different institution sizes

Current Landscape

  • Market-led open banking via data aggregators (Finicity, Plaid, Yodlee) operating under bilateral agreements with banks
  • Faster Payments: FedNow (2023) real-time payment system
  • State-level initiatives (California, others considering data rights)

Key Legal and Compliance Issues

Liability Allocation

  • PSD2: Banks liable for unauthorized transactions (must reimburse consumers)
  • UK: TPPs liable for errors causing loss (reimbursement to consumers)
  • Australia/others: Framework developing

Data Protection

  • GDPR (EU), UK GDPR, PDPA (Singapore), DPDP (India) apply to data sharing
  • Consent management: explicit, informed, revocable consent required
  • Purpose limitation: data used only for consented purposes
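The three consent properties above (explicit, revocable, purpose-limited) map directly onto checks an API gateway can enforce. The following is an added example written for this article, not code from any of the frameworks it describes; the class and field names, the 90-day default lifetime and the sample consent are constructed for illustration.

```python
# Added example (not from the article): a minimal consent registry for
# open-banking data sharing that enforces explicit, revocable consent and
# purpose limitation. Names, the default lifetime and the sample data are
# constructed; they are not taken from any regulation or standard.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass
class Consent:
    consent_id: str
    psu_id: str                 # payment service user who granted the consent
    tpp_id: str                 # third-party provider it was granted to
    scopes: FrozenSet[str]      # data categories explicitly agreed to
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None


class ConsentStore:
    """In-memory registry; a production system would persist and audit this."""

    def __init__(self, default_lifetime: timedelta = timedelta(days=90)):
        # 90 days is a constructed default, not a claim about any jurisdiction.
        self._consents: Dict[str, Consent] = {}
        self._default_lifetime = default_lifetime

    def grant(self, consent_id: str, psu_id: str, tpp_id: str,
              scopes: Iterable[str], now: Optional[datetime] = None) -> Consent:
        now = now or datetime.now(timezone.utc)
        consent = Consent(consent_id, psu_id, tpp_id, frozenset(scopes),
                          now, now + self._default_lifetime)
        self._consents[consent_id] = consent
        return consent

    def revoke(self, consent_id: str, now: Optional[datetime] = None) -> bool:
        """Revocation is recorded, never deleted, so later access can be audited."""
        consent = self._consents.get(consent_id)
        if consent is None:
            return False
        if consent.revoked_at is None:
            consent.revoked_at = now or datetime.now(timezone.utc)
        return True

    def authorize(self, consent_id: str, tpp_id: str, requested_scopes: Iterable[str],
                  now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Decide whether a TPP data request is covered by a live consent.

        Returns (allowed, reason); the reason is suitable for an audit log.
        Purpose limitation is the last check: any scope outside the consent
        fails the whole request rather than being silently narrowed."""
        now = now or datetime.now(timezone.utc)
        consent = self._consents.get(consent_id)
        if consent is None:
            return False, "unknown consent"
        if consent.tpp_id != tpp_id:
            return False, "consent belongs to a different TPP"
        if consent.revoked_at is not None and consent.revoked_at <= now:
            return False, "consent revoked"
        if now >= consent.expires_at:
            return False, "consent expired"
        excess = frozenset(requested_scopes) - consent.scopes
        if excess:
            return False, "scopes outside consent: " + ", ".join(sorted(excess))
        return True, "allowed"


def run_scenario() -> Dict[str, Tuple[bool, str]]:
    """Walk one constructed consent through its lifecycle and return each decision."""
    store = ConsentStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.grant("c-1", "psu-42", "tpp-a", {"accounts", "balances"}, now=t0)
    results = {
        "in_scope": store.authorize("c-1", "tpp-a", {"balances"}, now=t0),
        "out_of_scope": store.authorize("c-1", "tpp-a", {"transactions"}, now=t0),
        "wrong_tpp": store.authorize("c-1", "tpp-b", {"balances"}, now=t0),
        "expired": store.authorize("c-1", "tpp-a", {"balances"},
                                   now=t0 + timedelta(days=91)),
    }
    store.revoke("c-1", now=t0 + timedelta(days=1))
    results["after_revocation"] = store.authorize("c-1", "tpp-a", {"balances"},
                                                  now=t0 + timedelta(days=2))
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:>17}: {decision}")
```

The `now` parameter exists so the decisions are reproducible in tests; in a live gateway it would be omitted and the clock used. Note that a revoked consent stays in the store with its `revoked_at` timestamp, which is what a later supervisory or incident review needs.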

Security Requirements

  • SCA (EU): multi-factor authentication for electronic payments
  • API security standards: OAuth 2.0, OpenID Connect, and the FAPI (Financial-grade API) profiles
  • Penetration testing and security audits required
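The OAuth 2.0 and FAPI requirements above are concrete enough to check in code. The block below is an added example, not code from the article or from any FAPI implementation: it implements PKCE code-challenge generation and verification as specified in RFC 7636 (S256 method) and a `validate_authorization_request` helper that rejects a few request shapes FAPI-style profiles rule out (the `plain` PKCE method, non-`code` response types, non-exact redirect URIs). The particular set of checks, the function names and the sample request are my own choices and are deliberately a subset of what a full profile requires.

```python
# Added example (not from the article): PKCE per RFC 7636 (S256) plus a
# check of a few authorization-request constraints of the kind FAPI-style
# OAuth 2.0 profiles impose. The constraint list and all names are
# constructed for illustration and are not a complete profile.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Tuple


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: a fresh 43-character verifier and its challenge."""
    verifier = secrets.token_urlsafe(32)   # 32 random bytes -> 43 URL-safe chars
    return verifier, code_challenge(verifier)


def verify_pkce(code_verifier: str, challenge_from_auth_request: str) -> bool:
    """Server side, at the token endpoint: recompute and compare in constant time."""
    if not 43 <= len(code_verifier) <= 128:      # length bounds from RFC 7636
        return False
    return hmac.compare_digest(code_challenge(code_verifier), challenge_from_auth_request)


def validate_authorization_request(params: Dict[str, str],
                                   registered_redirect_uris: Iterable[str]) -> List[str]:
    """Return a list of violations; an empty list means the request passes these checks."""
    problems: List[str] = []
    if params.get("response_type") != "code":
        problems.append("response_type must be 'code'")
    if params.get("code_challenge_method") != "S256":
        problems.append("PKCE must use S256 (plain is not allowed)")
    if len(params.get("code_challenge", "")) != 43:
        problems.append("code_challenge missing or malformed")
    # Exact string match only: no prefix, wildcard or path-normalised matching.
    if params.get("redirect_uri") not in set(registered_redirect_uris):
        problems.append("redirect_uri must exactly match a registered URI")
    if not params.get("scope"):
        problems.append("scope missing")
    return problems


def sample_request(method: str = "S256") -> Dict[str, str]:
    """A constructed authorization request for a hypothetical TPP client."""
    _, challenge = make_pkce_pair()
    return {
        "response_type": "code",
        "client_id": "tpp-example",                    # constructed
        "redirect_uri": "https://tpp.example/callback",  # constructed
        "scope": "accounts balances",
        "code_challenge": challenge,
        "code_challenge_method": method,
    }


if __name__ == "__main__":
    registered = ["https://tpp.example/callback"]
    print("good request:", validate_authorization_request(sample_request(), registered))
    print("plain PKCE:  ", validate_authorization_request(sample_request("plain"), registered))
    v, c = make_pkce_pair()
    print("pkce ok:", verify_pkce(v, c), "tampered:", verify_pkce(v + "x", c))
```

The test vector from RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a useful regression check for any PKCE implementation; a bank-side authorization server would run `validate_authorization_request` before showing the SCA challenge to the user, so that a malformed request never reaches the authentication step.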

Practical Recommendations

  1. For TPPs: obtain the appropriate licenses or authorizations (PI, EMI, AISP, PISP) in each target jurisdiction
  2. For banks: implement compliant APIs; meet SCA requirements; allocate liability appropriately
  3. Implement consent management systems compliant with data protection laws
  4. Develop robust security and fraud prevention controls
  5. Monitor evolving regulatory requirements across jurisdictions
  6. Consider joining industry working groups for API standardization