a. Data access interfaces

The XS2A rule enables third-party payment service provider access to customers’ payment account data on the condition that they a) identify themselves to the bankFootnote ¹¹ and b) communicate securely.Footnote ¹² According to Article 98(1)(d), the regulatory technical standards (RTS) on authentication and communication developed by the European Banking Authority (EBA) shall include:

To comply with the requirements relative to the communication session for access and transmission (sharing) of data between account servicing payment service providers (banks) and third-party service providers, the PSD2 requires the former to offer interoperable communication interfaces. According to the RTS, banks may choose to either make available a “dedicated” interface, developed for the purposes of providing access to accounts for third-party service providers, or to make available their standard interfaces used for authentication and communication with their users.

A dedicated interface constitutes a secure communication channel between a user’s bank and a third-party service provider offering open banking services. Article 30 RTS requires dedicated interfaces to have a minimal set of functions. These are (i) the authentication of the third-party service provider; (ii) uninterrupted communication between the service providers involved; and (iii) integrity and confidentiality of consumer data transmitted via this channel.Footnote ¹³ The RTS (Art 31) also allow banks to opt for making available their standard interfaces to third parties, so that the users can engage with third-party open banking services by authenticating and providing consent via the same interface that they use for online banking. However, citing security reasons, most banks to date have opted for a more expensive and complex option of dedicated interfaces based on open application programming interfaces (APIs).Footnote ¹⁴

Open APIs allow third-party providers’ software to interoperate with that of the users’ bank for the purposes of channeling users’ transactional data. Such open standard APIs allow third-party service providers to offer their services across the sector (i.e., to the customers of different banks) in the absence of a specific contractual arrangement with banks and at lower costs, thus benefiting from economies of scale.Footnote ¹⁵

b. API standards and interoperability

The API technology emerged as a substitute to screen scraping that came effectively under prohibition with the new PSD2 framework.Footnote ¹⁶ Although neither the PSD2 nor the RTS explicitly refer to the use of APIs, there is a consensus within the industry and policy makers that APIs are the best available technology for secure communication in open banking.Footnote ¹⁷

APIs thus got the leading role as the most appropriate technology capable of enhancing synergies between the service providers within the open banking ecosystem. Moreover, to ensure regulatory intervention does not impede further innovation, the higher levels of EU open banking framework – the Directive and the RTS – have not specified the standard, leaving it to the industry to define.

At this moment there are several standards that have been developed and offered to service providers across the EU. One of the most common standards is NextGenPSD2, developed by a coalition of EU banks called the Berlin Group, comprising around twenty-five institutions. Several national aggregators exist, offering solutions within one jurisdiction, as is the case in Spain, Italy and France.Footnote ¹⁸

a. Lack of interoperability (API fragmentation)

Lack of interoperability has been particularly pronounced in online payments, involving clusters of banks that do not offer interoperable communication interfaces across borders. Lack of standardisation and interoperability between functions and technical standards of banks’ APIs hamper third-party providers’ ability to scale up and offer competitive value proposition to their users. Third-party open banking service providers continuously face the need to establish a separate connection to every bank, which is resource-intensive and significantly limits their reach.Footnote ¹⁹

The impact assessment accompanying the proposal for the revised framework – Payment Services Regulation (PSR) – sums up the sources of inefficiencies that undermine innovation and competition in open banking. For one, the inefficiencies stem from the legal issues, including the complexity of the legal framework (different interfaces, including fallback obligations, possible fallback exemptions etc.) and divergent implementation and enforcement of the PSD2 requirements at national level. These legal issues led to technical problems due to insufficient detail and clarity about the expected performance level, and about API functionalities to be provided by banks to third-party providers.Footnote ²⁰

According to the impact assessment, the absence of a single API standard under the PSD2 and the RTS has been justified precisely by the considerations relative to promoting competition and innovation.Footnote ²¹ However, due to the lack of a clear standardisation mandate and eventually of a single standard,Footnote ²² banks in the EU may adhere to a different API standard that have emerged to date, with different ways of connecting. As mentioned above, this fragmentation impacts the API quality and delivery cycles, and it constrains third-party open banking service providers ability to cater for the needs of their users. According to the study on the application and impact of the PSD2, third-party providers of account information and payment initiation services are of the view that although the PSD2 model of XS2A via an open API model has enabled many new companies to enter the market, the implementation of the XS2A rule by EU banks has mostly been poor (with very few exceptions).Footnote ²³ As a result, a significant number of obstacles have now been built into the framework. The stakeholders observe that the APIs vary greatly from bank to bank, despite the fact that the latter claim to use the same standard.

b. Poor quality of API

The quality of APIs is conditioned upon three core characteristics. First, their availability, i.e., accessibility and responsiveness. Second, API performance, characterised by their latency (the time between the initiation of a request and the receipt of the response) and throughput (the number of requests an API can handle at any given moment in time). Finally, API security, i.e., their confidentiality and integrity.Footnote ²⁴

Some third-party providers submitted that they often do not receive the correct status feedback for their scheduled payment initiation service payments. According to these submissions, the availability of APIs remains patchy, the scope of the data being accessed remains unclear and the reliability of eIDAS certifications is inconsistent across the EU.Footnote ²⁵ This has resulted in increased costs and resources, which constitutes a major obstacle for open banking innovation in the EU.

In addition to the enforcement powers granted to national competent authorities under Article 30(6) RTS,Footnote ²⁶ the PSD2 framework introduced an EU-level mechanism for stakeholder dialogue. The efforts aimed at establishing the stakeholder dialogue have been important in addressing the insufficient implementation of interoperability obligations under PSD2. The EBA industry Working Group on API’s under the PSD2 was aimed at addressing the obstacles to open banking services connected to insufficient implementation of interoperability requirements.Footnote ²⁷ Active between 2019 and 2021, the working group held several stakeholder meetings in preparation for the implementation of the RTS (discussing API standardisation and the introduction of dedicated interfaces). In addition, the EBA issued a number of clarifications in response to the stakeholders’ questions and concerns, as well as the EBA Opinion on supervisory actions to call on national competent authorities to ensure the removal of obstacles to account access under the PSD2.Footnote ²⁸ Despite these efforts to bring more clarity into implementation and to enhance supervisory convergence, a number of interoperability-related issues persisted.

a. Lack of interoperability (API fragmentation)

Key changes introduced under the Commission’s proposal for a Payment Services Regulation (PSR)Footnote ²⁹ include the imposition of a dedicated interface for open banking data access and the removal of the requirement on account servicing payment service providers to maintain permanently a “fallback” interface.Footnote ³⁰ The proposal introduces additional requirements on dedicated interfaces concerning their performance and functionalities.Footnote ³¹

A number of implementation issues resulted from the flexibility given to banks by the “fallback” interface option as alternative to dedicated interfaces for secure communication. First, Article 30 RTS does not detail specific API standards, which has led to the emergence of multiple API standards and differences in application of these standards across the industry (API fragmentation).Footnote ³² As discussed above, this has resulted in increased costs and resources for the industry, with obstacles remaining to the seamless provision of open banking services across the EU.Footnote ³³

The fallback option was introduced under Article 31 RTS to accommodate the likely challenges that running uninterrupted API-based dedicated interfaces would cause. Thereby, the banks are required to make their standard online banking interface available for the purposes of providing third-party services, in case the dedicated interface is not available or malfunctioning. In its essence, the requirement aimed at ensuring that no obstacles are created for the provision and use of third-party services. In practice, however, banks’ underperforming APIs, paired with the flexibility in relying on fallback interfaces, led to inconsistent implementation and weak enforcement of the RTS requirements.Footnote ³⁴

Moreover, despite the API fragmentation, there is no unanimity amongst various stakeholders as to the need for a uniform API standard. Stakeholders are citing primarily potential negative effects on innovation and additional (significant) costs for the industry.Footnote ³⁵ The innovation-related argument here is a nuanced one. Many claim that further ‘top-down’ as opposed to industry-led standardisation would slow down or even prevent industry from innovating. Part of the argument concerns banks’ incentives to come up with additional API functionalities and features. That, the opponents of further standardisation suggest, would prevent banks from innovating and improving APIs, even upon third-party providers’ request. This is due to the requirement “that a certain use case must first be included in the API standard in order for it to be implemented in their interface.”Footnote ³⁶ The Commission appears to agree with these views, suggesting that the API standardisation remains industry-led, with the new PSR retaining minimum requirements for open APIs.Footnote ³⁷ Instead of amending the standardisation mandate, the Commission’s proposal focuses on removing currently existing obstacles to interoperability. This is the aim of a number of new explicit prohibitions under the PSR. For instance, under the revised framework it will be prohibited to provide a dedicated interface that does not support all the authentication procedures made available by banks to their users, or to impose a “redirection” or “decoupled” approach that adds additional steps in the user journey.Footnote ³⁸

b. Quality of API

Third-party service providers and a number of national authorities raise concerns about the fact that third-party providers continue facing significant obstacles with accessing accounts via the APIs developed by banks. Different stakeholders have stressed that there are poor quality APIs that have not been reviewed by national authorities in accordance with Articles 30(6) and 32(2) RTS, and that there are large differences in APIs across Member States. This resulted in limited cross-border activity and less choice for payment service users. Many stakeholders have been advocating for more API standardisation and better supervision and enforcement of banks providing the necessary conditions to ensure third-party access to user accounts.Footnote ³⁹

The proposed revised framework (under the PSR) aims at reducing regulatory complexity by constraining the flexibility given to banks in relying on their standard customer interfaces as a fallback option. This, however, only addresses part of the issue, as banks would remain in charge of further API standardisation and ensuring that these offer sufficient quality. With respect to the latter, the current proposal does not seem to add more detail to the minimum requirements to the open API performance that existed previously.

The above viewpoint is in line with the views shared by many in the industry that the reason for poor APIs lies in the lack of incentive for banks to invest in well-performing APIs, and not because of the lack of standardisation. In other words, not the absence of a single standard (as initially mandated under the PSD2) but the poor implementation of existing API standards poses the main problem. Hence the shift of the focus should be not on facilitating the emergence of a single standard (as was upon the launch of open banking), but on enhancing the quality of APIs based on several existing standards.

c. Lessons from PSD2

The API-related interoperability issues under the PSD2 can be attributed to three main shortcomings of the legal framework: insufficient incentives for payment “data gatekeepers” (i.e., banks), weak enforcement, and ambiguity with regard to regulatory requirements.Footnote ⁴⁰

The Commission’s response to these shortcomings focuses on better implementation through stricter enforcement, instead of a (renewed) standardisation mandate. The reason is that it appears to be “too late” to steer industry towards a single standard.Footnote ⁴¹ For one, mandating a single interoperability (API) standard at this stage would be too costly – the Commission concluded in its impact assessment that the development and transition to a new single standard would require an “excessively high implementation cost for banks (ASPSPs).”Footnote ⁴² Additionally, emerged standards are competing, and although the lack of a single standard has slowed the development of open banking, it did not halt it.Footnote ⁴³

One lesson from the PSD2 implementation of interoperability, therefore, is the importance of timing in regulating fast-evolving markets. Now, confronted with a new market reality, the efforts aimed at removing obstacles to interoperability in open banking are primarily aimed at improving the quality of APIs. The revision of the PSD2 offers another lesson on the available regulatory options to tackle the obstacles to interoperability. From the legal perspective, these options amount to clarifying minimum requirements to the functioning of dedicated interfaces, adding more detail to the required performance of APIs and narrowing down exemptions.

a. Data-related interoperability obligations

There are two complementary obligations that regulate the way gatekeepers may use data vis-à-vis third-party business users, and which are designed to create a level playing field.

One particular problem emerges when gatekeepers have a dual function in providing a core platform service and operating themselves on that service, in competition with business users. In that situation, they might take advantage of that dual role, to use data generated by their business users while exercising their activities on the core platform service (recital 46). To tackle this problem, Article 6(2) prevents gatekeepers from using, in competition with business users, data generated or provided by those business users while using the gatekeepers’ service that is not publicly available. This includes data deriving from customers of those business users.

Besides making sure that gatekeepers do not obtain an unfair advantage by using data generated by business users that is not publicly available, the DMA goes a step further and demands that gatekeepers share data, when requested by business users. This includes data provided or generated by the business user and their end users. In this regard, Article 6(10) establishes that:

When personal data is involved, according to recital 60 of the DMA, users must have given consent, where consent to such sharing is required under the General Data Protection Regulation.Footnote ⁴⁷ In order to implement this obligation, recital 60 also states that gatekeepers should put in place appropriate technical measures, for example high quality APIs or integrated tools for small volume business. Hence, this obligation entails some interoperability elements, which are further discussed in the section below.

b. Interoperability with third-party software applications and hardware and software features

Interoperability is a key component of contestability in the digital market. Gatekeepers may have an incentive to restrict the ability of end users to utilise third-party software on their hardware or operating systems. To ensure market contestability in this respect, Article 6(4) targets operating systems and sets outs that “the gatekeeper shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system.” Furthermore, it must be possible for users to access them through means other than the gatekeeper’s core platform services. Besides being able to run third-party software, users must be allowed to set them as their default. This must be technically enabled and facilitated by the gatekeeper. Gatekeepers do keep the right to implement technical and contractual measures necessary and proportionate to protect the integrity of their hardware or operating system. This includes design options needed to prevent unauthorised access and end users’ security.Footnote ⁴⁸

Article 6(7), applies to both operating system and virtual assistant gatekeepers and stipulates that they must ensure effective interoperability for service and hardware providers. In September 2024, the Commission opened proceedings under Article 20(1) of the DMA in view of specifying the measures Apple must put in place to effectively comply with its interoperability obligations under Article 6(7), concerning interoperability between iOS and connected devices, such as smartwatches, headphones, and virtual reality headsets.Footnote ⁴⁹ In December 2024, the Commission published its preliminary findings setting out the proposed measures that Apple should implement to ensure effective interoperability with iOS for connected devices and opened a public consultation on the proposed measures. The measures proposed are designed to ensure that “the interoperability solutions for third parties will have to be equally effective to those available to Apple and must not require more cumbersome system settings or additional user friction.”Footnote ⁵⁰

c. Number-independent interpersonal communications services

A further problem that the DMA tackles through interoperability obligations is the weak contestability of number-independent interpersonal communications services (NI-ICS). Article 7 of the DMA imposes on gatekeepers the obligation to ensure interoperabilityFootnote ⁵¹ of their NI-ICS with other providers. To achieve interoperability, gatekeepers need to provide “the necessary technical interfaces or similar solutions that facilitate interoperability, upon request, and free of charge.”Footnote ⁵²

The “basic functionalities” that need to be made interoperable, provided that the gatekeeper itself offers those functionalities to its own end users, are specified in Article 7(2). Following designation of gatekeeping status, interoperability must be provided for end-to-end text messaging between two individual end users, including the sharing of images, voice messages, videos and other attached files. In a second step, within two years from designation, this interoperability must be extended to groups of individual end users. In a last step, within four years, also end-to-end voice and video calls between two individual end users and between a group chat and an individual end user must be made interoperable.

The way the interoperability obligation in Article 7 is put into practice is the following: the gatekeeper publishes a letter of reference, in which it lays down the technical details and general terms and conditions of interoperability (including the level of security).Footnote ⁵³ The Commission may consult the Body of European Regulators for Electronic Communications to determine the compliance of the technical details and the general terms and conditions published in the reference offer.Footnote ⁵⁴ Other providers may then make a request for interoperability of some or all the functionalities, which the gatekeeper needs to comply with within 3 months, by making the requested functionalities operational.Footnote ⁵⁵ The gatekeeper may receive an extension from the Commission for the deadlines under Articles 7(2) and (5), if justified for effectiveness or security reasons.Footnote ⁵⁶

Now that we have looked at relevant obligations under the DMA, we will explore the tools the Commission has to shape their implementation.

a. Entering into dialogues

Under Article 8(3) DMA, at a gatekeeper’s request, the Commission may engage in a dialogue with a gatekeeper. The dialogue’s objective is to determine the adequacy of the measures that the gatekeeper intends to implement or has implemented to ensure compliance with relevant obligations. The dialogue allows the Commission to take into account the specific circumstances of the gatekeeper and to specify some of the measures that the gatekeeper concerned should adopt in order to effectively comply with obligations.Footnote ⁵⁷

Crucially, a dialogue can only be requested for implementation concerning obligations under Articles 6 and 7, and not Article 5. The reason for this is that the obligations under Article 5 are designed to be self-executing, leaving less discretion as to their implementation.

Whether or not the Commission decides to engage in such a process is at its discretion and is decided in line with the principles of equal treatment, proportionality and good administration. Furthermore, the Commission retains the ability to adopt a non-compliance decision and to reopen proceedings, including where the specified measures turn out not to be effective.Footnote ⁵⁸

b. Specifying through implementing acts

The Commission may adopt an implementing act, specifying the measures that the gatekeeper concerned is to implement in order to effectively comply with the obligations laid down in Articles 6 and 7.Footnote ⁵⁹ Implementing acts can be adopted for specifying the “form, content and other details of the technical measures that gatekeepers shall implement in order to ensure compliance with Article 5, 6 or 7” and the “operational and technical arrangements in view of implementing interoperability of number-independent interpersonal communications services pursuant to Article 7.”Footnote ⁶⁰

Furthermore, an implementing act can be adopted in order to exceptionally suspend, entirely or partially, an obligations under Articles 5, 6 or 7, if compliance with the obligation would endanger the economic viability of a gatekeeper’s operation in the EU.Footnote ⁶¹ Exemptions from specific obligations can also be granted via implementing act, if they are justified on public health or public security grounds.Footnote ⁶²

Finally, the Commission may use implementing acts to make commitments that have been offered by gatekeepers, in the context of a market investigation into systematic non-compliance, binding.Footnote ⁶³

c. Updating through delegated acts

The Commission may adopt delegated acts to supplement the obligations contained in Articles 5 and 6. The scope of a delegated act is limited to extending or specifying existing obligations.Footnote ⁶⁴ Delegated Acts should follow a market investigation into new services and new practices under Article 19.Footnote ⁶⁵ This can be used to determine whether new services should be classified as core platform services or to detect new practices that limit the contestability of core platform services or that are unfair. In order to add new services to the list or include new obligations, the Commission can submit to the European Parliament and to the Council a draft delegated act supplementing the DMA, or a legislative proposal to amend the DMA. For example, while Article 7 is currently limited to NI-ICS, the DMA creates the opportunity for the Commission to “evaluate if the scope of Article 7 may be extended to online social networking services.”Footnote ⁶⁶ Furthermore, it may propose to remove existing services from the list of core platform services or remove current obligations.Footnote ⁶⁷