Regulation Regarding Open Banking in the UK
Mar 30, 2022 - 7 MINS READ
The Payment Services Directive is a European Union law that was enacted in 2007 and revised in 2015 (PSD2). PSD2 went into effect in several EU member states under the Payment Services Regulations (PSRs). The Financial Conduct Authority (FCA) regulates open banking in the United Kingdom using these PSRs.
PSD2 and the subsequent PSRs granted consumers the ability to request that a third-party provider:
- make payments on their behalf (Payment Initiation Services or PIS)
- gain access to their financial information (Account Information Services or AIS)
Prior to the Payment Services Regulations, none of these things was possible: bank terms and conditions frequently prohibited clients from utilizing a third-party provider to access their bank accounts.
Payment service providers, mainly banks, were compelled under the PSRs to open up their systems to third-party providers at the request of clients. This resulted in the creation of the legal and regulatory framework for open banking.
The PSRs, however, did not specify how institutions should offer that access. They simply specified that banks should provide a separate interface or method of accessing accounts through internet banking.
In the United Kingdom, the Competition and Markets Authority (CMA) established an additional layer of oversight for the country's nine major banks (which serve 99.9 percent of the UK population).
The Open Banking Implementation Entity (OBIE) collaborated with banks to create the Open Banking Standard, as well as user experience guidelines that instructed banks on how to implement strong customer authentication (SCA). The Financial Conduct Authority (FCA) currently regulates open banking in the United Kingdom. Only organizations that have been approved by the FCA are permitted to utilize open banking APIs to acquire financial records or initiate transactions on behalf of customers. The Central Bank of Ireland governs open banking in Ireland.
It is necessary to obtain regulatory approval to utilize an open banking service
There are two ways to obtain authorization to use open banking in order to deliver a product or service to your UK consumers. Depending on whether you wish to provide Account Information Services or Payment Initiation Services, the process varies slightly.
To offer Account Information Services to your clients
- Description
  - Registered directly: Join the ranks of Registered Account Information Services Providers (RAISP). To supply Account Information Services, you must register with the FCA directly as a Third-Party Service provider under the Payment Services Regulations/PSD2.
  - As an agent: Become an agent for a regulated Third-Party Provider of Account Information Services.
- Accountability
  - Registered directly: You are responsible for PSD2 compliance, and you have duties to your customers, such as obtaining their permission to use their data and dealing with any complaints. You must have professional indemnity insurance (PII). You must continue to meet your obligations, which include reporting to the FCA.
  - As an agent: The authorized Third-Party Provider is responsible for PSD2/PSR compliance and has duties to your customers, including obtaining their consent to access their information and addressing any complaints. To become an agent, you will still need to go through due diligence and regular compliance monitoring with your selected TPP.
- Technical accessibility
  - Registered directly: You have the option of integrating directly with the APIs of each individual bank. Maintaining these connections, on the other hand, can be challenging and time-consuming. As a result, some providers utilize an intermediary known as a Technical Service Provider, a firm that specializes in connecting to various banks and providing you with a single API.
  - As an agent: You gain access to open banking APIs through your Principal Third Party Provider, which connects to all banks and provides you with a single API.
To offer Payment Initiation Services to your clients
- Description
  - Directly regulated: To provide Payment Initiation Services, get directly regulated by the FCA as a Third-Party Provider under the Payment Services Regulations/PSD2.
  - Through a regulated TPP: Use an FCA-regulated Third-Party Provider (TPP) that can connect to your application or website and provide payment processing to your clients.
- Responsibility / obligation
  - Directly regulated: You are responsible for PSD2 compliance, and you have duties to your consumers, such as obtaining their permission to make payments and dealing with any complaints. You must perform activities, such as reporting, that require in-house compliance personnel. You must have an initial capital of €50,000 (or more if you provide certain additional payment services) and professional indemnity insurance (PII).
  - Through a regulated TPP: Your regulated Third-Party Provider is responsible for PSD2/PSR compliance and has duties to your consumers, including obtaining their agreement to commence payment and dealing with any complaints.
- Technical accessibility
  - Directly regulated: You have the option of integrating directly with the APIs of each individual bank. Maintaining these connections, on the other hand, can be challenging and time-consuming. As a result, some providers utilize an intermediary known as a Technical Service Provider, a firm that specializes in connecting to various banks and providing you with a single API.
  - Through a regulated TPP: You integrate with a regulated Third-Party Provider, who links to all banks and delivers the payment mechanism to your clients through integration into your app or website.
If you want to become an AISP or a PISP, you should do the following:
- To verify that your intended product or service is compliant, familiarise yourself with the second Payment Services Directive (PSD2) and the FCA's own recommendations.
- Check out which regulator oversees your industry. The FCA regulates open banking providers in the United Kingdom. If you want to provide services to clients in other nations or areas, you may need to apply to their regulators as well.
- Make sure your business model is specific and detailed, as it will be included in your application.
- Check that you are in compliance with all data privacy protection rules applicable to the geographical region of your client base. When interacting with EU consumers, for example, GDPR (General Data Protection Regulation) is mandatory.
- Ensure that all aspects of your firm, including IT, policy, and security, are in accordance with the applicable legislation.
- Put in place the required professional indemnity insurance.
- You will also require €50,000 in starting capital if you apply to be a PISP (or more if you provide certain other payment services).
Once you're ready, you must apply to the FCA. This procedure might take up to a year.