Open banking – heralding the dawn of open finance?

Cash management, Regulation

Open banking – heralding the dawn of open finance?

November 2019

As open banking gains traction, regulators are turning their attention to the next stage of development. Regulatory expert Polina Evstifeeva reviews initiatives which have driven the industry forward and asserts that frameworks for enabling the exchange of data and encouraging open finance could unlock further benefits

Open banking initiatives around the world have catalysed the development of a new ecosystem beyond payments and information services. Regulators globally acknowledge the benefits and the potential of opening up banks’ systems and certain clients’ information to third party providers (TPPs) to encourage competition and innovation.

The most noticeable initiatives have emerged from regulators with a strong agenda to drive reform, as evidenced by Europe’s second payment services directive (PSD2) and UK open banking, driven by the UK’s Competition and Markets Authority (CMA). The introduction in September 2019 of regulatory technical standards (RGS) on strong customer authentication (SCA) marked a further major milestone for open banking in Europe, following several years of intense work by the industry on PSD2 implementation programmes.

But regulatory approaches vary globally, with no consensus on whether open banking should be mandatory. Also, there are no established standards for application program interfaces (APIs), the technology underpinning open banking, or the certification and authentication of TPPs.

 

Opening regions

As the first edition of the Deutsche Bank white paper ‘Regulation driving banking transformation’ noted, PSD2 is the major driver of Europe’s move towards open banking (see box out: What is PSD2?). In Asia, the Monetary Authority of Singapore (MAS) has proactively encouraged financial institutions to develop and share their APIs openly, while Hong Kong also supports open banking. Asian regulators have broadly promoted similar initiatives as a means of driving competition and creating efficiencies, with a strong focus on industry collaboration.
In North America, a report by the US Treasury issued in summer 2018 recognised the need to remove legal and regulatory uncertainties that obstruct data sharing agreements. It also suggested the market, should lay the foundations for open banking and not the government. So while open banking in the US seems inevitable it is likely to have a different flavour to PSD2.

 

Polina Evstifeeva

Polina Evstifeeva

Head of Regulatory Strategy, New Ventures for Deutsche Bank’s Corporate Bank

Challenges

Analysing major opening banking frameworks emerging around the world, BIS’s November 2019 report ‘Open banking and APIs’ presented its key findings on the issue and the related challenges for banks and their supervisors.

While noting the great benefits that open banking brings, the report highlights the risks that come with the increased sharing of customer-permissioned data and growing connectivity between banks and various parties. In particular, BIS observes that data sharing results in a bigger surface area for cyberattacks as the data collected by TPPs can be stolen or compromised. As more data is shared and more parties get involved in handling the data, the possibility of data breach increases and makes effective data management more crucial. Lack of commonly-accepted API standards and limited oversight of TPPs were mentioned among other challenges.

 

API standardisation

Standardised open APIs encourage the development of a large-scale ecosystem where participants can provide interoperable services and mutually benefit from open banking. However, several challenges associated with the universal use of APIs remain. The time and cost for smaller banks and TPPs of adopting multiple technologies that would facilitate their connection to different APIs is a serious impediment for open banking.

In Europe, while PSD2 covers the scope of what it should deliver, the regulation doesn’t specify the details of the dedicated interface that TPPs should use to connect with banks.

Market initiatives are plugging the gap in response. But they too remain local in their scope, with the Berlin Group’s NextGenPSD2 initiative the only API standard to cross borders from its inception. Collaborative efforts such as these bring harmonisation of the API landscape. With many eyes on standardisation efforts in Europe decisions made here will reverberate globally, setting a clear precedent to pursue a global standard at international level.

 

TPPs oversight

For open banking to work in practice, it must be underpinned by a significant level of trust. On the one hand it means strong security standards for data storage, access and exchange; on the other, accountability of TPPs accessing clients’ data. Crucially, the banks should be able to verify that a party accessing client data or initiating payments is duly authorised to do so, and it is who they claim to be.

PSD2 provides two types of special authorisations for TPPs and introduces a central TTPs register, allowing banks to conduct necessary checks when an operation is being initiated through a TPP.
Given the number of transactions and payment services that are expected to be channeled through TPPs, state authorisation and registers should prove their reliability in building trust in open banking and its usage by clients. However, while the regulatory certification of TPPs is the preferable form, this isn’t the case in all jurisdictions.

 

Beyond PSD2 - Open finance

Open banking initiatives seem to be the first step in a much longer journey - the functionality built for it is re-usable and thus can be leveraged further to access broader data sets from other types of service providers.

Targeted data from various sources enables deeper insights about clients, and more accurate understanding of their needs. As the basis on which advanced analytics operates, richer data pools can drive insights, improve client experience and uplift financial services provision.
This opens up a new framework that can build on open banking - open finance, which goes beyond accessing bank account information.

For instance, it could enable clients to view their accounts from different suppliers in one place and help them manage savings, loans, investments and pensions. It could also facilitate switching products or transferring funds between products, to maximise the potential benefits from various providers. However, unlocking these benefits is contingent on releasing data from silos and making it available for sharing.

Looking to Europe from a regulatory perspective, the current handful of solutions fall short of a universal approach to enabling the re-use of all the data sets and gaining clients’ consent.*

Rules only go so far in establishing frameworks for mandatory disclosure of specific information by designated companies. PSD2 sets out the requirements to share data with TPPs are provided to banks; the type of data is also limited to banking accounts. GDPR is another example, and although it has general requirements when it comes to data portability, it is still limited by private data only.

What is PSD2?

PDS2 came into effect in January 2016 and mandated member states to transpose it into national law within two years.

The Directive also mandated the implementation of several guidelines and technical regulatory standards, including the most notable regulatory technical standard on strong customer authentication (see below) and secure communication. This has set the basis for the banks to allow third party access to clients’ accounts, with their consent, through an open interface. Industry consensus is that APIs, while not mandated, will provide the most secure and effective solution to this requirement.

Third party providers and third party provider register

PSD2 introduced new types of licence or authorisation for TPPs, allowing firms that are not credit institutions to initiate payments on behalf of banks’ clients and to access information from their account (subject to client consent). The bank, meanwhile is responsible for verifying that such providers really are who they claim to be. The European Banking Authority has introduced a TPPs register to facilitate such checks.

SCA and two factor authentication

Client transactions initiated through TPPs involve a step called strong customer authentication (SCA), which requires checking two or more elements from three: something only a customer knows (knowledge), possesses (possession) or is (inherence)). Payment transactions require additional dynamic linking of a transaction to payment amount.

Liability of TPPs

To protect clients from potential risks of using TPPs, PSD2 requires TPPs to maintain professional insurance. However, regardless of where the error lies, the rules oblige the banks to refund the transaction amount if the payment order has not been executed properly. The bank can reclaim the money from TPPs’ insurance, but this process could take time (especially in the case of disputes) and reimbursements may take even longer.

As the result, the data stored by many other companies that consolidate vast amount of clients’ financial data (including companies in other sectors) remains unavailable for clients’ sharing it with its bank or other market participants.

This situation may change, however. Aware of the potential of open finance, the UK FCA has established an advisory group to drive the future strategy of open finance building upon open banking by enabling similar access to a wider range of financial products. In a recently-delivered speech, the FCA’s director of competition, Sheldon Mills, announced that the FCA plans to launch an open consultation before the end of 2019 on how open finance might further develop and a suitable framework.

Conclusion

While implementation of the necessary infrastructure has been completed, it’s fair to say that we’re still at the beginning of the open banking journey. The results and full potential are set to be further explored over the next couple of years. With the infrastructure in place the industry will look into how best to re-use open banking for other business cases, while regulators will help the move to a more open environment in which clients can benefit of the more efficient re-use of their data for better services and bespoke financial solutions.

 

*This issue is examined in the recent second edition of the Deutsche Bank white paper ‘Regulation driving banking transformation

YOU MIGHT BE INTERESTED IN

This website uses cookies in order to improve user experience. If you close this box or continue browsing, we will assume you agree with this. For more information about the cookies we use or to find out how you can disable cookies, click here.