Bryan Cave Leighton Paisner Banking Blog

Open Banking

Open Banking: A Practical API Licensing Primer

This post is the fourth and final in a series discussing Open Banking, its implementations, and its implications. The start of the series is here, and all of the posts in the series are available here.

In the United States, “open banking” does not yet mean that bank account and transaction data can be freely accessed on standardized terms—though it may in the future. For now, those who allow financial data to be accessed through APIs can impose their own conditions on that access. As we have described in this blog series, without further regulatory intervention, in the U.S. API access is principally a contractual matter. For these purposes, we will refer to “providers” as those making API data available and “users” as those intermediaries accessing that data in order to deliver services to consumers or other clients. Although bank partnerships are subject to established contract standards, we will focus in this post on key issues that arise specifically in the course of the API licensing and access process.

APIs made available for free may be provided pursuant to “licenses” or may alternatively be provided pursuant to a “terms of use” document that sets forth the conditions under which use is permitted. Under either approach, if the user refuses to accept the terms, then use is barred. APIs made available for a fee may also be governed by “terms of use” but these terms may be negotiated as a license or service agreement. There, traditional assumptions about bargaining power often play out, with the dominant players typically demanding conformity.

Gating Considerations for API Access Terms

Particularly when the API license is presented as a take-it-or-leave-it agreement, the terms are often written to protect the provider from any liability for an offering from which the provider derives no or limited direct financial benefit. Users that will be paying for access may do so on a “per transaction,” “per user,” or some other basis; when the user pays money, the user understandably has more leverage over other contract terms. Either way, prospective users need to consider at least the following:

How is Open Banking Regulated?

April 25, 2019

Authored by: Barry Hester and John Bush

In previous posts in our BankBCLP.com series on this topic, we’ve attempted to define “open banking” and the ways in which it is attracting increasing industry attention through open APIs.  As our series continues, we describe how open banking is or may be regulated, as well as its critical licensing and intellectual property implications in practice.

As we have previously described, at least in the United States, “open banking” is more of a sweeping term of art than a distinct practice or product.  As a result, its legal and regulatory implications are potentially wide-ranging.    

In the United Kingdom, “Open Banking” is a more precise legal term for a sharing framework that the Competition and Markets Authority (CMA) has introduced for the stated purposes of increasing competition and expanding customer control over financial data.  In 2017, the CMA began to implement this framework by requiring the nine largest banks and building societies in the U.K. to begin sharing certain customer information with registered third-party providers (with customer consent).  In its earliest stages, this data sharing requirement was limited to data specific to the institution, as opposed to its customers, such as branch and ATM locations.  Subsequent stages have focused on transaction histories and even payments APIs.  These stages provide an early look at some of the more tangible consumer-oriented use cases for open banking.  For example, third-party applications can facilitate real-time bank location or price comparison shopping.

Importantly, under Financial Conduct Authority (FCA) implementing rules, the providers to whom this access is granted must be approved as a form of payments business or specialty service provider in the U.K. or in another jurisdiction under certain passporting provisions.  In any case, this will subject the provider to direct supervision and examination by a U.K. or EU regulator.  This framework dovetails with the European Union’s revised Payment Services Directive (PSD2) data security regulation in that these registered providers must specifically demonstrate PSD2 compliance.  The CMA is touting Open Banking as a secure, transparent means of providing consumers with more control over their finances. 

Other jurisdictions are taking a similar, top-down approach to open banking.  Australia is mandating that its four largest banks make certain banking information available on a “read only” API basis beginning July 2019.  India’s Unified Payments Interface (introduced August 2016) is an open API-based platform for real-time payments.  It ties to the government’s policy goals of minimizing the use of cash, promoting digital identity, and leveraging mobile devices in a rapidly developing economy.  Hong Kong published an open API framework in July 2018.  On the other end of the spectrum, China and Singapore are taking a more industry-driven approach.  China’s extensively cashless and mobile economy is incorporating open banking as a market response, rather than by regulatory mandate.

Open Banking: What are Open APIs?

April 11, 2019

Authored by: John Bush and Barry Hester

This post is the second in a series discussing Open Banking, its implementations, and its implications.  Part 1 is here.

APIs or “Application Programming Interfaces” are everywhere in ecommerce, and they provide the building blocks in the primordial soup of innovations that may stem from open banking. 

Among other roles, APIs provide a protocol allowing one computer system to talk with another.  For example, The Weather Channel (“TWC”) has invested heavily in providing detailed meteorological information and forecasts by region.  TWC could conceivably require people to visit its website as the exclusive way to access this information.  Instead, however, TWC permits some of its information to be accessed automatically across apps, websites, and services and in ways third-party developers can predictably map (e.g., certain tagged data reflects values like “75°F” or “Partly Cloudy”).  TWC has determined such use advances the TWC business plan.  Conversely, the developers of apps, websites, and services have determined using the TWC API is superior to reinventing what TWC has accomplished—or not offering weather information at all. 

Without an API, a third party could create a bot to visit the TWC website and automatically “scrape” the information, but such an approach poses risks.  First, even a slight change to the TWC website could cause the bot to misunderstand which data it is supposed to scrape.  Second, such an approach raises contractual and copyright risks.  See, e.g., Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp.2d 1096 (C.D. Cal. 2007) (granting injunctive relief on grounds that defendant infringed copyright and terms of use through automated screen-scraping of Ticketmaster’s site in order to facilitate its own large-volume ticket brokerage).  Third, this conversion step fails to capture the richer, more reliable, and more on-point data TWC is willing to make available via its API. 

What is Open Banking, and What are its Implications?

This post is the first in a series discussing open banking, its implementations, and its implications. 

“Open banking” is a phrase that has been coined to capture a current theme in financial sector innovation – one that some say is going to revolutionize banking.  For years, banks have given their customers increasing access to account information.  Now, with open banking, the access is opening to the point where customers can potentially obtain financial services in entirely novel ways, and the customer’s expectations of their bank may shift. 

The push to open consumers’ financial data goes back decades.  In the 1990s and 2000s, financial institutions began giving customers online access to their accounts—and instantaneous access to information previously reserved for monthly statements. Card-based transactions gradually shifted away from signed papers with carbon copy receipts to electronic devices.  With rapid access to financial information, debit cards that could immediately draw on bank accounts became more feasible.  Meanwhile, third-party vendors, such as Intuit, Microsoft, and Checkfree, were among the providers who encouraged institutions to go even further by making financial data available in a format that could be imported into their software; their work led to the promulgation of the Open Financial Exchange (“OFX”) data stream format, among others. 

In the past 10 years, the priorities in data exchange have incorporated the agenda of government proponents. Notably, in 2016, a U.K. regulatory authority required the country’s nine largest banks to allow certain registered third-party developers to access certain customer data. In 2018, the European Economic Area began implementing the Second Payment Services Directive (“PSD2”), including its goal to provide financial data through a central register. In the United States, the Consumer Financial Protection Bureau has expressed its view that consumers should have timely, secure, and transparent access to their financial account information and to data sharing opportunities. During this same time, digitization has accelerated to unprecedented levels in all facets of life and commerce, and data privacy risk awareness and regulation have emerged.
