However, as with all vibrant and progressive ecosystems, speed, security, and ease of use will determine open banking’s future success. That’s where SaaS comes in and plays its vital part.
Before we go into the specific role of SaaS and why it’s crucial for the future success of this booming vertical, it’s essential to look at the regulation itself.
PSD2 Open Banking gives Payment Service Users (PSUs) the legal right to share their transactional account data with regulated third party providers (TPPs). For this to be possible, the 6,000+ Financial Institutions providing transactional payment accounts that can be accessed online have to make their open banking APIs accessible to regulated TPPs. These APIs give TPPs the access required to either make payments on an account holder’s behalf or view account data and funds, both of which require the account holder’s prior explicit consent.
Access can only be denied if a TPP is believed to be unauthorised or fraudulent.
Article 68 (5) of PSD2 states that a Financial Institution “may deny an account information service provider or a payment initiation service provider access to a payment account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or that payment initiation service provider”.
Open banking regulation has given rise to a new group of FinTechs who are seizing the opportunity to create innovative apps and products with the customer at the core of the offering.
At the end of 2019, 240 TPPs from across the EEA and UK were regulated to provide open banking services. A year later, this figure had increased to 450. This excludes the thousands of credit institutions that are also able to act in the capacity of TPPs. The near doubling of regulated TPPs in a single year demonstrates user demand for the innovative products and services these organisations offer – it is now down to trust and security in the ecosystem, along with ease of use, to drive volumes.
Open banking should be a more attractive proposition than card payments, both for the end-user and merchants. For the end-user, there are no card details to be remembered nor endless forms to be completed. For merchants, there is no clearing and settlement to go through, and, of course, merchant service charges are absent.
With the customer journey having all the ingredients for open banking to be a resounding success, making sure there is secure interaction between all those involved in any one transaction is paramount.
The ability for TPPs, many of whom may be unknown to these Financial Institutions, to request immediate access to valuable data and funds presents many challenges and risks – all of which must be addressed without introducing potential friction in the customer journey.
The main challenges are knowing whether a TPP is who it claims to be and whether it is regulated to provide the services being requested at the time of the transaction request. Knowing which markets within the EEA a TPP is authorised to operate in adds a further difficulty.
Financial Institutions have long been the trusted guardians of their customers’ data and funds. Although the open banking model means the customer now has ultimate control of their data, it is still primarily the Financial Institution’s responsibility to ensure nothing goes wrong.
Checking a TPP’s identity, its current regulated status and the services it is requesting to perform are essential but not easy tasks to complete.
Firstly, a Financial Institution needs to determine whether a TPP is who it claims to be. This is done by validating the PSD2 eIDAS certificate the TPP presents back to the Qualified Trust Service Provider (QTSP) that issued it, which requires real-time access to the trust anchors and revocation status of the 70+ QTSPs able to issue PSD2 eIDAS certificates. These certificates carry the requisite information on a TPP’s identity (its PSD2 authorisation number, its home NCA and the PSP roles it was authorised for when the certificate was issued) and come in two forms: website authentication certificates (QWACs) secure the connection between Financial Institutions and TPPs, and electronic seal certificates (QSealCs) digitally seal messages, ensuring the integrity of the content and proof of origin.
However, an eIDAS certificate can have up to a two-year validity period. During this time, changes may have been made to a TPP’s regulatory authorisation status by its home Member State National Competent Authority (NCA). This introduces significant risk to the Financial Institution’s decision process.
eIDAS certificates also do not contain information on the countries a TPP is authorised to provide their products and services into under passporting rules. This information is held on the TPP’s home NCA registers. Between them, the 31 NCAs maintain over 115 databases and registers. Checking them at the time of a transaction request is paramount to prevent fraudulent TPPs from slipping through the net.
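The two checks described above, the identity data inside the certificate and the current status on the home NCA register, can be put together as follows. This is an added example, not Konsentus or QTSP code: it decodes the PSD2 QcStatement defined in ETSI TS 119 495 (OID 0.4.0.19495.2, with the PSP role OIDs under 0.4.0.19495.1) from a QCStatements extension value, parses the subject organizationIdentifier, and then consults a register before allowing access. The DER blob, the TPP identifiers and the register dictionary are constructed inline as stand-ins for the TPP's real certificate and a live NCA register query, and the example assumes the certificate chain has already been validated to the QTSP's trust anchor and checked for revocation.

```python
"""Added example (not Konsentus or QTSP code): decode the PSD2 QcStatement
(ETSI TS 119 495, OID 0.4.0.19495.2) carried in an eIDAS certificate and
combine it with a register lookup before granting a TPP access.
The DER blob, identifiers and the register dict are constructed inline;
a real deployment would take the QCStatements extension from the TPP's
certificate and query the home NCA register live."""
import re
from datetime import date
from typing import Optional

PSD2_QCSTATEMENT_OID = "0.4.0.19495.2"
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}

# --- minimal DER helpers (SEQUENCE 0x30, OID 0x06, UTF8String 0x0C) ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_qcstatements(roles, nca_name: str, nca_id: str) -> bytes:
    """Constructed test data: a QCStatements value (RFC 3739) holding the
    generic QcCompliance statement plus the PSD2QcType statement."""
    role_seq = b"".join(_tlv(0x30, _oid(o) + _tlv(0x0C, n.encode()))
                        for o, n in roles)
    psd2 = _tlv(0x30, _tlv(0x30, role_seq) + _tlv(0x0C, nca_name.encode())
                + _tlv(0x0C, nca_id.encode()))
    return _tlv(0x30, _tlv(0x30, _oid("0.4.0.1862.1.1"))
                + _tlv(0x30, _oid(PSD2_QCSTATEMENT_OID) + psd2))

def parse_psd2_statement(qcstatements: bytes) -> Optional[dict]:
    """Return {'roles': [...], 'nca_name': .., 'nca_id': ..} or None."""
    _, outer, _ = _read_tlv(qcstatements, 0)
    pos = 0
    while pos < len(outer):
        _, stmt, pos = _read_tlv(outer, pos)
        _, oid_body, p = _read_tlv(stmt, 0)
        if _decode_oid(oid_body) != PSD2_QCSTATEMENT_OID:
            continue                      # e.g. QcCompliance: not ours, skip
        _, psd2, _ = _read_tlv(stmt, p)
        _, roles_body, p = _read_tlv(psd2, 0)
        roles, rp = [], 0
        while rp < len(roles_body):
            _, role, rp = _read_tlv(roles_body, rp)
            _, roid, q = _read_tlv(role, 0)
            _, _name, _ = _read_tlv(role, q)   # roleOfPspName, informational
            roles.append(ROLE_OIDS.get(_decode_oid(roid), _decode_oid(roid)))
        _, nca_name, p = _read_tlv(psd2, p)
        _, nca_id, _ = _read_tlv(psd2, p)
        return {"roles": roles, "nca_name": nca_name.decode(),
                "nca_id": nca_id.decode()}
    return None

def parse_org_identifier(org_id: str):
    """subject organizationIdentifier 'PSD<CC>-<NCA>-<PSP id>' (TS 119 495)."""
    m = re.fullmatch(r"PSD([A-Z]{2})-([A-Z]{2,8})-(.+)", org_id)
    if not m:
        raise ValueError(f"not a PSD2 organizationIdentifier: {org_id!r}")
    return m.group(1), m.group(2), m.group(3)

def access_decision(cert: dict, register: dict, role: str,
                    aspsp_country: str, today: date) -> str:
    """Certificate checks first, then the register: the certificate only
    reflects the TPP's status at issuance, up to two years earlier."""
    if today > cert["not_after"]:
        return "deny: certificate expired"
    psd2 = parse_psd2_statement(cert["qcstatements"])
    if psd2 is None:
        return "deny: no PSD2 QcStatement"
    if role not in psd2["roles"]:
        return "deny: role not in certificate"
    home, nca, psp_id = parse_org_identifier(cert["org_id"])
    entry = register.get((home, nca, psp_id))   # stand-in for a live NCA query
    if entry is None or entry["status"] != "authorised":
        return "deny: not currently authorised on NCA register"
    if role not in entry["roles"]:
        return "deny: role withdrawn on NCA register"
    if aspsp_country != home and aspsp_country not in entry["passports"]:
        return f"deny: not passported into {aspsp_country}"
    return "allow"

# Constructed sample: the certificate still lists PSP_AI and PSP_PI, but the
# (constructed) register shows PSP_PI withdrawn and no passport into FR.
CERT = {"org_id": "PSDDE-BAFIN-123456", "not_after": date(2022, 12, 31),
        "qcstatements": build_qcstatements(
            [("0.4.0.19495.1.3", "PSP_AI"), ("0.4.0.19495.1.2", "PSP_PI")],
            "Federal Financial Supervisory Authority", "DE-BAFIN")}
REGISTER = {("DE", "BAFIN", "123456"): {"status": "authorised",
            "roles": {"PSP_AI"}, "passports": {"AT", "NL"}}}

if __name__ == "__main__":
    for role, country in [("PSP_AI", "DE"), ("PSP_PI", "DE"), ("PSP_AI", "FR")]:
        print(role, country, "->",
              access_decision(CERT, REGISTER, role, country, date(2021, 6, 1)))
```

The order of checks matters: the certificate alone would have allowed the PSP_PI request, because it was valid when issued, and only the register consultation reveals that the role has since been withdrawn and that the TPP is not passported into the requesting country.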
According to the Konsentus Q4 TPP tracker, every country in the EEA had at least 75 TPPs that could provide open banking services. These are not all home-regulated TPPs. Take, for instance, Germany, which had 35 home-regulated TPPs in December 2020 but also an additional 112 TPPs that could passport in their services. To do the requisite due diligence on all these TPPs would require online access to all the databases and registers hosted by the NCAs regulating them.
Although we have undoubtedly seen a drop in passporting numbers over the past few months as a result of UK TPPs no longer being able to passport their services into other countries, the number of regulated TPPs in each country remains high, and our data shows that cross-border transactions are becoming the norm rather than the exception.
PSD2 (through the Regulatory Technical Standards on strong customer authentication and secure communication) requires the interface a Financial Institution offers to TPPs to be as available and performant as the online interfaces it provides to its own customers. Regulatory checking therefore has to fit inside that performance budget: if it adds latency to the API call, it adds friction to the customer journey.
This means connecting to the 31 NCAs, interrogating over 115 separate registers in real-time, and connecting with all the QTSPs who issue PSD2 eIDAS certificates.
For a Financial Institution to do this successfully in-house is resource-intensive and costly, and requires constant maintenance and upkeep, alongside product evolution to keep pace with regulatory change.
However, the benefit of using a SaaS directory service for both eIDAS and regulatory checking removes this complexity. It provides Financial Institutions with the confidence and peace of mind that appropriate due diligence is performed. Their customers’ account data and funds are protected without introducing friction or obstacles in the user journey.
When a Financial Institution is presented with an eIDAS certificate by a TPP, if a real-time online connection can be made to all the legal sources of record, the Financial Institution can make an instant, informed risk management decision on whether or not to give the TPP access.
All this can be done behind the scenes without the end user even being aware of what is happening.
Open Banking has grown at a phenomenal rate over the past 12 months. Over seven hundred million open banking transactions were reported in the UK alone in January 2021 – more than double the previous year’s monthly figure.
There is also evidence suggesting a growing spectrum of innovative products and services being offered to the market. Apart from account aggregation capabilities, other solutions range from confirmation of funds and personal finance management to automated spending, accounting services and loyalty programmes.
Anecdotal evidence from across the EEA also shows that although the UK may be ahead of the curve when it comes to volumes, it is only a matter of time before other countries also see significant monthly transactions.
Konsentus recently did some modelling (using post-Brexit data) to forecast open banking API volumes for the EEA from January 2021 to December 2022. The methodology was based on UK volumes as reported by OBIE and the Konsentus TPP tracker data.
OBIE’s API call volume was increased by 25% to reflect the UK market and set the UK API trend line. The total native and passported-in TPPs for each EEA NCA as of January 2021 was cross-referenced with the UK API trend line’s relative position. This determined the start point with volumes extrapolated based on the UK curve. API volumes were then adjusted as per the population in each country.
Findings suggest that in March 2021, the UK and EEA’s total volume was 1.2bn API calls – but that it would reach 7.1bn by the end of December 2022.
What is interesting to see is that six markets currently make up 95% of all open banking transactions. Over the next two years, more countries will see significant usage, with the overall share of the top six diminishing. By December 2022, 13 countries will be seeing more than 100m API calls per month, with the UK, Germany, Spain, France, and Italy all experiencing over 500m API calls per month.
With numbers set to accelerate, what happens if something does go wrong and who is responsible?
There is very little in PSD2 regulation about disputes and dispute management processing. Unlike card schemes, where rule books determine the processes and steps to be followed for disputes, this is lacking in open banking – an additional reason why it is so crucial for Financial Institutions to have correct checking procedures in place to minimise the risk of fraud. If something does go wrong, responsibility would typically reside with the Financial Institution.
Having a permanent record of all transaction requests is essential when it comes to dispute management processing. Konsentus Verify utilises Amazon’s Quantum Ledger Database (QLDB), a centrally managed ledger whose append-only journal is cryptographically verifiable (it uses a hash-chained journal rather than a distributed blockchain), to power its immutable log. Every time the Konsentus Verify solution is called, a record of the transaction request and its data lineage is preserved. The information cannot be altered and is locked on record. We act as an open and transparent conduit between the NCAs and our customers, the Financial Institutions. Any attempt to alter the data after the fact would be detectable.
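The property an immutable log provides, that a later edit to any earlier record is detectable, is shown below with a plain SHA-256 hash chain. This is an added example, not Konsentus Verify or Amazon QLDB code: each entry commits to the digest of the entry before it, so changing a record, or recomputing one entry's digest to hide the change, breaks verification at or after that point. The access-decision records and the tampering are constructed inline.

```python
"""Added example (not Konsentus Verify or Amazon QLDB code): a hash-chained
append-only log of TPP access decisions with tamper detection.
Records and the tampering below are constructed for the demonstration."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64   # digest "before" the first entry

def _digest(prev: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = prev + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append(chain: List[dict], record: dict) -> dict:
    """Append a record; its digest covers the previous entry's digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "digest": _digest(prev, record)}
    chain.append(entry)
    return entry

def verify(chain: List[dict]) -> Optional[int]:
    """Index of the first inconsistent entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["digest"] != _digest(prev, entry["record"]):
            return i
        prev = entry["digest"]
    return None

def demo_tamper():
    """Build a 3-entry log, flip one decision, then try to cover it up.
    Returns (verify before, verify after edit, verify after cover-up)."""
    chain: List[dict] = []
    for rec in [   # constructed sample decisions, same TPP id format as above
        {"ts": "2021-03-01T09:00:00Z", "tpp": "PSDDE-BAFIN-123456",
         "role": "PSP_AI", "decision": "allow"},
        {"ts": "2021-03-01T09:00:05Z", "tpp": "PSDDE-BAFIN-123456",
         "role": "PSP_PI", "decision": "deny"},
        {"ts": "2021-03-01T09:01:00Z", "tpp": "PSDGB-FCA-654321",
         "role": "PSP_AI", "decision": "allow"},
    ]:
        append(chain, rec)
    intact = verify(chain)
    chain[1]["record"]["decision"] = "allow"          # after-the-fact edit
    after_edit = verify(chain)
    chain[1]["digest"] = _digest(chain[1]["prev"], chain[1]["record"])  # cover-up
    after_coverup = verify(chain)
    return intact, after_edit, after_coverup

if __name__ == "__main__":
    print(demo_tamper())
```

The cover-up attempt only moves the inconsistency one entry later, because entry 2 still commits to the old digest of entry 1; hiding the edit would mean rewriting every later entry, which is why the head digest of such a log is anchored somewhere the operator cannot silently rewrite.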
Using a SaaS solution protects Financial Institutions against regulatory changes, such as the move from open banking to open finance. As the ecosystem evolves and there is a need to communicate with different regulated organisations in different ways, the same APIs can be deployed to talk with more organisations. There is no need to change what has already been put in place. As another example, if another country joins the EEA, a SaaS solution would proactively obtain the additional information and provide it alongside current data without any further heavy lifting from the Financial Institution.
With open banking set to evolve over the next few years, deploying a SaaS solution like Konsentus Verify removes the complexity of in-house design, build and maintenance of a TPP identity and regulatory checking solution. Players within the ecosystem can safely interact with the confidence that they are being protected against loss of data or funds and other associated risks.
Chief Commercial Officer and co-founder of Konsentus, Brendan is a recognised payments expert and thought leader. He previously held director roles at MBNA and Bank of America in addition to previously working at Datacard and Giesecke & Devrient UK.