Open Banking: AISP, PISP & ASPSP Explained

Open Banking has had a spectacular impact on the financial world since January 2018, disrupting everything from payment solutions and budgeting tools to lending applications and credit analyses.

But what exactly do Open Banking providers do? Regulated providers construct and maintain the digital pipes that enable banks to securely request data and payments.

Open Banking is currently being used by individuals, lenders, and financial institutions to replace legacy manual and increasingly complex processes. The ability to collect and view insights derived directly from bank transaction data in real time is extremely powerful, but it can be overwhelming for businesses that have never worked with this data before. Understanding how the technology works and what technology companies are doing with it can help you come up with new uses for it.

Open Banking relies on third-party providers (TPPs) who can provide two core Open Banking services through two separate FCA authorizations:

  1. Account Information Service Provider (AISP): a person who is authorised to retrieve account information from banks and financial institutions.
  2. Payment Initiation Service Provider (PISP): a person or entity who is authorised to initiate payments into or out of a user’s account.

Companies that want to be regulated as an AISP or PISP must go through a rigorous application process with the FCA. Some Open Banking providers can be regulated as both an AISP and a PISP, but many only have one.

AISPs and PISPs manage the client consent required for Open Banking data access. This means that each AISP and PISP explicitly states to the end-user what data will be handled, for how long, and with whom it will be shared. This digital consent journey also serves as the foundation for GDPR information processing for AISPs and PISPs.

Account Information Service Providers (AISPs) explained

An AISP is a company that has been granted permission to access an individual’s or SME’s financial institution account data. The UK’s nine largest banks are required by law to comply with the AISPs’ requests. The framework and technical specifications of Open Banking allow for the retrieval of years of transaction history in seconds.

What are AISPs capable of?

Being an authorised AISP means that a company can request permission to connect to a bank account and use the information from that bank account to provide a service.

AISPs are granted “read-only” permission to the bank account information. They can look but not touch, which means they can’t move a customer’s money.

AISP-related services and tools include price comparison, money management tools, faster and more accurate access to financial products, and speeding up manual processes such as applying for a mortgage or a loan, among others.

Examples of AISP applications include:

  • Money management tools: some AISPs collect financial data and disseminate it in a way that allows people to easily understand their financial situation, create a budget, and track spending. These new personal finance tools combine data from multiple bank accounts so that users can see their entire spending history in one place.
  • Loan applications: Some AISPs, such as Credit Kudos, use this same capability to allow customers to share financial information securely and quickly with a lender or broker. Lenders also use account information-derived data and metrics to improve credit and affordability decisions. This procedure expedites traditional underwriting by eliminating the need for lenders to manually compile and verify bank statements. Better insights benefit the lenders and can provide a better customer experience to the borrower.

Payment Initiation Service Providers (PISPs) explained

PISPs are authorised to make payments on behalf of customers rather than just viewing account data. PISPs accomplish this by initiating direct transfers to or from the payer’s bank account using the bank’s tools.

What are PISPs capable of?

Businesses that are authorised PISPs may request permission to connect to a bank account and initiate payments from the customer’s bank account.

There are a variety of reasons why you might want a business to initiate payments for you. One example is an app that helps you handle money across your multiple savings and current accounts to ensure you never go overdrawn and don’t have to pay potentially substantial overdraft fees. This type of capability is also possible in retail, where you allow a company that you shop with frequently online to connect to your bank, so you get fast checkout and don’t have to re-enter card details for every transfer of funds.

Examples of PISP applications include:
  • Financial management tools: A few new money management and savings apps transfer a small proportion of someone’s balance each week to a savings account according to a predetermined process. Open Banking has also facilitated new tools that automatically transfer money between accounts on behalf of customers to avoid overdraft fees.
  • Business solutions: New tools integrate with back-office systems, allowing businesses to securely manage payments and collections, make real-time bank transfers, and gain greater payment visibility.

Account Servicing Payment Service Providers (ASPSP) explained

Account Servicing Payment Service Providers provide and manage payment accounts for payment service users (PSUs). ASPSPs have typically been banks and similar financial institutions, including building societies and payment companies.

The number of banks and building societies providing open banking services is increasing. Only the UK’s nine largest banks and building societies are currently required to make your data available through open banking. Smaller banks and building societies can also participate in open banking.

ASPSPs release Read/Write APIs as part of Open Banking. These allow consumers to share their account transaction data with third-party providers, who can then initiate payments on their behalf. PSD2 requires all ASPSPs in Europe to participate in open banking and provide data access.

How do open banking and screen scraping compare?

Screen scraping (also known as credential sharing) is an old technique for gaining access to a customer’s bank account to retrieve transaction data. Screen scraping works as follows:

  1. The customer provides their login information to a third-party provider (TPP).
  2. The TPP uses these details to log in to the customer’s bank account.
  3. The TPP then copies or “scrapes” the customer’s bank data for use outside of the customer’s banking app.

Before open banking, the only way for apps to access customers’ bank accounts was through screen scraping. Online accounting software packages made extensive use of it. Open banking, on the other hand, is a more secure method because it does not require the customer’s credentials.

eIDAS certificate

Electronic signatures can have the same legal validity as handwritten signatures under a 2016 EU regulation. However, such signatures must meet the requirements of eIDAS (electronic Identification, Authentication, and Trust Services). eIDAS certificates enable ASPSPs such as banks in European open banking to identify and authorise API connections from Third Party Providers such as PISPs and AISPs. This is critical in preventing unauthorised access to bank accounts. Since Brexit, only UK-authorized Third-Party Providers can use eIDAS certificates.
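
As an added example (not from the original article or from any bank's code), the following Python shows the kind of check an ASPSP can apply once a TPP's certificate has been validated: the TPP's role (AISP or PISP) and the customer's consent must both cover the request. The operation names, TPP identifiers and the `Consent` record are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed for illustration: the TPP role each (hypothetical) operation needs.
REQUIRED_ROLE = {"read_balances": "AISP", "read_transactions": "AISP",
                 "initiate_payment": "PISP"}

@dataclass(frozen=True)
class Consent:
    """What the end-user agreed to: which TPP, which operations, until when."""
    tpp_id: str
    permissions: frozenset
    expires_at: datetime
    revoked: bool = False

def authorise(tpp_id, tpp_roles, operation, consent, now):
    """Return (allowed, reason) for one API request, denying by default.

    tpp_roles is assumed to come from an already-validated TPP certificate;
    that validation is out of scope here.
    """
    role = REQUIRED_ROLE.get(operation)
    if role is None:
        return False, "unknown operation"
    if role not in tpp_roles:
        return False, f"TPP is not authorised as {role}"
    if consent is None or consent.tpp_id != tpp_id:
        return False, "no consent for this TPP"
    if consent.revoked:
        return False, "consent revoked"
    if now >= consent.expires_at:
        return False, "consent expired"
    if operation not in consent.permissions:
        return False, "operation outside consented scope"
    return True, "ok"

def demo():
    """Run constructed requests through the gate and return the decisions."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    consent = Consent("tpp-budget-app", frozenset({"read_balances"}),
                      datetime(2024, 4, 1, tzinfo=timezone.utc))
    cases = [("tpp-budget-app", {"AISP"}, "read_balances"),
             ("tpp-budget-app", {"AISP"}, "read_transactions"),
             ("tpp-budget-app", {"AISP"}, "initiate_payment"),
             ("tpp-other", {"AISP", "PISP"}, "read_balances")]
    return [authorise(t, r, op, consent, now) for t, r, op in cases]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Only the first constructed request is allowed; the others are refused because the consent does not cover transactions, the TPP holds no PISP role, or the consent belongs to a different TPP.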

Open Banking API providers and their requirements

There is no ‘official’ API for Open Banking. Instead, banks and Technical Service Providers provide their own APIs, which must adhere to the Open Banking Standard specifications released by the Open Banking Implementation Entity (OBIE), an official organisation that supervises the Open Banking implementation in the UK. The Open Data API Specification governs how banks develop access endpoints for Third Party Providers (TPPs). It defines how TPPs can use a bank’s Read/Write API. You can find the list of Open Banking API specifications on the OBIE website.

Read/Write API specifications

The Read/Write API specification is the primary API specification that governs how third-party providers should connect to banks. It enables Third Party Providers (TPPs) to obtain access to bank accounts for both read and write purposes, for example, fetching account balances and transaction details and making authorised payments. Through the Dynamic Client Registration process, banks allow the Third-Party Providers to enrol automatically without the need to authenticate each one manually. API performance, uptime, and reliability are critical for open banking. Since there is no single official open banking API and each bank develops its own APIs as per OBIE specifications, the performance of each bank’s API may differ.

Macro Global’s Tavas Open Banking Product Suite and Solutions offers a bundle of solutions to any ASPSPs to extend beyond the scope of monetisation to re-engineer the bank’s portfolio and business model.

  • Identity and Access Management
  • Developer Portal and Sandbox Environment
  • Financial Grade Open Banking APIs
  • Strong Customer Authentication
  • Administration Portal
  • Modified Customer Interface - Fallback Arrangement
  • App2App Authentication
  • Regulatory Reporting

To learn more about how Macro Global can assist you in monitoring, managing, and mitigating the aforementioned challenges, please visit Tavas – Open Banking Product Suite and Solutions.
