Open Banking Overview
A developer-oriented guide to open banking standards across regions. Covers PSD2 in the EU, the Open Banking Standard in the UK, FDX and CFPB Section 1033 in the US, screen scraping vs API access, Third Party Provider (TPP) roles, consent management frameworks, and Strong Customer Authentication requirements.
What Is Open Banking
Open banking is a regulatory and technology framework that requires or encourages banks to share customer financial data with authorized third parties through standardized APIs, with the customer's explicit consent. It replaces screen scraping (where third parties log in as the customer) with direct, secure API access.
The shift from screen scraping to APIs improves reliability (no breakage when banks change their UI), security (no credential sharing), and data quality (structured responses instead of HTML parsing). Most jurisdictions are phasing out or explicitly prohibiting screen scraping as API coverage increases.
PSD2 (European Union)
The revised Payment Services Directive (PSD2) is the regulatory foundation for open banking in the EU. It mandates that banks (Account Servicing Payment Service Providers, or ASPSPs) provide APIs for authorized TPPs to access account information and initiate payments. Key provisions:
- Mandatory APIs: Banks must provide dedicated interfaces (APIs) that TPPs can use to access account data and initiate payments.
- Strong Customer Authentication (SCA): Two-factor authentication required for accessing accounts and initiating electronic payments. Factors: something the user knows, has, or is.
- 90-day re-authentication: AIS (account information) consent must be re-authenticated every 90 days.
- Passporting: A TPP licensed in one EU member state can operate across the entire EEA.
- Liability shift: Clear liability rules when payments are initiated by a PISP.
Open Banking Standard (UK)
The UK's Open Banking initiative was mandated by the Competition and Markets Authority (CMA) in 2018, requiring the nine largest UK banks to open their data. The Open Banking Implementation Entity (OBIE) defined a standardized Read/Write API specification, a Directory for TPP enrollment, and security profiles (FAPI-compliant).
Variable Recurring Payments (VRP) extend the standard beyond one-off payments, allowing TPPs to initiate recurring payments with pre-agreed parameters (maximum amount, frequency) without re-authenticating for each transaction. This is particularly relevant for subscription billing and sweeping between accounts.
FDX and CFPB Section 1033 (US)
In the US, open banking has been industry-led rather than mandated. The Financial Data Exchange (FDX) is a nonprofit that publishes a standardized API specification adopted by major banks, aggregators, and fintechs. FDX covers account data, transactions, and payment initiation, with a focus on user-permissioned data sharing.
The CFPB's Section 1033 rulemaking (proposed in 2023, with a final rule expected) will establish federal requirements for data sharing. Key provisions include consumer rights to access and share their financial data, requirements for data providers to make data available in machine-readable formats, and limitations on data use by authorized third parties.
TPP Roles
PSD2 defines three categories of Third Party Providers:
- AISP (Account Information Service Provider): Read-only access to account balances, transaction history, and account holder information. Used for budgeting apps, credit scoring, and affordability checks. Requires SCA at consent grant and every 90 days for re-authentication.
- PISP (Payment Initiation Service Provider): Initiates payments from a customer's bank account on their behalf. Used for e-commerce checkout, bill payments, and account-to-account transfers. Each payment requires SCA.
- CBPII (Card-Based Payment Instrument Issuer): Checks whether sufficient funds are available in an account to cover a card payment. Returns a yes/no confirmation without revealing the actual balance. Used by card issuers that are not the account-holding bank.
Consent Management
Consent is the foundation of open banking. Implementations must ensure that customers clearly understand what data they are sharing, with whom, for what purpose, and for how long. Key principles across jurisdictions:
- Granularity: Customers should be able to consent to specific data types (e.g., transactions but not identity) rather than all-or-nothing.
- Revocability: Customers must be able to revoke consent at any time, through the TPP or the bank.
- Time-bound: Consent has a defined expiry (90 days in EU, up to 12 months in Australia and Brazil).
- Transparency: The TPP must display the data being accessed and the purpose before requesting consent.
- Dashboard: Banks and TPPs should provide a consent management dashboard where customers can review and revoke active consents.
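As an added illustration (not code from any regulator's, OBIE's or FDX's specification), the consent principles above and the TPP role boundaries from the previous section modelled in Python: a granular, time-bound, revocable AIS consent that fails closed once the 90-day re-authentication window lapses, and a CBPII funds check that returns only yes/no. The class, function names and the sample account are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AIS_MAX_DAYS = 90  # PSD2: AIS consent must be re-authenticated every 90 days


@dataclass
class Consent:
    """One AIS consent: granular scopes, time-bound by the last SCA, revocable."""
    tpp_id: str
    scopes: frozenset           # e.g. {"balance", "transactions"}; "identity" withheld
    authenticated_at: datetime  # when the customer last completed SCA for this consent
    revoked: bool = False

    def is_valid(self, now: datetime) -> bool:
        # Fail closed: revoked, or older than the 90-day re-authentication window.
        if self.revoked:
            return False
        return now - self.authenticated_at < timedelta(days=AIS_MAX_DAYS)

    def allows(self, scope: str, now: datetime) -> bool:
        # Granularity: only the data types the customer explicitly consented to.
        return self.is_valid(now) and scope in self.scopes

    def reauthenticate(self, now: datetime) -> None:
        # After a fresh SCA: restart the 90-day window without widening the scopes.
        self.authenticated_at = now

    def revoke(self) -> None:
        # Revocability: the customer can withdraw at any time via the TPP or the bank.
        self.revoked = True


def aisp_read(consent: Consent, scope: str, now: datetime, account: dict):
    """AISP read-only access; raises unless a valid consent covers the scope."""
    if not consent.allows(scope, now):
        raise PermissionError(f"no valid consent for scope '{scope}'")
    return account[scope]


def cbpii_confirm_funds(account: dict, amount: float) -> bool:
    """CBPII confirmation of funds: a yes/no answer, never the balance itself."""
    return account["balance"] >= amount


# Constructed sample account and consent (hypothetical, not real data).
SAMPLE_ACCOUNT = {"balance": 1250.00,
                  "transactions": [{"amount": -42.10, "ref": "groceries"}],
                  "identity": {"name": "A. Holder"}}
GRANTED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CONSENT = Consent("tpp-budgeting-app", frozenset({"balance", "transactions"}), GRANTED_AT)


def days_after_grant(n: int) -> datetime:
    """Helper for exercising the expiry window relative to the sample grant time."""
    return GRANTED_AT + timedelta(days=n)
```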
Regional Comparison
| Region | Framework | Regulator | Mandated | API Standard | SCA Required | Consent Duration |
|---|---|---|---|---|---|---|
| European Union | PSD2 / Berlin Group, STET, Polish API | European Banking Authority (EBA) | Yes (2018, revised 2024) | No single standard; Berlin Group NextGenPSD2 is most adopted | Yes (SCA via 2FA for access and payments) | 90 days maximum for AIS; re-authentication required |
| United Kingdom | Open Banking Standard (OBIE) | CMA / FCA / Open Banking Implementation Entity | Yes (2018, CMA Order) | OBIE Read/Write API Specification (standardized) | Yes (FCA rules aligned with PSD2 SCA) | 90 days for AIS; long-lived consents via Variable Recurring Payments (VRP) |
| United States | FDX (Financial Data Exchange) / CFPB Section 1033 | CFPB (proposed rule), industry-led (FDX) | Partially (CFPB final rule expected; FDX is voluntary) | FDX API (industry standard, widely adopted) | No federal SCA requirement; institution-specific | Consumer-controlled; CFPB rule proposes revocable consent |
| Australia | Consumer Data Right (CDR) | ACCC / Data Standards Body | Yes (2020, phased rollout) | CDR API Standards (government-defined) | Yes (institution-specific authentication) | Up to 12 months; granular consent management |
| Brazil | Open Finance Brasil | Banco Central do Brasil | Yes (2021, phased rollout) | Open Finance Brasil API Specifications | Yes (customer authentication via institution) | Up to 12 months; renewable with customer consent |
Disclaimer: This guide provides a technical overview of open banking standards and should not be treated as legal or regulatory advice. Requirements vary by jurisdiction and are subject to change. Consult the relevant regulatory bodies and legal counsel for compliance guidance.