Chapter 28: Further Reading — RegTech APIs, Open Finance, and Interoperability
Primary Regulatory Sources
PSD2 and the EU Open Banking Framework
Directive (EU) 2015/2366 — Payment Services Directive 2 (PSD2)
The foundational EU legislation establishing the Open Banking framework, including the rights and obligations of AISPs, PISPs, and ASPSPs. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366

Commission Delegated Regulation (EU) 2018/389 — RTS on Strong Customer Authentication and Common and Secure Open Standards of Communication
The implementing technical standard that specifies SCA requirements and the technical standards for Open Banking API interfaces. This is the document that gives the PSD2 framework its technical teeth. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R0389

EBA Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04)
The EBA's clarification guidance on the RTS requirements, addressing the most common implementation questions from industry. Available at: https://www.eba.europa.eu/sites/default/files/documents/10180/2137845/6aef5f46-2e68-4ace-a5b5-8c319e8f5e8b/EBA%20Opinion%20on%20SCA%20and%20CSC.pdf
UK Open Banking Framework
Open Banking Limited — Open Banking Standards
The definitive technical documentation for the UK Open Banking API standard, including the FAPI security profile, API specifications, consent object schemas, and implementation guides. Essential reading for any practitioner implementing or governing a UK Open Banking integration. Available at: https://standards.openbanking.org.uk/

CMA Retail Banking Market Investigation — Final Order 2017
The Competition and Markets Authority order that created the legal mandate for the nine largest UK banks to implement Open Banking. The order and its annexes define the scope, timeline, and governance structure for UK Open Banking. Available at: https://www.gov.uk/cma-cases/retail-banking-market-investigation

HM Treasury — Smart Data: putting consumers in control of their data and enabling innovation (Consultation 2021)
The UK government's policy paper outlining the Smart Data initiative and its extension of Open Banking principles to energy, telecoms, and broader financial services data. Available at: https://www.gov.uk/government/consultations/smart-data-putting-consumers-in-control-of-their-data-and-enabling-innovation
EU Financial Data Access (FiDA)
European Commission — Proposal for a Regulation on a framework for Financial Data Access (FiDA) — COM(2023) 360 final
The proposed EU regulation extending Open Banking principles to investment portfolios, insurance, and crypto assets. Essential reading for compliance professionals anticipating the next phase of EU open finance obligations. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2023%3A360%3AFIN
US Consumer Financial Data Rights
CFPB Rule on Personal Financial Data Rights (12 CFR Part 1033)
The CFPB's final rule implementing Section 1033 of the Dodd-Frank Act, establishing consumer rights to access and share their financial data with authorized third parties. The US equivalent of PSD2, but with a different enforcement and standards-setting approach. Available at: https://www.consumerfinance.gov/rules-policy/final-rules/personal-financial-data-rights/
Australia: Consumer Data Right
Australian Competition and Consumer Commission — Consumer Data Right
The authoritative source for Australia's CDR framework, including the Banking Data Standards, accreditation requirements for data recipients, and compliance obligations for data holders. Available at: https://www.accc.gov.au/by-industry/banking-and-finance/consumer-data-right
Regulatory Reporting APIs
EBA — Integrated Reporting Framework (IReF)
The EBA's initiative to harmonize EU bank regulatory reporting into a single data model. The IReF consultation papers and data dictionary are essential for firms anticipating changes to their regulatory reporting obligations. Available at: https://www.eba.europa.eu/risk-analysis-and-data/reporting-frameworks/integrated-reporting-framework-iref

Bank of England — BEEDS (Bank of England Electronic Data Submission)
Documentation for the Bank of England's electronic regulatory data submission infrastructure, including API-based submission capabilities for supported data collections. Available at: https://www.bankofengland.co.uk/statistics/data-collection-platforms/beeds
Technical Standards
OAuth 2.0 and OpenID Connect
RFC 6749 — The OAuth 2.0 Authorization Framework
The IETF standard defining OAuth 2.0. The core specification for the authorization framework underlying all Open Banking consent flows. Available at: https://datatracker.ietf.org/doc/html/rfc6749

RFC 7636 — Proof Key for Code Exchange by OAuth Public Clients (PKCE)
The IETF standard defining the PKCE extension to the OAuth 2.0 Authorization Code Flow. Available at: https://datatracker.ietf.org/doc/html/rfc7636

OpenID Connect Core 1.0
The OpenID Foundation specification adding an identity layer to OAuth 2.0, enabling authenticated identity claims in the Open Banking consent flow. Available at: https://openid.net/specs/openid-connect-core-1_0.html
Financial-Grade API (FAPI)
FAPI 2.0 Security Profile — OpenID Foundation
The current-generation FAPI security profile, providing stronger security guarantees than FAPI 1.0 Advanced. The reference specification for implementations moving beyond the original UK Open Banking security profile. Available at: https://openid.net/specs/fapi-2_0-security-profile.html

FAPI 1.0 Advanced — OpenID Foundation
The security profile on which UK Open Banking's initial implementation was built. Useful for understanding the existing production standard against which the FAPI 2.0 upgrade is measured. Available at: https://openid.net/specs/openid-financial-api-part-2-1_0.html
Industry API Standards
Financial Data Exchange (FDX) API Standard
The US industry standard for consumer financial data sharing, developed by the Financial Data Exchange consortium and increasingly referenced as the technical vehicle for CFPB Section 1033 compliance. Includes detailed specifications for account information, transaction history, and investment data APIs. Available at: https://financialdataexchange.org/fdx/standards/

Berlin Group — NextGenPSD2 XS2A Framework
The pan-European Open Banking API standard developed by the Berlin Group, providing a common technical specification for PSD2 compliance across EU member states and reducing the fragmentation caused by each country's national implementation. Available at: https://www.berlin-group.org/nextgenpsd2-downloads
Compliance and Governance Frameworks
EBA Outsourcing Guidelines
EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02)
The definitive EBA guidance on when technology and service arrangements constitute outsourcing, and the compliance obligations that apply. Essential for the Exercise 5 analysis on API-based third-party relationships. Available at: https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04)
Addresses the management of IT security risks, including API security and third-party IT dependencies, within the outsourcing governance framework. Available at: https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management
GDPR and API Data Sharing
ICO Guidance on Data Subject Access Requests
Practical guidance from the UK Information Commissioner's Office on how organizations must respond to Subject Access Requests, directly relevant to designing the consent audit trail described in Chapter 28. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

EDPB Guidelines 05/2020 on Consent under the GDPR
The European Data Protection Board's authoritative guidance on what constitutes valid consent under GDPR, essential reading for understanding the relationship between Open Banking consent and GDPR consent. Available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en
Academic and Industry Research
Bank for International Settlements — Open Banking: How to Design It and Who Benefits (FSI Insights, 2019)
A cross-jurisdictional comparison of Open Banking regulatory approaches, examining how different design choices (mandatory vs. voluntary, API standards vs. screen scraping, liability allocation) affect outcomes for consumers and financial stability.

McKinsey Global Institute — Open Data: Unlocking Innovation and Performance with Liquid Information
An analysis of the economic value of data portability across sectors, with financial services as a central case study. Provides context for the business case underlying the Open Finance regulatory agenda.

Financial Conduct Authority — Call for Input: Open Finance (2020)
The FCA's exploration of the case for extending Open Banking to the broader financial sector. Even though some of this analysis has been superseded by subsequent Smart Data legislation, the FCA's framing of the compliance and consumer protection considerations remains instructive. Available at: https://www.fca.org.uk/publications/calls-for-input/call-input-open-finance

Open Banking Limited — Open Banking Impact Report
Annual reports published by Open Banking Limited providing statistics on UK Open Banking adoption (number of active users, regulated providers, API call volumes) and a qualitative assessment of consumer and business outcomes. Available at: https://www.openbanking.org.uk/insights/
Practitioner Tools
OpenID Foundation FAPI Working Group
The working group producing and maintaining the FAPI specifications. Meeting minutes, working drafts, and implementation guidance documents are publicly available and provide insight into the evolving security standard. Available at: https://openid.net/wg/fapi/

Open Banking Excellence (OBE) Hub
An industry body resource providing practitioner-oriented analysis of Open Banking and Open Finance developments, including regulatory updates, technical implementation guidance, and case studies from live implementations. Available at: https://www.openbankingexcellence.org/

Financial Services Information Sharing and Analysis Center (FS-ISAC) — API Security Guidelines
Practitioner guidance from the financial sector's information sharing body on securing financial API connections, including threat intelligence specific to the API attack surface. Available at: https://www.fsisac.com/