Community

NatWest’s findings show that UK businesses increasingly see open banking as a path to enhanced security, particularly to combat fraud. But trust in the system depends entirely on the integrity of the ecosystem.At Konsentus, our Q1 2025 TPP Tracker shows that only 51% of regulated UK third-party providers (TPPs) are authorised to initiate payments on an account holder’s behalf.

That’s significantly lower than in the EEA, where 67% of TPPs (239 out of 356) have this permission. While this may suggest reduced exposure in the UK, it highlights the heightened risk that comes with payment initiation, a more sensitive and fraud-prone activity, especially in a business context where transaction values are higher.

Real-time identity and regulatory verification is essential to ensuring only properly regulated, authorised parties are allowed to initiate payments. It’s one thing for businesses to say security is their priority; it’s another to have the infrastructure in place to make it a reality!

The FCA amendments to the open banking identification requirements have very clear next steps for both ASPSPs and TPPs.

 ASPSPs must assess what changes they need to make to their systems so they can accept at least one alternative form of digital certificate (in addition to eIDAS Certificates).  Any changes that need to be made must be implemented as soon as possible ahead of IP Completion Day. They also need to tell TPPs which alternative certificates they will accept as early as possible.

The amendments also clearly state that ASPSPs, without causing an obstacle, must “verify that the payment service provider is authorised or registered to perform the payment services relevant to its activities”.

For TPPs, the guidance is much simpler.  If their eIDAS certificates are likely to be revoked, they must have an alternative certificate(s) as soon as possible ahead of IP Completion Day.

As the ING study states, the success of open banking is largely down to convenience and trust, with trust being the determining factor.  The security involved in accessing data is critical to get right and the risks are high.

So, what are the risks for those involved?  For the customer they’re low.  However, for Financial Institutions the risks are high.  There are new players - third-party providers (TPPs) involved, and valuable consumer data being exchanged.  Once the account holder has given permission for their data to be shared with a TPP, it’s the responsibility of the Financial Institution to ensure nothing goes wrong. 

However, it’s complex and time consuming to identify these third parties, check they’re authorised to provide the services being requested and, to find the relevant passporting information.   All this needs to be determined at the time of the transaction request.

To verify a TPP’s identity and know its latest authorisation status, there are over 70 Qualified Trust Service Provider (QTSP) certificate revocation lists and 115 National Competent Authority (NCA) registers from across the EEA that need to be accessed to find this information.  Knowing how to interpret and standardise the data presents additional issues. Different languages, duplicated entries and missing information are just some of the issues that need to be taken into consideration.

It’s also important to ensure all checks and due diligence are performed using the latest available source data provided by the relevant National Competent Authorities.  If there is a disputed transaction or issue, the Financial Institution needs to be able to show it has used the relevant source data or face being liable for the transaction.  

With open banking services set to increase which will drive greater transaction volumes, data security and trust in the open banking ecosystem are paramount – without them customer loyalty and trust will quickly be lost.