APIs – what do they mean for payments?

Author: Noel Robinson
APIs – what do they mean for payments? A briefing from Payments UK

Leading the way we pay

Contents

Introduction
APIs – the basics
The Open Banking Working Group (OBWG)
Links between API proposals and PSD2
Impact of the changes on the payments industry and customers
What next?

"Payments UK was a key contributor on the OBWG as we wanted to make sure that the Group considered the potential of APIs to revolutionise customers’ payments experience and best support competition.

"Critically there is also clear overlap between what an open API in banking can deliver and the emerging regulatory requirements from Europe in the shape of PSD2 and we want to avoid two separate solutions being developed to meet the same core challenges. An Open API in banking could also help the UK meet emerging policy and regulatory requirements."

James Whittle, Director of Industry Policy, Payments UK


Introduction

The payments industry in the UK has been undergoing significant change for a number of years, from the services developed to benefit customers such as Faster Payments and Paym, to the increasingly varied range of providers entering the market. These changes have brought increased choice to customers and more competition between providers.

This short report sets out our view on the next substantial development for the payments industry - the HM Treasury proposal for an open API in UK banking - and how it relates to the regulatory requirements of the revised Payment Services Directive (PSD2).

Open APIs offer significant opportunities and challenges for the industry and although the changes involved go much wider than payments, the payments sector is well placed to take a leading role in their development and implementation. Open APIs could have a fundamental impact on the customer-bank relationship as well as alter the landscape of players and providers significantly.

One of the principal aims of Payments UK is to ensure that the industry achieves stakeholder alignment and consensus where possible. Ensuring that the growing payments industry, including FinTechs and other financial service providers, benefit from these changes is important for making sure that the future financial services environment functions well for customers.


We welcome further engagement on APIs with stakeholders of all kinds, not least European stakeholders, given the requirements for pan-European interoperability under PSD2.

APIs – the basics

What is an API?

An Application Programming Interface – or API – is a set of functions and procedures that allows access to data or a service in order to provide greater functionality to the app's user. It can be used to determine what functionality is available, how it must be used and what formats it will accept either as input or return as output.

An open API is a means of accessing data based on an open standard; it is a public interface. An open standard is developed and maintained collaboratively and transparently, and can be accessed and used by anyone. The data accessed via an open API may be closed, shared or open data.

Open data refers to information that is publicly available, such as information on different products offered by a bank. An example of closed data could be a customer’s personal account history.

Why is the banking industry interested in APIs?

The proposals for an open API in UK banking stem from a report by Fingleton Associates in Autumn 2014, Data Sharing and Open Data for Banks, which was published alongside HM Treasury’s (HMT) Autumn Budget Statement. The Fingleton Report concluded that “greater access to data has the potential to help improve competition in UK banking” and recommended that banks create standardised application programming interfaces (APIs) that would be accessible to third parties (e.g. FinTechs, developers and other corporates).

In January 2015, HMT published a consultation on the Fingleton Report and in the March Budget HMT published a statement on their consultation and next steps, stating that it would commit to delivering an open API standard in UK banking and would set out a detailed framework by the end of 2015 for the design of the open API standard.

APIs are already widely used so the concept is not new and some banks in the UK are already exploring how they can be used in payment services. The open API concept could be used in a new way across the industry to open up opportunities for customers, businesses and financial organisations.


The Open Banking Working Group (OBWG)

Payments UK's response to the Fingleton Report (jointly produced with the BBA and Innovate Finance) proposed creating a working group to bring together a wide range of relevant stakeholders to create the framework for the design and delivery of an open API in UK banking. This included banks, FinTechs, consumer bodies and government.

The OBWG's overall aim was to explore how data could be used to help people to transact, save, borrow, lend and invest their money.

The working group was formed of a range of experts from across FinTechs, banks, building societies, businesses, consumer organisations, government and regulators. Payments UK was an active member. The group finalised its report at the end of December 2015 and Introducing the Open Banking Standard was published in February 2016. [1]

OBWG objectives

HMT supported this approach and in August 2015 the Open Banking Working Group (OBWG) was established with objectives to:

• Deliver a framework for the design of an open API standard in UK banking focusing on personal and business current accounts;
• Evaluate how increased levels of open data in banking can benefit consumers, businesses and society; and
• Publish recommendations in a paper by the end of 2015 outlining how an open API standard can be designed, delivered and administered, alongside a timetable and implementation roadmap for achieving this.

Importantly, running alongside this industry-led work has been the knowledge that PSD2 will need to be implemented in the UK, which will introduce a significant change for customers and payment service providers (PSPs) alike by requiring the accessibility of customer data by third parties. The PSD2 is discussed in more detail further on page 7.

[1] http://theodi.org/open-banking-standard


What did the Open Banking Working Group consider and recommend?

As well as looking at the technical aspects of an open API, the Group explored critical issues such as governance, security, liability, standards, communications, regulation and legal requirements. The OBWG's final report [2] sets out the framework for:

• An open API for data that is shared (including, but not limited to, customer data). This would allow, for example, an individual or business to consent to a third party provider accessing account-level data stored with their bank or financial institution, including the ability to initiate payments (similar functionality to that required under PSD2); and
• An open data API for market information and relevant open data.


The framework provides recommendations on the design and delivery of the open API, including:

• API standards (specifications informing the design, development and maintenance of the APIs) and data standards (rules by which data are described and recorded);
• Security standards and policies, through which consumers' data will be protected from fraudsters and access rights can be securely delegated;
• Governance, which will develop trust, provide issue resolution mechanisms and govern the standards; and
• Developer resources, which will enable developers and third parties to innovate, educate and experiment.

The conclusion of the OBWG's report is a proposal to implement, by 2019, an open API with all the associated governance and security in place, which will enable both 'read' and 'write' access to customer accounts on a permissioned basis; and that 'open data' sets will also be made available via the API. The report suggested that work would be done on a phased basis so that functionality would begin to be available from the end of 2016.

How will customer protection be ensured?

The work of the OBWG on an open API in the UK was undertaken with full consideration of data and consumer protection issues and legislation. The aim of the API proposals is not to make personal or confidential data available as 'open data' - thereby protecting customers' privacy.

The OBWG proposals cover a variety of customer protection measures, including enhanced security, accreditation for firms, and the ability for customers to easily 'switch off' their permissions whenever they choose.

Recent research by Ipsos Mori [3] confirms that a fundamental element of making the API ecosystem work will be effective customer education and messaging. There is a clear need to ensure that customers understand and have confidence in giving informed consent to third parties and know how they can withdraw consent should they want to. In addition, customers will also want to understand how they are protected if something goes wrong.

[2] http://theodi.org/open-banking-standard

[3] https://www.ipsos-mori.com/researchpublications/publications/1769/Open-API-Exploring-the-views-of-consumers-andsmall-businesses.aspx


Links between API proposals and PSD2

The key revisions to PSD2 are intended to promote the emergence of new players (e.g. FinTechs) and the development of innovative mobile and internet payments in Europe to encourage EU competitiveness worldwide. The overlaps with the work on API proposals are clear. The most significant implication of PSD2 is probably the paradigm shift in terms of accessibility of customer data to third parties. The key changes delivered by PSD2 in this respect are:

• Giving payers the right to make use of 'Payment Initiation Services' (where a third party initiates a payment from a customer's bank account on their behalf) and 'Account Information Services' (where a third party has access to customer's account data in order to provide aggregation tools and other services);
• Requirements for strong customer (and also dynamic transaction) authentication;
• Regulatory technical standards on authentication and communication to be defined by the European Banking Authority; and
• Requirements for Account Servicing Payment Service Providers (AS PSPs) to provide a 'yes' or 'no' confirmation of availability of sufficient funds to card based payment instrument issuers (PIIs).

The PSD2 legislation essentially requires AS PSPs, such as banks, to allow authorised third party providers to have access to their customers' account information and to initiate payments on a customer's behalf when explicit consent has been given by the customer. Account servicing PSPs will also be forbidden from taking discriminating measures against third-party payments, such as giving them lower priority. In turn, the legislation requires third parties to authenticate themselves to the account servicing PSP and to have appropriate security in place.


The Payment Services Directive 2 (PSD2) is an updated version of the original Payment Services Directive designed to make cross-border payments as easy, efficient and secure as ’national’ payments within a Member State and to help develop the Single Euro Payments Area (SEPA). It also sought to improve competition by opening up payment markets to new entrants, thus fostering greater efficiency and cost-reduction. The revisions to PSD2 are intended to promote the emergence of new players (e.g. FinTechs) and the development of innovative mobile and internet payments in Europe to encourage EU competitiveness worldwide.

The main differences between PSD2 and the proposed Open Banking Standard are around scope, governance and timelines. Nevertheless, at a high level the requirements set out in PSD2 require 'secure communication' between account providers like banks and third parties in order to secure access to the data and to initiate payments. Many in the payments industry believe that the PSD2 requirements can best be met through the use of an API interface. Therefore, if taken forward, the work in the UK to create an open API in UK banking could mean that the UK would have some of the infrastructure in place needed to deliver the requirements of PSD2 in a way that delivers the good outcomes for both customers and industry. However, the UK is not operating in a silo and all organisations affected by PSD2 will have to comply with the rules that need to be established in Europe. Some of these rules are still being defined and this presents a challenge for the UK. In a worst case scenario, UK financial service providers might end up needing to create duplicate or parallel infrastructures with potentially complicated and confusing rules. Payments UK continues to work closely with the industry and government in an effort to avoid this.

Impact of the changes on the payments industry and customers

The changes being driven by PSD2 and the Open Banking Standard (depending on how it gets taken forward) will undoubtedly have profound impacts on the industry, businesses and consumers. It's not easy to predict who the 'big winners' will be. These changes are part of an overall trend in banking towards increased digitisation and expectations by consumers that their 'banking' experience will more closely resemble the more 'high-tech' experience of digitally driven companies like that offered by social media, search engines and tablet/mobile providers. Customers expect services in real-time, with smooth and seamless interfaces, which are becoming increasingly personalised through intelligent use of data.

The payments industry is working to rise to these challenges through Payments UK's World Class Payments vision. This has taken an evidence based approach to understand different customer needs. This work has led to the identification of 13 core capabilities that could transform the payments landscape and enable further innovation to be delivered in the competitive space. The firms that provide the types of services that PSD2 seeks to encourage can bring innovation and competition into the market.

For example, Payment Initiation Service Providers offer an additional, and sometimes cheaper, alternative for internet payments, and Account Information Service Providers allow consumers to aggregate their bank data from different accounts, thus providing them with a better overview of their financial situation and the ability to analyse their spending patterns, expenses and financial needs.

The likely impact of PSD2 and the API proposals (if implemented) will be that, within five years, we can expect to see customers who are more confident about sharing their financial data with third parties in order to get access to new products and services. In turn this will drive increased innovation and competition, including the entrance of a variety of new players. In the payments space specifically, these changes may have an impact in terms of:

• Overall changes in payment volumes;
• Customer migration away from current payment instruments like cards; and
• New approaches to customer security and fraud prevention (given that new players will be involved where previously it may have been limited to interactions between customers and their banks, and customer expectations will change).


What next?

The Open Banking Standard report proposes a phased timeline for implementation; as a first step the report states that an entity should be established and mandated with the primary purpose of planning, designing and delivering future phases of the open banking initiative. With HMT having expressed its support for further work by the industry, we will continue to work with our members and stay closely involved with the implementation of this new ecosystem.

We believe that it is in the interests of all players that the payments industry takes a leading role in the work to deliver an open API in UK banking that can be applied or is interoperable on a pan-European (and even global) basis; not only so that the opportunities of these changes can be realised properly by businesses, but also to ensure that those firms required to comply with PSD2 are not disadvantaged by conflicting implementations. In this way, the UK can lead the way in Europe and continue to be one of the foremost markets for FinTech and innovation.

Using our experience, which includes implementation of major cross industry innovations, knowledge and the expertise of our broad membership, Payments UK will continue to work closely with key UK and European stakeholders, including HMT and the Financial Conduct Authority, as well as the European Banking Authority on its work on Regulatory Technical Standards. We will also continue to work closely with UK and European industry stakeholders to ensure alignment as far as possible, given the importance of pan-European interoperability. It is vital that the regulatory and industry-driven changes complement each other.

Payments UK continues to provide support to our members and the wider payments industry through our work to analyse the requirements emerging through PSD2 – leading to the implementation of any collaborative changes required. This is primarily being done through our largest member group, the PSD Working Group. Our work will include developing a UK guidance document for UK payment service providers on PSD2 specifically. We are also working with members to explore issues around the possible collaborative implementation of APIs.

If you wish to get involved with our work to help ensure changes in the UK are delivered fairly, openly and effectively, please contact us: [email protected]


Once a quiet corner of the financial world, the payments industry is transforming like never before. Technological advances, new players to the market, fresh regulation coupled with UK customers’ appetite for more convenient and improved services mean that change is inevitable and there is enormous potential for the UK payment markets to continue to lead the way.

Payments UK is the trade association launched in June 2015 to support the rapidly evolving payments industry. Payments UK brings its members and wider stakeholders together to make the UK’s payment services better for customers and to ensure UK payment services remain world class.

Payments UK 2 Thomas More Square London E1W 1YN T: 020 3217 8200 E: [email protected] paymentsuk.org.uk
