On 12 November 2020, the Ukrainian Parliament published a draft payment services law (available in Ukrainian) that was prepared with the Ukrainian central bank (NBU). Among other things, the draft law would implement a regulatory framework for “open banking” similar to the EU’s PSD2 (Directive 2015/2366). PSD2 requires banks to share data from their clients’ payment accounts free of charge with third-party providers (TPPs) without any underlying commercial agreement – thereby allowing TPPs to offer new payment services to consumers.

Paul Rohan, in his book “PSD2 in Plain English”, has suggested that in practical terms, open banking requires banks to build and publish an “Application Programming Interface” (API). An API permits a piece of software to read data from the system of the API publisher (in this case, a bank). Therefore, to comply with PSD2, a bank will publish an API, similar to publishing a website, and disclose relevant payment account data to all eligible TPPs.

Is the API economy an entirely new phenomenon in Ukraine?

Publication of APIs was not invented by the authors of PSD2; APIs were in use before the adoption of PSD2. For instance, many Ukrainian banks publish their own APIs to enable collaboration with the API developer community. In fact, according to one of the largest Ukrainian banks, it was the first bank globally to make a public API available for developers, in September 2009, and that API is used today by approximately 5,000 API developers and clients both in Ukraine and abroad. Moreover, a number of banks publish a partner API, which is available to partner companies to facilitate commercial projects. In Paul Rohan’s view, a partner API is a stepping stone for a bank to offer a public API.

But the key difference between then and now is that before PSD2, the sharing of account data (i.e., publishing APIs) was not mandatory. In Ukraine, this particular aspect of PSD2 was the subject of much debate and controversy between the NBU and market participants. It was not clear until the publication of the draft law last November whether this requirement would be included in the text as opposed to a discretionary option.

It now looks like Ukraine is to join those countries wanting to boost their digital economies by way of regulatory intervention – Article 54 of the draft law makes it mandatory for banks to share data with TPPs. As a result, Ukraine will join those jurisdictions pursuing the regulatory intervention path. In particular, it may be allocated to a subgroup of countries (e.g., Albania and North Macedonia) that implement PSD2 under their existing association agreements with the EU and its Member States. Another group of jurisdictions have non-regulatory initiatives coordinated by market participants without the intervention of the state (e.g., USA, Nigeria, etc.). The chart below shows the dynamics in this space; however, as this is a dynamic scenario, new jurisdictions may appear on this map as we speak.

Standardization of APIs

It is curious that Paul Rohan compares APIs with an electrical wall socket: an interface to the electricity supply with a predictable pattern of openings, so that producers of electrical appliances know what to expect. Likewise, APIs are useful in this context because it is not straightforward to pull data from a third-party system (i.e., from a bank’s numerous information systems). A standard API can make the operation of a TPP easier in the sense that it need not worry about how to access data, but can rather focus on building the service it offers to the consumer. In other words, API developers should know what to expect, in terms of API features, when developing software, and should avoid “reinventing the wheel” each time they want to obtain data from a particular bank.

PSD2 itself did not address this issue. Rather, it instructed the European Banking Authority to develop the requirements for common and secure open standards of communication (RTSs), i.e., only technical framework conditions with no interface standard. To help fill this gap of a common standard, a number of market initiatives have emerged in the EU, including a group of European banks and payment service providers, the “Berlin Group,” whose API framework is called NextGenPSD2. Similarly, the draft Ukrainian law envisages that the NBU will adopt data security and communication requirements concerning end users, banks and TPPs when accessing consumers’ accounts. Apparently, the question of an API standard is about to emerge.

The NBU has indicated that (i) the “open banking” launch may be feasible in Ukraine in 2022 and (ii) it would launch a market stakeholders working group shortly to consult on the issue of API standardization. It seems that one of the options to move this initiative forward might be to leverage the existing market experience of tech-savvy banks in developing an API economy.

Maksym Hlotov
Author

Maksym Hlotov handles most of Baker McKenzie's payments practice in Kyiv and advises on all aspects of payments law. He acts for a number of service providers within the payments industry — assisting them in their regulatory, contractual, consumer protection and public policy needs.