“It’s important to know why there is open banking,” began Fred Giuliani, head of information technology at Spuerkeess. After the 2008 financial crisis, the European Union decided to implement legislation to prevent such a crisis from happening again. This led to more capital requirements for banks, as well as more supervision and regulation, which made banks safer than before. But it also hindered competition, he explained.
To change this, new players--third-party providers--were brought in. “These third-party providers were not subject to the same rules that banks are,” explained Giuliani. “The idea was to get a new actor on the market. And it would bring in innovation and bring more competition to the banking market itself. And that’s where open banking came.”
Customers can allow third-party providers access to their accounts, which enables them to access their bank accounts in other institutions or countries. Some fintechs emerged as competitors to banks, while others complemented banks--Revolut and N26 are some examples. But banks themselves can also serve as the third-party provider, said Giuliani.
The Payment Services Directive 2, or PSD2, has been in place since 2015. “But actually, what we call open banking--so the fact that banks have to publish APIs [application programming interfaces]--is really from 2019,” when another directive was put in place, said Anne-Sophie Morvan, head of business & legal affairs at Luxhub, an open banking API platform founded by Spuerkeess, BGL BNP Paribas, Banque Raiffeisen and Post Luxembourg. Luxhub operates a technical platform on which it makes APIs compliant, then standardises, secures and publishes them.
An API is “a little tool that enables two systems to speak to each other,” she explained. APIs, for example, can allow account information service providers to retrieve data from a person’s bank account--subject to their consent. “If you have different banks, it can be very interesting to have an app in which you can see your different payment accounts, what is the amount of your payment accounts.”
Spuerkeess, for example, has a technology that enables clients to see several accounts in their web banking. “It is a big success,” said Morvan. “Every time I speak to people, and they don’t know anything about open banking in Luxembourg, I tell them, ‘Well, do you have an account at Spuerkeess or BGL or another large bank, where you’ve noticed you can aggregate your accounts?’” This is open banking, and “this is possible because you have a regulation that enables you to retrieve your data from another bank.”
“You can also initiate payments from outside of your web banking. In principle, when you do a wire transfer, you always have to log in to your web banking, etc.” Morvan gave an example of how open banking could be used. “If you’re on Amazon, for instance, you want to pay for something, but you don’t have a credit card, you can use what we call a payment initiation service provider that enables you to initiate this payment--you do your strong customer authentication of your bank, and then your payment is initiated. It’s a wire transfer, but it’s not in your web banking, but from outside.”
Another example--age authentication via open banking APIs
However, Morvan noted that there are many banks that have decided to go beyond what is “mandatory” and have published other kinds of APIs. In Luxembourg, this is unfortunately not the case; but banks in Germany, France and Spain have gone forward with these. “There are a large number who have decided that the data they have on their customers can have a huge value,” she said. “Of course, if a bank provides this data to a third party, this is subject to the consent of the person who is actually the owner of the data.”
For example, say that a person wishes to enter a gaming website that requires users to be 18 years or older. “If you’re a customer of Deutsche Bank, you can say, ‘Okay, let’s take my age based on my bank account.’ So if the website has integrated the API of Deutsche Bank, there is a simple check--you do your strong customer authentication with your phone, like usual, and then your age is validated because the bank does your KYC [know your client].”
Many banks have understood the value of all the knowledge and data they have and how it can benefit their customers. To continue the example with the gaming website, Morvan said, “If I am a Deutsche Bank customer, I can simply do a check. Whereas, what should I do if I’m not a Deutsche Bank customer? Well, I have to send a copy of my ID.” Sending a copy of the ID takes extra time and means a person is giving away more data.
“So this is, let’s say, open banking in an unregulated way. It’s legal, but it’s not mandatory,” said Morvan.