Europe’s new API rules lay groundwork for regulating open banking

The U.S. banking system risks being left behind by the European Union and the United Kingdom when it comes to open banking.

The EU and the U.K. have both passed laws that explicitly require their banks to create application programming interfaces and open those APIs to third-party developers. And banks in the U.S. should take notice.

These new laws are paving the way to standardization for open banking which could lead to rapid innovation and a competitive advantage for the European banking system.

These new laws are also more friendly to fintech companies as it streamlines access to a growing network of bank data. Fintechs within the U.S. must create individual data sharing agreements with each bank partner, and the negotiations for each partnership can be resource intensive.

However, in the EU a fintech can get access to all bank APIs through registering as an account information service provider (AISP) or payment initiation service provider (PISP). This could create a situation where the U.S. may lose out on technology investments and see innovative financial professionals leave the nation to work in the rapidly advancing open-banking environment within the EU.

The new European laws will also encourage investment and innovation outside the U.S. by creating standards and reducing uncertainty for smaller tech companies. The EU’s second Payment Services Directive (PSD2) is compelling European banks to create best practices in APIs, vendor integration and data management.

For example, the European Banking Federation has made it clear that they believe the new PSD2 laws require banks to adopt APIs and move away from screen scraping. This interpretation favors companies that create bank APIs like Plaid, which recently said it would be acquired by Visa for over $5 billion.

Plaid has focused on creating a system of interfaces analogous to an open banking highway system by connecting developers and financial institutions using APIs to integrate banks with cutting-edge applications. However, this may put regional and community banks at a disadvantage as screen-scraping technologies are cheaper and have been in place for more than a decade.

The U.K.’s Competition and Markets Authority (CMA) requires banks to allow authorized third parties access to customer account data. The CMA created the Open Banking Implementation Entity (OBIE) in 2016 to deliver open banking.

The OBIE has since created standards for APIs, security, messaging and processes for managing disputes. The OBIE has also created the Open Banking Directory to register and supervise third-party providers. These initiatives may reduce uncertainty through standardization and make it easier for fintechs to create financial solutions.

There are currently no such requirements in the U.S. that mandate banks adopt open-banking standards, but there are none that expressly prohibit it either. Certainly, all banks must continue to abide by existing regulation, including consumer protection laws, fair banking regulations and privacy laws.

Implementing existing laws within an open banking business model will require legal interpretation and regulatory innovation. Examiners in the U.S. may find themselves temporarily in catch-up mode to their European counterparts.

Also, U.S. banks that embrace open banking may face regulatory uncertainty. At the very least, domestic banks must ensure that third-party applications using their banking services provide the appropriate disclosures to comply with consumer protection laws, and abide by fair banking regulations.

New privacy laws, such as the California Consumer Privacy Act, require that banks with customers in California balance data protection with data sharing.

Each open bank will have to establish a robust data management strategy that enables open banking while complying with the evolving privacy landscape. For example, U.S. banks are currently required to collect and store data related to anti-money-laundering laws.

Complying with these regulations can be done through thoughtful onboarding, robust partner monitoring, flexible data management and creating compliance APIs for every open financial service. Banks that move toward open banking will have to create third-party monitoring that incorporates compliance with laws that impact data sharing, data retention and privacy.

The regulatory environments for open banking between the United States and Europe are vastly different. While the EU and U.K. are requiring banks to adopt open banking, the U.S. leaves the decision up to the private sector. Because of this, the standards being created by the EU and U.K. could become the de facto practices for the U.S.

Finally, innovative third-party developers may gravitate toward the European and U.K. markets due to the clear standards and regulatory certainty for open banking. These factors may force American banks to keep pace with their European counterparts.

Editor's note: This BankThink is the fourth in a four-part series on open banking. The first explained the process to becoming an open bank, the second looked at common pitfalls with third-party vendors and the third examined the most common risks.

The opinions expressed in this article are those of the authors, intended for informational purposes only, and should not be attributed to Regions Financial Corporation or any of its subsidiaries or affiliates, including Regions Bank. Any representation to the contrary is expressly disclaimed.