View upward of a skyscraper from street level

Open Banking in Germany

It’s no understatement to say that Open Banking is transforming the way that financial institutions operate — and the way consumers move and use money. By empowering banks to share account information in a secure, standardized format with other authorized organizations, Open Banking is increasing transparency, facilitating collaboration and opening up new product opportunities.

While most of the world is striving to meet the so called “European standard for Open Banking” and aspire to implement directives similar to the Revised Payment Services Directive (PSD2), it is important to realize that Open Banking is still at a very early stage and is unfolding unevenly across the region.

The UK is still one of the largest providers of worldwide financial services, and its nine largest banks had application programming interfaces (API) in place already in 2018. Banks on the European continent, by contrast, didn’t launch them until September 2019. Adoption rates throughout the Nordic region are high — especially in Norway, where the Nordic API Gateway, now called Aiia, enjoys a penetration rate of 95% among retail and business accounts. In Germany, reports suggest that most APIs either don’t work, time out or make integration near impossible, which makes for an interesting challenge to say the least.

Open Banking implementation is highly influenced by the culture or mindset locally. While Germany is a country known for its orderly culture, and for being innovative, especially in the automotive industry where most of the patent applications are made, the banking sector’s adoption of the Open Banking framework is showing another viewpoint. Incumbent banks in the country are notoriously conservative and seem to be rooted in the mentality that few of their customers want to see their bank take big risks. The theory behind why Germans are facing the API challenges mentioned above could be rooted in the idea that they were being implemented to answer to a regulation as opposed to being linked to revenue generation.

The True Justifiable Reward

Open Banking has further enabled the fintech industry around the world and frankly supports competition by giving consumers the opportunity to pick convenience instead of feeling stuck with one bank. And yes, Open Banking can be seen as a disrupter to incumbent banks, but it could be argued that this disruption would have come either way. In fact, McKinsey argues in their white paper titled German banking returns to the playing field, that two out of three German banking executives think radical changes are required in the industry. Big organizations such as Deutsche Bank are working on driving change according to a recent interview with the Paypers. There seems to be a consensus that standing still isn’t an option.

Regulatory trends such as the European Revised Payment Services Directive (PSD2) have already been pushing banks to focus on automation, advanced analytics and security protocol to see productivity gains within payments. One requirement that benefits all parties involved is the Strong Customer Authentication (SCA) workflow as articulated in article 4 (30) by the European Banking Authority (EBA).

Implementing SCA requirements means that only using out of band (OOB) one-time passwords (OTP) sent by SMS or email will no longer be enough, something that many banks are still using today.

Secure codes or OTP sent through OOB are still widely used today and while many argue its validity to quality as part of the SCA workflow, according to Ecommerce Europe, it qualifies as the “possession” factor and would be a valid part of SCA if combined with a “knowledge” and or an “inherence” factor. However, without conforming to dynamic linking, it still poses a risk and could be compromised by way of a man-in-the-middle attack. OOB authentication is a highly insecure method that can easily be breached. OTP secure codes provided through offline authentication or simply moving to a push notification solution is a much better alternative that remains compliant with SCA in regard to challenge/response, and it offers a seamless journey to consumers. The big difference here is that those alternatives are secure and offer a full context with details on the transaction being authorized. It ensures that data and financial assets aren’t put at risk, which can come at a high cost to financial institutions who don’t take this seriously. This is where security and consumer experience go hand in hand.

Some Organizations Move Ahead of the Regulations

Regulations have evolved in tandem with Open Banking developments to reduce risk and protect against fraud around the world. The financial industry however stands at an inflection point and Germany certainly isn’t an exception here. As offerings expand and consumers demand more customization, choice and control, the companies that win will be those that go beyond regulations to align with customer needs.

Sparkassen-Finanzgruppe is one of the organizations leading the way in the country. They launched wallis, a central API portal that enables the collaborative development of innovative services and new business models for Sparkassen’s alliance partners and fintechs. The portal has now been granted a BaFin license, which significantly increases the company's sphere of activity. Thanks to this license, wallis receives permission to provide account information, payment initiation services and regulated services as part of their offer for partner companies and fintechs. A wallis representative recently shared that one possible application would be the integration and analysis of sales data for tax returns.

Banks and other financial institutions in Germany, have a lot to learn from Sparkassen-Finanzgruppe. Those that view Open Banking solely as a technology play or a threat will be vulnerable to disruption and this bank truly shows how Open Banking is to be taken as an opportunity.

HID Global has the required SCA solution to support a smooth Open Banking framework implementation and maintain compliance, read more about our consumer authentication solutions.

Want to learn more about Open Banking around the world? Take a look at this eBook that explains how going beyond regulations is what’s required to stay ahead.

Vaclav Maska is the HID Global Sales Lead for DACH and CEE in the IAM Consumer Authentication area. Vaclav is a multifaceted professional with extensive experience in driving business growth and continuity. He has extensive experience with financial institutions, advising on integration of SaaS technology to secure customer identity and ensure data protection based on local regulations.