NPPA sets ‘write access’ rules for Open Banking third parties

Enabling ‘write access’ for third parties through the Mandated Payments Service (MPS), a core capability of the New Payments Platform, could spark a flurry of innovation in payments services from fintechs and paytech developers, a submission from the NPPA has revealed.

In response to Treasury’s Inquiry into Future Directions for the Consumer Data Right (CDR), real-time payments infrastructure provider NPP Australia (NPPA), which oversees the MPS, has confirmed it will support third parties to securely initiate payments from customer bank accounts using the Service.

The MPS, currently in development, was first announced as part of NPPA’s inaugural roadmap published in October 2019.

Recognised as a “core foundational capability”, the MPS is an extension of the NPP and is said to give customers “greater convenience, more visibility and control over payments arrangements”, as well as the ability to “more easily move bank accounts between providers”.

Creating a new ‘write access’ power was identified as the initial focus of the Future Directions inquiry, chaired by King & Wood Mallesons partner Scott Farrell, examining how the CDR “can be built upon to support a thriving digital economy with consumers at its centre”.

With the MPS in effect, a digital payment arrangement – or a ‘mandate’ – can be created in advance, which effectively authorises third parties such as utilities, telcos, or buy now, pay later (BNPL) providers to pull funds directly from the customer’s bank account.

The mandate, while initiated by a third party, is captured through a customer’s banking channel and given in-built security controls; here, mandates can also be viewed, modified, managed, and moved between accounts at different financial institutions.

In a nod to fintechs, the MPS’ new ‘write access’ payment powers will supposedly unlock a host of new applications and offerings; merchants will also benefit, being able to initiate in-app e-commerce payments.

Another use case cited by NPPA is ‘on behalf of’ payment services – for instance, a cloud accounting software provider can be authorised by its corporate banking customer to manage finance functions and payroll, with MPS touted as a “better alternative to current direct debit payments”.

Pivotal features of the MPS & CDR alignment

NPPA further detailed the technical and operational considerations for its MPS capability.

A key feature of the MPS is its ease of access, where third parties require only one access point to NPP infrastructure to effectively initiate payments from “any one of 67 million (and growing) NPP enabled accounts”.

This, supposedly, differs from payments initiation systems in many international markets, including the UK where third parties must integrate with multiple financial providers to reach customer accounts across different institutions.

NPPA has also offered a “range of additional access options” for third parties seeking to use the NPP for payment initiation.

“These options include connecting to the NPP indirectly as an MPS user via an NPP participant, as a client of a connected institution, as an identified institution or directly as a connected institution (which does not require an ADI licence),” the payments body explained.

“Third parties can choose the most appropriate access route according to their business needs.”

Of note, the new MPS capability requires no additional technology spend from the 90 organisations already plugged into the NPP.

On the payments front, the MPS leverages features and protections – specifically, fraud prevention, liability allocation, and risk management processes – already built into clearing and settlement messages exchanged by NPP-participating financial institutions.

Meanwhile, API connectivity, which the NPPA flagged as the key interest for third parties seeking to leverage the payment platform’s capabilities, will be available for the MPS, building on the payments platform’s existing API framework that aligns to ISO 20022 standards.

NPPA further revealed plans to make MPS API testing available for third parties on its revamped API sandbox, launched in March in collaboration with payments giant SWIFT.

While still nascent, NPPA anticipates that financial institutions will progressively release more APIs that adhere to the body’s API framework, thereby “supporting a degree of [market] consistency”.

Moving forward, NPPA aims to align its NPP API framework to the Consumer Data Right’s API framework, citing opportunities to leverage the regime’s security guidelines.

Indeed, CDR alignment is a key factor for the NPPA in finalising its MPS ground rules, especially for customer-related processes such as mandate authorisation and onboarding; these processes will observe consistency in language and criteria with the ACCC’s CDR guidelines.

Progressing with Open Banking and Australia’s data right

Moving forward, all NPP participating financial institutions will be expected to “implement technical and operational processes” for MPS functionality by 3 December 2021. This includes support for customer authorisation of new mandates, as well as reviewing and processing mandate payment initiation requests.

Crucially, the body noted, the scheduled delivery date should be “viewed in the context of uncertainty caused by Covid-19”.

While Open Banking ‘write access’ is but part of the equation, the Treasury’s inquiry will further explore how the CDR forges foundations for the growth of the digital economy in years to come.

The inquiry will also examine measures to streamline customer consent with digital identity, and the potential for emerging data systems to eventually generate export earnings for Australia.

The Inquiry into Future Directions for the Consumer Data Right will culminate in a report by Farrell, delivered to Treasury by September 2020.

Meanwhile, Open Banking – the first cab off the rank for Australia’s CDR – is slated to launch this July, requiring banks to share product reference data with accredited data recipients. Smaller institutions, however, have been granted a temporary extension due to the impacts of Covid-19.