PSD2 has applied across the EU since January 2018, and its security rules (the regulatory technical standards on strong customer authentication) since September 2019. Since then, bank account aggregation has quickly become widespread across the continent.
We’re already seeing large banks such as BBVA and NatWest implementing it within their tech stack, and it’s only a matter of time before it’s considered the norm rather than the exception.
Due to its growing use, we thought it would be useful to shed a little light on what account aggregation is, how it works behind the scenes and why it’s useful for financial institutions, merchants, and customers.
What is account aggregation?
Account aggregation is the process by which a third party gathers financial information from one or more bank accounts, collects it in one place, and makes it available to other systems. It’s the first pillar of the Open Banking movement and essentially makes it easy to display financial data from different accounts in separate financial institutions in one place.
The technology has many applications, such as risk-oriented credit analysis, financial scoring, or making accounting easier for businesses by gathering data from all their accounts in a single location.
The data can be output in various formats, such as JSON, which other applications can parse and act on, or spreadsheets, which can be used for manual analysis, accounting, and other tasks.
Regulating financial data aggregation
Account aggregation deals with private financial data of companies and individuals, so it is essential to guarantee the security of the information at all times to avoid it being used in a manner that is harmful to the interested parties.
PSD2 and its regulatory technical standards set specific security requirements for anyone handling this data.
The objective of the directive was to liberalize the market for online payments and associated services, including obtaining financial information through account aggregation. But it was also to regulate the participation in this space and create standards that apply to all parties to ensure that the user is protected at all times.
In terms of security, this translates into Strong Customer Authentication (SCA): when a user accesses their account data online, including through a third party, the bank must authenticate them with at least two of three independent factors: something they know, such as a PIN code or password; something they possess, such as a mobile phone or hardware token; and something they are, such as a fingerprint or face or iris scan. The factors must be independent, so that compromising one does not compromise the others.
Together, these factors raise the bar considerably: a phished password on its own is no longer enough to read or empty an account, which goes a long way towards preventing fraud.
At the same time, the organizations that provide these services are strictly controlled under PSD2. Before PSD2, bank aggregation services existed in a sort of legal limbo. They were not illegal, but there was no standard regulation governing who could offer them and under what conditions. Back then, the most common method to obtain data was screen scraping.
Under PSD2, screen scraping has been relegated to the role of ‘fallback mechanism’, that is, the backup connection method TPPs use when the connection to a bank’s API fails or the data it provides is insufficient for a certain use case.
Either way, the companies providing these services now must be regulated by their competent national authority (generally a national bank or financial regulator) to continue providing account aggregation services, and those that do so without the proper authorization are subject to heavy fines.
To this end, PSD2 introduced two new regulated roles: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). The second role, AISP, is the one that applies to companies offering account aggregation and bank reading services.
In addition to transforming the online payments ecosystem by enabling new types of products and services, PSD2 enables a more stable connection between banks and third parties, which provides several benefits as we’ll see below.
How does account aggregation work?
The data contained in a bank account is private and belongs to the account’s owner. However, there are scenarios in which the owner might want it to be accessible to a third party to be able to receive certain goods or services. A common use case would be to perform a risk analysis when a person requests a loan from a credit institution.
In such cases, the account holder authorizes a third party to read the account. With a dedicated API this means authenticating at the bank and consenting to the third party’s access, after which the third party receives an access token rather than the user’s password. With screen scraping, the account holder hands over their online banking username and password and the third party logs in on their behalf. Either way, the third party can then obtain the information it needs to provide its services.
The information is accessed through the API of the bank where the account is held. Banking APIs define a specific request format so third parties can ask for different kinds of information depending on their needs.
Some commonly used data categories are the balance of the account, a list of bank statements within a specific period, or the data of the owner of the account.
The request specifies which bank is to be read (“bank_id”) and provides a user and password. In a real reading, these would correspond to the online banking credentials of the person whose data is to be read and analyzed. Because those credentials give full access to the account, they must only travel over TLS, must never be written to logs, and should be discarded as soon as the reading is done.
Once the credentials are accepted, the bank authorizes the request and returns the requested information to the application.
Such a request would return the following data:
- The account owner’s name (“account_owner”)
- The account’s IBAN code (“iban”)
- The bank cards associated with the account (“cards”)
- The bank loans associated with the account (“loans”)
- A list of all statements (“statements”) between 1/1/2018 (“start_date”) and 25/10/2018 (“end_date”)
In most cases, the bank’s response is structured data (typically JSON) rather than a finished document, and the receiver is responsible for parsing and formatting it so it can be processed and integrated into their business processes.
Depending on the purpose of the data, it will be treated to adapt to the company’s specific use case:
- Pure data output in JSON format, readable by applications to integrate into the business processes of a company.
- Export in one of several formats (PDF or CSV for example), some of which are useful for integration in other processes or analysis systems.
- Recreate the data in a visual interface for viewing, such as an analytics dashboard.
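The reading flow described above, as an added example that is not part of the original article or of any bank’s or Unnax’s API: the request and response field names (“bank_id”, “account_owner”, “iban”, “statements”, and so on) are taken from the article’s description, the sample response is constructed, and the IBAN check, date filter and CSV export are this editor’s illustration of what the receiving application has to do with the data. The IBAN is validated with the ISO 13616 mod-97 checksum before it is used, which catches garbled responses and typos, and the password is redacted from anything that gets logged.

```python
import csv
import io
import json
from datetime import date

# Constructed sample response, shaped after the fields the article lists
# (account_owner, iban, cards, loans, statements). It is not real bank data
# and the field names are an assumption, not any bank's documented schema.
SAMPLE_RESPONSE = json.dumps({
    "account_owner": "Jane Doe",
    "iban": "GB82WEST12345698765432",
    "cards": [{"type": "debit", "last4": "1234"}],
    "loans": [],
    "statements": [
        {"date": "2018-01-15", "amount": -42.10, "balance": 1200.00, "description": "Grocery store"},
        {"date": "2018-06-30", "amount": 2500.00, "balance": 3700.00, "description": "Salary"},
        {"date": "2018-11-02", "amount": -99.99, "balance": 3600.01, "description": "Electronics"},
    ],
})


def build_request(bank_id, user, password, start_date, end_date):
    """Assemble the read request the article describes (hypothetical shape).
    Dates are ISO strings (YYYY-MM-DD)."""
    return {
        "bank_id": bank_id,
        "user": user,
        "password": password,
        "start_date": start_date,
        "end_date": end_date,
    }


def redact(request):
    """Copy of the request that is safe to log: the banking password never hits logs."""
    safe = dict(request)
    safe["password"] = "***"
    return safe


def iban_is_valid(iban):
    """ISO 13616 mod-97 check. Catches typos and garbled responses before the
    IBAN is stored or used to match accounts; it does not prove the account exists."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                      # move country code + check digits to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35, digits unchanged
    return int(digits) % 97 == 1


def parse_response(raw, start_date, end_date):
    """Parse the bank's JSON and keep only the statements inside [start_date, end_date]."""
    data = json.loads(raw)
    if not iban_is_valid(data["iban"]):
        raise ValueError("response carries an invalid IBAN: " + data["iban"])
    start, end = date.fromisoformat(start_date), date.fromisoformat(end_date)
    statements = [
        s for s in data["statements"]
        if start <= date.fromisoformat(s["date"]) <= end
    ]
    return {
        "account_owner": data["account_owner"],
        "iban": data["iban"],
        "cards": data["cards"],
        "loans": data["loans"],
        "statements": statements,
    }


def statements_to_csv(statements):
    """Export the filtered statements as CSV text for spreadsheet users."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["date", "amount", "balance", "description"])
    writer.writeheader()
    writer.writerows(statements)
    return buf.getvalue()


if __name__ == "__main__":
    req = build_request("sample_bank", "jane", "hunter2", "2018-01-01", "2018-10-25")
    print("sending", redact(req))   # the real request carries the password; the log line does not
    result = parse_response(SAMPLE_RESPONSE, "2018-01-01", "2018-10-25")
    print(statements_to_csv(result["statements"]))
```

Run as a script it prints the redacted request and a two-row CSV (the November statement falls outside the requested window and is dropped). In a real integration the response would come from the bank over TLS instead of the constructed constant, and the password would be sent once and not retained.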
Connection channels under PSD2
How can a third party connect to a bank account under PSD2? There are two main ways: APIs and screen scraping. Let’s look at both of these.
Dedicated Interface (API PSD2)
With dedicated APIs, companies can access two sources of data: account balances and transaction history (statements). This connection is only possible for a licensed AISP, which identifies itself to the bank with its PSD2 eIDAS certificate and, in some markets, goes through a shared API hub such as Redsys.
Bank APIs offer stable connections: once the user has authenticated with SCA and granted consent, the AISP receives an access token and can keep reading balances and recent transactions without a fresh SCA for up to 90 days (the RTS has since been amended to allow up to 180 days), after which the user must authenticate again. The main advantage of a dedicated API is that it is stable and fast. The main disadvantage is that the scope of data is limited to payment accounts: balances and transactions.
Direct Connection (fallback mechanism)
Screen scraping acts as a fallback mechanism and is the method that was used before APIs and Open Banking first appeared.
With screen scraping, the third party collects the user’s login information (username and password) and essentially “logs in” as the user. Similar to a web crawler bot, the third party then crawls the user’s bank account and gathers the relevant information while simulating the user’s behavior within the account.
The main advantage of this method is that there is no real limit to how much information the third party can gather: personal details, debit and credit cards, loans, savings, and any other financial products. The flip side is that the third party now holds credentials that give full access to the account, including payment functions, so it must protect them as carefully as the bank itself would, and its sessions are indistinguishable from the user’s own in the bank’s logs.
The biggest issue with screen scraping is that it requires significant maintenance work to keep the system running well. When a bank updates its online banking interface, the third party must adapt its system to recognize whatever new elements have been added and to potential layout changes.
Currently, PSD2 recognizes scraping as a “fallback mechanism” for when a bank’s dedicated API is unavailable or underperforming (banks can be exempted from providing it if their API meets the regulator’s criteria), and a TPP using it must still identify itself to the bank. If a third party requires loan data to provide its services, it will need to screen scrape, because that data is outside the API’s scope. If it just needs basic account information, a dedicated API is enough.
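The two rules that govern channel choice, the 90-day SCA exemption clock and the API’s limited scope, as an added example that is not part of the original article or of any AISP’s code. The `Consent` record, its field names, the scope names and the 90-day constant are assumptions for illustration (the RTS amendment raised the limit to 180 days, so it is a parameter here); what the code shows is when a stored token can be reused, when the user must be sent back to the bank for SCA, and when the request falls outside the API altogether.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Data a PSD2 dedicated API exposes for payment accounts (balances and
# transactions); anything else, such as loans, is only reachable by scraping.
API_SCOPE = frozenset({"balances", "transactions"})

# The SCA RTS lets the bank skip SCA for AIS reads for a fixed period after the
# last authentication (90 days originally, 180 after the 2022 amendment).
# Assumed 90 here; make it match the bank you integrate with.
SCA_EXEMPTION_DAYS = 90


def at(iso_date):
    """Helper: midnight UTC on an ISO date, for building timestamps in examples."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Consent:
    """What the AISP holds after the user authenticated at the bank (assumed fields)."""
    access_token: str
    scopes: frozenset
    last_sca_at: datetime

    def sca_exemption_expired(self, now):
        return now - self.last_sca_at >= timedelta(days=SCA_EXEMPTION_DAYS)

    def days_until_reauth(self, now):
        remaining = self.last_sca_at + timedelta(days=SCA_EXEMPTION_DAYS) - now
        return max(0, remaining.days)


def choose_channel(requested, consent, now):
    """Decide how a read request should be served. Returns (channel, action)."""
    requested = frozenset(requested)
    if requested <= API_SCOPE:
        if not requested <= consent.scopes:
            return ("api", "consent does not cover the requested data: ask the user to re-consent")
        if consent.sca_exemption_expired(now):
            return ("api", "exemption expired: redirect the user to the bank for SCA, then reuse the API")
        return ("api", "call the dedicated API with the stored access token")
    # Loans, cards, savings, etc. are outside the API: fallback via screen scraping,
    # which needs the user's banking credentials and must identify the TPP to the bank.
    return ("fallback", "screen scrape with the user's credentials; do not persist them")


def renew_after_sca(consent, now, new_token):
    """Record a fresh SCA: the exemption clock restarts and the old token is replaced."""
    return replace(consent, access_token=new_token, last_sca_at=now)


if __name__ == "__main__":
    consent = Consent("tok-1", API_SCOPE, at("2024-01-01"))
    print(choose_channel({"balances"}, consent, at("2024-01-31")))
    print(choose_channel({"balances"}, consent, at("2024-03-31")))   # day 90: SCA again
    print(choose_channel({"loans"}, consent, at("2024-01-31")))      # outside API scope
```

The check is deliberately on the AISP side as well as the bank’s: a bank will refuse a stale token anyway, but knowing the clock lets the aggregator prompt the user before a scheduled read silently fails.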
At Unnax, we help companies and third parties use both dedicated APIs as well as screen scraping. Each channel is appropriate for different requirements, and in some cases we use both at the same time.
Main benefits for consumers, companies, and banks
Account aggregation benefits all parties involved: consumers, financial services companies, and banks.
It allows consumers to manage money a lot more quickly and efficiently: it’s much easier to make financial decisions when you can see all your account balances on one screen, rather than having to log into each separate app.
Financial services companies benefit by learning more about their consumers’ financial habits. Being able to access the correct information and in real-time also facilitates the customization of products and servicing consumer needs. For example, gathering information to offer a loan is a lot easier through account aggregation than requesting PDFs and Excel spreadsheets.
What about the benefits for banks? At first glance, it might seem that account aggregation does not benefit banks since it forces them to give away their most precious resource: customer data. But actually, account aggregation allows banks to grow a more loyal customer base by becoming the preferred customer service.
If a customer has to choose between a bank that shows all their pensions, savings, and investments on one screen and another bank that just shows their balance, the customer is likely to choose the former.
Account aggregation is an opportunity for banks to level up their customer experience, encourage customers to spend more time on the app, and build a better relationship with their customers.
Furthermore, thanks to PFM (personal financial management) applications built on aggregation technology, banks now have a way to capture clients from their competitors.
Most bank-owned PFMs allow customers to add bank accounts from other institutions. This gives the bank visibility of how their customers are engaging with competitors. For example, the bank can know if their customer has a mortgage or an insurance policy at a competing institution, and make highly personalized offers to convince them to bring those financial products over, such as slightly lower interest rates or reduced monthly payments on their policy.
Therefore, aggregation can be a powerful tool for banks to learn more about their customers and to market their products to them more effectively.
Use cases & examples
Companies can use the information gathered from a person’s bank account to eliminate many uncertainties from their decision-making processes and apply it to all sorts of use cases.
With account aggregation, a company could perform a credit risk analysis of the account owner and decide whether or not to grant them a loan based on their financial health. It would help answer questions like: What is the average balance of the account? How much income and expenditure does the account owner have? Does the account holder have significant debts? Are there any observable risk factors, such as spending on gambling or numerous large credit card bills?
Below, we list some potential applications of account aggregation technology:
- Credit risk analysis to evaluate loan requests: using account aggregation, the loan issuer can know if the requester is solvent and financially healthy.
- Consumption habits analysis: list of historical transaction data gives insight into what a person spends money on, where they spend it, when, and more. This information can be used for marketing purposes and to create more personalized offers that speak to customers more directly.
- Bank account consolidation: a company’s accounting processes can be simplified significantly through account aggregation, as it allows all the company’s financial data to be consolidated into a single format and viewed in a single location.
- Personal finance apps: known as PFMs (Personal Financial Managers), these apps use account aggregation to extract the user’s financial data from their bank accounts and provide services such as automated savings, financial advice, and personal spending analysis.
- Financial management applications for businesses: BFMs (Business Financial Management applications). They fulfil a similar function to PFMs: making financial management of a business easier by collecting all relevant data and presenting it in a single place so it is easy to use and act upon.
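The credit risk questions listed above (average balance, income and expenditure, existing debt, gambling spend), worked through over a constructed two-month transaction history, as an added example that is not part of the original article or of any lender’s scoring model. The statement shape, keyword lists and the 80% expense-ratio threshold are assumptions for illustration; a real model would use the lender’s own categorisation and thresholds.

```python
from statistics import mean

# Constructed sample transaction history (two months), in the shape a reading
# returns: date, signed amount, balance after the transaction, description.
SAMPLE_TRANSACTIONS = [
    {"date": "2024-01-02", "amount": 2000.00, "balance": 2500.00, "description": "Salary ACME Ltd"},
    {"date": "2024-01-05", "amount": -800.00, "balance": 1700.00, "description": "Rent"},
    {"date": "2024-01-12", "amount": -150.00, "balance": 1550.00, "description": "Online casino"},
    {"date": "2024-01-20", "amount": -200.00, "balance": 1350.00, "description": "Loan repayment"},
    {"date": "2024-02-02", "amount": 2000.00, "balance": 3350.00, "description": "Salary ACME Ltd"},
    {"date": "2024-02-05", "amount": -800.00, "balance": 2550.00, "description": "Rent"},
    {"date": "2024-02-15", "amount": -300.00, "balance": 2250.00, "description": "Supermarket"},
]

# Assumed keyword categorisation; a real system would use a maintained merchant taxonomy.
GAMBLING_KEYWORDS = ("casino", "bet", "lottery", "poker")
DEBT_KEYWORDS = ("loan", "credit card", "mortgage")


def _matches(description, keywords):
    text = description.lower()
    return any(k in text for k in keywords)


def risk_features(transactions):
    """Summarise an account's statements into the figures a lender looks at."""
    if not transactions:
        raise ValueError("no transactions to analyse")
    income = sum(t["amount"] for t in transactions if t["amount"] > 0)
    expenditure = sum(-t["amount"] for t in transactions if t["amount"] < 0)
    n_months = len({t["date"][:7] for t in transactions})   # distinct calendar months seen
    gambling = sum(-t["amount"] for t in transactions
                   if t["amount"] < 0 and _matches(t["description"], GAMBLING_KEYWORDS))
    debt = sum(-t["amount"] for t in transactions
               if t["amount"] < 0 and _matches(t["description"], DEBT_KEYWORDS))
    return {
        "months": n_months,
        "avg_balance": round(mean(t["balance"] for t in transactions), 2),
        "min_balance": min(t["balance"] for t in transactions),
        "monthly_income": round(income / n_months, 2),
        "monthly_expenditure": round(expenditure / n_months, 2),
        "expense_ratio": round(expenditure / income, 4) if income else None,
        "gambling_spend": round(gambling, 2),
        "debt_payments": round(debt, 2),
    }


def risk_flags(features, max_expense_ratio=0.8):
    """Turn the features into the observable risk factors a reviewer would want raised."""
    flags = []
    if features["gambling_spend"] > 0:
        flags.append("gambling")
    if features["debt_payments"] > 0:
        flags.append("existing_debt")
    if features["expense_ratio"] is None or features["expense_ratio"] > max_expense_ratio:
        flags.append("spending_exceeds_threshold")   # also raised when there is no income at all
    if features["min_balance"] < 0:
        flags.append("overdrawn")
    return flags


if __name__ == "__main__":
    f = risk_features(SAMPLE_TRANSACTIONS)
    for key, value in f.items():
        print(f"{key:>20}: {value}")
    print("flags:", risk_flags(f))
```

Flags are returned rather than a yes/no decision on purpose: a lender still has to apply its own policy, and keeping the features separate makes the analysis explainable to the applicant, which matters when the data being processed is someone’s full transaction history.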
The UK, the first country to implement Open Banking, now has more than 2.5 million consumers and businesses using Open-Banking enabled products, and the API call volume increased to 6 billion in 2020. Although PSD2 is now fully in force in Europe, many banks and financial institutions are still catching up with the current requirements and are therefore not fully taking advantage of the opportunities that come with the new directive.
Account aggregation helps banks and financial institutions understand their customers’ finances better, customize products and services to meet their needs, and therefore make more data-driven decisions. Those who decide to implement the new directive successfully will hold a big advantage over those that are still making decisions based on incomplete information.