By Kent Mackenzie, Director, Risk Advisory, Deloitte and David Goodbrand, Partner, Burness Paull
Kent Mackenzie, Head of Deloitte’s Fintech team, and David Goodbrand, who heads law firm Burness Paull’s IP, technology and commercial team, discuss open banking and what steps will need to be taken to ensure its security.
The rapid advance of fintech has the potential to revolutionise the way we use and manage our finances. Already, for example, we can transfer money using internet banking or pay for things just by waving our phone near a contactless payment reader. But in the future, it could extend to so much more than that.
Managing, choosing and changing our mortgages, pensions, insurance policies and more could all be done more quickly and more effectively as providers big and small are able to serve up bespoke packages that exactly fit our requirements.
Many of these innovations are dependent on what’s known as “open banking”, which is set to take off in 2018 with the introduction of new regulations that will compel your bank to share your personal and financial data with third-party apps and firms with your permission. But how safe is all this?
It will all hinge on new legislation which will come bolted on to the new regulations, says David Goodbrand, who heads law firm Burness Paull’s IP, technology and commercial team in Edinburgh.
“Open banking is being introduced around about the same time as the new General Data Protection Regulations (GDPR) come into effect (May 2018). The GDPR implements an agenda of ‘accountability’ where businesses need to be able to show how they comply with data protection rules, and be more upfront with those affected by processing of their information,” he explains.
Kent Mackenzie, head of Deloitte’s Edinburgh fintech team, also stresses the importance of GDPR. The success or otherwise of open banking hinges on it. “GDPR is going to have the biggest impact here,” he says. “And while we might all be in this data-rich environment, we’ve got to be really, really clear on how we respect the principles set up around GDPR.”
According to Goodbrand, financial institutions’ duty to keep customer data secure will be hard-wired into open banking. “The banks will be required to take a greater level of care when processing and sharing customers’ data, and therefore data accountability will be baked in to open banking from day one.
“So, for example, banks will be required to undertake privacy impact assessments prior to the launch of every new open banking project or technology development where personal data is being processed.”
Mackenzie adds that a big part of GDPR will be ensuring the customer whose data is being shared will be kept in the loop. “GDPR is very focused on ensuring that people’s data is handled in the right way and privacy is respected and security is at the right level and all that kind of stuff so it is THE piece of regulation that says, ‘Listen, Kent Mackenzie owns his data, and everybody that’s ever touching Kent Mackenzie’s data better be pretty clear about how they’re doing that and how they’re keeping Kent Mackenzie informed about the use of his data’.”
Meanwhile, any slip-ups on the banks’ part will be severely punished, says Goodbrand. “GDPR requires that banks must ensure that the contracts that they enter into with fintechs and other technology suppliers contain specific contractual requirements, in order to further protect customers’ data. If the banks fail to do this then in addition to any reputational damage they could suffer they will be liable to fines of up to 4 per cent of annual worldwide turnover or €20 million (whichever is the highest), as well as further sanctions from the FCA and other regulators.”
However, while both Mackenzie and Goodbrand are optimistic about security, Stuart Law, chief executive of Assetz Capital, one of the largest peer-to-peer business lenders in the United Kingdom, sounds a note of caution. With the fertile hothouse that is the fintech sector seeing start-ups springing up apace, Law singles out new businesses as being a cause for concern. “New fintech companies are very much targets in the early days as they are likely to have weak systems,” he says.
“The concerns surrounding security are very much the same as those that the big institutions have. Collectively the industry is working to address these and is continuously developing month by month.”