The ultimate guide to open banking lingo
Have you ever wondered what the Berlin Group is, what makes a sandbox, or what the difference between an ASPSP and AISP is? If you’re just beginning to familiarise yourself with how banking is changing for the better, all the different terms, names, and lingo might feel a little overwhelming at first.
Worry not, though! Despite what you may think, open banking terminology doesn’t need to be confusing. To help you along your way and get to grips with key terminology, the team at Klarna Kosma has put together this simple but comprehensive guide. Whether you’re a business owner looking to improve your product with Open Banking capabilities by integrating with the Klarna Kosma API or are just interested in learning a few key terms, this is the guide for you.
Without further ado, let’s get started!
Account Information Services - AIS
Account Information Services (AIS) give customers access to their bank and payment accounts, held with different account servicing payment service providers (ASPSPs), in a single place. They provide a global view of a customer's finances to streamline the management of a wide range of tasks, such as income and expenses, risk analysis, direct debits, standing orders, and more.
Although AIS are provided by banks and payment service providers, companies like Klarna Kosma act as an aggregator to enable customers to access consolidated information about more than one bank account at a time.
Account Information Service Provider - AISP
Account Information Service Providers (AISPs) access bank account information, such as balance information and transaction history, with consent from customers.
AISPs work with partners like Klarna Kosma to access the data that has been authorized by the customer. For example, this could let customers view account information across multiple bank accounts in one place, such as an online portal or app.
Since Klarna Kosma is an open banking partner, additional banking and payment account data can be added quickly and easily, making it much easier for customers to manage their accounts and finances.
Account Servicing Payment Service Provider - ASPSP
Account Servicing Payment Service Providers (ASPSPs) provide and maintain payment accounts for customers. ASPSPs are usually banks, but the proliferation of Open Banking and developments in the fintech space has brought to market a vast array of non-banking institutions offering payment services.
Account verification is the process of confirming that a new or existing account is owned and used by a specified real individual or organization. It helps businesses establish the validity and ownership of sensitive personal accounts, e.g. for AML (anti-money laundering) or KYC (know your customer) purposes.
Application Programming Interface - API
An API is a way for different software services to communicate with one another and provides developers with a way to integrate third-party functionality within their own product and service offerings.
Take Apple, for example. Apple’s iOS operating system provides several APIs that developers can use to embed Apple services, such as search or Siri, within their own apps. Kosma's Open Banking offering is based on a single API.
API data is the information that is made available to a third-party provider through an open banking API.
An API provider is a service provider that operates an API so that API users can integrate with and control it. APIs typically return data, or trigger actions that rely on the data the API provides.
API User / API Client
An API user is a person or organization that develops apps for customers and uses the functionality or data from APIs to offer their services. Each API user has their own username and password that must be used to authenticate a task.
An API Client is the actual computer that executes the app or program that has been developed by the API User.
App2App redirection is the recommended method for strong customer authentication (SCA). An App2App redirect is a process whereby a customer is routed from a third-party payment app or an AISP/PISP to their bank’s app in order to complete the verification process during a transaction.
During an App2App redirect, the third-party app shares some initial information about how the customer wants to log in, and then the bank verifies the customer’s authentication details. Once authenticated, the customer is returned to the original third-party app to complete their transaction.
App2App redirects can only take place if the customer has both the third-party app and their banking app installed on their mobile device.
Authentication is a process whereby a customer’s identity is verified to make sure that the person conducting a transaction and/or accessing payment account information is indeed them. In open banking, this is known as the ‘initial’ step when a customer attempts to access their account details.
Authorization means ensuring someone’s right to perform an action. In open banking, authorization is known as the ‘last’ step of a customer accessing their account details or completing a transaction. For example, a customer might be asked to authorize an AIS consent or to approve a bank transfer.
Bank connectivity is, at a basic level, the integration with a specific bank that an Open Banking aggregator or an AISP/PISP needs to complete in order to support that bank. The bank connectivity is used to communicate critical information about customer accounts and activities between the different parties electronically.
The 'Berlin Group' is a pan-European payments standards and harmonization initiative. The group works to develop and enhance common information standards and interoperability so financial data can be shared easily between financial institutions (e.g., to link banks and third parties).
The Berlin Group has established technical standards, such as NextGenPSD2 and XS2A, that have helped to:
Provide third parties with uniform access to data and market opportunities.
Reduce complexity across the financial industry.
Save costs on development, implementation, and maintenance of technologies.
Provide faster access to open banking innovation for the public.
Business Bank Account
A business bank account is an account that helps entrepreneurs and sole proprietors separate their transactions from their personal finances.
Accounts can be opened in the name of the business, allowing payments to be made and received using the business’s name. Business bank accounts usually come with special conditions and benefits, like additional paperwork requirements, larger overdraft access, and accounting software integration.
Business finance is the raising and managing of funds that are needed for commercial purposes. It’s often seen among start-ups that are backed by venture capital firms, but it can also be used by established businesses for funding the expansion of existing operations.
Card-Based Payment Instrument Issuer - CBPII
A card-based payment instrument issuer is a payment service provider that issues card-based payment tools such as pre-paid debit cards. These cards can be used by payment service customers to authenticate and authorize transactions from a payment account held with another payment service provider.
Categorization identifies the type and purpose of a customer’s transactions based on the transaction amount, creditor bank account, description, and other metadata.
Klarna Kosma takes categorization a step further by making it easier to analyze and extract valuable insights from this data for use in processes like payment or loan credit assessments and personal finance management.
A competent authority is a regulatory agent or supervising body that has oversight of financial institutions, ensuring they behave responsibly and safely in the interest of the public and the wider market.
Competition and Markets Authority - CMA
The Competition and Markets Authority (CMA) is a non-ministerial government department in the United Kingdom. It’s responsible for preventing and reducing anti-competitive activities such as firms attempting to monopolize the market with their product and squeeze out everyone else.
Confirmation on the availability of funds - COF/CAF
COF and CAF are both abbreviations for confirmation on the availability of funds, which is a service that immediately confirms whether the payer has enough money available in their payment account for the execution of a card-based payment. The confirmation of funds on a payment account is provided by the bank to a company that offers card-based payments to the PSU.
Consent (PSD2 bank consent)
Consent is the authority granted by the customer for the bank and the third-party provider to access the customer's bank account. Consent defines the scope and duration of the access, e.g., to retrieve the balance and the transaction history of a checking account for a duration of X days. After consent has been granted, the bank account and its data can be accessed by the third-party provider without further customer interaction, as long as the consent has not expired and has not been revoked by the customer.
Corporate Bank Account
A corporate bank account is a type of business bank account that’s designed for corporations and larger businesses rather than individual entrepreneurs and sole proprietors.
Banks work directly with companies to provide financial products specifically designed for larger businesses such as loans, access to short-term credit, and savings and current accounts.
Coverage can refer to an area that a third party or service provider operates within, or the number of institutions they work with.
For example, Klarna Kosma has coverage of over 15,000 banks across 27 countries, making us a world leader in Open Banking and payment services.
Creditor Bank Account
In an account-to-account transfer or payment, the creditor bank account is the recipient of funds from the debtor bank account.
See also Debtor Bank Account.
Open Banking relies on data being securely shared or published through open APIs that allow third-party apps to access customer banking information.
Open banking data standards change from time to time in response to changes made by regulators and regional government bodies.
Debtor Bank Account
In the case of an account-to-account bank transfer or payment, the debtor bank account is the account from which the money will be deducted and sent to the creditor bank account.
See also Creditor Bank Account.
A demo product is a tangible presentation of the utility and value of your product and service to a prospective customer. It typically involves a demonstration of core features and capabilities.
Why not experience the power of Open Banking for yourself by using our demo? Log in to your bank and retrieve key information including your account number, balance, and recent transaction history.
Got a question about open banking or Klarna Kosma integrations? Head on over to our documentation site for more information and answers to frequently asked questions about getting started.
A digital identity is information that is used by a computer system to represent an external agent such as a person, an application, a device, or an organization. There are four core functions of digital identity: credentials, customer information, character information, and reputation.
A direct debit is an arrangement that enables a third party to automatically debit money from customers’ accounts on agreed dates, typically in order to pay (recurring) bills for goods and services.
The open banking directory is a list of regulated financial institutions and service providers that operate under the PSD2 framework. These include:
Account Information Service Providers (AISPs)
Account Servicing Payment Service Providers (ASPSPs)
Card-Based Payment Instrument Issuers (CBPIIs)
Payment Initiation Service Providers (PISPs)
A directory sandbox is a special version of the Directory that only lists financial institutions that offer a Sandbox in order to test the API integrations without connecting to any real bank account of a real customer.
Dynamic Linking Requirements
In open banking, payment initiation service providers (PISPs) and account information service providers (AISPs) must apply a series of strong authentication measures. AISPs are also forbidden from accessing any information other than the data necessary to run the permitted service.
Dynamic linking helps satisfy these measures and forms a part of the strong customer authentication (SCA) principles. PSD2 dynamic linking requires that:
Authentication codes must be unique to each authentication.
Codes are specific to the transaction amount and recipient to avoid reuse.
The amount and transaction recipient are clearly shown to the customer.
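To show how the three requirements work together, the following is an added example written for this guide; it is not Klarna Kosma code or a PSD2 reference implementation. The HMAC-SHA256 construction, the 8-digit truncation, the field names and the enrolled device key are assumptions made for the illustration, and the IBANs are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    """The two elements dynamic linking binds the code to: amount and payee."""
    amount: str          # decimal string exactly as displayed to the customer, e.g. "125.00"
    currency: str
    creditor_iban: str

    def canonical(self) -> bytes:
        # Fixed field order and separator so both sides hash identical bytes.
        return f"{self.amount}|{self.currency}|{self.creditor_iban}".encode()


def authentication_code(device_key: bytes, challenge: str, order: PaymentOrder) -> str:
    """Compute the authentication code over challenge + amount + payee.

    HMAC-SHA256 truncated to 8 hex digits is an assumption for this example;
    the property that matters is that every byte of the challenge and of the
    order influences the code, so none of them can change after approval.
    """
    mac = hmac.new(device_key, challenge.encode() + b"|" + order.canonical(), hashlib.sha256)
    return mac.hexdigest()[:8]


class BankAuthenticationServer:
    """ASPSP side: issues a one-time challenge per authentication and checks codes."""

    def __init__(self) -> None:
        self._device_keys: dict[str, bytes] = {}      # device id -> key enrolled at onboarding
        self._pending: dict[str, PaymentOrder] = {}   # challenge -> order the bank will execute

    def enrol_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[device_id] = key
        return key                                    # handed to the customer's app once

    def start_authentication(self, order: PaymentOrder) -> str:
        """Requirement 1: a fresh challenge makes each code unique to one authentication."""
        challenge = secrets.token_hex(16)
        self._pending[challenge] = order
        return challenge

    def verify(self, device_id: str, challenge: str, code: str) -> bool:
        """Requirement 2: the code is only valid for the amount and payee the bank holds."""
        order = self._pending.pop(challenge, None)    # consumed: presenting it again fails
        key = self._device_keys.get(device_id)
        if order is None or key is None:
            return False
        expected = authentication_code(key, challenge, order)
        return hmac.compare_digest(expected, code)


class CustomerApp:
    """PSU side: displays the order (requirement 3) and derives the code from what was shown."""

    def __init__(self, device_id: str, device_key: bytes) -> None:
        self.device_id = device_id
        self._key = device_key

    def approve(self, challenge: str, shown_order: PaymentOrder) -> str:
        # The customer sees shown_order.amount and creditor_iban on screen before approving.
        return authentication_code(self._key, challenge, shown_order)


def run_scenarios() -> dict[str, bool]:
    """Constructed scenarios; returns the bank's verification outcome per scenario."""
    bank = BankAuthenticationServer()
    app = CustomerApp("phone-1", bank.enrol_device("phone-1"))
    order = PaymentOrder("125.00", "EUR", "DE89370400440532013000")  # constructed sample IBAN
    results: dict[str, bool] = {}

    # 1. Honest flow: the bank holds exactly the order the customer saw and approved.
    ch = bank.start_authentication(order)
    code = app.approve(ch, order)
    results["honest"] = bank.verify(app.device_id, ch, code)

    # 2. Replay: the same challenge and code presented a second time.
    results["replay"] = bank.verify(app.device_id, ch, code)

    # 3. Amount changed in transit: bank received 1250.00, customer was shown 125.00.
    tampered = PaymentOrder("1250.00", "EUR", order.creditor_iban)
    ch = bank.start_authentication(tampered)
    results["tampered_amount"] = bank.verify(app.device_id, ch, app.approve(ch, order))

    # 4. Payee swapped: same amount, but the creditor the bank holds is not the one shown.
    swapped = PaymentOrder(order.amount, "EUR", "FR7630006000011234567890189")  # constructed
    ch = bank.start_authentication(swapped)
    results["swapped_payee"] = bank.verify(app.device_id, ch, app.approve(ch, order))

    # 5. Code re-bound to a different authentication: a valid code, but another challenge.
    ch_a = bank.start_authentication(order)
    ch_b = bank.start_authentication(order)
    results["rebound_code"] = bank.verify(app.device_id, ch_b, app.approve(ch_a, order))
    return results
```

Only the honest scenario verifies; the other four show why the code must be bound to the challenge, the amount and the payee at once rather than to any one of them.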
eIDAS certificates (QWAC and QSEAL)
After the third-party provider has been granted a PSD2 license by the EBA, a set of eIDAS certificates (electronic IDentification, Authentication, and trust Services) can be requested. These certificates prove the identity of the third-party provider and are used as an authentication mechanism for banks.
There are two types of eIDAS certificates: QWACs (qualified certificates for website authentication), which are needed to establish secure, encrypted, and authenticated communication with the bank via HTTPS, and QSEALs (qualified certificates for electronic seals), which are used for signatures that verify the identity of the third-party provider and ensure the integrity of the data.
European Banking Authority - EBA
The European Banking Authority (EBA) is the independent European Union agency that ensures effective and consistent regulation across the European financial sector.
The EBA’s long-term goal is to establish a single European banking rulebook by adopting technical standards and guidelines across Europe. The EBA consults with industry panels like the Berlin Group on open banking standards and the future of the finance sector.
European Banking Authority Regulatory Technical Standards - EBA RTSs
The European Banking Authority (EBA) develops Regulatory Technical Standards (RTS).
RTS is a set of detailed compliance criteria for banking parties operating in Europe that cover areas such as data security and legal accountability.
RTS must be met in full once submitted and endorsed by the European Commission.
European Central Bank - ECB
The European Central Bank is the primary component of the Eurosystem and the European System of Central Banks as well as one of seven institutions of the European Union. It’s the central bank of the 19 European Union countries that have adopted the euro as their currency.
Financial Conduct Authority - FCA
Most countries have a financial conduct authority or another regulatory body that works to ensure honest and fair markets for individuals, businesses, and the economy. This is achieved by protecting consumers and financial markets and promoting competition. Examples include:
The UK Financial Conduct Authority (FCA)
The French Autorité des Marchés Financiers (AMF)
The Dutch Autoriteit Financiële Markten (AFM)
The German Federal Financial Supervisory Authority (BaFin)
General Data Protection Regulation - GDPR
The General Data Protection Regulation (GDPR) is a set of rules concerning the processing of personal data. They came into force in May 2018 and are enforced by the European Union.
The GDPR is the primary legislation that regulates how companies use and protect the personal data of EU citizens by prohibiting the collection and sharing of personal data without explicit consent.
Hardware Security Module - HSM
A hardware security module (HSM) is a special ‘trusted’ computer that performs a variety of cryptographic operations, e.g., key management, key exchange, encryption, and the generation of digital signatures. It exposes only limited access to the data it holds, through a network interface that is controlled by internal rules, and it actively protects the cryptographic material inside it.
JSON Web Token - JWT
The JSON Web Token (JWT) is an open data standard (RFC 7519) that provides a means for securely transmitting information between parties as a JSON object. The information can be verified and trusted because the token has a consistent header and payload format, and both are covered by a signature.
JSON Web Key Set - JWKS
The JSON Web Key Set (JWKS) is a set of keys containing the public keys that are used to verify any JSON Web Token (JWT) issued by an authorization server and signed using the RS256 signing algorithm.
With more than 15,000 partner banks across 27 countries and more than 15 years of experience, Klarna Kosma is the definition of Open Banking.
Know Your Customer - KYC
Know your customer (or KYC) is a data security standard used in open banking to protect customer accounts and their balances. KYC requires institutions to verify a customer’s identity and monitor their activity to safeguard against fraud, theft, money laundering, and other financial crimes as defined by the EU 6th Anti-Money Laundering Directive (6AMLD).
Manual onboarding refers to any situation where an account or relationship is established using manual processes such as human data entry.
Multibanking enables customers to see all their different financial accounts, often from across multiple banks and platforms, in a single place. This provides customers with a full picture of their finances and enables them to exercise more control over their money.
The Klarna Kosma Multibanking product goes a step further with account aggregation to enable seamless customer management of financial accounts.
National competent authority - NCA
Each EU member state shall designate a competent authority to ensure compliance with PSD2. The selected authority shall supervise the implementation of PSD2 by the PSPs. It is usually the financial supervisory authority in each individual country that is the designated national competent authority.
Onboarding is a general term referring to a process where an account or relationship is established before any action can be taken.
An open API is a publicly available application programming interface (API) that provides developers with programmatic access to a software application or web service. Open APIs mean that anybody can interact with a piece of hardware or software and program new features and functionality for their own use.
This is in contrast with a closed API where permission from the owning entity is required to interact with the program.
Open banking connects banks, third parties, and other service providers, enabling them to simply and securely exchange data to benefit their customers. In essence, it enables third-party developers to build applications and services around existing financial institutions and products.
Open banking has the potential to revolutionize the way we manage our money and is a great way for customers and businesses to take control of their financial data. For businesses, it's about making the management of cash flow and receiving payments cheaper and easier. For customers, open banking allows greater transparency and access to innovative financial services.
Open Banking Ecosystem
The open banking ecosystem refers to the range of financial institutions and open APIs that customers can use to share banking data, control access to their bank accounts, and initiate transfers.
Open Banking Implementation Entity - OBIE
The Open Banking Implementation Entity (OBIE) is a UK institution created by the Competition and Markets Authority (CMA) to supervise the APIs, data structures, and security architecture that make it easier and safer for individuals and businesses to share their financial information.
Open Banking Services
Under open banking, banks allow access and control of their customers’ personal/financial data to third-party service providers.
Customers are required to grant their consent to provide third parties with access. After their approval, third-party provider APIs can then use the data to perform a number of actions, including:
Analyzing the balance and transaction history to offer a range of financial service options.
Making new transactions or account changes on the customer’s behalf.
Connecting their business to third-party bank accounts across the world.
Using transaction history to understand risk.
Broadly speaking, open data is data that anyone can access, use and share in a secure and controlled way. Governments, businesses, and individuals can use open data to bring about social, economic, and environmental benefits.
In the context of open banking, open data is based on the idea that only the owner of the data should decide who has access to it. Open data is a revolutionary way of framing the relationship people have with traditional financial institutions. In essence, open data returns the ownership of data back to the customers it refers to and enables third-party providers to build value-added services that benefit these customers.
Open finance is the next step in the open banking journey.
In the European Union, PSD2 only regulates access to payment accounts without compelling access to customers’ entire financial footprint like credit usage, mortgage history, and investment portfolio.
The possibility to access these accounts will determine the next step in open banking evolution—i.e., open finance.
Open banking participants are those who participate and contribute to the open banking ecosystem. These include:
Licensed third-party providers (TPPs) that integrate with bank APIs
Companies that use TPPs to offer innovative solutions
Customers as final beneficiaries of open banking services
Regulators, who supervise the ecosystem to keep it self-sufficient and secure
Klarna Kosma partners have access to our portal, which gives them a holistic view of their operations and control over them. Our partner portal is also a way for partners to reach out to Klarna Kosma to ask questions, optimize their integration, and solve issues.
A payment is the act or process of paying someone or something, or of being paid; money moves from the payer to the payee.
Klarna Kosma’s competitive product offering gives partners cheaper payment options, provides more payment methods to customers, and is a cost-effective way for third-party providers to collect payments from their customers.
Payment Initiation Service - PIS
Payment initiation services (PIS) are financial services allowing banks and other financial institutions to initiate transfers. PIS uses internet banking to make payments online, and PIS services help to initiate a payment from the customer’s account by creating an interface and automatically filling in the data needed for the bank transfer, such as account information and transaction figures.
Currently, PIS only facilitates transfers between payment accounts and cannot be used for investment portfolios, or loan or mortgage accounts. Anyone who is eligible to initiate payment from a bank account can do so via the API endpoint of their bank.
PIS has many applications, such as:
Payments between individuals (P2P payments): Allowing a person to make a direct transfer from one bank account to another, instantly and from any device. P2P PISs can be used to make direct payments between customers on collaborative and social economy platforms. PIS is also applicable to payments between businesses (B2B) and payments to businesses (P2B).
Automatic and conditional payments: One of the fastest growing banking operations is automatic transfers from one bank account to another. However, PIS aims to go a step further by allowing customers to schedule transfers conditional on customer-defined parameters. For example, making it so that a company can make variable payments to employees who work overtime.
PIS-only refers to banks that do not require a preceding AIS before they can initiate a payment.
Banks often only allow payments when a range of the customer's account details are provided. However, requiring customers to enter their IBAN can cause errors, adds complexity, and wastes time. The solution is for an AIS to be requested first, list the available accounts, and then allow the customer to select the account they intend to pay from.
If this initial AIS can be skipped, and the bank prompts the customer with an account selection in PIS instead, it is called “PIS-only”: account selection and payment initiation happen in the same flow.
Payment Initiation Service provider - PISP
A payment initiation service provider (PISP) provides payment initiation services (PIS) and can enable transfers to any IBAN or domestic bank account number. If a customer completes a transaction, a PISP will initiate a payment by accessing the customer’s bank account and triggering the transfer using the details provided.
Payment Services Directive 2 - PSD2
PSD2 is a European regulation for electronic payment services. It seeks to make payments more secure in Europe, boost innovation, and help banking services adapt to new technologies. PSD2 is evidence of the increasingly important role that APIs are playing in different financial sectors.
Payment Service Provider - PSP
A payment services provider is an entity that carries out regulated payment services, including AISPs, PISPs, CBPIIs, and ASPSPs.
Payment Services Regulations
The Payment Services Regulations (2017) are UK regulations equivalent to PSD2 that protect consumers if they become a victim of debit or credit card fraud. The regulations place legal requirements on banks and outline customer rights to a refund.
Payment Services User - PSU
A payment service user is a person or organization (customer) who uses the Open Banking services as a bank account owner. The users are eligible to access these services at their bank and for their respective accounts only. Because of this, the user always has to pass authentication and authorization.
Primary Business Contact - PBC
A primary business contact (PBC) is an individual nominated by an entity who has access to the directory and can nominate other directory business users. PBCs are always formal points of contact and senior staff members responsible for systems and controls related to open banking.
Primary Technical Contact - PTC
Primary technical contacts are individuals nominated by the entity to have access to the directory and can nominate other directory technical users. PTCs are the main point of contact on technical configuration and senior staff members with responsibilities for the management of open banking digital identities.
A PSD2 API is a dedicated interface that an ASPSP provides to licensed TPPs that offer payment services to customers. The dedicated PSD2 API differs from the other customer-facing interfaces provided by the ASPSP because it exists solely for TPP use cases, while the ASPSP’s other customer-facing interfaces, e.g. the online banking portal or mobile banking app, are used by the ASPSP itself.
The read/write API is a core component of open banking because it handles all access requests for transfers and account data. When describing the permission model, it is therefore important to keep in mind that customers are interacting with the bank through a third party.
Read/write data includes personal current account and business current account transaction data sets, made available by ASPSPs in accordance with the Read/Write Data Standard.
A refund is where a customer or organization has their money returned, typically because the goods or services bought were not satisfactory.
Regulatory technical standards - RTS / RTS on SCA and CSC
The RTS on SCA and CSC are the regulatory technical standards for strong customer authentication and for common and secure open standards of communication between ASPSPs, payment initiation service providers (PISPs), account information service providers (AISPs), and PSPs. The RTS provides more specific rules concerning the application of SCA and TPPs’ use of the access interfaces (e.g. PSD2 APIs) provided by the ASPSPs. CSC stands for common and secure open standards of communication.
Risk management is the process of identifying, monitoring, and managing potential financial risks together with the identification of relevant procedures in order to mitigate the potential impact they may have on an organization.
Klarna Kosma has a range of products in place to ensure effective risk management, including credit risk assessments, credit scoring, and risk assessments for B2B financing.
A sandbox is an isolated testing environment (often also called a playground) that enables developers to run and test programs without affecting the production application, system, or platform on which they run. If a program fails in the sandbox, production operations (e.g. customers or partners) are not affected. A sandbox usually allows different scenarios to be simulated on purpose to verify that the integration handles them correctly.
Software developers use sandboxes to test new code safely and find potential flaws. Cybersecurity professionals also use sandboxes to test potentially malicious software that could cause damage.
Sofortüberweisung (short Sofort)
A payment method available since 2005, Sofort was the first payment provider to allow customers to initiate bank transfers via a technical interface.
Partners itemize transaction charges, like goods and delivery, and customers authorize payments directly on Sofort’s interface. Sofort is the most widely used open banking-based payment method for European partners.
In 2014, Klarna acquired Sofort and in 2022, Klarna Kosma was launched as an Open Banking brand, making it one of the most experienced players in the Open Banking space.
SEPA Credit Transfer - SCT
The SEPA Credit Transfer scheme enables any individual or business to easily move money from one account to another. Although SEPA transfers generally cost the same as local domestic bank transfers, some banks may charge an extra fee for them.
SEPA Credit Transfer Instant - SCT_INSTANT
The SEPA Credit Transfer Instant scheme enables the electronic transfer of up to EUR 15,000 in funds in less than 10 seconds.
A standing order is an instruction a customer gives to their bank that allows fixed recurring payments via the SCT scheme to a person or organization. They provide customers more control over their payments as they can cancel them at any time, unlike direct debits.
Strong Customer Authentication - SCA
A set of regulations that were introduced in 2019 to improve the security of payments and limit fraud during the authentication process.
They apply when a customer:
Initiates an electronic payment transaction.
Accesses their payment account online.
Carries out any action remotely that may imply a risk of payment fraud unless an exemption applies.
Strong customer authentication (SCA) involves the use of two-factor authentication for bank operations as well as a stricter definition of what counts as an authentication factor.
During your integration period with Klarna Kosma, you will have a specific account manager available to you who can answer questions and help you overcome any early challenges. Afterward, you can use our Partner Support page and get in touch via email or by using the Partner Portal for further assistance.
Sweeping is the automated movement of a customer’s funds between two accounts in their name, such as a current and savings account. It is commonly used to help the customer avoid overdraft charges, repay a loan or benefit from better interest rates.
Technical Service Providers - TSPs
Technical service providers (TSPs) collaborate with regulated providers to securely provision the financial data that fuels open banking-enabled products and services.
Third Party Provider - TPP
Open banking refers to the process of using APIs to open customers’ financial data up to third parties. This allows these third parties to design, build, and distribute their own financial products with innovative features.
Fintechs (Financial technology companies) are often called third-party providers (TPPs) in open banking. They can enable their customers to make better use of their financial transaction data, make payments directly from a bank account, or benefit from new card-based offerings. Parties other than fintechs can also be known as TPPs, such as app builders.
A transaction is an exchange of money for a good or service. Transactions are recorded by banks and payment initiation service providers (PISPs) to help customers understand their spending habits and account balance(s). An initiated bank transfer via the PIS results in a transaction that is shown as an entry in the transaction history of the bank account owner.
Variable Recurring Payments - VRPs
Variable recurring payments (VRPs) enable customers to securely authorize third parties to initiate payments from their bank account on an ongoing basis. This allows variable payment amounts to be collected over time and, when fully mandated, will act as a smarter, more flexible version of direct debits.
VRPs allow authorized payment initiation service providers (PISPs) to make payments on the customer’s behalf, offering all the security benefits of an open banking single payment. VRPs can vary in frequency and value and, most importantly, remove the friction from recurring strong customer authentication (SCA) requirements.
VRP enables sweeping, allowing customers to build and better manage their personal finances.
Voluntary ASPSPs are those entities who, although not obliged to enroll with open banking, have elected to do so to:
Utilize the Standards and develop their own APIs.
Enroll in the Open Banking Directory.
Use the associated operational support services.