In our earlier article – The Open Finance Ecosystem & the Standards for Secure Identification & Sharing of Data – we provided an update from The Berlin Group [1] announcing that they will be commencing work on a full OpenFinance API Framework. This will leverage the NextGenPSD2 API Framework technology and infrastructure investments, adding standardised extensions beyond the regulatory PSD2 scope.
The Open Finance API Framework
Open Finance is not driven by regulators but by technologies such as open APIs. An Open API is a publicly available application programming interface with programmatic access to a proprietary software application or web service – a set of requirements that control how one application communicates and interacts with another.
The OpenFinance API differs from the Open Banking core XS2A interface in several dimensions:
- The extended services might no longer rely solely on PSD2.
- Other important regulatory frameworks, e.g. GDPR, also apply.
- The extended services might require contracts between the access client and the ASPSP.
- The Open Finance API can address different types of API Clients as access clients, e.g. TPPs regulated by an NCA according to PSD2, or corporates not regulated by an NCA.
- While the client identification at the Open Finance API can still be based on eIDAS certificates, these do not necessarily need to be PSD2-compliant eIDAS certificates.
- The extended services might require e.g. the direct involvement of the access client's bank for KYC processes.
The following access models are followed by this framework:
- PSU - Payment Service User
- PISP - Payment Initiation Service Provider
- AISP - Account Information Service Provider
- PIISP - Payment Instrument Issuing Service Provider
Open Banking vs Open Finance API and the requirement for Qualified Certificates and Signature Creation Devices
Note: Qualified certificate profiles need to conform to ETSI EN 319 411-2
As development towards Open Finance standards is now taking place across the finance sector, sandbox environments are now underway. This means that first stage testing with synthetic data is likely to run to the first quarter of 2022 after which live customer data will be used in a beta testing phase until mid-year 2022. This represents an important step in bringing Open Finance standards for the sharing of savings, investment and pensions data in line with Open Banking, especially when it comes to security and transparency of data and user experience.
To provide the best security and protection of eIDAS certificates and private keys, Utimaco provides Qualified Signature/Seal Creation Device HSMs for the purpose of protecting a certificate issuing infrastructure within an Open Finance environment.
[1] The Berlin Group is a pan-European payments interoperability standards and harmonization initiative, consisting of almost 40 banks and financial service institutions from across the EU, with the primary objective of defining open and common scheme- and processor-independent standards in the interbanking domain between Creditor Bank (Acquirer) and Debtor Bank (Issuer), complementing the work carried out by e.g. the European Payments Council. As such, the Berlin Group has been established as a pure technical standardization body, focusing on detailed technical and organizational requirements to achieve this primary objective.
Blog post by Dawn Illing.
About the author
Dawn Illing is a product development manager with over 25 years of product management experience in the banking, insurance and cyber security industries. Working internationally across EMEA has inspired her interest in cross-border digital identity and cyber security, including the interoperability requirements necessary for the successful delivery of digital product and market solutions.