Europe might reasonably claim to be the 'cradle of Open Banking'. After all, PSD2 and the UK's Open Banking Standard pioneered it. But look around now, and Open Banking initiatives are popping up everywhere. It is not just a matter of replicating the European approach elsewhere. Jurisdictions are adopting their own approaches to Open Banking, reflecting their markets and policy objectives, and in some cases developing cross-industry approaches beyond financial services.
There are too many Open Banking initiatives to list them all, and they cross several dimensions, including implementation timelines; the range of products and services; and the type of institutions and third parties in scope. However, they all fall broadly into one of two categories: market-driven or regulatory-driven.
A number of countries, including India, Japan, Singapore, and South Korea, do not currently have formal or compulsory Open Banking regimes, but their policy makers are introducing a range of measures to promote and accelerate the take-up of data sharing frameworks in banking. In Singapore, MAS and The Association of Banks have published an API Playbook to support data exchange and communication between banks and FinTechs. In Japan, the FSA has established an authorisation process for TPPs, introduced an obligation for banks to publish their Open API policies, and encouraged banks to contract with at least one TPP by 2020. The majority of Japanese banks are taking this regulatory encouragement very seriously and are on track to meet the 2020 deadline.
The US has also opted for a market-led approach, but without any material government initiatives to support the development of Open Banking products and services. A recent US Treasury report recommended developing regulatory approaches to enable secure data sharing in financial services. However, due to the highly fragmented and state-based nature of banking and banking regulation in the US, as well as a cultural aversion to ‘red tape’, there is currently little discernible appetite for taking this forward and issuing a common federal policy on Open Banking. The major US banks are well aware of the strategic importance of Open Banking and are developing API-based offerings, in contractual partnerships with third parties, as a way to attract new customers and maintain or gain competitive advantage. However, in the absence of an industry-wide API strategy, screen scraping remains prevalent as a way for TPPs to provide innovative services to customers without having to enter into a contractual agreement with each bank. This is costly and inefficient for TPPs, but it is also difficult for banks, which remain solely responsible and liable towards their customers, including when TPPs use screen scraping without the bank’s knowledge by accessing the account with the customer’s own bank credentials. Moreover, screen scraping typically gives a TPP access to far more customer data than is needed to deliver the service the customer wants, increasing the risk for both the customer and the bank.
Outside the EU, two major jurisdictions have opted for a regulatory-driven approach: Hong Kong and Australia.
The Hong Kong Monetary Authority issued an Open API Framework in July 2018, setting out a four-phase approach for banks to implement Open APIs, starting with information sharing on products and services, and ending with sharing of transactional information and payment initiation services. Contrary to the EU approach, however, while banks will be required to develop APIs, they will be able to restrict access to those TPPs with which they choose to collaborate.
But it is Australia that stands out for its innovative approach and scale of ambition. Like other Open Banking initiatives, the Consumer Data Right Act (CDR), which is currently being finalised, will allow consumers to share their data with whichever authorised third parties they choose. The key difference, however, is that the CDR is a data policy initiative and not a financial services one. While it will apply to banks first, the CDR will subsequently apply to the energy and telecommunication sectors as well, and eventually it could be applied to any sector. The CDR is also the first Open Banking legislation to introduce the concept of ‘reciprocity’, which we explore further below.
Following the introduction of PSD2, banks have been vociferous about the lack of reciprocity between banks and third parties, especially BigTechs. This, they argue, amounts to an unfair and regulatory-driven ‘competitive disadvantage’ (although banks remain vague about how they would like to leverage BigTechs’ customer transactional data if they had access to it).
In fairness, the EU GDPR does include a right to ‘data portability’ which could be leveraged to ensure reciprocity. In practice, GDPR specifies neither an obligation to respond in real time to data portability requests (e.g. in the UK firms have up to 30 days to respond), nor any technical communication standard for transferring the data between organisations. While the interpretation of the requirement may change over time, for the foreseeable future the data portability requirement will do little to support organisations wishing to provide innovative services to their customers based on a real-time data sharing ecosystem, in the way that Open Banking aspires to do for payments and payments data.
In Australia, the concept of reciprocity was introduced in the Open Banking review, which formed the basis for the CDR. The review noted that a system in which all eligible entities participate fully – as both data holders and data recipients – would be “more vibrant and dynamic” and promote greater competition. Both the review and now the CDR support the principle that an accredited data recipient in a designated sector should also be obliged to provide equivalent data, and in an equivalent format, in response to a direction from a consumer. However, determining what ‘equivalent data’ consists of for each sector remains a significant challenge. Australian regulators have acknowledged that this issue requires further consideration and have proposed excluding reciprocity from the first implementation phase, due to start in July 2019.
Nevertheless, the principle of reciprocity looks likely to be enshrined in law once the CDR is finalised. While implementation will undoubtedly present challenges, it still represents a major step in a new and, for some, controversial, direction.
Open Banking in the EU and UK may have started principally as a way to promote competition in the payments and banking industry. But it is clear now that its impact is much broader. Open Banking promises to create a new data sharing infrastructure, which will form the basis of a much richer range of services and products across the whole of financial services and, critically, in other industries as well.
Against this background we believe data regulation will have a transformative impact on the shape and structure of financial services, particularly in the context of data sharing and portability. If it is clear that Open Banking and data sharing are blurring the lines between financial services and other industries, what is less clear is whether collaboration between financial services regulators and DPAs is sufficient to respond to these challenges.
Across the world, the EU GDPR has been seen to set a new gold standard for data protection. But although GDPR and PSD2 both went live in 2018, in hindsight it is clear that while the two policies share similar objectives in terms of data security and portability, the details were developed in silos and are difficult to reconcile in practice.
Australia, on the other hand, is again leading the way: the DPA has been fully involved in the development of the CDR from the outset and is currently overseeing the development of API-based open communication standards to be adopted by firms in scope of the CDR.
However, other jurisdictions, including the US, have been largely silent on whether they are planning to review their data protection regimes in light of the expected increase in data sharing due to Open Banking. The US silence is particularly worrying, as the use of screen scraping, which, as we mentioned, remains widespread, does not give customers any real control over which data they are sharing, nor does it establish a clear liability framework in case of data breaches or fraud. In the EU, for example, while PSD2 technically does allow screen scraping, the conflict with GDPR requirements is clearly steering banks towards the development of API-based communication solutions.
Open Banking initiatives remain in very early stages of implementation. More needs to be done by firms and regulators to raise consumer awareness and reach scale, even in jurisdictions such as the UK where Open Banking regulations are already fully in place. The creation of a safe and fully functioning cross-industry data sharing ecosystem will take even longer.
Yet there is little doubt that markets believe Open Banking, closely followed by a broader cross-industry data sharing ecosystem, is the way forward. As the boundaries between financial services and other industries break down, firms’ relationships with their customers, as well as the distribution of risk and liability between firms and sectors, are going to change fundamentally. To respond effectively, regulators will need to break down their own sectoral and geographical silos and put the protection and fair use of customer data at the top of their agenda.
On the other hand, any financial services firm wishing to participate successfully in this new environment will need to undertake a radical review of its long-term strategy, as well as its technological and operational capabilities. Above all else, firms will need to recognise that from now on putting customers fully in control of their ‘data lives’ will be both a commercial and a regulatory imperative.
This article was written by the EMEA Center for Regulatory Strategy.