Open Banking is a big buzzword at the moment. It is good to distinguish different aspects of it:
1) Regulation. What you heard as "PSD2" - is essentially a directive by European Commission and EBA demanding banks to open up access to accounts data and payment initiation. Neither it defines by what means this access should be provided, nor when it should be available - each European country Central Bank can decide on its own.
2) Technical Specification. Examples are OpenBanking UK specification or The Berlin Group - would be groups of banks or local regulators trying to define common standards. Think of interface definition that describes both APIs as well as journeys/workflows.
3) Compliance. In the EU some of the banks (mostly large ones) are now required to be PSD2 compliant, which means they would need to expose their APIs through the standards described above. In the US, where there is no such requirement - the only way to access the bank account is to emulate a browser.
4) Third-Party Providers or Aggregators (Plaid, Teller, Tink, SaltEdge, Bud...) - would essentially provide access to the accounts of multiple banks via APIs. If you look at Plaid in the US - their codebase is probably 50%+ screenscraping/user emulation scripts in order to retrieve your accounts from e.g. Bank of America. For the EU fin-techs its a bit better, but still depends per country (remember Berlin Group vs UK OpenBanking?).
> would be groups of banks or local regulators trying to define common standards
Why 'would be' just out of interest?
AFAICT Open Banking is an organisation that has been given a mandate by the UK government, through the competition and marketing authority, and is funded by the nine largest retail banks. In the UK it is the defacto standard, and compliance of the CMA 9 is mandatory.
While there is so far no consistent standard across the EU, at least within the UK this one is set and pretty much non-negotiable.
(Disclaimer - I have consulted with Open Banking and continue to do so, but of course I do not speak on their behalf)
-- edit --
I'm particularly interested in this -
> Third-Party Providers or Aggregators (Plaid, Teller, Tink, SaltEdge, Bud...) - would essentially provide access to the accounts of multiple banks via APIs.
As AFAICT this would be explicitly disallowed unless all the users of said APIs are themselves accredited. You can't just get accredited for PSD2/OB API use, then expose that information to non-accredited entities. If this is what Plaid are doing then I wouldn't expect their accreditation to last all that long.
The scenario is typically the following. After the EU Commission approves the directive, each country has to transform it into the national law and define the authority/approach/timelines. In the case of the UK, it's indeed the way you've described.
> As AFAICT this would be explicitly disallowed unless all the users of said APIs are themselves accredited.
In UK Plaid would have to follow the OpenBanking regulation indeed and provide access according to the consent of the account owner. In the US they are just storing your password and using it according to their privacy policy.
I'm not sure they would be allowed to provide access to another party at all, if the other party wasn't accredited, regardless of consent.
I'm sure they've looked into this with their lawyers, but acting as an escape route for banking data to non-approved entities is not likely to be smiled upon.
They are allowed to provide access but with a few stipulations:
Firstly, the consumer must be aware that they are sharing their data via Plaid (i.e. Plaid can't hide behind the scenes).
Secondly, there are certain exceptions for needing to be regulated by the FCA - particularly if you don't show any data back to the user.
In practice, it makes sense to be regulated by the FCA regardless because asking to share bank information/transactions with Plaid can turn users off and you're limited with what you can do with that data without being regulated/authorised.
I find that surprising, given the lengths OB go to to ensure that only registered, accredited entities can participate in using their APIs. I'm not saying you're wrong, just that I find it surprising.
(Source, I consult with OB and have a hand in their PKI, I don't speak for them and I'm not part of or informed well about anything to do with the regulatory environment)
"In the US, where there is no such requirement - the only way to access the bank account is to emulate a browser."
Not entirely correct. In the US, JPMorganChase, Intuit, and others have adopted the OFX standard (consortium-based, which provides #2) as a more secure, controlled API alternative to browser emulation.
like any other entrenched monopolist, Plaid shouldn't want OFX to make it easier for new entrants to enter. Building something to interact with OFX is easier than building a scraper.
1) Regulation. What you heard as "PSD2" - is essentially a directive by European Commission and EBA demanding banks to open up access to accounts data and payment initiation. Neither it defines by what means this access should be provided, nor when it should be available - each European country Central Bank can decide on its own.
2) Technical Specification. Examples are OpenBanking UK specification or The Berlin Group - would be groups of banks or local regulators trying to define common standards. Think of interface definition that describes both APIs as well as journeys/workflows.
3) Compliance. In the EU some of the banks (mostly large ones) are now required to be PSD2 compliant, which means they would need to expose their APIs through the standards described above. In the US, where there is no such requirement - the only way to access the bank account is to emulate a browser.
4) Third-Party Providers or Aggregators (Plaid, Teller, Tink, SaltEdge, Bud...) - would essentially provide access to the accounts of multiple banks via APIs. If you look at Plaid in the US - their codebase is probably 50%+ screenscraping/user emulation scripts in order to retrieve your accounts from e.g. Bank of America. For the EU fin-techs its a bit better, but still depends per country (remember Berlin Group vs UK OpenBanking?).