Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

CMA order puts onus on industry to set detail of open banking standards

The detail of new open banking standards will be left up to banks to coordinate, the Competition and Markets Authority (CMA) has said.02 Feb 2017

The CMA has issued its final order (67-page / 701KB PDF) outlining how recommendations it made following its retail banking market investigation should be implemented, including those it made at the time on open banking

Two new open banking standards will have to be developed under the CMA's order. A new 'read-only data standard' and a 'read/write data standard' must be developed by the UK's nine largest banks by 13 January 2018 – the same date that PSD2 is due to be implemented in the UK. The Treasury separately outlined its plans to implement PSD2 on Thursday.

The new standards are intended to allow businesses and consumers to share their own transaction data from their current accounts with other banks and third parties and to manage multiple providers through a single app. 

The CMA's order requires the standards to be developed using open application program interfaces (APIs) and conform to standards on data formatting and security, including for authorisation and authentication.

"There is much debate across Europe on whether an API or screen scraping model is the best approach," financial services and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said. "From a security perspective, APIs are better, but the flexibility of screen scraping, and the fact that many services use it today, make it unlikely to go away."

According to the CMA's order, RBS, Lloyds, Barclays, HSBC, Santander, Nationwide, Danske, Bank of Ireland and Allied Irish Bank must set up an 'implementation entity' by 16 February to "implement, maintain and make widely available" the new standards.

The banks previously put forward plans for an implementation entity. The entity, according to those proposals, would not only comprise members from the nine banks but also feature representation from financial technology companies, smaller ‘challenger’ banks and businesses active in the payments market.

"The work of the implementation entity is well underway with working groups meeting regularly – given the aggressive timelines for technology change of this nature, every day counts," said McFadyen.

The CMA's order takes account of the fact that banks and other businesses in the payments market will be engaged in similar work to develop open APIs as part of their moves to comply with PSD2. PSD2 is the reformed Payment Services Directive finalised by EU law makers last year. PSD2 must be implemented into national laws across the EU by 13 January 2018.

The CMA said its timetable for implementing the new UK standards on open banking will not change to account for ongoing PSD2 initiatives, but its order does require the UK open banking standards not to "include provisions that are incompatible with the requirements in PSD2".

In an explanatory note (62-page / 1.97MB PDF) released alongside its new order, the CMA said it "sees clear benefits to the effectiveness of" its open banking standards if the read/write data standards is "developed in such a way that it will assist the full range of payment accounts and payment services providers covered by PSD2 to comply with those obligations".

The CMA said: "We are conscious of the European Banking Authority’s (EBA) role in setting regulatory technical standards [under PSD2] and are aware of the draft regulatory technical standards [the EBA has released] on common and secure communication. Wherever possible, the CMA encourages parties to implement the read/write standards in such a way as to facilitate the smooth implementation of PSD2."

"In seeking to achieve this, the implementation entity will need to give particular attention to the views of payment service providers subject to PSD2. We do not think that this alignment of standards should compromise the agreed timetable and project plan. It may, however, be necessary to proceed on the basis of draft EBA regulatory technical standards with flexibility to make adjustments to the read/write data standard once the EBA’s regulatory technical standards are finalised," it said.

Alasdair Smith of the CMA, who chaired the regulator's retail banking investigation, said: "Open banking will make a transformational change to banking for personal customers and small businesses. For the first time innovative and secure apps will provide personalised services and information to cover all financial needs in one place, and make it easy for people to find out what bank account is best for them."