Compliance

Achieve compliance in the most regulated environments

Open Banking

EMEA

EU: PSD2: Payment Services Directive 2

Open banking promises to unlock innovation that will profoundly improve the banking experience and introduce new financial services. For example, Third Party Providers (TPPs) can provide applications that enable consumers to consult multiple bank accounts from a single application, or apps that make it easier for businesses to share data with their accountants.
Under PSD2, banks must offer an interface allowing TPPs to communicate with them. That way, if the consumer wants to use financial service providers other than the bank, these providers can gain access to the bank’s systems and serve the bank’s customers via the open communication interface.
The introduction of open APIs makes a bank's security dependent on the security of the TPPs that use these APIs. Banks should adopt a number of technical and organizational security measures to address this dependency and other threats. In the context of open banking, banks can mitigate risk in multiple ways:
  1. Use transaction risk analysis
  2. Choose the right authentication model
  3. Protect the communication channel with TPPs
  4. Request independent security audit reports from TPPs
  5. Avoid security vulnerabilities in the API implementation

To learn more, read this blog on Open Banking APIs Under PSD2.

Bahrain: Central Bank of Bahrain (CBB) Rules for Open Banking

The Central Bank of Bahrain (CBB) has several rules in place regarding open banking. These include a rule that Payment Initiation Service Providers (PISPs) must have a strong customer authentication process in place.
The rules also imply that customers will share their login details directly with the third-party providers, rather than through a redirection-based mechanism where the customer is forwarded onto a login screen operated by their bank.
Account information service providers (AISPs) will be prohibited from accessing a customer’s information beyond that found in a designated account or from storing data for any reason other than providing the account information service “explicitly requested by the customer”.

Turkey: Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions

In November 2019, the amendments to Turkey's Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 7192) were enacted.

The original 2013 law provided the legal framework for payment companies, payment and securities settlement systems, and electronic money companies.

The revised law came into effect on 1 January 2020. It significantly enhances the existing law for open banking within Turkey.

To learn more: https://www.onespan.com/blog/financial-regulatory-landscape-in-turkey

Asia Pacific

New Zealand: Open Banking API Standards

Payments NZ is a payments industry group of banks, processors, and infrastructure providers. After a pilot lasting a year, the group published standards for APIs.
The standards are limited to APIs for payment initiation and account information services, but resemble open banking initiatives in other countries.

The New Zealand Bankers' Association said the country’s banks “fully support” the common standard.

Hong Kong: Open API Guideline for Banks

The Hong Kong Monetary Authority (HKMA) published an Open API guideline for banks and financial institutions operating in Hong Kong.
In its initial stages, the framework focuses exclusively on retail banking, but HKMA encourages banks that find it appropriate to extend the standard to other business lines.

Japan: Amendments to the Banking Act

In June 2018, Japan passed amendments to its Banking Act which put in place requirements for partnerships between financial institutions and fintech payment operators.

Republic of Korea: Amendments to the Electronic Financial Transaction Act of 2007

To increase competition and innovation in the financial services and fintech sectors, the Republic of Korea amended its Electronic Financial Transaction Act. The amendments obligate Korean banks to open their payment systems to third-party fintech organizations as well as to other banks.
This move provides the ability for customers to access their accounts at different banks and make payments from a single application.

Americas

Canada: Open Banking Consultation

The Department of Finance Canada set up an Advisory Committee to investigate the potential for an Open Banking policy in September 2018. The committee then released a consultation paper to drive public conversation on whether open banking would provide meaningful benefits; how risks related to consumer protection, privacy, and security should be managed; and what role government should play in any implementation.

US: Open Banking API

The Financial Data Exchange (FDX) is a non-profit financial industry organization and subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC). Its mission is to create a common, interoperable, and royalty-free standard that delivers to businesses and consumers secure access to their own financial data.

Mexico: LABORA

The National Digital Office (CEDN), in collaboration with the National Banking and Securities Commission (CNBV), C Minds, the Open Data Institute, and Dev.f led an industry-wide effort to develop an open banking standard. The standard focused in particular on the standardization of APIs and open data through the development of a pilot.

The pilot, branded LABORA, sought to confirm the viability of the implementation of an open banking standard in Mexico. It tested three to four endpoints and carried out a controlled implementation with expert users to evaluate the usability, interoperability, and value of existing APIs as well as the implementation of endpoints defined by the standard.

The information contained on this page is for information purposes only, provided as is as of the date of publication, and should not be relied upon as legal advice or to determine how the law applies to your business or organization. It does not constitute legal advice. We recommend that you seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance.