Chapter 28: Quiz — RegTech APIs, Open Finance, and Interoperability
Instructions: Select the best answer for each question. The answer key with explanations follows the questions.
Questions
1. Under PSD2, which entity is authorized to read a customer's payment account data for information purposes, with the customer's consent, but may not initiate payment transactions?
a) Account Servicing Payment Service Provider (ASPSP)
b) Payment Initiation Service Provider (PISP)
c) Account Information Service Provider (AISP)
d) Card-Based Payment Instrument Issuer (CBPII)
2. A fintech called ClearView is FCA-authorized as an AISP. It calls Verdant Bank's Open Banking API to retrieve a customer's account balance. Where does the primary AML obligation for ClearView's customer sit?
a) With Verdant Bank, because it holds the customer's payment account
b) With ClearView, because it is the AISP with the direct customer relationship
c) Jointly and equally with both Verdant and ClearView
d) With the FCA, as the supervisory authority overseeing both parties
3. In the OAuth 2.0 Authorization Code Flow as implemented in Open Banking, the customer authenticates and grants consent at the bank, and the bank issues an access token to the TPP. What is the primary security advantage of this flow compared to asking the customer to share their bank password with the TPP?
a) It is faster because it eliminates the need for strong customer authentication
b) The customer's password never leaves the bank, and access is scoped and time-limited
c) It eliminates the need for eIDAS certificate verification at every API call
d) The TPP receives permanent access to all customer data without re-authorization requirements
4. PKCE (Proof Key for Code Exchange) is an extension to the OAuth 2.0 Authorization Code Flow. What specific attack does PKCE protect against?
a) Man-in-the-middle attacks on the TLS connection between bank and TPP
b) Certificate spoofing where a malicious entity presents a forged eIDAS certificate
c) Interception of the authorization code during its transit and use by an attacker
d) SQL injection attacks on the ASPSP's consent management database
5. The Financial-grade API (FAPI) 1.0 Advanced specification, which underpins UK Open Banking, requires mutual TLS (mTLS). What does mutual TLS add to standard TLS that is relevant to compliance?
a) It encrypts the body of API responses in addition to the connection
b) Both the client (TPP) and the server (bank) authenticate with certificates, not just the server
c) It restricts API calls to a pre-approved list of IP addresses
d) It increases the key length used in the session encryption to 4096 bits
6. Under PSD2, an ASPSP (bank) incorrectly denies access to a TPP's API request. Who bears liability for any resulting customer harm in this scenario?
a) The TPP, because it failed to obtain a valid access token
b) The ASPSP, because it incorrectly denied access to a properly authorized request
c) The customer, because they consented to share data with the TPP
d) The national competent authority, because it authorized the TPP
7. A UK TPP presents an OBIE (Open Banking Implementation Entity) certificate when calling a UK ASPSP's API, rather than an eIDAS certificate. Why does the UK use OBIE certificates rather than eIDAS certificates for UK Open Banking?
a) OBIE certificates provide stronger cryptographic security than eIDAS certificates
b) The UK left the EU and therefore UK TPPs are no longer eligible for eIDAS certificates
c) OBIE certificates are issued for free, while eIDAS certificates require a fee
d) eIDAS certificates do not support the FAPI security profile requirements
8. Maya Osei pulls up Verdant's API access log and discovers that a registered TPP has made 847 API calls in a single hour, accessing transaction data for 312 different customers — significantly above its normal pattern. What is the most appropriate immediate compliance response?
a) Suspend the TPP's API access token and initiate an investigation
b) Send an email to the TPP asking for an explanation within five business days
c) Report immediately to the FCA without investigating further
d) Log the anomaly but take no action until the daily monitoring report is reviewed
9. Which of the following best describes the distinction between Open Banking and Open Finance?
a) Open Banking uses APIs; Open Finance uses file-based batch data transfers
b) Open Banking covers payment accounts; Open Finance extends to all financial products including mortgages, pensions, and investments
c) Open Banking is mandatory; Open Finance is always voluntary
d) Open Banking applies to individuals; Open Finance applies to businesses
10. Under the GDPR, what right directly supports a customer's ability to receive a consent audit trail showing all TPPs that have accessed their data under Open Banking?
a) Right to rectification (Article 16)
b) Right to erasure (Article 17)
c) Right of access (Article 15)
d) Right to object (Article 21)
11. The EBA's Integrated Reporting Framework (IReF) is designed to achieve which of the following?
a) Replace PSD2 with a new payments directive covering crypto-asset services
b) Harmonize EU regulatory reporting requirements into a single data model and submission framework across member states
c) Mandate API-based Open Finance data sharing across all EU financial products
d) Create a unified EU sanctions screening database accessible via real-time API
12. A financial firm relies on downloading weekly bulk files from OFAC's website for sanctions screening. What is the primary compliance risk this approach creates compared to real-time API-based screening?
a) Bulk file downloads are not legally recognized as a valid sanctions compliance method
b) There is a lag between a new designation being published and the firm's screening list being updated, during which the firm may transact with newly designated persons
c) Bulk files cannot be processed by automated screening software without manual conversion
d) OFAC does not permit bulk file downloads for firms with more than £1 billion in assets
13. Under the UK Open Banking standards, a TPP's consent for account information access expires after 90 days without re-authorization. The TPP's system fails to refresh the consent and continues attempting API calls after expiry. What response should the bank's API return, and what does this demonstrate?
a) HTTP 200 (OK), because the bank should not interrupt a customer relationship mid-session
b) HTTP 403 (Forbidden), because the consent is no longer valid — demonstrating the enforcement function of the consent management layer
c) HTTP 302 (Redirect), redirecting the TPP to the consent authorization page
d) HTTP 200 (OK) with an empty response body, to avoid causing a system error at the TPP
14. Australia's Consumer Data Right (CDR) is notable in the global Open Banking landscape for which of the following characteristics?
a) It is the first purely voluntary Open Banking standard, relying on industry self-regulation
b) It extends mandatory data portability beyond banking to energy and telecommunications, making it broader in scope than most other national Open Banking regimes
c) It operates exclusively through screen-scraping rather than dedicated APIs, avoiding the need for bank API investment
d) It applies only to credit products, excluding payment accounts from its scope
Answer Key
1. c) Account Information Service Provider (AISP)
AISPs are authorized to read customer account data for information aggregation purposes. They cannot initiate payments — that is the role of PISPs. ASPSPs are the banks holding the accounts. CBPIIs issue card-based instruments.
2. b) With ClearView, because it is the AISP with the direct customer relationship
AISPs hold the AML compliance obligation for their own customers. Verdant Bank satisfies its obligation by verifying that ClearView is a regulated entity subject to AML obligations, but it is not responsible for conducting KYC on ClearView's customer base.
3. b) The customer's password never leaves the bank, and access is scoped and time-limited
The core security advantage of the OAuth 2.0 Authorization Code Flow is that the customer authenticates directly with the bank (not with the TPP), the bank issues a scoped access token, and the authorization has a defined expiry. The customer never shares their credentials with the TPP.
4. c) Interception of the authorization code during its transit and use by an attacker
PKCE requires the TPP to generate a code verifier before the flow begins and prove knowledge of it during token exchange. Even if an attacker intercepts the authorization code, they cannot exchange it for a token without the code verifier, which was never transmitted.
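As an added illustration of the mechanism this answer describes (example code written for this page, not part of the quiz, the chapter, or any bank's or TPP's implementation), the Python below models the PKCE S256 exchange: the client keeps a secret code verifier, sends only its SHA-256 challenge with the authorization request, and the token endpoint honours an authorization code only when the matching verifier is presented. The in-memory AuthorizationServer class and the simulate() helper are constructed for the demonstration; the verifier/challenge pair used by self_check() is the worked example from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

# Worked verifier/challenge pair from RFC 7636 Appendix B, used only as a self-check.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: a high-entropy secret (43 chars) that stays in the client's memory."""
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(verifier)); only this crosses the wire."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory stand-in for the bank's authorization and token endpoints."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge it was issued against

    def authorize(self, code_challenge: str) -> str:
        """Authorization endpoint: after the customer consents, issue a single-use code
        and remember the challenge that accompanied the request."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        """Token endpoint: the code is consumed whether or not the verifier matches,
        so an intercepted code buys at most one failed attempt."""
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None  # unknown or already-used code
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # verifier does not match the challenge bound to this code
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 300}


def self_check() -> bool:
    """Confirm the S256 derivation against the RFC 7636 worked example."""
    return make_code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE


def simulate(attacker_has_verifier: bool) -> bool:
    """Run one flow. The authorization code is treated as observable in transit (the redirect);
    the verifier is not. Returns True if the party presenting the code obtains a token."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    # A party holding only the code can at best present a verifier of its own.
    presented = verifier if attacker_has_verifier else make_code_verifier()
    return server.token(code, presented) is not None


if __name__ == "__main__":
    print("S256 self-check:", self_check())
    print("legitimate client obtains token:", simulate(True))
    print("holder of intercepted code only:", simulate(False))
```

The comparison uses hmac.compare_digest so the token endpoint does not leak, through timing, how much of a guessed challenge matched; in a real deployment the pending-code table would also carry an expiry (the OAuth 2.0 specification allows codes to live for only a short time).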
5. b) Both the client (TPP) and the server (bank) authenticate with certificates, not just the server
Standard TLS authenticates the server only (the customer verifies they are talking to the real bank). Mutual TLS adds client authentication: the bank also verifies the TPP's certificate, providing assurance that the entity calling the API is the authorized TPP and not an impersonator.
6. b) The ASPSP, because it incorrectly denied access to a properly authorized request
Under PSD2, the liability framework places responsibility on the ASPSP when it wrongly denies access to a properly authorized TPP. The ASPSP must not obstruct TPP access when the TPP has valid authorization and a valid customer consent.
7. b) The UK left the EU and therefore UK TPPs are no longer eligible for eIDAS certificates
Post-Brexit, UK firms lost access to EU trust infrastructure, including eIDAS certificates. The OBIE (Open Banking Implementation Entity) developed an equivalent certificate infrastructure for the UK, providing UK TPPs with certificates that serve the same authentication function in the UK Open Banking ecosystem.
8. a) Suspend the TPP's API access token and initiate an investigation
An anomalous pattern of high-volume, multi-customer access significantly outside normal parameters is a potential indicator of unauthorized access or a security breach at the TPP. Immediate suspension of the access token prevents further data being served while the investigation proceeds.
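The kind of check that would surface the pattern in this question, as an added example (not code from the chapter or from any bank's monitoring system): it parses a constructed access-log format, aggregates calls and distinct customers per TPP per hour, compares each hour against a per-TPP baseline, and emits a "suspend_access_token" action for any TPP that exceeds the baseline by a configurable factor or is not registered at all. The log line format, the TPP identifiers, the baseline figures and the factor of 5 are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log format: "<ISO-8601 UTC timestamp> tpp=<id> customer=<id> endpoint=<path>".
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z "
    r"tpp=(?P<tpp>\S+) customer=(?P<cust>\S+) endpoint=(?P<ep>\S+)$"
)


def parse_line(line):
    """Return a record for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"hour": m["hour"], "tpp": m["tpp"], "customer": m["cust"], "endpoint": m["ep"]}


def hourly_activity(lines):
    """Aggregate (tpp, hour) -> call count and the set of distinct customers touched."""
    activity = defaultdict(lambda: {"calls": 0, "customers": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped here; a real pipeline would count them
        slot = activity[(rec["tpp"], rec["hour"])]
        slot["calls"] += 1
        slot["customers"].add(rec["customer"])
    return activity


def detect_anomalies(lines, baseline, factor=5):
    """Flag any TPP-hour whose calls or distinct customers exceed `factor` times its
    baseline, and any TPP with no baseline (i.e. not registered). Returns alert dicts."""
    alerts = []
    for (tpp, hour), slot in hourly_activity(lines).items():
        n_customers = len(slot["customers"])
        normal = baseline.get(tpp)
        if normal is None:
            reason = "unregistered_tpp"
        elif slot["calls"] > factor * normal["calls"] or n_customers > factor * normal["customers"]:
            reason = "volume_exceeds_baseline"
        else:
            continue
        alerts.append({"tpp": tpp, "hour": hour, "calls": slot["calls"],
                       "customers": n_customers, "reason": reason,
                       "action": "suspend_access_token"})
    return alerts


# Constructed sample: a normal TPP, a TPP far above its usual volume, and an unknown caller.
SAMPLE_LOG = [
    f"2024-05-14T10:{i:02d}:00Z tpp=TPP-CLEAR customer=C{i:04d} endpoint=/accounts/C{i:04d}/balances"
    for i in range(6)
] + [
    f"2024-05-14T10:{i % 60:02d}:{i % 60:02d}Z tpp=TPP-ROGUE customer=C{i:04d} endpoint=/accounts/C{i:04d}/transactions"
    for i in range(30)
] + [
    "2024-05-14T10:30:00Z tpp=TPP-NOREG customer=C9999 endpoint=/accounts/C9999/balances",
    "this line is not a valid access-log record",
]

# Constructed per-TPP hourly baseline (what "normal" looks like for each registered TPP).
BASELINE = {
    "TPP-CLEAR": {"calls": 20, "customers": 10},
    "TPP-ROGUE": {"calls": 4, "customers": 3},
}


def demo():
    """Run the detector over the constructed sample and return the alerts."""
    return detect_anomalies(SAMPLE_LOG, BASELINE)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Suspension here is expressed as an action for the access-token layer to carry out, which keeps the detector free of side effects and lets the same alerts feed the investigation record the question calls for.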
9. b) Open Banking covers payment accounts; Open Finance extends to all financial products including mortgages, pensions, and investments
Open Banking as implemented under PSD2 and the CMA Order is limited to payment accounts. Open Finance extends the same consent-based data portability model to the full financial product suite, including mortgages, savings, investments, pensions, and insurance.
10. c) Right of access (Article 15)
GDPR Article 15 gives data subjects the right to obtain confirmation of what personal data is being processed, and by whom. When a Verdant customer asks for a record of which TPPs have accessed their account data and when, this is a data subject access request under Article 15, which the consent audit trail directly supports.
11. b) Harmonize EU regulatory reporting requirements into a single data model and submission framework across member states
The IReF is the EBA's initiative to replace the fragmented national regulatory reporting requirements across EU member states with a common data dictionary and reporting framework, enabling consistent data quality and cross-border comparability.
12. b) There is a lag between a new designation being published and the firm's screening list being updated, during which the firm may transact with newly designated persons
The fundamental risk of batch file downloads is temporal: a new designation published on a Monday afternoon may not be incorporated into the firm's screening until the following weekend's file update. During this window, the firm may unknowingly transact with a newly designated person. Real-time API-based screening eliminates this lag.
13. b) HTTP 403 (Forbidden), because the consent is no longer valid — demonstrating the enforcement function of the consent management layer
An expired consent is legally equivalent to a revoked consent for the purpose of data access authorization. The API should return HTTP 403 (Forbidden), refusing to serve data without valid authorization. This is the consent management layer functioning correctly, as Maya noted in the chapter's closing vignette — "the system working correctly."
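To make the enforcement function concrete, here is an added example of a consent-layer check of the kind this answer describes (written for this page; not the chapter's code and not any ASPSP's implementation). A consent is recorded with a 90-day lifetime when the customer authorises it; before any account data is served, the check confirms that the consent belongs to the calling TPP, is still in the Authorised state, has not passed its expiry, and covers the permission being exercised. Every failure is refused with 403, as the answer states. The Consent dataclass, the simplified two-state status model, the TPP identifiers and the reference date are assumptions; the permission names follow the OBIE-style naming (ReadAccountsBasic, ReadBalances, ReadTransactionsDetail).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# UK Open Banking account-information consents lapse after 90 days without re-authorisation.
CONSENT_LIFETIME = timedelta(days=90)

# Constructed reference instant for the sample consent used in demo().
SAMPLE_AUTHORISED_AT = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Consent:
    consent_id: str
    tpp_id: str
    permissions: frozenset   # OBIE-style permission names, e.g. "ReadBalances"
    status: str              # "Authorised" or "Revoked" in this simplified model
    authorised_at: datetime
    expires_at: datetime


def grant_consent(consent_id, tpp_id, permissions, authorised_at):
    """Record a consent at the moment the customer authorises it at the bank."""
    return Consent(consent_id, tpp_id, frozenset(permissions), "Authorised",
                   authorised_at, authorised_at + CONSENT_LIFETIME)


def revoke(consent):
    """Customer (or bank) withdraws the consent; data access must stop at once."""
    return Consent(consent.consent_id, consent.tpp_id, consent.permissions, "Revoked",
                   consent.authorised_at, consent.expires_at)


def authorise_request(consent, caller_tpp_id, permission, now):
    """Consent-layer gate run before any account data is served.
    Returns (http_status, reason); only a live, matching, sufficiently scoped consent gets 200."""
    if consent is None or consent.tpp_id != caller_tpp_id:
        return 403, "consent_not_bound_to_caller"
    if consent.status != "Authorised":
        return 403, "consent_" + consent.status.lower()
    if now >= consent.expires_at:
        return 403, "consent_expired"      # expired is treated exactly like revoked
    if permission not in consent.permissions:
        return 403, "permission_not_granted"
    return 200, "ok"


def at_day(consent, days):
    """The instant `days` days after the consent was authorised."""
    return consent.authorised_at + timedelta(days=days)


def demo():
    """Walk a constructed consent through its lifecycle; returns {scenario: http_status}."""
    consent = grant_consent("cons-0001", "tpp-clearview",
                            {"ReadAccountsBasic", "ReadBalances"}, SAMPLE_AUTHORISED_AT)
    tpp = "tpp-clearview"
    return {
        "day_1_balances": authorise_request(consent, tpp, "ReadBalances", at_day(consent, 1))[0],
        "day_89_balances": authorise_request(consent, tpp, "ReadBalances", at_day(consent, 89))[0],
        "day_90_balances": authorise_request(consent, tpp, "ReadBalances", at_day(consent, 90))[0],
        "day_1_transactions": authorise_request(consent, tpp, "ReadTransactionsDetail", at_day(consent, 1))[0],
        "day_1_other_tpp": authorise_request(consent, "tpp-other", "ReadBalances", at_day(consent, 1))[0],
        "day_1_after_revoke": authorise_request(revoke(consent), tpp, "ReadBalances", at_day(consent, 1))[0],
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:22s} -> HTTP {status}")
```

The reason string is meant for the bank's own audit log rather than the response body, so the refusal tells the TPP only that it is not authorised; the audit entry, in turn, is what feeds the Article 15 consent trail referred to in question 10.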
14. b) It extends mandatory data portability beyond banking to energy and telecommunications, making it broader in scope than most other national Open Banking regimes
Australia's CDR is notable for being mandatory (unlike the US's market-led approach) and for its explicit multi-sector design, which has already extended into energy and is continuing into additional sectors. This breadth of scope distinguishes it from most other national Open Banking frameworks.