Account Information Service Providers vs. Grandfathering in the wake of Open Banking: What you need to know

Open Banking came into effect on January 13th 2018. So why didn’t everything change overnight? And why is there still so much confusion over the regulations and permissions involved with APIs? In a sentence, the reason is that the rules for the roll-out, or transitional, period, are complicated.

Banks have now begun their managed roll out, or ‘beta’ period, to test their APIs with FCA regulated third parties who have permissions as Account Information Services Providers (AISPs). All banks must provide their APIs by September 2019, and the UK’s nine biggest banks and building societies – the CMA9 – must have their APIs ready to go by April 2018. Meanwhile, until an API is available for AISP third parties, banks must allow screen-scraping by ‘grandfathered’ third parties only.

Third-party applications which were using screen scraping as part of their business model before January 2016 are considered to be ‘grandfathered’ and can screen scrape and aggregate banking information until September 2019. However, these third parties will not have access to banking APIs until they are regulated as AISPs. Screen scraping is the least satisfactory way to gather financial data, and ideally should be the last resort for these third party applications – APIs provide the most reliable and up-to-date service that can be offered to customers.

However, according to the FCA, any bank that has provided a publicly available API to those who are AISP regulated is within its legal right to block screen scraping. This means that if a third party application is still using screen scraping and is relying on grandfathering rights to gather financial data over the period to September 2019, the bank could block it if it provides its API at any time before then. It is the third party company’s responsibility to get AISP regulated and start connecting to APIs as and when they become available.

Therefore, third parties who are relying on their grandfathering rights to provide a service to their customers with the intention of carrying on until September 2019 might get a very nasty surprise at any time between now and then.  Whenever a bank decides to block screen scraping, they might have to cut their services short and leave their customers floating. (There is a view in the industry that banks won’t block screen scraping before September 2019, but it’s important to be clear that they do have every right to, and third parties should be aware and ready for this.)

And then what about challenger banks like Starling and Monzo? Challenger banks have APIs, but they don’t conform to the Open Banking Standard, and they don’t have to allow screen scraping. So if a third party plans to aggregate financial data for the CMA9 and also for the challenger banks, becoming AISP regulated and setting up APIs is the only way to do it.

Either way, no matter if the API is coming from the CMA9, a challenger bank, or any other bank for that matter, third parties still have to code around it to integrate it into their technology. It’s not as simple as flicking a switch, and customers of these third parties should be aware that APIs can only be set up as fast as they become available, and as quickly as developers can incorporate them. This means that third parties are at the mercy of banks, and have to set up APIs in a way that is accommodating for everyone involved. For instance, since getting AISP regulated, Moneyhub has now started testing six of the CMA9’s APIs for customers using the app and has started setting up challenger banks as well.

Bear in mind, too, that not everyone who applies to be AISP regulated gets approved. Third parties need to have strict internal and external security procedures and frameworks in place, and to meet the very latest customer authentication models. For instance, at Moneyhub we had to provide extensive detail of our security protocols, such as our compliance with ISO-27001 information security procedures, and our use of the OAuth 2.0 and OpenID Connect standards to enable token based authorisation for all our internal services, ensuring that we don’t rely on perimeter security alone. These are just two examples of the lengths required to become AISP approved, and what is needed to have a realistic opportunity of gaining AISP regulatory approval. Some third parties in the market today that are screen-scraping accounts have already been rejected, and the FCA has said it only expects to see 15-20 companies with AISP regulations in the UK.

 

By Alice Dingle, Content Curator at Moneyhub Enterprise