Fintech Magazine's Essential Glossary of Open Banking Terms

Lately there has been a lot of attention on the growth of open banking in Europe and the UK. Open banking is an innovative practice that allows third party service providers to connect to users’ bank accounts to access financial information, and build services and products based on the gathered data. 

To fully understand open banking, it is imperative to grasp the meaning of the terms present within this fintech practice. A lot of the terminology in open banking refers to technologies and regulators that have shaped the industry and propelled it forward, and are rooted in its origins and history. 

Together with the help of Rolands Mesters, CEO and co-founder of Nordigen, we gathered the ultimate list of essential terms and abbreviations that will help both new users and existing professionals learn more about the vast universe of open banking.

A:

Account-to-account (A2A) - Payments made from one bank account directly to another (think - bank transfers, just executed automatically)

Account Information - Typically this includes 4 data points: (1) account holder's name, (2) account number, (3) account balance and (4) transactions.

Account Information Service Provider (AISP) - A business that has received a regulator-issued licence to (1) connect to bank APIs, (2) access account information with account holder's consent and (3) use the gathered information to provide a service. 

Application Programming Interface (API) - An interface (think - access point) that allows programs or applications to connect and communicate with each other. 

API Data - Data made available to an API user or third party provider (TPP) through the use of the API.

API Provider - A service provider that implements an open data API and provides open data via an API gateway.

API User - Any person, business, or organisation that develops web or mobile applications that can access data from an API provider.

Account Servicing Payment Service Provider (ASPSP) - A Payment Service Provider (PSP), such as bank or card issuer, that provides authorised access to bank account information.

ASPSP Brand - Any registered or unregistered trademark or other Intellectual Property Right provided by an ASPSP.

B:

Bank Coverage - The number of individual banks or bank branches that a TPP is connected to through APIs.

Business Identifier Code (BIC) - A unique address assigned to a bank that allows to identify banks within payment messages and financial transactions. The code is typically eight or eleven characters long. 

C:

Card Based Payment Instrument Issuer (CBPII) - A payment services provider that distributes payment instruments in the form of cards, that can be used for initiating payment transactions from an account held with another account servicing payment service provider (ASPSP). An example of this is an independent card provider that allows customers to link and pay from their bank accounts. 

Competition and Markets Authority (CMA) - Competition and Markets Authority is a non-ministerial government department from which originated the open banking proposal in the UK in 2017, following the Payment Services Directive (PSD) and the CMA Retail Banking report. The report found an issue with competition in the banking industry, with established large banks obtaining customers easily, while new banks struggled to attract clients. The bank monopoly created stagnation in the industry. CMA proposed an alternative pathway on how to increase competition and innovation within banking, with open banking being the solution. The proposal led to the implementation of open banking and the PSD2 directive. 

CMA 9 - The nine leading banks in the United Kingdom, as established by the Competition and Markets Authority (CMA) as part of the UK Open Banking initiative. They were chosen based on the amount of current personal and business accounts. These banks include: AIB Group (UK) plc trading as First Trust Bank in Northern Ireland, Bank of Ireland (UK) plc, Barclays Bank plc, HSBC Group, Lloyds Banking Group plc, Nationwide Building Society, Northern Bank Limited trading as Danske Bank, The Royal Bank of Scotland Group plc, and Santander UK plc.

CMA order - A Retail Banking Report put together by the Competition and Markets Authority (CMA), investigating issues within the banking industry in 2017. 

CMA Remedies - Proposed remedies within the Retail Banking Report to combat issues with competition within the retail banking sector. These remedies also included a requirement for the UK banking industry to adopt a subset of HMT’s proposals for open banking.

Competent Authority - Within open banking, a Competent Authority is a governmental body, regulator or supervisory authority, which is tasked with managing, authorising and registering providers. 

D:

Data Standard - Refers to the data standards issued by the UK’s Open Banking organisation in compliance with the CMA order.

Dynamic client registration (DCR) - DCR allows trusted third parties to register themselves with an ASPSP dynamically.

Directory - Refers to the OBIE directory, a core aspect of the open banking system which allows participants to request and grant access to customer financial data securely, using open banking APIs.

Directory Sandbox - A testing area within the OBIE directory, which allows developers to test applications and experiment before going live. 

E:

European Banking Authority (EBA) - An independent European Union authority that regulates and supervises the area’s banking sector. Their goals include increasing transparency within the financial system and identifying existing weaknesses. 

European banking authority regulatory technical standards (EBA RTS) - Regulatory Technical Standards put forth by the European Banking Authority, which consist of detailed compliance criteria set for all parties to help improve banking aspects such as data security, legal accountability and more.

Electronic identification, authentication, and trust service (eIDAS) - A European Union regulation established in 2014, which oversees electronic identification and trust services for e-transactions. 

European Payments Council (EPC) - Founded in 2002, the council consists of banks and banking associations, working together to support and promote safe, efficient and sustainable payments in Europe. The organisation’s main development is Single Europe Payment Area (SEPA), which is an initiative to simplify bank transfers in euro currency. 

F:

Financial conduct authority (FCA) -  The regulator for financial services in the UK, helping safeguard consumers, maintain industry stability and encourage beneficial competition between financial institutions and service providers.  

G:

General data protection regulation (GDPR) - A regulation in European Union law intended to enhance and strengthen data protection.

H:

Host card emulation (HCE) - HCE is the software architecture that allows accurate virtual replicas of various electronic identification cards, such as virtual bank cards. 

I:

International Bank Account Number (IBAN) - The IBAN refers to an internationally agreed-upon method for identifying and differentiating bank accounts across different countries to improve communication and processing. The IBAN consists of alphanumeric characters, and changes based on the country where the bank account is located. 

M:

Mandatory ASPSP - Refers to account servicing payment service providers that are required to enrol in open banking according to the CMA order. 

Modified customer interface (MCI) - The method used by third-party providers, payment initiation service providers and account information service providers to access bank accounts via an online portal instead of APIs. 

O:

Open API - Also called a public API, this is an application programming interface which is a free and publicly available way for developers to access private software applications. 

Open Banking Ecosystem - All of the elements that make it possible to conduct open banking services are referred to as the "open banking ecosystem." This covers API standards, governance, systems, processes, security, and procedures used to assist participants.

Open Banking Implementation Entity (OBIE) - The Open Banking Implementation Entity, also known as Open Baking Limited is the organisation responsible for defining and developing the needed APIs, security, and messaging standards that form the basis of open banking. The organisation does this in collaboration with the CMA9 banks and other stakeholders.

Open Banking Services - Open banking services provided to participants by Open Banking, which includes the provision and maintenance of the Standards and open banking directory.  

P:

Participant - Refers to an entity or individual that currently participates in the open banking ecosystem, be it an API provider, API user, account servicing payment service provider, or third-party provider.  

Payment Initiation Services Provider (PISP) - A payment initiation services provider, can access customer bank accounts with their consent, and initiate payments on their behalf directly from their accounts, without the use of a payment card.

Payment Services Provider (PSP) - Payment services provider is a more general term referring to a third-party company which enables businesses to accept online payments in a secure way. This includes AISPs, PISPs, CBPIIs and ASPSPs.

Payment Services Regulations (PSR) - Payment Services Regulations put forth in 2017, are the United Kingdom’s implementation of the PSD2 directive. These regulations affect but are not limited to banks, independent card issuers, account information service providers and payment initiation service providers. 

Payment Services User (PSU) - A payment services user is a person or legal entity which uses payment services in any way, as a payer or payee, or both. 

Primary Business Contact (PBC) - A representative nominated by an entity to be responsible for accessing the open banking directory on the behalf of the entity, as well as nominate other directory business users. This is typically a senior member of staff in charge of open banking systems and controls. 

Primary Technical Contact (PTC) - A representative nominated by an entity to be responsible for accessing the open banking directory on behalf of the entity, as well as nominate other directory technical users. This is typically a senior member of staff in charge of technical configuration. 

Point of sale (POS) - Refers to the time and place where a retail transaction occurred.

Q:

Qualified certificate for electronic seals (QSealC) - The certificate for electronic seals that is used for identity verification to safeguard transactional information from potential security attacks. 

Qualified trust service provider (QTSP) - A certification under eIDAS, which refers to service providers that are approved by a regulator to be able to issue certificates such as QWACs and QCSEALS. 

Qualified website authentication certificate (QWAC) - A qualified website authentication certificate (QWAC certificate) is a digital certificate that complies with the eIDAS Regulation's trust services requirements.

R:

Read/Write API - Refers to an application programming interface (API) which allows third-party service providers to request bank account information, such as transaction history, with the end-user’s explicit consent.  

Read/Write Data - Data including transactional information that is made available by account servicing payment service providers, in accordance with the read/write data standard. 

Revised Payment Services Directive (PSD2) - PSD2 is a European regulation that covers electronic payment services that was implemented in 2018. It is the updated version of the original Payment Services Directive (PSD1) and it focused on stimulating competition in the financial industry and enhancing the quality of services provided, while protecting the end user.

Risk-based authentication (RBA) - Risk-based authentication a security measure which uses an algorithm to assess each login attempt based on the likelihood of an account breach. If a login seems suspicious for any reason, RBA requests for the user to perform an additional identification check, for example through using biometrics, to verify their identity.  

S:

Screen Scraping - A legacy method for connectivity that requires account holders to share their bank passwords or access credentials with a TTP, which then stores the credentials to access the account holder's bank account through the online banking interface and copies the information from the online banking interface.

Small and Medium-sized Enterprises - Small and medium sized businesses based on the criteria provided by CMA, with a turnover of less than £6.5 million per year. 

Standards - Data and Security Standards that ASPSPs must follow in order to provide Read/Write APIs.

Strong Customer Authentication (SCA) - Strong Customer Authentication (SCA) is a rule that came into effect as part of the PSD2 regulation. It requires the process of authentication within financial services to be created in a way where two or more of the following security elements are used: knowledge (something the user knows, such as a pin code or password), possession (something the user has on them, such as a phone or application linked to their bank account) and inherence (something only the user would have on themselves, such as a fingerprint). The idea is that all these elements are independent from each other, and only the account owner will have access to all three. If one of the security elements were to be compromised, the rest of the security measures would still be protecting the account. 

Sweeping - Sweeping refers to the automatic transfer of funds between two accounts done for the benefit and in the name of the customer, such as between their personal current and savings accounts. 

T:

Third-party provider (TPP) - Third-party providers are companies or individuals, such as AISPs and PISPs who utilise APIs built in accordance with open banking standards to gain access to customers' accounts in order to provide account information services and/or make payments on the customer’s behalf. 

V:

Variable Recurring Payments (VRPs) - VRPs allow customers to safely connect authorised payments providers to their bank accounts, to make payments on the customer’s behalf within agreed-upon limits. 
Voluntary ASPSP - Account servicing payment service providers that have chosen to take part in open banking voluntarily, without being required to do so, to utilise open banking standards to develop their own APIs, access the open banking directory and take advantage of the related operational support services.