Open Banking vs. PSD2

When discussing about which standards to adopt for standardization of digital payment and account directives, the obvious main players are Open Banking (one of the main examples being the UK Open Banking) and PSD2 standards.

Both these standards were born out of the same necessity but their implementation and directives hold differences due to their origins.

Which of the standards are better and what are the differences between them?

That is a great question, as they both dictate how a bank can check the validity of a TPP and how the TPP can register to be recognised as a valid one.

As the steps for registering the TPPs can be an expensive and taxing experience, understanding the differences can help minimise misunderstandings and loss of time and money.

The first and obvious difference between the two standards is the fact that while UK Open Banking only covers the UK, PSD2 is a standard that was adopted by the European Economic Area and as such spans more than 25 countries.

Until Brexit came in place, PSD2 was also comprising the United Kingdom, something that now is not the case and was substituted by the UK Open Banking standard.

This also means that while PSD2 is a standard that is set in law, and that all banks in the EU have to legally abide by, for Open Banking that is not the case.

Another very important difference is that while UK Open Banking is an open standard regulated by the Financial Conduct Authority (FCA), PSD2 is a specific adaptation of Open Banking for the European market and is under the regulation of the EEA/EBA. FCA and EBA do have many interests in common and collaborate constantly to improve banking standards but they remain two separate independent governing bodies that need to be thought as such.

So, in short, the similarity is that any national Open Banking implementation has been so under the vigilance of a general financial governing body, and UK Open Banking and PSD2 are no different. The difference lies in the body in question and the scope: PSD2 relies on the EEA/EBA which spans 25+ countries while UK Open Banking relies on FCA which ‘only’ covers the UK.

Continuing on the subject, of course this means that also the registration of TPPs is ever so slightly different. In the UK, before providing open banking services, a TPP will need regulatory permission from the FCA or their National Competent Authority (NCA).

As directly mentioned from Fintechs they will need to demonstrate that you have a PSD2-compliant (yes, the UK still uses this term as originally, it was known as PSD2) business model and appropriate data privacy and security measures in place.

In the EU, for PSD2, the slight difference is that a TPP does not contact the EBA but goes directly to the National registers of authorised or registered payment and electronic money institutions under the Payment Services Directive of the country or countries in question and registers through that.

After which, they both (Open Banking UK and PSD2) require the TPP to have an eIDAS certificate that is signed by a Qualified TSP Certificate Authority from the interested countries of course.

This also means that major differences on how an ASPSP (eg. Bank) needs to implement the flow to check the validity of a TPP and also the identity of a customer: Open Banking implements the OAuth standard both for TPP and for Customer validation, while PSD2 allows for multiple possibilities: OAuth being one, but there are also Bank redirect, embedded and decoupled flows. Also, the way that the certificate of the TPP is checked differs slightly, where for PSD2, the ASPSP needs to check the TPP’s certificate validity and also their authorisation levels directly against the EBA registry while for Open Banking, the information in the certificate is enough and no secondary check is required.

On top of that Open Banking UK includes APIs for notification while PSD2 does not, but requires APIs for savings and loans, funds confirmation and signing baskets. Some are compulsory and some are not.

Last but not least, the big difference is the service that the standards require or expect banks to provide. This list changes and evolves as time goes by, but at the moment of writing this, both Open Banking and PSD2 require banks to expose services for Account information and Payment initiation.

This concludes the view on the two standards and how they differ to cater for their own ecosystems and user requirements. As this standard is more and more adopted worldwide, more and more of such forks will arise, all having similarities but also crucial differences to face local challenges.