
International Open Banking Regulation

EU Payment Services Directive 2007/64 (“PSD1”), which began to apply in 2009 across the European Union and in Iceland, Norway and Liechtenstein, created the legal basis for payment service providers that would compete with banks in the payments space. PSD2, which expanded PSD1’s scope, entered into force on 12 January 2016 and gave a legal footing to two new payment services within open banking:

  • Payment Initiation Services (PISP): initiating a payment order, at the user’s request, in relation to an account held at another payment institution; and
  • Account Information Services (AISP): providing consolidated information online about one or more of the user’s accounts held at other payment institutions.

Member states were also given until 13 January 2018 to transpose this directive into their domestic legislation. Under PSD2, all providers offering payment initiation or account information services must be authorised by the competent authorities in their own countries under the conditions set out in the directive, and must be registered with the European Banking Authority (“EBA”), which is responsible for the application of rules on financial institutions in the EU. One of the most important points introduced by the new rules is that data sharing under open banking is no longer left to banks’ initiative — banks are required to share data.

PSD2 also sets out a series of obligations for PISPs and AISPs. Where PISPs and AISPs act solely to provide these two services, they do not hold customer funds and so are not subject to capital adequacy requirements; nonetheless, to ensure they carry out their activities without disruption, they are expected to take out professional indemnity insurance — the minimum amount of which is set by the EBA according to the size of the activity — or provide a comparable guarantee. In addition, both types of provider must have no access whatsoever to credentials such as usernames and passwords that would allow login to the relevant bank’s system, and must communicate with all parties through secure means. Both AISPs and PISPs must obtain the customer’s explicit consent before providing the service, and — just as in Turkish law — the customer has the right to withdraw that consent or limit its scope at any time. PISPs must also inform the customer about each transaction, while AISPs may only access the information provided to them by the bank. In terms of liability, PISPs are jointly responsible with the customer’s bank for the complete and timely execution of the payment.

Some obligations to which AISPs and PISPs are subject:

  • Obtaining authorisation from the relevant country’s competent authority
  • Registration with the relevant register in the member state
  • Professional indemnity insurance
  • Restricting access to user credentials
  • Ensuring secure communication
  • Obtaining explicit consent

In the EU, the Regulatory Technical Standards (“RTS”) complement PSD2: they set out the technical requirements for strong customer authentication and for secure communication in payment services, and also determine the measures to be taken on matters such as data sharing, transaction security and the interfaces to be used. This legislation setting out the technical measures entered into force in the EU on 14 September 2019.

It would not be wrong to say that the United Kingdom actually led the way in implementing the open banking services that are PSD2’s biggest innovation. Through the Open Banking Implementation Entity (OBIE), established by the Competition and Markets Authority (CMA) — the UK authority for competition and consumer protection — many initiatives were carried out to guide the financial sector on data sharing and transaction security in open banking. Moving ahead of all other countries, the UK put into force, as of January 2018, the standards for the APIs and similar channels to be used for data sharing under open banking.

Open banking has also recently begun to find a place in the legislation of various countries, driven by new regulations, regulatory authorities and industry associations. For open banking to become widespread, data sharing by banks is mandatory, as in the EU, in some countries that have regulated open banking infrastructure, such as Japan and Mexico. In countries such as the US, China, Argentina, Singapore, Hong Kong and South Korea, sharing is encouraged but not mandated. On standardisation of the APIs and similar channels to be used for sharing, some EU member states, such as France, Germany and Poland, have followed the UK by creating their own standards.

Frequently asked questions

How is open banking regulated internationally?

In Europe, the PSD2 directive made open banking mandatory; the UK has its Open Banking standards and the US has the CFPB 1033 rule. All are based on consent, security and API access.

What is PSD2?

PSD2 (the second Payment Services Directive) is the EU regulation that requires banks to open account data and payment initiation to licensed third parties with user consent.

What do PSD3 / PSR bring?

PSD3 and the accompanying Payment Services Regulation (PSR) are an update to PSD2 aimed at strengthening API quality, fraud prevention and data-access rights.

What is FAPI 2.0?

FAPI 2.0 (Financial-grade API) is a high-security profile for financial APIs; it is built on OAuth 2.0 and secures data/payment access in open banking. Kobaküs conforms to this standard.

What is strong customer authentication (SCA)?

SCA is a security rule requiring the user to be verified with at least two independent factors (e.g. a password + phone approval); in open banking every access and payment is approved at the bank with SCA.

Does Türkiye align with these international standards?

Türkiye's framework rests on the same foundations as PSD2/Open Banking (consent, strong authentication, secure APIs). The Kobaküs infrastructure aligns with these international technical standards and suits multi-country use.