PSD2, Open Banking and OAuth 2.0 for API Security
Co-authored by:
Barry O'Donohoe, Senior Partner, RAiDiAM
Caren Havelock, Senior Manager, Ping Identity
Open Banking, Ltd. has recently announced the first set of technical security standards for the UK's Open Banking Standard, confirming the OAuth 2.0 family as the standard of choice for API security.
The introduction of Open Banking in the UK will transform banking as we know it. It's being watched closely by other European countries because the technical standards that emerge could become a reference point for their implementation of the upcoming European Union Payments Services Directive 2 (PSD2).
Read our press release to learn how Ping Identity delivers solutions for PSD2 and Open Banking compliance.
Designed to improve choice for customers, create more competition and stimulate innovation, the Open Banking Standard is a regulatory mandate as part of a wider package of remedies set out by the UK Competition and Markets Authority (CMA) aimed at reforming the UK retail banking market.
The regulation requires that banks operating across the UK expose standard open application programming interfaces (APIs) that enable their customers to securely share their account data with other banks and third-party providers (TPPs) once they've given their explicit consent.
TPPs may include:
Today, each bank defines its own unique interfaces for TPPs to connect to its services. Standardizing on a common set of open APIs will make interoperability much easier: TPPs will have a far clearer understanding of what they need to do to connect with banks, and will be able to build more innovative online services and applications for customers using the data they gain access to.
Open Banking, Ltd. is a new organization created by the CMA that's working with the 'CMA 9' (Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group, Santander), as well as smaller 'challenger' banks, fintechs, consumer groups and other parties, to define and develop the required API security and messaging standards that underpin open banking.
The technical security standards announced by Open Banking confirm the OAuth 2.0 family of protocols as the standard of choice for API security. OAuth 2.0 is a mature, open industry standard that gives customers a secure mechanism for delegating scoped access to TPPs wishing to act on their behalf, without the need to share their login credentials with the TPP. Once a TPP has been authorized by the customer, it can securely access their data and interact with their bank account through the APIs exposed by their bank, and only within the scope the customer granted.
UK banks are required to implement the Open Banking Standard, with the 'CMA 9' going first in January 2018, a timeline aligned with the upcoming PSD2 legislation.
To learn more about OAuth 2.0, read the Developers Guide to OAuth 2.0.
PSD2 is the product of a review of the original Payment Services Directive. It sets out a common legal framework for businesses and consumers when making and receiving payments within the European Economic Area (EEA).
There are four main areas covered across the directive: 1) a change in the geographic scope covering payments to and from EEA countries, 2) a prohibition on card surcharges across Europe, 3) third-party access to account information, and 4) increased security of online payments and account access.
There is a great deal of overlap between the latter two and the UK Open Banking Standard. The open banking initiative was set up with one eye on the forthcoming changes from PSD2, but in pre-empting PSD2 it also goes a few steps further: it expands the set of data that must be made available and specifies much more explicitly how this is done, whereas the Regulatory Technical Standards (RTS) for PSD2 are technology neutral.
With the UK leading the march of setting and implementing the Open Banking Standard nationally, the technical standards that emerge for open banking could become a reference point for other national authorities across the EU in their implementation of PSD2.
Open APIs are the next step in a digital evolution that is breaking down traditional business and security barriers, and a new approach is required to keep security postures within risk appetite. Because third-party applications will be interacting with API services, that approach must be identity-centric, ensuring that the correct level of authentication and authorization is enforced for each request. It will be underpinned by open Internet standards, including OAuth 2.0, that let a third party securely obtain delegated authorization to act on behalf of a banking customer.
Equally important in all of this, the General Data Protection Regulation (GDPR) comes into full force on May 25, 2018 for all EU countries, including the UK despite Brexit being underway. This has major implications for consumer identity and access management (Customer IAM) platforms in dealing with customer consent. Consent must be freely given, specific, informed and unambiguous, and Customer IAM will be on the front line in meeting this requirement. Fine-grained consent management, and its enforcement on an API channel being consumed by a third-party client, is non-trivial.
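To make concrete both the delegated, scoped access that OAuth 2.0 gives a TPP (described above in the section on the Open Banking security standards) and the enforcement of fine-grained consent on an API channel (the GDPR paragraph just above), the following Python is an added example written for this page; it is not code from Ping Identity, RAiDiAM or Open Banking, Ltd. and does not reflect the Open Banking API specification. The client id, scope names, account ids, redirect URI and the in-memory authorization and resource servers are all made up. It models the OAuth 2.0 authorization code grant with PKCE (RFC 7636, S256): the customer authenticates at the bank and consents to read-only access on a single account, the TPP exchanges a single-use code for an opaque access token, and the bank's API refuses anything outside the consent it recorded.

```python
"""Toy OAuth 2.0 authorization-code flow issuing consent-bound, scoped access tokens.
Illustrative in-memory bank AS and RS plus a TPP client; every name and id is made up."""
import base64, hashlib, hmac, secrets, time

class OAuthError(Exception):
    pass

def pkce_challenge(verifier):
    """S256 code challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class AuthorizationServer:
    """Bank-side AS: authenticates the customer and records what they consented to."""

    def __init__(self, clients, users):
        self.clients = clients  # client_id -> {"secret", "redirect_uri"}
        # Credentials stay at the bank; a real AS would use a slow, salted password hash.
        self.users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
        self.codes, self.tokens = {}, {}  # single-use codes / opaque tokens -> grant

    def authorize(self, username, password, client_id, redirect_uri,
                  scopes, accounts, code_challenge):
        """Customer logs in at the bank and grants consent; returns an auth code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_request")
        given = hashlib.sha256(password.encode()).hexdigest()
        if username not in self.users or not hmac.compare_digest(self.users[username], given):
            raise OAuthError("access_denied")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "sub": username,
                            "scopes": frozenset(scopes), "accounts": frozenset(accounts),
                            "code_challenge": code_challenge, "exp": time.time() + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Exchange a code for an access token after client, binding and PKCE checks."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise OAuthError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if (grant is None or grant["exp"] < time.time()
                or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri
                or pkce_challenge(code_verifier) != grant["code_challenge"]):
            raise OAuthError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {**grant, "exp": time.time() + 3600}
        return token

    def introspect(self, token):
        grant = self.tokens.get(token)
        return None if grant is None or grant["exp"] < time.time() else grant

class ResourceServer:
    """Bank API: enforces the scope and account list recorded at consent time."""

    def __init__(self, auth_server, balances):
        self.auth_server, self.balances = auth_server, balances

    def _check(self, token, scope, account_id):
        grant = self.auth_server.introspect(token)
        if grant is None:
            raise OAuthError("invalid_token")
        if scope not in grant["scopes"]:
            raise OAuthError("insufficient_scope")
        if account_id not in grant["accounts"]:  # consent is per account, not per customer
            raise OAuthError("access_denied")

    def get_balance(self, token, account_id):
        self._check(token, "accounts:read", account_id)
        return self.balances[account_id]

    def initiate_payment(self, token, account_id, amount):
        self._check(token, "payments:write", account_id)
        self.balances[account_id] -= amount
        return {"status": "accepted", "from": account_id, "amount": amount}

def run_demo():
    """Constructed walk-through: Alice grants read-only consent on one account only."""
    tpp, cb, pw = "tpp-budget-app", "https://tpp.example/cb", "correct horse battery staple"
    auth = AuthorizationServer({tpp: {"secret": "tpp-secret", "redirect_uri": cb}}, {"alice": pw})
    api = ResourceServer(auth, {"acc-001": 120.0, "acc-002": 5000.0})
    verifier = secrets.token_urlsafe(32)  # TPP side; the TPP never learns Alice's password
    code = auth.authorize("alice", pw, tpp, cb, ["accounts:read"], ["acc-001"],
                          pkce_challenge(verifier))
    token = auth.token(tpp, "tpp-secret", code, cb, verifier)
    results = {"balance": api.get_balance(token, "acc-001")}
    attempts = {"payment": lambda: api.initiate_payment(token, "acc-001", 10.0),
                "other_account": lambda: api.get_balance(token, "acc-002"),
                "code_replay": lambda: auth.token(tpp, "tpp-secret", code, cb, verifier)}
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = "allowed"
        except OAuthError as err:
            results[name] = str(err)
    return results
```

Calling run_demo() returns the balance of the consented account and three refusals: a payment attempt fails with insufficient_scope, a read of a second account fails with access_denied because consent was recorded per account, and re-presenting the authorization code fails with invalid_grant because the code was consumed on first use. The point for a Customer IAM platform is that the consent captured at authorization time (scopes plus the account list) travels with the token and is what the API enforces; the TPP holds only that token, never the customer's bank credentials.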
The provision of successful API channel services requires banks to focus on offering the best security user experience possible for their customers balanced against fraud risk. As more financial services and applications are provided by third parties, banks' customers will spend an increasing amount of time engaging in security and authorization activities, which will become a major part of the competitive landscape in the banking industry. These security platforms also offer a major opportunity for the marketing of additional financial products. For example, when a customer is being asked to select an account from which to pay for a purchase, banks could use this opportunity to offer a loan or credit agreement in real time or advertise other products for their customers.
A digital banking strategy with identity at its core is vital to not only remain competitive, but also quickly adapt and embrace new business opportunities.
Both Ping Identity and RAiDiAM have real-world, practical demos available that showcase a PSD2 and open banking compliant solution, and we're actively monitoring the regulatory technical standards being released to ensure that our solutions continue to be compliant.