An update on the API Evaluation Group

In January this year, the European Commission (EC) created the API Evaluation Group (API EG) with the support of the Euro Retail Payments Board (ERPB) of the European Central Bank (ECB). This industry body was tasked with creating new standards for application programming interfaces (APIs) for use in open banking.

APIs are the technical interface between banks and fintechs. They’re the foundation of Open Banking and since – at least in theory – they should be superior to ‘screen scraping’, they will be fundamental to the operation of many fintechs and payment specialists.

To ensure a level playing field and a workable technical basis for the European finance sector, whatever standards emerge for open-banking APIs must work for all parties: consumers, fintechs, banks and regulators.

It’s the job of the API Evaluation Group to formulate a set of recommendations describing what a standard that meets these requirements should contain. Once it has completed its recommendations, the national regulators can consider these in their decisions to grant exemptions for banks from providing PSD2-licensed Third Party Providers (TPPs) a fallback option in case their API does not perform as expected.

January: setting the terms of reference

On 29 January, the new group met for the first time to agree its terms of reference. The group elected as its co-chairs James Whittle, the director of international standards at the UK’s NPSO Ltd, and Oscar Berglund of online-payments specialist Trustly Group AB.

The members of the API Evaluation Group are:

• TPP representatives:
  • Aoife Houlihan, VP Communications & Public Policy, Klarna
  • Joan Burkovic, CEO, Bankin’
  • Ralf Ohlhausen, Business Development Director, PPRO

• Emil Johansson, API Network Manager, Swedbank (representing ESBG)
• Gijs Boudewijn, Chair Payment Systems Committee, The European Banking Federation (EBF)
• Marieke van Berkel, Head of Retail Banking & Payments, European Association of Co-operative Banks

• Jean Allix, Special Adviser, BEUC
• Pascal König, Ecommerce Europe
• Pascal Spittler, Business Requirement Manager, IKEA Group (representing EuroCommerce)

• Thaer Sabri, Chief Executive, Electronic Money Association
• Krzysztof Korus, Member, European Payment Institutions Federation

• Arturo Gonzalez Mac Dowell, President & CEO, Eurobits

Whilst the group cannot guarantee that using an approved API would exempt a bank from having to maintain the fallback of allowing access through its standard user interface. However, the co-chairs expressed their hope and expectation that using an approved API would increase the chances of gaining such an exemption.

The group agreed to report its progress to the ERPB by June 2018. By that time, it has committed itself to:

1. Define objective API evaluation criteria and guidance.
2. Evaluate ongoing API initiatives against those criteria and guidance.
3. Provide guidance on KPIs such as API security and performance requirements
4. Define the basic principles of a common testing framework
5. Communicate the results of this work to national competent authorities (NCAs).

The group scheduled meetings for each month until June 2018.

February: reviewing the API requirements

The group held its second meeting on 22 February. The main item on the agenda, was what the API standard would need to include if the market was going to accept it. In its discussion, the group considered the interests of the consumer and the various sectors of the payment and financial industries. It also took into account the opinions of the European Association of Co-operative Banks (EACB), the European Banking Foundation (EBF) and the ECB, all of which submitted written statements.

The group agreed the following actions:

• To define the obligations on all parties — bank, third-party payment provider and customer —clearly and explicitly in the API standard.
• Thaer Sabri of the Electronic Money Association agreed to write a paper outlining the interests and concerns of payment initiation services (PIS) providers.
• To commission an equivalent paper from the perspective of account information services (AIS). At the time, the task was not assigned.
• That the group would discuss the implications of anti-money-laundering (AML) and related requirements for the formulation of an API standard.
• To add an additional requirement to the standard, clarifying the processes and responsibilities necessary for gaining customer consent.

There were also two items which the group agreed to continue discussing later:

1. Whether or not the stipulation in draft requirement number 13, that the API must ensure that banks can share end-user identity information (name, ID number, DoB etc) legitimately falls within the scope of PSD2.
2. According to draft requirement number 17, payment initiation service providers (PISPs) should be able to initiate transactions without the use of strong customer authentication, if the transaction is low risk. The group is still discussing which party to the transaction should be able to make that decision.

The agreed next steps were to draw up a new version of the API requirements (draft version 5) and circulate this among API EG members, so that they could discuss it at the next meeting.