
How does Open Banking work?

To understand how open banking works, it helps to first touch on the secure intermediary that makes it possible: the Application Programming Interface, or “API”.

In short, an API can be defined as “intermediary software that lets two applications communicate with each other.” For financial services, an API is a technology that lets an application built on a financial institution’s website be used by different programs belonging to third-party providers — while keeping code and user credentials confidential. Within open banking, the financial information that banks hold about a given customer is opened — subject, of course, to the customer’s consent and authorisation — to third-party firms, making it possible to offer the customer a range of financial services.

In some countries, “screen scraping” — reading the information belonging to a particular person on a website and using it on another platform — is already used for many types of online services (for example air travel and accommodation), including financial services. For financial services, however, this method requires the customer to share with third parties the credentials and passwords needed to log into their bank’s online banking system. That creates serious security issues, such as breaches of data security and difficulty for banks in distinguishing fraudulent transactions. Even so, the method continues to be used for financial services in many countries.

In Türkiye, the main obstacle to applying such a method to financial services stems from the obligation that Banking Law No. 5411 imposes on banks not to disclose customer secrets to third parties. Even where laws create an exception to this obligation — or where, with the customer’s consent and the customer’s separate request and instruction following the 20 February 2020 amendment to the Banking Law by Law No. 7222, information may be shared in certain cases — the sharing must be limited to the stated purposes, and only as much data as those purposes require may be shared, in line with the principle of proportionality. Given that, with screen scraping, the customer credentials shared and the customer-secret data accessible to third parties are unlimited and therefore disproportionate, applying data sharing via screen scraping to financial services in Türkiye would inevitably raise legal problems.

Let’s return to the API. This is precisely where secure interfaces such as APIs become important for delivering open banking services to customers. EU Payment Services Directive 2015/2366 (“PSD2”) — which laid the foundations of open banking in Europe and, indeed, globally — generally left the choice of technology to the parties. But the regulation setting out PSD2’s technical standards states that a secure, dedicated interface (such as an API) must be used for the data access banks provide to third parties under open banking. Similarly, in Türkiye, the “Regulation on Banks’ Information Systems and Electronic Banking Services,” which entered into force on 1 July 2020, defined open banking services for the first time and also referred to sharing via APIs.

APIs are secure because the customer’s credentials cannot be learned by third-party providers, and because data sharing takes place only to the extent the customer requests and for the period the customer permits — keeping control of the data entirely with the customer, who owns it.

Reaching broad agreement that open banking will be carried out over secure interfaces such as APIs is unfortunately not enough to implement it properly. Here, it is important that the sharing done over these interfaces be subject to a certain standard. As with PSD2, regulations recently created in the United Kingdom — a pioneer of open banking — have begun to shape the standardisation of data sharing.

Many financial institutions around the world have opened their APIs to keep up with the financial-technology revolution. As elsewhere, in Türkiye some financial institutions have opened their APIs unilaterally and are running API-gateway trials, while some banks prefer to open their API portals via technology companies. At the same time, both banks and fintech companies have expectations around clarifying issues such as standardisation of data sharing, data security, and the products and services that open banking will cover.


Frequently asked questions

How does open banking work step by step?

The user selects their bank in an app → authenticates and approves consent on the bank's secure screen → the app accesses only the permitted data/action via the bank's API. Every step is based on consent and strong authentication.

What role do APIs play?

APIs let apps talk to banks in a standard, secure way. Kobaküs unifies 850+ banks' APIs behind one standard interface, so you don't integrate with each bank separately.

Do I share my bank password with a third party?

No. Authentication always happens at your own bank; the app only receives a secure access token and never sees your password.

How long does consent last?

Consent is time-bound and scoped (e.g. for specific accounts and a set period). It must be renewed when it expires, and you can cancel it anytime.
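As an added example (not code from the original post, and not Kobaküs's own implementation), here is a minimal Python model of the consent flow the FAQ describes: the user authenticates only at the bank, the bank issues a token bound to specific accounts, scopes and an expiry, and the bank's API enforces scope, expiry and revocation on every call. The user, password, account ids, scope names and signing key are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo data: a bank-side credential store and a signing key the
# bank never shares. The third-party app (TPP) sees neither of these.
BANK_SIGNING_KEY = secrets.token_bytes(32)
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
REVOKED = set()  # consent ids the customer has cancelled


def _now(now):
    return time.time() if now is None else now


def _sign(body: str) -> str:
    return hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def bank_authorize(user, password, accounts, scopes, ttl_s, now=None):
    """Step 2: authentication and consent happen on the bank's side.
    Returns a scoped, time-bound token, or None if the password is wrong."""
    if USERS.get(user) != hashlib.sha256(password.encode()).hexdigest():
        return None
    consent = {"id": secrets.token_hex(8), "sub": user, "accounts": sorted(accounts),
               "scopes": sorted(scopes), "exp": _now(now) + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(consent, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def bank_api(token, account, scope, now=None):
    """Step 3: the bank serves a TPP request only within the consent bounds."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return "invalid_token"
    if not hmac.compare_digest(sig, _sign(body)):
        return "invalid_token"      # tampered or forged token
    consent = json.loads(base64.urlsafe_b64decode(body))
    if consent["id"] in REVOKED:
        return "consent_revoked"    # customer cancelled consent
    if _now(now) > consent["exp"]:
        return "consent_expired"    # time-bound: must be renewed
    if account not in consent["accounts"] or scope not in consent["scopes"]:
        return "out_of_scope"       # only the permitted data/action
    return "ok"


def revoke(token):
    """The customer cancels consent at any time; the token stops working."""
    REVOKED.add(json.loads(base64.urlsafe_b64decode(token.split(".")[0]))["id"])
```

Note that the TPP side of this flow holds only the token string; the password check and every authorisation decision live in the bank-side functions.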

Is the data real-time?

For most banks, balances and transactions are near real-time; you can pull data on demand or refresh it periodically during the consent window.

Where does Kobaküs sit in this flow?

Kobaküs is the secure infrastructure layer between your app and the banks. A licensed partner holds the AISP/PISP role that requires a license, while Kobaküs provides the technical connectivity, standardization and security.