PSD2: the precondition for open banking
PSD2 and Open Banking are often mentioned in the same breath. Although they do not mean the same thing, the two terms are closely linked: after all, the revised Payment Services Directive 2 (PSD2) marks a major step towards Open Banking. It requires banks in Europe to open up to third parties, so-called Third Party Providers (TPPs). PSD2 thereby removes barriers for potential new participants in the financial market and lays the foundation for a diverse ecosystem of fintech service providers and banks. Specifically, the directive stipulates that all banks in the EU must implement modern RESTful APIs and make them available to certified TPPs. This opens up numerous opportunities, but at the same time it presents banks with new challenges. They must ensure that the data of bank customers (so-called Payment Service Users, PSUs) is adequately protected against unauthorized access. In addition, the PSD2 APIs must be integrated into the banks' core systems, which remain the authoritative owners of the data concerned. In the project with our partner SOBACO, support for multiple clients was also a central requirement, as SOBACO operates its platforms for a large number of banks. The exact technical requirements, however, will be the subject of a separate blog post.
Standards in Europe
Unfortunately, not all PSD2 implementations are the same: there are several ways to implement the directive technically. We decided to base our product ubix2b on the NextGenPSD2 framework of the Berlin Group. The Berlin Group is a European initiative that defines technical norms and standards based on European jurisdiction. To prevent every European bank from developing its own proprietary system for PSD2 compliance, this initiative created the NextGenPSD2 task force. Its aim was to define a de-facto standard for implementing the requirements formulated in PSD2 and, at the same time, to let the consumers of the new interfaces participate in its design. The result was the NextGenPSD2 framework mentioned above. It defines what the new APIs look like and which security features protect access to personal data. Specifically, the NextGenPSD2 framework includes APIs in the areas of Payment Initiation Service (PIS), Account Information Service (AIS), Payment Instrument Issuing Service (PIIS), Signing Baskets Service (SBS) and Common Services. These API services are complemented by so-called Consent Management, which controls the permissions for access to individual resources. This allows bank customers to control which TPPs are granted access to their data. In order to prevent potential information leaks, this communication takes place exclusively between the bank customer and the bank. TPPs therefore have no access to a bank customer's data before that customer has given valid consent.
ubix2b: all in one platform
These general conditions had to be applied in the project with SOBACO. Our goal was to implement all APIs prescribed by PSD2 in a secure and stable manner. In addition, the solution had to be as easy as possible to integrate into the existing infrastructure of the respective bank. These considerations finally led to the open banking platform ubix2b, which meets all of the above requirements by means of various components.
In the figure, the consumers (TPP & PSU) of the new PSD2 APIs are shown on the left, while all variable elements of the architecture are marked in light yellow. These components play a critical role in the interaction of the systems, and each has a very specific purpose. At the same time, they differ from bank to bank and can be exchanged accordingly. It was therefore particularly important for ubitec to design the components it developed itself (orange) in such a way that they ensure the greatest possible compatibility. The core of these developed systems are the various PSD2 APIs for the initiation of payments (PIS), the retrieval of account information (AIS) and the confirmation of funds (PIISP). However, these can also be replaced by any other APIs, depending on the needs of the respective bank. Another central component of ubix2b is Consent Management. It guarantees that only those TPPs authorized by the customer can access the bank data. As a further element of the platform, the so-called core banking adapter ensures that data can be communicated and exchanged with the bank's core system in the first place. Last but not least, the open banking platform also includes a sandbox adapter. It allows third parties to test their applications against test data in a sandbox environment. This part of the PSD2 specification in particular is a good example of the new requirements making sense: after all, there is nothing more annoying than having to integrate against a completely unknown system.
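The consent check described in the "Standards in Europe" section and again for the Consent Management component above, as an added example (not ubix2b code and not the Berlin Group's own implementation): the `access`, `recurringIndicator`, `validUntil`, `frequencyPerDay` and `consentStatus` fields mirror the NextGenPSD2 consent resource, while the TPP binding (`tpp_id`), the per-day usage counter and the sample IBAN are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Consent:
    """A consent as created via POST /v1/consents in NextGenPSD2.
    access / valid_until / recurring_indicator / frequency_per_day / status
    follow the Berlin Group model; tpp_id and uses are this example's
    simplification of TPP binding and unattended-access counting."""
    consent_id: str
    tpp_id: str           # assumption: identity taken from the TPP's certificate
    status: str           # received | valid | rejected | expired | revokedByPsu | terminatedByTpp
    access: dict          # {"accounts": [...], "balances": [...], "transactions": [...]}
    valid_until: date
    recurring_indicator: bool
    frequency_per_day: int
    uses: dict = field(default_factory=dict)  # (day, resource, iban) -> unattended calls

def authorize(consent, tpp_id, resource, iban, today, psu_involved=False):
    """Decide whether an AIS call may read `resource` for `iban`.
    Returns (allowed, reason); a grant counts against frequencyPerDay
    unless the PSU is involved in the request (attended access)."""
    if consent.tpp_id != tpp_id:
        return False, "consent was created by a different TPP"
    if consent.status != "valid":          # not yet authorised by the PSU, or revoked
        return False, "consent status is '%s', not 'valid'" % consent.status
    if today > consent.valid_until:
        consent.status = "expired"
        return False, "consent expired"
    if iban not in consent.access.get(resource, []):
        return False, "%s access to %s was not granted" % (resource, iban)
    if not psu_involved:
        key = (today, resource, iban)
        if consent.uses.get(key, 0) >= consent.frequency_per_day:
            return False, "frequencyPerDay exhausted for unattended access"
        consent.uses[key] = consent.uses.get(key, 0) + 1
    if not consent.recurring_indicator:     # one-off consent is used up by a single access
        consent.status = "expired"
    return True, "ok"

IBAN = "DE89370400440532013000"  # constructed example IBAN

def sample_consent(status="valid", recurring=True, per_day=2):
    """Constructed sample: one account, balances and account list granted, no transactions."""
    return Consent("consent-1", "TPP-EXAMPLE-1", status,
                   {"accounts": [IBAN], "balances": [IBAN], "transactions": []},
                   date(2024, 12, 31), recurring, per_day)
```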