PSD2 and Open Banking
Find answers to common questions that Plaid receives regarding PSD2 and Open Banking.
UK AND EU REGULATORY FOUNDATION
What is PSD2?
The revised Payment Services Directive (PSD2) went into effect on 13 January 2018 across the UK and Europe. PSD2 introduces new rights for certain third-party providers (TPPs) to directly access payment service users’ online payment accounts with their explicit consent, and requires Account Servicing Payment Service Providers (ASPSPs), such as a bank, to permit access through a dedicated interface built on APIs. These PSD2 measures are designed to open up the banking industry to new players and promote the development and use of innovative online services, while ensuring consumer protection.
PSD2 provides the legislative and regulatory foundation for Open Banking and other broader initiatives at a UK and European level relating to open access to payment accounts.
OPEN ACCESS TO FINANCIAL DATA
What is Open Banking?
“open banking” (lowercase O and B) refers to the practice of providing open access to financial data from financial institutions through the use of application programming interfaces (APIs). Open banking supports Plaid’s mission: to empower innovators by delivering access to the financial system.
In the UK, an initiative led by the Competition and Markets Authority (CMA) called “Open Banking” (uppercase O and B) mandated that nine of the biggest banks in the UK (the CMA9) grant third parties access to customer payment account data in a secure, standardised form, provided that the third party accessing the account has the customer's explicit consent to do so.
ACCOUNT INFORMATION SERVICE
What is AIS?
Under PSD2, an Account Information Service (AIS) is an online service that provides consolidated information to a user on one or more payment accounts held by that user with other payment service providers. Firms that are registered or authorised to provide account information services can, with the explicit consent of the end consumer, access their bank account to provide the end consumer with new products and services.
If you’re providing AIS, you will need to be registered or authorised by the Financial Conduct Authority (FCA) in the UK, or an equivalent National Competent Authority (NCA) in Europe, to provide AIS in order to benefit from PSD2 open access measures. This is because PSD2 only mandates ASPSPs to enable access to firms that are registered or authorised to provide AIS by the FCA in the UK, or an equivalent NCA in Europe.
What is PIS?
Under PSD2, a Payment Initiation Service (PIS) is an online service which accesses a user’s payment account to initiate the transfer of funds on their behalf with the user’s explicit consent and authentication.
Plaid is a Payment Initiation Service Provider, and offers Payment Initiation in the UK, enabling your users to make real-time payments without manually entering their account number and sort code, or leaving your app. These in-app payments allow your users to fund their accounts in a seamless and secure manner, and at a low cost. Payment Initiation is an easy way for users to fund their account, make online payments, and pay invoices all from your app or website.
Which businesses need to be registered or authorised to provide account information?
In the UK, the FCA provides guidance on the type of companies that need to be registered or authorised to provide AIS:
- A business that provides consolidated account information, such as a personal finance management tool, will generally need to be registered or authorised for the provision of AIS.
- Other businesses, such as those engaged in internal fraud detection or credit decisions, which therefore do not provide consolidated account information, generally will not need to be registered or authorised for the provision of AIS.
You should closely review PSD2 and local legislation with your legal counsel to determine whether you need to be registered or authorised to provide AIS depending on your product and the reasons for which you are seeking AIS.
Are there alternatives to AIS registration or authorisation?
For customers not yet ready to apply for licensing, it’s possible to provide AIS to your customers by becoming an agent of Plaid. You will need to complete our agent application process, and if approved, we will apply to the FCA to register you as our agent. Get in touch with us to discuss if you are eligible and we will take you through the process.
Who needs an eIDAS certificate or an Open Banking certificate?
If you are accessing data from an ASPSP as a TPP, you need an eIDAS certificate to identify yourself. For example, when Plaid accesses an ASPSP using Open Banking APIs, we provide our eIDAS certificates to the ASPSP.
However, the FCA issued a statement on 17 January 2020 stating that “ASPSPs can also enable TPPs to use a certificate obtained from a provider of an API programme, so long as that provider only issues the alternative identification certificate to a TPP that has enrolled with the API programme using its eIDAS certificate to identify itself. The provider of the API programme should continue checking, on behalf of the ASPSP, the status of the TPP’s eIDAS certificate with the Qualified Trust Service Provider (QTSP).”
Plaid is regulated in the UK to provide access to financial data
Plaid Financial Ltd. is authorised by the Financial Conduct Authority under the Payment Service Regulations 2017 [Firm Reference Number: 804718] for the provision of payment services.
Account Information Service is an online service which provides consolidated information on payment accounts held by a payment service user with ASPSPs.
The Financial Conduct Authority is the conduct regulator for financial services firms and financial markets in the UK.
The CMA9 are the nine largest banks and building societies in the UK and Northern Ireland, based on the volume of personal and business current accounts.
Third Party Providers are firms that are regulated for, amongst other things, the provision of AIS that use APIs developed to Standards to access customers’ accounts, in order to provide account information services and/or to initiate payments.
National Competent Authorities are organisations that have the legally delegated or invested authority, or power to perform a designated function, normally monitoring compliance with the national statutes and regulations (e.g. the FCA in the UK).
Account Servicing Payment Service Providers provide and maintain a payment account for payment service users, and are entities that publish Read/Write APIs to permit, with customer consent, payments initiated by third party providers and/or make payment service users’ account transaction data available to third party providers via their API endpoints, e.g. a bank.