
Europe might reasonably claim to be the 'cradle of Open Banking'[1] - after all, PSD2[2] and the UK's Open Banking Standard pioneered it. But, look around now, and open banking initiatives are popping up everywhere. It is not just a matter of replicating the European approach elsewhere. Jurisdictions are adopting their own approaches to Open Banking, reflecting their markets and policy objectives, and in some cases developing cross-industry approaches beyond financial services.

Open Banking approaches outside the EU

There are too many Open Banking initiatives to list them all, and they cross several dimensions, including implementation timelines; the range of products and services; and the type of institutions and third parties in scope. However, they all fall broadly into one of two categories: market-driven or regulatory-driven.

Market-driven

A number of countries, including India, Japan, Singapore, and South Korea, do not currently have formal or compulsory Open Banking regimes, but their policy makers are introducing a range of measures to promote and accelerate the take-up of data sharing frameworks in banking. In Singapore, MAS[3] and The Association of Banks have published an API Playbook[4] to support data exchange and communication between banks and FinTechs. In Japan, the FSA[5] has established an authorisation process for TPPs[6], introduced an obligation for banks to publish their Open API policies, and encouraged banks to contract with at least one TPP by 2020. The majority of Japanese banks are taking this regulatory encouragement very seriously and are on track to meet the 2020 deadline.

The US has also opted for a market-led approach, but without any material government initiatives to support the development of Open Banking products and services. A recent US Treasury report recommended developing regulatory approaches to enable secure data sharing in financial services. However, due to the highly fragmented and state-based nature of banking and banking regulation in the US, as well as a cultural aversion to ‘red tape’, there is currently little discernible appetite for taking this forward and issuing a common federal policy on Open Banking. The major US banks are well aware of the strategic importance of Open Banking and are developing API-based offerings, in contractual partnerships with third parties, as a way to attract new customers and maintain or gain competitive advantage. However, in the absence of an industry-wide API strategy, screen scraping[7] remains prevalent as a way for TPPs to provide innovative services to customers without having to enter into a contractual agreement with each bank. This is costly and inefficient for TPPs, but it is also difficult for banks, which remain solely responsible and liable towards their customers, including when TPPs use screen scraping without the bank’s knowledge by accessing the account with the customer’s own bank credentials. Screen scraping also typically gives a TPP access to far more customer data than is required to deliver the service the customer wants, increasing the risk for both the customer and the bank.

Regulatory-driven

Outside the EU, two major jurisdictions have opted for a regulatory-driven approach: Hong Kong and Australia.

The Hong Kong Monetary Authority issued an Open API Framework in July 2018, setting out a four-phase approach for banks to implement Open APIs, starting with information sharing on products and services and ending with the sharing of transactional information and payment initiation services. Contrary to the EU approach, however, while banks will be required to develop APIs, they will be able to restrict access to those TPPs with which they choose to collaborate.

But it is Australia that stands out for its innovative approach and scale of ambition. Like other Open Banking initiatives, the Consumer Data Right Act (CDR), which is currently being finalised, will allow consumers to share[8] their data with whichever authorised third parties they choose. The key difference, however, is that the CDR is a data policy initiative and not a financial services one. While it will apply to banks first[9], the CDR will subsequently apply to the energy and telecommunication sectors as well, and eventually it could be applied to any sector. The CDR is also the first Open Banking legislation to introduce the concept of ‘reciprocity’, which we explore further below.

Reciprocity

Following the introduction of PSD2, banks have been vociferous about the lack of reciprocity[10] between banks and third parties, especially BigTechs[11]. This, they argue, amounts to an unfair and regulatory-driven ‘competitive disadvantage’ (although banks remain vague about how they would like to leverage BigTechs’ customer transactional data if they had access to it).

In fairness, the EU GDPR[12] does include a right to ‘data portability’[13] which could be leveraged to ensure reciprocity. In practice, however, GDPR specifies neither an obligation to respond in real time to data portability requests (in the UK, for example, firms have up to 30 days to respond), nor any technical communication standard for transferring the data between organisations. While the interpretation of the requirement may change over time, for the foreseeable future the data portability requirement will do little to support organisations wishing to provide innovative services to their customers based on a real-time data sharing ecosystem, in the way that Open Banking aspires to do for payments and payments data.

In Australia, the concept of reciprocity was introduced in the Open Banking review, which formed the basis for the CDR. The review noted that a system in which all eligible entities participate fully – as both data holders and data recipients – would be “more vibrant and dynamic” and promote greater competition. Both the review and now the CDR support the principle that an accredited data recipient in a designated sector should also be obliged to provide equivalent data, in an equivalent format, in response to a direction from a consumer. However, determining what ‘equivalent data’ consists of for each sector remains a significant challenge. Australian regulators have acknowledged that this issue requires further consideration and have proposed excluding reciprocity from the first implementation phase, due to start in July 2019.

Nevertheless, the principle of reciprocity looks likely to be enshrined in law once the CDR is finalised. While implementation will undoubtedly present challenges, it still represents a major step in a new and, for some, controversial direction.

The key role of data protection regulation

Open Banking in the EU and UK may have started principally as a way to promote competition in the payments and banking industry. But it is clear now that its impact is much broader. Open Banking promises to create a new data sharing infrastructure, which will form the basis of a much richer range of services and products across the whole of financial services and, critically, in other industries as well.

Against this background, we believe data regulation will have a transformative impact on the shape and structure of financial services, particularly in the context of data sharing and portability. If it is clear that Open Banking and data sharing are blurring the lines between financial services and other industries, what is less clear is whether collaboration between financial services regulators and DPAs[14] is sufficient to respond to these challenges.

Across the world, the EU GDPR has been seen to set a new gold standard for data protection. But although GDPR and PSD2 both went live in 2018, in hindsight it is clear that while the two policies share similar objectives in terms of data security and portability, the details were developed in silos and are difficult to reconcile in practice.

Australia, on the other hand, is again leading the way: the DPA has been fully involved in the development of the CDR from the outset and is currently overseeing the development of API-based open communication standards to be adopted by firms in scope of the CDR.

However, other jurisdictions, including the US, have been largely silent on whether they are planning to review their data protection regimes in light of the expected increase in data sharing due to Open Banking. The US silence is particularly worrying because the use of screen scraping, which as we mentioned remains widespread, gives customers no real control over which data they are sharing, nor does it establish a clear liability framework in case of data breaches or fraud. In the EU, for example, while PSD2 technically does allow screen scraping[15], the conflict with GDPR requirements is clearly steering banks towards the development of API-based communication solutions.

Looking ahead

Open Banking initiatives remain in very early stages of implementation. More needs to be done by firms and regulators to raise consumer awareness and reach scale, even in jurisdictions such as the UK where Open Banking regulations are already fully in place. The creation of a safe and fully functioning cross-industry data sharing ecosystem will take even longer.

Yet there is little doubt that markets believe Open Banking, closely followed by a broader cross-industry data sharing ecosystem, is the way forward. As the boundaries between financial services and other industries break down, firms’ relationships with their customers, as well as the distribution of risk and liability between firms and sectors, are going to change fundamentally. To respond effectively, regulators will need to break down their own sectoral and geographical silos, and put the protection and fair use of customer data at the top of their agenda.

On the other hand, any financial services firm wishing to participate successfully in this new environment will need to go through a radical review of its long-term strategy, as well as its technological and operational capabilities. Above all else, firms will need to recognise that from now on putting customers fully in control of their ‘data lives’ will be both a commercial and a regulatory imperative.


Stephen Ley - Partner, Risk Advisory

Stephen leads the UK Payment Practice and co-leads the EMEA payment practice. He has more than 20 years’ experience in assurance and advisory services, specialising in providing technology risk and control services to the banking and payments industry. Stephen works with all parts of the payment ecosystem, including schemes, processors, acquirers, issuers, regulators, banks, payment institutions and market infrastructures.


David Strachan – Partner, Head of EMEA Centre for Regulatory Strategy

David is Head of Deloitte’s EMEA Centre for Regulatory Strategy. He focuses on the impact of regulatory changes - both individual and in aggregate - on the strategies and business/operating models of financial services firms. David joined Deloitte after 12 years at the FSA, where in his last role, Director of Financial Stability, he worked on the division of the FSA into the PRA and the FCA.


Valeria Gallo - Manager, EMEA Centre for Regulatory Strategy

Valeria is a Manager in the EMEA Centre for Regulatory Strategy. Her focus is on regulatory initiatives related to payments and FinTech. Valeria joined Deloitte in early 2012 from a global strategy consulting firm where she was the Business Operations Manager for the European financial services practice.


[1] Although it can take many forms, in essence ‘Open Banking’ involves allowing authorised third parties to connect, with customers’ consent, directly to the customer’s bank data.

[2] Revised Payment Services Directive (PSD2)

[3] Monetary Authority of Singapore

[4] Application Programming Interfaces: a set of protocols that defines how one application interacts with another, usually to facilitate an information exchange.

[5] Financial Services Agency

[6] Third Party Providers

[7] The practice of using a computer program to copy data from a website, without the program identifying itself to the site.

[8] Authorised third parties will only be receivers of data, and will not be able to initiate transactions (e.g. payments) on behalf of customers.

[9] Only Australia’s big four banks — ANZ, the Commonwealth Bank of Australia, NAB and Westpac — will initially be required to implement the CDR. The big four will be subject to a phased implementation starting from July 2019. All remaining banks will be required to implement Open Banking 12 months after the timeline for the major banks.

[10] What banks mean by ‘lack of reciprocity’ is that while they are required to share their customer data with authorised third parties, there is no framework which allows them to seek customers’ permission to request equivalent data from BigTechs.

[11] Google, Apple, Facebook, and Amazon

[12] General Data Protection Regulation

[13] Article 20 of the General Data Protection Regulation (GDPR) introduces a new right of data portability. This right allows for data subjects to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance.

[14] Data Protection Authorities

[15] PSD2 allows a restrained version of screen scraping: one where TPPs need to identify themselves to the banks and are responsible for proving to the relevant National Competent Authority that they are acting in line with PSD2 rules and the consent obtained from customers.
