Third Party Providers, commonly referred to as TPPs, represent the foundational pillars of the United Kingdom’s open banking ecosystem, serving as the authorized intermediaries that bridge the gap between traditional financial institutions and innovative digital services. Under the regulatory framework established by the Financial Conduct Authority (FCA), a TPP is an entity empowered to access a customer’s financial data or initiate payments from their bank account, provided the customer has given explicit and informed consent. This paradigm shift in financial services was catalyzed by the Payment Services Regulations 2017 (PSR 2017) and the Competition and Markets Authority (CMA) Retail Banking Market Investigation Order 2017, which sought to dismantle the monopoly that major banks held over consumer data.
By mandating that the UK’s nine largest banks—often called the "CMA9"—provide secure access to their data via standardized Application Programming Interfaces (APIs), the regulatory environment paved the way for TPPs to offer tailored financial products. Today, TPPs are categorized into two primary legal designations: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). While their functions differ, both are subject to rigorous oversight to ensure the integrity of the UK’s financial infrastructure.
The Bifurcation of TPP Functions: AISPs and PISPs
To understand the operational scope of TPPs, one must distinguish between the two types of services they are authorized to perform. AISPs are entities that have permission to connect to a user’s bank account and "read" the data within. This does not allow the provider to move money; rather, it allows them to aggregate information from multiple accounts into a single interface. Common use cases for AISPs include personal finance management apps that help users track spending across different banks, credit scoring services that use real-time transaction data to assess creditworthiness more accurately than traditional methods, and automated accounting software for small businesses.
In contrast, PISPs are authorized to "write" to the bank account, specifically by initiating a credit transfer on behalf of the user. This allows a consumer to pay for goods or services directly from their bank account without using a debit or credit card. By bypassing traditional card networks, PISPs can reduce transaction fees for merchants and offer a more streamlined checkout experience for consumers. These services are increasingly utilized in e-commerce, tax payments, and peer-to-peer transfers. It is important to note that a single TPP can be authorized as both an AISP and a PISP, provided they meet the specific capital and insurance requirements for both activities as mandated by the FCA.
A Chronological History of TPP Integration in the UK
The emergence of TPPs is the result of a multi-year regulatory effort to modernize the British financial sector. The timeline of this evolution highlights the transition from a closed banking system to a transparent, competitive marketplace.
- August 2016: The CMA publishes its Retail Banking Market Investigation report, concluding that older, larger banks do not have to compete hard enough for customers’ business. It mandates the creation of "Open Banking."
- January 2018: The Second Payment Services Directive (PSD2) and the UK’s Open Banking Standard officially launch. This marks the date when the CMA9 were required to make their data available to authorized TPPs.
- September 2019: Strong Customer Authentication (SCA) requirements begin to roll out, enhancing the security protocols TPPs must follow when accessing accounts or initiating payments.
- June 2021: The Open Banking Implementation Entity (OBIE) reports that over 3.5 million consumers and small businesses are actively using open banking-enabled services provided by TPPs.
- April 2023: The Joint Regulatory Oversight Committee (JROC), consisting of the FCA, the CMA, the Payment Systems Regulator (PSR), and the Treasury, publishes a roadmap for the "next phase" of open banking, focusing on expanding TPP capabilities into Variable Recurring Payments (VRP).
Technical Infrastructure and the Security of API Connectivity
The security of the TPP framework is built upon the rejection of "screen scraping"—a legacy method where users shared their actual bank login credentials with third parties. Under the current UK Open Banking Standard, TPPs access accounts through dedicated APIs. These APIs act as secure digital tunnels that allow the bank and the TPP to communicate without the TPP ever seeing or storing the user’s password or username.
When a user engages a TPP, they are redirected to their own bank’s secure environment (usually a mobile app or website) to authenticate their identity using biometrics or a passcode. Once the bank confirms the user’s identity, it issues a "token" to the TPP. This token acts as a digital key that grants access only to the specific data or payment action the user has authorized. This process is governed by OAuth 2.0 protocols, ensuring that the TPP’s access is limited, time-bound, and revocable. Furthermore, all TPPs must maintain professional indemnity insurance as a condition of their FCA authorization, providing a layer of financial protection for consumers in the event of unauthorized access or errors.
Market Data and the Scale of TPP Adoption
The growth of TPPs in the UK has been exponential since the 2018 mandate. According to data from Open Banking Limited (OBL), the number of active TPPs has grown from a handful of pioneers to over 300 regulated entities as of late 2023. These entities are not just fintech startups; they include established brands in retail, telecommunications, and big tech that have sought FCA authorization to enhance their financial service offerings.
Statistical insights into the ecosystem reveal a high level of engagement:
- User Penetration: As of mid-2023, approximately 1 in 9 UK consumers are active users of open banking services.
- Transaction Volume: PISPs initiated over 10 million payments in a single month during 2023, representing a year-on-year increase of more than 100%.
- API Calls: The infrastructure now supports billions of successful API calls per month, demonstrating the robustness of the technical framework maintained by the banks and TPPs.
Regulatory Oversight and the FCA Financial Services Register
For a TPP to operate legally in the UK, it must appear on the FCA Financial Services Register. This public database serves as the definitive source for verifying whether a company is authorized to handle financial data. The FCA monitors these firms to ensure they comply with data protection laws, including the UK General Data Protection Regulation (GDPR), and the specific conduct rules set out in the Payment Services Regulations.
The regulatory framework also empowers consumers with "consent management." Unlike traditional direct debits, which can sometimes be difficult to track, open banking consents are designed to be transparent. TPPs are required to provide a clear summary of what data they are accessing and for how long. Under current rules, consumers generally must re-authenticate their consent every 90 days for AISP services, although recent updates have introduced "continuous access" models with simplified re-confirmation processes to reduce friction while maintaining security.
Industry Perspectives and Official Responses
The reaction to the TPP framework has been largely positive from the fintech sector, though not without friction regarding the incumbents. Representatives from the Coalition for Open Banking have frequently advocated for more consistent API performance across the "Big Nine" banks, noting that downtime or slow response times from bank servers can hinder the user experience provided by TPPs.
Conversely, the banking sector has invested significantly in the infrastructure required to support TPPs. Official statements from UK Finance, the collective voice for the banking and finance industry, emphasize that while banks have met their regulatory obligations, the focus must now shift to a sustainable commercial model for "premium APIs" that go beyond the basic mandates.
The Joint Regulatory Oversight Committee (JROC) stated in their 2023 report: "The UK has led the world in open banking, but to maintain this lead, we must ensure the TPP ecosystem can evolve into ‘Open Finance.’ This involves expanding TPP access to include savings, investments, and pensions, creating a more holistic financial view for the consumer."
Broader Implications and the Future of Open Finance
The implications of the TPP framework extend far beyond simple budgeting apps. By fostering a competitive environment, TPPs are driving down the cost of financial services and increasing financial inclusion. For example, individuals with "thin" credit files—those who have not used traditional credit products—can use an AISP to share their rent payment history and utility bills with lenders, potentially unlocking access to mortgages or loans that were previously unavailable.
Looking ahead, the UK is transitioning from "Open Banking" to "Open Finance" and eventually "Smart Data." This evolution will likely see TPPs gaining authorized access to non-banking data, such as energy usage or insurance policy details, allowing for automated switching services that ensure consumers are always on the most cost-effective tariffs. The TPP model, proven successful in the banking sector, is now the blueprint for the digital transformation of the wider British economy. As the regulatory roadmap moves toward more sophisticated features like non-sweeping Variable Recurring Payments, TPPs are poised to become the primary interface through which the modern consumer interacts with their entire financial life.
