MAGYAR NEMZETI BANK
4.5 OPEN BANKING AND OBSTACLES RELATED TO THE APPLICATION OF APIS

So far, open banking, the great innovation of the PSD2, has been able to spread only to a limited degree, as the international regulation is not specific enough in terms of the application programming interface (API) to be implemented, on the one hand, and banks may hinder new actors in various ways, on the other hand. As of 14 September 2019, with the customers’ consent, banks have to provide access to customer data, which represent significant assets for them, and assign some of the online customer interactions, which are also valuable, to third-party providers. Nevertheless, some banks support third-party providers only up to the degree of minimum compliance with the law.

In addition, banks can also hinder third-party providers’ activities in many ways. This is not necessarily deliberate, and may also originate from previous inappropriate practice or wrong interpretation of statutory instruments. The most frequent method of hindering is that banks design the API to be provided to third-party service providers in a way that causes inconvenience to customers who use it or to third-party providers. One of the inconveniences is when customer authentication is more complicated through the API than it would be if the customer accessed the account through the bank (e.g. the bank requires more than two factors during customer authentication). A frequent obstacle is when the API enforces the typing in of the number of the payment account instead of selecting the account intended to be used for performing the payment transaction. In certain cases the bank requires further customer consent in addition to customer authentication for having access to the account, which is also an obstacle. In the case of open banking a basic principle is that the authentication procedures that are available for the customer upon the direct online access to the bank (biometrics, mobile application, text message, token etc.)
have to be available through the API for the customers of the third-party provider as well, but this requirement is not always completely complied with either. It is also considered an obstacle if the bank requires any complementary registration from the third-party provider in addition to the eIDAS certificate.52

There are cases that are not considered an obstacle according to the law, but are deemed to be one by third-party providers. Related to that is the permissive rule pursuant to which, in the case of account information service, following strong customer authentication it is possible to access the balance and the account history for 90 days even without another strong customer authentication. It happens, however, that banks do not allow it. At the same time there is no legal obstacle to that, as ensuring it is not a requirement, only a possibility related to the exemption from strong customer authentication.

The MNB worked out a complex action plan to support the spreading of open banking and remove the obstacles. Accordingly, it also issues an MNB recommendation about hindrance, and conducts sector-level API inspection. Obstacles are perceived not only in Hungary; it is a problem present at European level. Realising that, in June 2020 the EBA explained its position concerning obstacles in its European Banking Authority opinion, and the MNB formulated it as an expectation for the Hungarian banking sector in an executive circular dated 13 July 2020. Following the publication of the executive circular, during its payment audits and based on market feedback the MNB experienced that solutions that prevent and hinder open banking are still present, and therefore considered it necessary to take further steps in order to support the spreading of open banking. Accordingly, in 2021 the MNB launched a targeted API inspection with a technical focus, during which the API created by the 10 largest banks is examined in order to have a real ‘snapshot’ of the current state, thus allowing the central bank to take administrative measures if necessary. Moreover, in order to increase the predictability of the application of law as well as to promote the uniform application and the prevailing of the relevant legislation, the MNB prepared a recommendation in which it clarifies which practices it considers obstacles and which it considers good solutions. After the professional consultations the MNB recommendation53 was published on 1 July 2021.
With that, the MNB will withdraw the previous executive circular, and will also transpose its contents, which are loosely related to obstacles, into the recommendation.

Further steps, mainly of standardisation, may also be necessary to fully exploit the potential inherent in open banking. The market is uniform in the current regulatory environment, but access is fragmented both technically and from the process side as well, i.e. there is no uniform standard or scheme regarding the operation of APIs. Therefore, to build out relations with account providers, actors (including credit institutions) that provide account information services and payment initiation services need to implement as many separate improvements as many different API implementations exist
52 Compliance certificate regarding the licence to provide payment services under Regulation EU No 910/2014 on trust services (eIDAS)
53 https://www.mnb.hu/letoltes/10-2021-akadalyozasrol-ajanlas.pdf
PAYMENT SYSTEMS REPORT • JULY 2021