Snippet: While planning our open banking ebook a few months ago, the need for a glossary arose. But scores of nearly identical open banking and PSD2 glossaries have existed online for years. We wanted – and needed – something a little less rudimentary.

To complement our popular open banking ebook, we needed a glossary. But scores of nearly identical open banking and PSD2 glossaries have existed online for years. We wanted – and needed – something better.

The end result: a visual glossary of elements that, in the pursuit of open banking, tells the story of an ecosystem both functional and effective, yet in a state of constant flux.    

Portraying the open banking ecosystem

With its several moving parts, dependencies, and descriptions, the open banking ecosystem is nothing short of complex. It involves the sharing of customer data with other financial institutions and third-party providers (TPPs), essentially removing barriers between competitors and enabling access to functionalities previously reserved only for banks.

PSD2, the second Payment Services Directive effective in Europe, for example, already requires banks to cooperate with TPPs and provide the necessary security. But reciprocity between banks and TPPs, or a lack thereof, has been of great concern to banks, especially under PSD2. Because PSD2 is regulatory- instead of market-driven, banks argue that giving their data away to their biggest competitors with nothing in return places them at a liability and competitive disadvantage.

The benefits of open banking are still immense, though, especially for consumers. Platform banking, a digital marketplace that relies on the sharing of customer data to offer both banking and non-banking financial services, is just one example of a product of open banking in full effect.



How is customer data obtained and shared?

Various role-players, programs and processes are involved in the collection of customer data. TPPs (third-party providers) play a central role in providing account information services, initiating payments, or both.   

  • AISPs (account information services providers), also called data aggregators, are TPPs authorized to access and view customer data and provide related services. AISPs cannot initiate payments.
  • PISPs (payment initiation services providers) are authorized to initiate payments at the request of a bank customer. This typically entails the creation of an electronic payment link between parties.
  • Customer acquisition services help banks and other financial institutions obtain new customers through methods including, but not limited to, customer referrals and loyalty programs.

Application programming interfaces (APIs) are the preferred method among banks and TPPs for accessing customer data. In short, APIs enable different pieces of software to communicate with one another, acting as a conduit of sorts for data transmission.

Screen scraping also enables access to customer data but involves the copying of data from a website using a program. Though technically allowed under PSD2, screen scraping conflicts with certain privacy laws and is not as secure as using APIs.

What about data privacy?

Privacy rights are upheld by several data protection laws including the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in the United States, the Protection of Personal Information Act (POPI) in South Africa, and many others. 

Furthermore, consent by every payment service user (PSU) is required before any TPP can access their bank account or customer data. The process of obtaining consent is normally handled by the TPP. 

  • PSUs are users of a payment service, which can be payers, payees, or both.
  • Customer data comprises more than personal or financial details, but all identifiable information that can be used for account-related purposes or even to perform know-your-customer (KYC) and due diligence checks.

Data portability, often expressed as a consumer or privacy right, allows individuals to request access to their personal data, use it for their own purposes, and share it with whomever they choose.

Security behind open banking

Finally, various standards, protocols, and technologies exist to protect consumers’ interactions under open banking. These include:

  • Authentication, the process of verifying a pre-established identity in a digital context. Importantly, Entersekt’s customer authentication solution provides cryptographic attestation of a user’s presence.
  • SCA (strong customer authentication), which banks must provide to achieve compliance under PSD2. SCA, as defined in the European Banking Authority’s regulatory technical standards, is authentication comprising two or more of the following factors: knowledge, possession, and inherence. (Here’s a handy SCA checklist.)
  • 3-D Secure, a security protocol protecting card-not-present payments that not only meets PSD2 SCA requirements but ensures a desirable mix of passive and step-up authentication, depending on risk.

To download the full infographic as a PDF, click here. If you like what you see, you’ll also enjoy our open banking ebook, which explores why open banking is still a work in progress.  

Subscribe to our blog.

Cara Visser


Cara is a high-functioning content strategy and plain language addict whose self-proclaimed purpose in life is to fill the world with good, clean, meaningful content. She loves the challenge of simplifying and translating complex information, especially if there’s something new to learn along the way.

Entersekt Logo

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.