a good thing!
Building a Great Open Banking Standard
The Open Banking Implementation Entity (OBIE) has built a great standard. What makes it even better is the suite of software and services that help banks and third parties reduce compliance risks and increase market adoption.
In January 2018, the UK’s largest current account providers (the CMA9) started to go live with Open Banking APIs based on version 1 of the standard developed by the OBIE. This was mandated by the CMA Order and can be considered a precursor to the requirement for all payment service providers (ASPSPs) in Europe to provide either a dedicated (i.e. API) interface or a suitably modified fall-back (i.e. screen scraping) interface by September 2019, so that regulated Third Party Providers (TPPs) can use these to provide payment services to end customers.
Version 3 will enable any ASPSP to meet their PSD2 obligations for the provision of a dedicated interface.
Version 3 of the OBIE standard was published in September 2018. This is a significant upgrade from v2, which ASPSPs went live with in the same month. It is a rich standard which contains detailed technical specifications for all PSD2 in-scope accounts, in all currencies, and is broken down as follows:
Version 3.1 of the OBIE standard is due to be published at the end of November 2018, which fixes a number of minor issues, allows for fund checks for PISPs and extends the request and response payloads of all APIs to cater to any type of corporate account.
OpenID Alignment
Critically, OBIE has now aligned further with the OpenID Foundation (OIDF) for the security model. OBIE has adopted the following specifications and is actively working with OIDF to finalise drafting. The OpenID Financial-grade API (FAPI) Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:
The FAPI Working Group is also finalising drafts for:
This alignment with OIDF and the FAPI Working Group is critical to offer best-in-class security, protecting ASPSPs, TPPs and end customers. It also has significant support from many global vendors, thus reducing delivery costs and risks.
Customer Experience is Essential to the Success of Open Banking
The standard goes much further than technical specifications. Based on significant feedback from the industry since Jan 2018 and after further clarifications from the regulators over the last few months, OBIE has developed a comprehensive set of Customer Experience Guidelines.
These are concerned with the PSU journey from a TPP’s online app or browser, through authentication within the ASPSP domain and completion in the TPP domain.
They cover both redirect and decoupled authentication methods, with example journeys for all PSD2 use cases (AIS, PIS and CBPII). They define what an ASPSP (and in some cases, a TPP) must do in order to comply with PSD2/RTS and should do in order to meet market needs and deliver the best possible user experience.
Fig 1: Example decoupled authentication flow
The customer experience guidelines are based on three core principles:
In other words, these guidelines require ASPSPs to allow parity between TPP-driven interactions and direct PSU interactions, so that TPPs are not penalised by ASPSPs and can offer services which offer a great customer experience.
Certification is About More Than Compliance
Over the last year, OBIE has developed a suite of tools which allow ASPSPs (and now TPPs) to test that they have correctly built against the OB security profile. When the tester is happy they have passed all tests, they can submit results to OBIE, who will validate and publish a certification. OBIE also publishes (with the participant’s permission) notes explaining any failures and a planned fix date, in the event the participant wishes to communicate this to the ecosystem.
Fig 2: OBIE Security Profile Certifications (as of 12 Oct 2018)
OBIE is now extending the suite and certification process to cover:
OBIE will issue certifications which not only show conformance to the OBIE standard, but will also show which elements of the standard have been implemented over and above the regulatory requirements. This will allow ASPSPs to evidence conformance to the regulators. It will also allow ASPSPs and TPPs to demonstrate how they have met additional market needs by delivering a certain standard of customer experience.
This last point can be used by ASPSPs to promote where they have a best-in-class API and hence can help these ASPSPs grow customers and revenue via partnering with TPPs.
Where Next for the OBIE Standard?
OBIE has developed a standard which has been road tested by ASPSPs and TPPs since January 2018. Version 3 builds on this and now enables compliance with PSD2 and RTS regarding a dedicated interface. However, this only works if implemented well.
The OBIE Customer Experience Guidelines will help ASPSPs and TPPs deliver Open Banking products which offer best-in-class security and a seamless customer experience. The conformance tools and certification process will allow participants to prove that they have not only met regulatory requirements, but also how well they meet additional market needs.
And OBIE will continue to deliver a roadmap of agreed changes, with version 4 of the standard due to be published in March 2019. They will also continue to build out tools and services which help the Open Banking ecosystem gain wider adoption, such as a platform for reporting performance and availability.
Open Banking has the potential to transform payment services. It should result in personal and business customers being offered better ways to move, manage and make more of their money. Payment APIs could eventually provide a faster, more secure and lower cost alternative to card schemes.
Without standards, this would be much harder to achieve. But, as we’ve seen over the last year, standards on their own are not enough. Great standards need great implementation, along with a relentless focus on the end user—the customer.
To hear more about how secure, open standards are transforming the financial system, please join me at IDENTIFY London on October 16, 2018, where I will be participating in a panel on “Enhancing Customer Experience in Financial Services” and presenting along with RAiDiAM’s John Heaton-Armstrong during a session on “The Future of Open Banking through Standards Conformance and Certification”.