One Year In: Who Has Capitalised on Open Banking Opportunities

Regulation and Compliance

Neira Jones

Apr 24, 2019

Open banking opportunities -- happening slowly but surely

Well, it’s finally here, isn’t it? After a few years of industry debate over the finer points of the 2nd Payment Services Directive (PSD2), an implementation date of January 2018 (although some, like the Dutch, have been slightly late), we should now be more familiar with Open Banking. After all, it is supposed to bring about more competition, innovation and security, for the benefit of consumers at large. Did the consumers notice? Research suggests not yet, as consumers are largely unaware, banks are largely late and Third Party Providers (TPPs) still feel they have to fight their corner. But it’s still early days, and some may argue that incumbent banks have to contend with very complex infrastructures, but all claim to be able to meet the new deadlines agreed with the Competition & Markets Authority:

The last Open Banking deadline, as can be seen above, was on 13th March 2019 for the CMA9 to be ready for interface testing. The next deadline for banks to implement the specification is 14th September 2019, so let’s watch this space...

But to recap, what was all the fuss about? Essentially, Open Banking was brought about by PSD2. Open Banking is also the term used in the UK for the enactment into UK law of the directive. The term “Open” essentially refers to the opening up of what were previously closed banking infrastructures into a fairer and more competitive ecosystem.

Having said that, the last year saw a few interesting developments, from credit risk, to lending with MortgageGym and M&S, investments with Zopa, accounting with FreeAgent and of course the numerous payments developments, with Klarna, not forgetting the more traditional players, with Natwest, BBVA, HSBC, Lloyds Bank, Santander and many others, whilst not forgetting that Open Banking is not just for the financial services sector.

In the UK, Open Banking is an initiative by the Competition & Markets Authority (CMA) which launched in February 2017. The UK’s largest banks (the CMA9), RBS, Lloyds, Barclays, HSBC, Santander, Nationwide, Danske, Bank of Ireland and Allied Irish Bank were mandated to provide a new “read-only data standard” and a “read/write data standard for third party to access information. Yolt (as an Account Information Service Provider, AISP) and Lloyds Bank (as an Account Servicing Payment Service Provider, ASPSP) were first to make a successful account information transaction in January 2018. In June 2018, Token became the first licensed Payment Information Service Provider (PISP) to complete an end-to-end transaction using Open Banking APIs with Santander (as the ASPSP).

In order to enable competition and innovation, the CMA required that the standards to be developed by the CMA9 used Open APIs and conformed to standards on data formatting and security, including for authorisation and authentication. This is why new entrants, who generally do not have the capabilities or resources to develop separate interfaces (or API connectivity) to numerous banking private APIs, were now able to connect to numerous banks using just one standard (at least per EU country, but that’s another story...). And indeed, in the UK, the TPP registrations are coming fast and furious with 118 TPPs registered as at 19th April 2019...

For those who have been observing the market closely, it becomes apparent that incumbent banks will naturally fall into four separate categories depending on the strategy they choose to implement Open Banking:


When I present this diagram to the delegates on my Payments 101 training course, the usual answer for the “Vegetate” option is “Do Nothing.” Of course, you will have realised by now that “Do Nothing” is not an option, as for everything regulatory. This option simply means that banks will only do the strict minimum not to fall foul of their compliance obligations with PSD2, and they will simply open up their infrastructures through APIs (XS2A) or a modified online banking interface to cater for TPP authentication. This, to the most limited extent possible, enables TPPs to execute payment initiation & account information services, and is a purely defensive strategy, where banks act as ASPSPs for payment initiation and account information.


This second option is a little bit more sophisticated. This is where banks (ASPSPs) realise that they have in fact invested in a whole new infrastructure for third party access to payment services, but that they can use that very same infrastructure to develop & expose new services through APIs that go beyond basic payment initiation and account information services. Whilst this is still a defensive strategy, and is still mostly focused on compliance, it can potentially generate new revenue streams for banks, leveraging account information and, for example, digital identity (after all, we still trust the banks...).


Whilst this option is still focused on compliance (as one must), banks (as ASPSPs), suddenly realise that as they have just developed a whole new infrastructure to give access to potential competitors, those very same bank competitors have done exactly the same thing! This is when they begin acting as Third Party Providers themselves (yes, banks can be both ASPSPs and TPPs!). Here they also add an offensive strategy by offering (basic) payment initiation & account information services to other institutions, such as Barclays, and many others.


This last option, as you may have guessed, is the Holy Grail of Digital Transformation. It combines all previous stages, enabling third parties (whatever they may be) to build applications & services around the bank. This is where banks are poised to become true digital players, based on open APIs/ interfaces, competing for customer relevance and ownership, and start creating ecosystems.

But how well prepared are banks to emerge out of their chrysalis? According to Juniper, none as yet, although BBVA is making some pretty good headway.

Of course, Open Banking and Real Time Payments as new industry drivers also bring new challenges, including fraud and cybercrime, which I explored in this previous post, and this one.

But if we focus on innovation and competition in the payments industry, the story wouldn’t be complete if we didn’t look at Big Tech and their strategies. Technology companies, unlike banks start with a digital foundation. Building ecosystems is not new to them, this is what they do. Look at Amazon (does anyone think that Amazon built the Echo to become a hardware manufacturer?), or Alibaba. Essentially, their starting point is Strategy Number 4 “Own It”. So where do they go from there? Well, in my view, not up to some mythical “Strategy Number 5”, as they have to come down somewhere in the middle.

Why, may you ask? Simply put, a digital ecosystem trying to enter a heavily regulated industry (e.g. payments), invariably falls in the scope of the applicable regulations. We saw this happen in 2014 when eBay split from Paypal. Essentially, eBay wanted to remain an unrestricted ecommerce marketplace, and Paypal, as a payment company, would always be subject to increased regulation (amongst other factors, of course. But more recently, Alipay’s parent company Ant Financial announced that technology services — not payments — will be its main business in the future.

Conversely, banks are used to being heavily regulated and are striving to become more technology led, and Christine Lagarde, MD of the International Monetary Fund, warned of banks’ digital struggles.

Where will banks and Big Tech meet up in the future to reach a happy medium? Your guess is as good as mine.

Related topics

Global Payments Open Banking

Posted by

Neira Jones

Neira Jones is an independent advisor and international speaker, partner for the Global Cyber Alliance, and ambassador for the Emerging Payments Association.
Browse all posts
footer curve