
What is open banking?

Regulation requires banks to share customer financial data and accept payment instructions from authorised third parties: PSD2 in Europe, and in the UK the Payment Services Regulations (PSRs) and the “CMA Order” (also known as The Retail Banking Market Investigation Order 2017). This is done through APIs. Yapily connects to these bank APIs so you don’t have to.

The key difference from card payments: money moves directly from bank account to bank account with no card network intermediary. There are no interchange fees and no chargebacks.

The customer must explicitly consent to sharing data or authorising a payment. This is why “consent” is central to everything in open banking.

Key roles

| Role | Who | Example |
| --- | --- | --- |
| PSU (Payment Service User) | The end customer who owns the bank account | Your user making a payment |
| ASPSP (Account Servicing Payment Service Provider) | The bank or financial institution | Barclays, Deutsche Bank, BNP Paribas |
| TPP (Third Party Provider) | The authorised company connecting to the bank on the customer’s behalf | Yapily (or you, if you are regulated) |
| AISP | Account Information Service Provider | Yapily for data access |
| PISP | Payment Initiation Service Provider | Yapily for payment initiation |

Yapily is regulated as both an AISP and PISP, enabling secure access to financial data and payment initiation across supported markets. If you are using Yapily Connect, Yapily holds the TPP licence on your behalf, reducing regulatory overhead and accelerating time to market.

How the authorisation flow works

  1. Your app asks Yapily to create a consent request (for data access or a payment)
  2. The customer is redirected to their bank’s login screen
  3. The customer authenticates (Strong Customer Authentication) and approves
  4. The bank redirects back to your app with an authorisation code
  5. You exchange the code for a consent token
  6. You use the consent token to access data or execute the payment
This is the most common flow (redirect). Some banks support alternative flows such as embedded or decoupled authentication. Yapily Hosted Pages handles all of these automatically. If you are using the Direct API, see User Authorisation Flows for details.
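
One way to guard the redirect in steps 1 to 5, shown as an added example that is not Yapily's code: the app records which browser session started each consent request and releases the authorisation code for exchange only when the callback matches that session, has not expired, and has not been seen before. The `state` and `code` parameter names, the 15-minute limit and the session identifiers are assumptions for illustration; the page does not specify how the callback is parameterised.

```python
import hmac
import secrets
import time


class CallbackRejected(Exception):
    """The redirect back from the bank failed a local check."""


class PendingAuthorisations:
    """Links step 1 (consent request created) to step 4 (bank redirects back)."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._pending = {}        # state -> (session_id, deadline)
        self._ttl = ttl_seconds   # assumed limit on time spent at the bank
        self._clock = clock

    def start(self, session_id):
        """Step 1: return an unguessable value to carry through the redirect."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = (session_id, self._clock() + self._ttl)
        return state

    def finish(self, session_id, params):
        """Step 4: return the authorisation code only if the callback is ours."""
        # pop() makes each state single-use, so a replayed callback URL is refused.
        entry = self._pending.pop(params.get("state", ""), None)
        if entry is None:
            raise CallbackRejected("unknown or already used state")
        owner, deadline = entry
        # The callback must arrive in the browser session that started the flow.
        if not hmac.compare_digest(owner.encode(), session_id.encode()):
            raise CallbackRejected("callback belongs to another session")
        if self._clock() > deadline:
            raise CallbackRejected("authorisation request expired")
        code = params.get("code")
        if not code:
            raise CallbackRejected("no authorisation code present")
        return code


if __name__ == "__main__":
    flows = PendingAuthorisations()
    state = flows.start("session-A")                         # constructed session id
    callback = {"state": state, "code": "constructed-code"}  # constructed callback
    print(flows.finish("session-A", callback))               # accepted once
    try:
        flows.finish("session-A", callback)                  # same URL replayed
    except CallbackRejected as err:
        print("rejected:", err)
```

Only a code returned by `finish` should go on to the exchange in step 5; a rejected callback is worth logging with the session identifier so repeated failures are visible.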

AIS vs PIS

Account Information Services (AIS): Accessing financial data such as accounts, balances, and transactions. Consent lasts up to 90 days (UK) or 180 days (EEA). Yapily calls this Yapily Data.

Payment Initiation Services (PIS): Making payments from a customer’s account. Consent is single-use. Yapily calls this Yapily Payments.

The authorisation pattern is the same for both. The difference is what you do with the consent token after you have it. For AIS, you can make multiple API calls to retrieve different types of data over the consent lifetime. For PIS, you execute a single payment and then monitor its status.

Standards and why they matter

Open banking is not one global standard. It is a set of regional standards that all implement PSD2 differently.

The UK has the UK Open Banking Standard (most prescriptive, most consistent between banks). Most UK banks (spearheaded by the CMA9) implement the same endpoints with the same field requirements.

Europe has multiple standards: Berlin Group (NextGenPSD2), STET (France), PolishAPI, CBI Globe (Italy), and others. Each standard has different field requirements, auth flows, and bank behaviours. For example, payer details are typically required in Germany but not in the UK, and IBAN formats differ per country.

Yapily normalises all of this into a single API, but some differences still surface, such as which fields are required per country. For more details on country-specific requirements, see:

What this means for your integration

For UK-only integrations, most banks follow the same standard and the experience is consistent. For multiple European countries, expect variation in required fields and auth flows. You do not need to understand every standard since Yapily handles the translation, but knowing that these differences exist helps you build more robust integrations. If you want to avoid dealing with standard-level differences directly, Hosted Pages is the recommended starting point.

Next steps

To access bank APIs, you need regulatory authorisation and bank registrations. If you are using Yapily Connect, these are handled for you. See Licensing & Registration to understand your setup options.