London-based open banking software vendor TrueLayer has raised $7.5 million to help it expand into Europe and take advantage of opportunities from PSD2, but that growth must be tailored to a market that is still in its infancy.
The company wants to use its open banking API platform, which integrates bank and third-party applications, to ensure that PSD2 leads to cross-border portability of bank customer data across Europe. But even though PSD2 took effect in January, the market is still a blend of pre- and post-open banking products with no clear standard for their use.
TrueLayer offers a single API platform to connect third-party financial application providers (TPPs) to any bank, based on customer consent. The company will use its new venture capital investment to expand across Europe, starting with Germany and France. Additionally, TrueLayer will substantially grow its team and develop new products.
The new funding, from previous investors NorthZone, Anthemis and Connect Ventures, brings TrueLayer’s total funding to $12 million since the firm launched in late 2016.
Initially, TrueLayer is focusing on banking data integration with its first product, the Data API. “Payment transactions are on our radar, but we're currently not in a position to announce anything further,” said Rob Bownes, a spokesperson for TrueLayer.
TrueLayer is authorized by the U.K.’s Financial Conduct Authority as an Account Information Service Provider (AISP) and a Payment Initiation Service Provider (PISP). Under PSD2 and the U.K.’s Open Banking regulations, an AISP license allows access to bank customer data, while a PISP license grants access to the customer’s account to initiate payments. In both cases, customers need to give explicit consent.
Under TrueLayer’s Payment Initiation license, its forthcoming Payments API could enable third parties such as online retailers to have consent-based access to customers’ bank accounts in order to take payments for goods and services. This would provide e-commerce merchants and service providers with a lower-cost alternative to accepting credit or debit card payments.
Via TrueLayer’s Data API platform, TPPs can connect with banks via the U.K. Competition and Markets Authority’s Open Banking protocols, PSD2, or via credential-sharing. Its interface offers data and account aggregation so that, with a customer’s consent, TPPs can view the customer’s bank accounts and credit cards, check their balances and access transaction history. This enables TPPs to verify identity and account ownership using the customer’s existing data to make credit decisions and approve new account applications.
Francesco Simoneschi, TrueLayer’s CEO, said his company doesn’t provide screen-scraping. “We use credential-sharing as one way of gaining access to bank accounts,” he said. “We mainly use private APIs to connect with the bank's service behind the scene. The issue with ‘screen scraping’ is that the term refers to both the legal framework and the technical implementation. ‘Credential-sharing’ is a better term, as it encompasses a broader spectrum of possible technical implementations.”
Simoneschi noted that credential-sharing complies with PSD2 as a fall-back alternative in the event that banks are non-compliant. “We provide access to Open Banking in the U.K. and we'll continue to support any other PSD2 and Open Banking interface in the future,” he said. “We also support a variety of challenger banks, also connected via open APIs.”
“Credential sharing is a nice term, but, from a bank perspective, it’s a terrible idea,” said Tim Sloane, vice president payments innovation at Mercator Advisory Group. “A bank customer has one user ID and password, and most banks explicitly state in their Terms and Conditions that the customer will be held liable if they share those credentials with others.”
The U.K.’s Financial Conduct Authority stated in November 2017 that, following the launch of PSD2, all U.K. banks must remove any ban on customers sharing their credentials with regulated AIS and PIS providers from their T&Cs. The FCA also said that U.K. banks cannot hold consumers responsible for unauthorized transactions just because they have shared their credentials with regulated AIS and PIS providers.
Sloane said that FIs wouldn’t trust the claim that a third-party service used by TrueLayer (quovo.com, Envestnet, Plaid, etc.) would never suffer a breach or misuse the credentials. “Once into the online banking system, there are two mechanisms for accessing the customer data: a file transfer or screen-scraping,” said Sloane. “Some banks offer to download user data into an Excel file, a standardized format file or a file designed for a specific budgeting/accounting software solution like Intuit. If they don’t offer a file transfer, then it’s screen-scraping - the process of reading the HTML/XML/formatting characters that the browser uses to render the screen to identify the data elements required.”
Sloane said that PSD2 and Developer websites being made available by U.S. banks should slowly but surely make “credential-sharing” and screen-scraping a thing of the past, but this will take years. “Mercator strongly urges banks to establish a standard Web Development API platform that identifies data that the bank will enable to be shared,” he said. “We also recommend they develop contracts/T&Cs for partners that will have access to the API. Each partner can identify the data they want access to and the purpose. The bank should control the user agreement, T&Cs and pricing to make this available.”
Sloane said that banks need to extend the user interface in their online/mobile banking app so that customers can specify what data they want to share and with whom. “The request is registered and confirmed with the user,” he said. “The consumer can subscribe/unsubscribe using the bank interface at any time. If/when a user unsubscribes, they are notified as to what happens with the data already shared. The data is no longer transferred to the partner and the partner is notified about this.”
Since January 2018, when PSD2 was introduced, TrueLayer has announced several U.K. open banking integrations, including with U.K. challenger banks Monzo and Starling Bank as well as with third-party financial application providers Zopa, ClearScore, Canopy, Plum, Emma Technologies, Anorak and CreditLadder.
TrueLayer’s integration with Monzo and Starling enables the banks’ customers to share their account data with TPPs offering services such as income verification tools, lending products and aggregated financial dashboards.
U.K. peer-to-peer consumer lending platform Zopa uses TrueLayer for income verification, while rental marketplace Canopy uses TrueLayer to update its customers’ rental information with its RentTracking tool.
Plum uses TrueLayer to connect its Messenger-based PFM chatbot with Monzo and Starling Bank accounts, and Anorak uses the platform to provide more accurate insurance quotes. PFM app provider Emma uses TrueLayer to give customers access to all their financial data at multiple financial institutions.
U.K. property renters can connect their bank to CreditLadder, which uses read-only access via TrueLayer to report their rent payments to credit reference agency Experian. By verifying their rent payments, CreditLadder-registered tenants can obtain access to better rates on mortgages, loans, credit cards and utility bills.