1. UK Open Banking
PSD2 and GDPR Forum
Amsterdam 19 Feb 2018
Gary Farrow
Head of Architecture
Open Banking
2. Start of the Open Banking Journey
AUG 2016: CMA publishes report on its investigation into the UK's retail banking market
SEP 2016: Open Banking Implementation Entity (OBIE) formed to deliver Open Banking
To make Open Banking a reality in the UK, OBIE defines open standards and processes, making it possible to share information securely with third parties, who will create information and value-add services for consumers and small businesses.
Business Drivers
• Increase competition
• Enable new and smaller banks to grow
The Open Banking Remedy
• Enables retail customers and small businesses to share their account information securely
3. Regulatory Overview
(Diagram: rows labelled PISP, Open Data and AISP, mapped against the CMA Order, PSD2 and the RTS, with Open Banking UK at the centre)
CMA Order
• ATMs & Branch locations
• Personal Current Accounts
• Business Current Accounts
• SME Lending
• SME Credit Cards
• Payment Initiation
• Account Balance
• Confirmation of Funds
PSD2
• Strong Customer Authentication
• Exemptions
• eIDAS / Security Framework
RTS
• Account Information
• Transaction History
4. Our Journey So Far
MAR 2017: Open Data launches
JUL 2017: Account Information and Payment Initiation specifications issued
OCT 2017: Open Banking Directory live
JAN 2018: Open Banking managed rollout begins for regulated participants
Release 1
• Aligned to the CMA Order
• Aligned to the CMA Order & PSD2
• Enrolment of future regulated participants begins
• To facilitate 3rd party enrolment and de-risk the introduction of Open Banking
5. Open Banking Eco-System
(Diagram: the Open Banking Directory, plus other NCAs, at the centre, with PISP, AISP and ASPSP participants around it)
Open Banking Directory (+ Other NCAs)
Participants: 1. Registration, 2. Enrolment, 3. Authorisation Status, 4. Self-Service
Digital Identities, Digital Certificates, Signed Identity Statements
PISP, AISP, ASPSP
Open Data, Payment Initiation, Account Information
6. Strong Customer Authentication Flow
(Diagram: PSU, TPP (PISP / AISP) and ASPSP; 1st and 2nd factors are supplied to the ASPSP, and the PSU is transferred to / from the ASPSP)
1. Consent to PI or AI
2. API: Request PI or AI
3. Authenticate PSU
4. Select Payer Account(s)
5. Authorise PI or AI
Key Concept
• Consent takes place in the TPP Domain
• Authorisation takes place in the ASPSP Domain
7. Consent and Authorisation Model
Stages: Consent, Authentication, Account Selection, Authorise
PSD2
• PSD2 consent model, given to the TPP
• RTS Strong Customer Authentication
• Data clusters concept ensures the AISP requests only the information they need to perform their service
• Dynamic linking for PIS, binding Payer, Amount, TPP and Beneficiary
GDPR
• Lawful basis of processing is, for example, "Contract"
• Lawful basis of processing is, for example, "Legal Obligation" under the CMA Order & PSD2
• Data minimisation through obfuscation of account details from the TPP
A helpful step for providing consumer clarity and ensuring transparency
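As an added illustration of the dynamic-linking point on this slide (not from the slides or from the Open Banking specifications): after the PSU completes SCA in the ASPSP domain, the ASPSP issues an authentication code computed over payer, amount, TPP and beneficiary, and re-checks it before releasing the payment, so a later change to the amount or beneficiary is rejected. HMAC-SHA256 with a constructed session key stands in for the ASPSP's own SCA mechanism; all account and TPP identifiers are constructed.

```python
import dataclasses
import hashlib
import hmac
import json


@dataclasses.dataclass(frozen=True)
class PaymentConsent:
    """The elements the slide lists for PIS dynamic linking."""
    payer_account: str
    amount: str          # decimal string, so the canonical encoding is stable
    currency: str
    beneficiary_account: str
    tpp_id: str


def canonical(consent: PaymentConsent) -> bytes:
    # One unambiguous byte string per consent: sorted keys, no optional whitespace.
    return json.dumps(dataclasses.asdict(consent), sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def issue_auth_code(session_key: bytes, consent: PaymentConsent) -> str:
    # ASPSP side, after the PSU has passed SCA: the code is computed over payer,
    # amount, TPP and beneficiary, so it is specific to exactly those values.
    return hmac.new(session_key, canonical(consent), hashlib.sha256).hexdigest()


def verify_dynamic_link(session_key: bytes, consent: PaymentConsent, auth_code: str) -> bool:
    # Run by the ASPSP before execution: recompute over the details actually being
    # executed and compare in constant time.
    expected = issue_auth_code(session_key, consent)
    return hmac.compare_digest(expected, auth_code)


def demo() -> tuple:
    # Constructed sample values; the key stands in for the ASPSP's per-session SCA secret.
    session_key = b"constructed-aspsp-session-secret"
    consent = PaymentConsent("GB00XXXX00000001", "25.00", "GBP",
                             "GB00XXXX00000002", "tpp-example")
    code = issue_auth_code(session_key, consent)
    genuine = verify_dynamic_link(session_key, consent, code)
    # Any change to a bound element after authorisation breaks the link.
    altered_amount = dataclasses.replace(consent, amount="2500.00")
    altered_payee = dataclasses.replace(consent, beneficiary_account="GB00XXXX00000003")
    return (genuine,
            verify_dynamic_link(session_key, altered_amount, code),
            verify_dynamic_link(session_key, altered_payee, code))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```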
8. Our Future Journey
DEC 2017: Amended CMA Order
FEB 2018: Release 2 Specification
(Roadmap legend: Amended Order Timetable, PSD2 Items, Governance and Funding, Ongoing Standards Development, Items for longer term consideration)
• Extension for Open Data
• Future Dated Payments and Standing Orders
• Confirmation of Funds
• PSD2 Accounts
• RTS Exemptions
• International payments
• Multi-authorisation
• Evaluation
• Reverse Payments
• SCA Flows: redirection, embedded / decoupled
• Bulk and batch payments