Building The World’s First Open Banking Standard

  • 10.01.2023 08:55 am

Why Was Open Banking Needed?

To appreciate the importance of the UK standard, we must first understand the background of its creation. Since the emergence of the internet, financial services have been changing. Customers no longer have to visit branches and can interact with their accounts online through internet banking and, more recently, mobile apps. This catalysed innovative players to give customers a combined view of their finances which no longer required a one-to-one interaction with their bank.

The concept of customers granting third-party access to their bank account has been around for roughly 20 years in applications such as lending, personal finance and wealth management. Legacy models were typically based on ‘credential sharing’ and ‘screen scraping’, requiring customers to give their username and password to a third party, who would then impersonate the customer and screen scrape their account.

This approach had a number of problems. Firstly, it was inherently insecure because it encouraged users to share passwords, which is widely acknowledged as bad practice since it makes users much more susceptible to phishing scams. Secondly, there was no concept of a trust framework to ensure only regulated firms had access to such data and to put controls in place to limit access to the parameters of consent granted by the user. Lastly, building screen scraping applications was complex, expensive to maintain and, once delivered, these applications often proved unreliable. The approach to data sharing needed to change.

Towards the end of the 2000s, the UK Government started getting serious about open data. It began publishing large sets of open non-personal data and launched midata, which was one of the first legislative drivers to open up data from banks as well as telcos and energy companies. In 2014, HM Treasury’s Open Data Institute published the Fingleton Report, which mistakenly claimed that “the cost of implementing data access is unlikely to surpass £1 million for a bank”. Financial institutions were “less confident” about costs and expected them to “be much higher”, the report noted.

Then in 2016, the Competition and Markets Authority published its pivotal Retail Banking Market Investigation, which aimed to improve customer outcomes and boost competition by enabling smaller, newer banks to challenge larger incumbents. One of the key recommendations in this report was open banking, which would boost competition by requiring banks to grant third parties open access to their data. In parallel, the PSD2 was taking shape in Europe.

The CMA’s report was followed by an Order which was stricter than PSD2, requiring the CMA9 banks (AIB, Bank of Ireland, Barclays, Danske, HSBC, Lloyds, Nationwide, NatWest and Santander) to participate in the creation of the Standard, leading to the formation of the OBIE and the development of the UK open banking standard.

“The CMA order was very much designed to make banks work harder for their customers,” Huw Davies, CCO and Co-Founder of Ozone API, said. “There was some immediate pain, but in the longer-term, it has been a tremendous catalyst for growth and innovation, which is very positive for the ongoing health of the industry.”

Creating the Open Banking Standard

One of the key requirements of the CMA Order was the creation of the OBIE - which was and is funded by the CMA9 (although it is due to be replaced by a new and currently unnamed organisation). This is where the founders of Ozone API met and worked together for the first time.

Chris Michael, CEO and Co-Founder of Ozone API, led the teams which created the UK open banking standard. He was also Chair of the UK Open Banking Technical Design Authority and Open Banking API Forum, collaborating with other standards bodies and market initiatives globally.

Chris said: “We worked with banks, fintechs, and other technology companies in a very collaborative manner to develop the Standard. At first, we had very positive engagement with both banks and fintechs. We were all trying to achieve the same goal: coming up with a standard that enables real, working use cases.

“The attitude of banks changed when they realised how complex, difficult and expensive it was to build open banking infrastructure. Many of the banks had started off thinking it would be a straightforward compliance exercise. They underestimated the challenge.”

Banks needed to do more than simply implement an API layer. Behind the scenes, they had a lot of work to do in order to make their core systems, web and mobile banking apps ready for APIs. The Regulatory Technical Standards (RTS) that went alongside PSD2 were confusing and overly prescriptive in certain areas, actually preventing many use cases. This led the banks to push back against aspects of the CMA Order which they regarded as out of the scope of the PSD2 or an extension of its intent.

To move forward, the team drafted the standard iteratively and enabled collaboration by putting these drafts out for peer review on a regular basis. All the work was carried out in public, with Chris chairing over 200 open workshops between January 2017 and March 2021, which were attended virtually or in person by more than 2,000 individuals across the industry. Every decision and draft specification was published in Confluence, and all stakeholders were encouraged to provide feedback on this platform - which was also made freely and publicly available to ensure transparency and prevent one firm or person from influencing the standard to suit their own agenda.

The team also went through a process of devising use cases and building working prototypes which vividly showed banks the benefits of open banking and drove a renewed focus on building a standard that enabled those key use cases.

“We saw a big shift,” Chris Michael said. “Banks started to realise that open banking is a good thing - and it's beneficial for them as well. We iterated through many different published drafts, inviting feedback and then creating new versions. This collaborative model was very powerful, leading to the creation of a standard that much of the rest of the world has now built on.”

Chris and the team took a very different approach to other standards bodies and open banking initiatives around the world. Many of these were set up by banks or collections of banks, leading to a governance model in which banks decided on what they were willing to do and then wrote a standard which suited them. The team brought banks and fintechs into the room with leading experts in technologies, including identity, security and access management, to co-create the standard. Throughout the process, everyone working on the project focused on the use cases which would be unlocked by open banking and ensured the standard would enable them.

The approach was open and transparent from the outset, which was not the norm at the time. The standard was published under an MIT open licence – the most open of its kind – during an era when many bodies around the world regarded publishing standards as a risk which could encourage fraudsters. Today, it is well-known that open approaches are the most effective way to build standards.

Freddi Gyara, Co-Founder & CTO of Ozone API, was Lead Architect of the UK standard. He said: “The journey and output were unique. Every draft was published as soon as it was written and thrown open for public commentary. There were more than 2000 comments from over 100 users on some of the initial drafts. It didn't slow down after that.

“This approach was quite unique in the banking industry. We decided to collaborate and co-create the standard in the public eye.”

Why was the Open Banking Standard unique?

Before the UK standard, API specifications had typically been designed to support a model where there is a single publisher of the API and multiple consumers. Google Maps works this way. Google publishes the API, and millions consume it.

The OBIE had to create an ecosystem which allowed multiple participants to play the role of publisher. This created challenges and raised difficult questions. Which aspects of the standard should be mandatory? What should be made optional? How could banks be given enough flexibility when implementing the standard to accommodate the unique ways they operated?

For example, each bank has its own basic policies, such as daily payment limits, which may also differ between account types. Some banks allow a future-dated payment to be scheduled over the weekend, for instance. Others do not, meaning that a recurring payment that falls on a bank holiday will be paid on the previous or subsequent working day. This variation had to be understood in order to find commonality without losing the specificity of the standard.

The open banking pioneers overcame these challenges with their collaborative approach, which involved a wide variety of stakeholders and included experts from banks and technology companies, many with decades of diverse experience. This endeavour was difficult in its own right, requiring significant process innovation in terms of how the standard was published and reviewed.

Work began in October 2016, and the first draft of the standard was published just two months later, between Christmas and New Year. The OBIE grew from a standing start to roughly 100 employees. The delivery of the standard was achieved quickly and effectively.

The Open Banking Sandbox

After the standard was published, it became clear that banks required assistance with building their API interfaces to comply with it. Before the market went live, Ozone API delivered a reference implementation of the standard in the form of a sandbox for building and testing. This allowed third-party providers (TPPs) to test their own applications against a reference bank and enabled the development of conformance tools designed to help institutions implement and test their open banking APIs. The next step after the sandbox was the delivery of a platform which gave banks the ability to implement high-performance APIs which comply with the requirements of the markets they operate in and to let them go beyond compliance.

Chris said: “We rather naively assumed we could just publish a standard and banks would be able to configure their API platforms and core systems to comply with it. We soon saw that many of the banks were struggling. They needed specialist open API technology.

“We thought initially about launching a bank and realised that that wasn't such a great idea. So we launched our first product, which was an open banking sandbox or reference implementation which was more than just a sort of dummy set of APIs: it was a fully transactional, fully working platform.”

As Ozone API’s founders worked on the standard and the sandbox, they quickly realised the scale of the opportunity ahead: open banking and open data were likely to be global and game-changing.

Freddi Gyara added: “Firstly, it became apparent straight away that this was not going to stop with banks. Even before we talked about open finance, we could see the transformative nature of what was happening, and it became evident that other industries would follow the same approach.

“We very clearly understood that although open banking started off as an exercise driven by legislation and regulation, that was not where it was going to end up. The future lies in APIs that can be monetised by the banks - premium APIs. We knew that innovative new propositions that could ride on top of this open banking wave would offer real financial benefits to both banks and TPPs, as well as the end customers of course. This was the direction of travel in the marketplace, and it has continued over the last few years.

“As the attitude towards open banking in the UK shifted from ‘this is never going to work’ to ‘this is actually happening and there are published standards’, the interest from other countries started ramping up. We knew open banking would become a global phenomenon.”

Global Open Banking

The worldwide growth of open banking has accelerated over the past five years. A key component of the UK standard was the collaboration with the OpenID Foundation to develop the Financial Grade API (FAPI) profile, which defined the security model underpinning this standard. This FAPI profile has also become the basis for most other open banking and open finance standards around the world.

In 2019, the Consumer Data Right (CDR) started to go live in Australia, drawing influence from the UK but enabling a different set of use cases, and with a roadmap extending to other financial services and other sectors, such as energy and telecommunications. Then in 2020, Bahrain was one of the next markets to publish a standard and has drawn significant influence from the UK.

Brazil emerged as a global leader after moving from open banking to open finance in two years. And a few months ago, Saudi Arabia published its own Open Banking Framework. These are just some examples, as we are seeing open banking and open finance starting on every continent.

Five years ago, Ozone API’s founders were among the first to predict this global growth. They also observed a growing need for banks to seek external assistance in building open APIs to comply with mandates and move beyond those mandates.

“I don't subscribe to the idea that banks are not great at tech - there are absolutely brilliant banks and people out there,” Freddi Gyara added. “But they've never been set up to work in this universe where organisations are talking to each other. So it was something that was technically new.

“Banks have huge data estates. It's like trying to move a large battleship in the middle of the sea. It's not an easy manoeuvre at the best of times. Implementing open banking was like trying to move the battleship and change its hull at the same time. We knew that there was going to be a demand from the banks for technology that makes this easier and cheaper for them to achieve.”

The Future of Open Banking

The next step forward lies in markets expanding the scope of open banking to open finance. For customers, being able to see only a selection of their accounts is limiting. They are demanding a total financial picture and the ability to manage money more effectively. However, open finance is not the final destination. The industry is now anticipating the dawn of a much wider open data economy, in which opening up access to data will unlock more and more innovative propositions and use cases across industries.

Huw Davies said: “The shift towards open banking and open finance is going to transform the world. It's going to be massively impactful and can enable so much in terms of end-customer propositions, tackling problems like financial inclusion, and driving economic growth. Yet it has to be built on good technical foundations.

“Open banking requires an investment in infrastructure. For certain use cases and applications, it's now the de facto and default way of doing things. For example, a business once had several options about how to connect bank accounts to its cloud accounting platform. The default way of doing this is now through open banking APIs.

“We're now seeing a wide range of new customer-facing propositions which leverage this access to help them do things better, whether that's budgeting, reducing debt, or improving savings. This sort of behavioural change is building really well. There is a lot of innovation and increasing adoption.”

Lenders are now using open banking and open finance to make better credit decisions by leveraging access to account information to gain a deeper, better understanding of a customer's income and their ability to afford debt repayments. We are seeing exponential growth in the payments side of open banking and the initiation of account-to-account payments, which is taking a little longer to achieve wider adoption. The HMRC “Pay By Bank Account” is a leading example of a payment use case. The rollout of Variable Recurring Payments (VRP) over the next year will create many more. Open banking will continue to enable lower-cost, faster payments, which are more reliable than legacy payments with a reduced fraud risk.

Freddi Gyara added: “We are still in the very early days of open banking and have not even begun to see the really big innovations taking place. So if we are comparing our progress to the dawn of the internet, we're still at the point where Netscape launched its first browser.

“When open banking becomes transparent to the user, we will know it has been properly adopted. Consumers don’t say: ‘I'm using EMV to make my chip and pin payment.’ They don’t know what's going on behind the scenes, technically. When this happens for open banking, it will have arrived in the mainstream.”

The Road Ahead For Banks

Financial institutions that want to ride the open wave are now partnering with innovative fintechs capable of delivering the technology to drive the innovation and use cases at scale. This partnership model will become increasingly important in the medium to long term.

Chris Michael, CEO of Ozone API, said: “I think the future is about banks knowing how to approach technology. Rather than trying to build everything themselves or using large, expensive legacy platforms, they should be using more modern agile platforms like Ozone API but also partnering with fintechs. That partnership model is so important.

“This isn't just about financial services. Banks and fintechs are going to be the key to unlocking other sectors and moving beyond the sharing of financial data. Retail, for instance, is an extension of that, but many other sectors can benefit. For centuries, banks have been institutions which help individuals or businesses manage, protect and look after their assets. That's valuable for any sort of asset, including data. Banks have a really important role to play in this new open data ecosystem, but they shouldn't try and do it themselves. They should partner with fintechs and use best-in-breed agile technology.”

Five years of open banking is a major milestone. Yet the journey is only beginning. Everyone involved in the creation of the UK open banking standard should be extremely proud of what they have achieved. By the time the 10th anniversary comes around, the results of this work will be even more significant than they are today. The true revolution is yet to come, and Ozone API is here to help banks and financial institutions that wish to go beyond compliance and realise the commercial opportunities of open APIs.
