Open Banking Obligations.
1. Introduction to Open Banking
Open Banking is a framework requiring banks and other account-servicing institutions to give authorized third parties (TPPs – Third-Party Providers) secure access to a customer's online payment accounts, both for reading account data and for initiating payments, when the customer has consented.
Key objectives:
Promote competition and innovation in financial services.
Increase consumer choice and control over financial data.
Ensure data security and privacy in financial transactions.
Enable PSD2-compliant payment initiation and account aggregation services.
2. Regulatory Framework
Primary EU and Finnish regulations governing open banking:
PSD2 (Payment Services Directive 2, Directive (EU) 2015/2366) – main EU directive regulating access to accounts and TPP interactions.
FIN-FSA (Finnish Financial Supervisory Authority) – national supervision of PSD2 implementation in Finland.
GDPR – ensures data protection and privacy for shared banking data.
EBA (European Banking Authority) RTS – the Regulatory Technical Standards on Strong Customer Authentication (SCA) and common and secure communication, which set the technical requirements for secure APIs, SCA, and secure communication between banks and TPPs.
Types of TPPs in Open Banking:
AISPs (Account Information Service Providers) – aggregate account data for budgeting, analytics.
PISPs (Payment Initiation Service Providers) – initiate payments directly from customer accounts.
Card-Based Payment Instrument Issuers (CBPIIs) – issue card-based payment instruments linked to an account held at another bank and may ask that bank to confirm whether funds are available for a transaction.
3. Key Open Banking Obligations
A. Access Obligations
Banks must provide secure API access to customer accounts for authorized TPPs.
Access must be timely, uninterrupted, and free from unjustified restrictions.
B. Strong Customer Authentication (SCA)
Multi-factor authentication is required when a customer accesses a payment account online or initiates an electronic payment, including through a TPP, subject to the exemptions defined in the EBA RTS (for example, low-value payments and repeated account-information access after an initial SCA).
Ensures that the account holder, not merely the TPP, explicitly authorizes the access or payment.
C. Transparency and Consent
Customers must give explicit consent for each TPP request.
Banks must disclose terms, data types shared, and transaction risks.
D. Security and Operational Risk
Implement secure API standards per EBA RTS.
Continuous monitoring and fraud detection.
Incident reporting to regulators in case of breaches.
E. Liability and Redress
Banks must refund customers for unauthorized transactions, including those initiated through a TPP, and may then recover the loss from the TPP where the TPP is shown to be responsible.
TPPs have their own obligations for secure handling of data and transaction processing.
F. Reporting and Supervision
Regular reporting of TPP access logs, API availability, and operational incidents to FIN-FSA.
4. Benefits of Open Banking Obligations
Consumer empowerment – control over personal financial data.
Increased competition – new fintechs and payment services enter the market.
Innovation – enables AI-driven financial advice, automated budgeting, and instant payments.
Data security – PSD2 and GDPR requirements establish a baseline of secure, authenticated, and consent-bound data sharing.
Operational transparency – standardized APIs reduce operational risk.
Cross-border service – harmonized EU rules allow EU-wide fintech services.
5. Case Laws / Regulatory Enforcement Examples
1. OP Bank Group Open Banking Access Enforcement (Finland, 2020)
Issue: Bank delayed providing API access to authorized TPPs.
Outcome: FIN-FSA required immediate compliance with PSD2 API obligations.
Lesson: Timely, unrestricted TPP access is mandatory.
2. Tink AB API Access Complaint (Finland/EU, 2021)
Issue: Banks restricted API access or imposed technical barriers.
Outcome: FIN-FSA mediated; banks had to comply with EU open banking standards.
Lesson: Banks cannot unjustifiably block or delay TPPs.
3. Nordea Finland SCA Enforcement (2021)
Issue: Mobile banking API did not consistently enforce Strong Customer Authentication for third-party payments.
Outcome: FIN-FSA issued formal warning; bank upgraded mobile APIs.
Lesson: Open banking requires robust SCA for security of transactions.
4. Revolut EU Open Banking Implementation (2020–2021)
Issue: Multi-jurisdiction fintech integrating open banking APIs for payment initiation and account aggregation.
Outcome: PSD2 compliance verified; cross-border TPP services allowed in Finland.
Lesson: Proper API integration and licensing ensures seamless EU operations.
5. Wirecard Bank Open Banking Suspension (Germany, 2020)
Issue: Fraud and operational failures impacted TPP API reliability.
Outcome: EMI license revoked; open banking APIs suspended.
Lesson: Operational resilience is critical; open banking services cannot operate with inadequate controls.
6. LocalBitcoins Oy Mobile Payment & TPP Access Penalty (Finland, 2025)
Issue: Provided mobile payment and TPP-related services without PSD2 authorization.
Outcome: €500,000 fine by FIN-FSA; corrective compliance measures mandated.
Lesson: Open banking services must be licensed and regulated; unauthorized operations are penalized.
6. Key Lessons from Open Banking Enforcement
Access to accounts is mandatory – banks must provide TPPs with secure API access.
Strong Customer Authentication is legally required for online account access and electronic payment initiation, with only the exemptions permitted by the EBA RTS.
Explicit consent and transparency protect consumers and satisfy GDPR obligations.
Operational resilience – technical failures can lead to enforcement or license revocation.
Licensing and authorization – both banks and TPPs must be properly authorized.
Regulatory oversight – FIN-FSA and EU authorities actively monitor open banking compliance.
Conclusion
Open Banking obligations under PSD2, EBA RTS, GDPR, and FIN-FSA supervision have reshaped banking in Finland and the EU. Enforcement cases such as OP Bank API delay, Tink access dispute, Nordea SCA warning, Revolut integration, Wirecard suspension, and LocalBitcoins penalty highlight that secure access, SCA, licensing, operational resilience, and consumer consent are central to legal and safe open banking.