Innovation is usually the driver behind regulation, but with open banking, the disruption to the market is being urged forwards by regulators in an attempt to improve competition and customer engagement. Opening up and sharing access to financial data brings a number of risks, but also a number of opportunities, both for tech businesses and, if they engage early on in a meaningful way, established financial institutions.
Boosting competition and disruption
Open banking is one of the ways in which the UK government and the Competition and Markets Authority (CMA) are aiming to boost competition within the current account and (eventually) the wider banking market. The CMA's Final Report on its Retail Banking Market Investigation (9 August 2016) found that, up until now, banks had little to no incentive to be competitive in terms of price, products and service quality – either to gain new or keep existing customers. There are a number of reasons for this:
- consumers aren’t reminded to shop around for other current accounts on a regular basis – with insurance, for example, some customers do so on renewal. Generally current account holders remain loyal to their banks. This hasn’t changed much even since the introduction of CASS, the current account switching service (although changes are also being made in the hope of improving use of this service);
- both consumers and small to medium enterprises (SMEs) find it difficult to access and compare product information that is dependent on their individual account usage;
- SMEs are also unlikely to shop around for banking services, concerned about losing access to historical transaction data; and
- according to the CMA Report, SMEs often believe they are more likely to be offered the opportunity to take out a loan with the bank that knows them (perhaps mistakenly, given that the CMA report found that only 18% of all SMEs have a loan).
Although peer to peer (P2P) lending models and other alternative lenders (like Funding Circle and Amazon) have entered the market in recent years, open banking is a case where regulators are seeking to further drive innovation and boost competition. Initiatives to improve competition in SME banking have been introduced recently, but may already be faltering - it is reported that HM Treasury has started to consider whether the nine leading banks are complying with requirements to redirect SMEs to alternative sources of finance if they are declined for lending.
Open Banking Initiatives
The development of open banking could be a way of improving competition – initially in respect of current accounts, and later across lending and other financial services. The initiatives in the UK are two-fold:
- with PSD2 to be implemented by 13 January 2018, requiring banks and other payment service providers to allow account information service providers (AISPs) and payment initiation service providers (PISPs) access to personal banking data for the first time, and
- with the UK's domestic Open Banking regime being formally implemented with the Retail Banking Market Investigation Order 2017 (issued on 2 February 2017). This will be introduced in three stages over the next couple of years:
  - firstly to require banks to share information in respect of prices, terms and conditions, and branch location;
  - secondly, to adhere to open banking standards and share personal transaction data through APIs (to coincide with the PSD2 implementation date); and
  - finally for the collection and publication of certain service quality data – with the aim of also upping customer and SME engagement (and responsibility for our own finances).
Regulation driving risk?
Regulation can only drive innovation so far – although regulators may have seen the potential of current developments to cause positive change, and are seeking to enable further change, supply must be met by demand: innovators will need customer uptake to make their business models viable. Innovators should, therefore, bear in mind that customers faced with new options for open banking may be wary of the risks that come with sharing such sensitive data. Security and effective customer communications will be a crucial contributor to any success of open banking.
Research carried out by Ipsos MORI and referred to in the Open Banking Standard (the framework document put together by the Open Banking Working Group established in 2015) indicates that nearly 40% of consumers reacted positively to the concept of sharing financial data - but 30% were against, and 30% were uncertain. Consumers need to know the benefits they'll receive in exchange for taking risks, and they want such risks to be limited – if they are giving consent to share their data, they expect the same levels of security banks would give, and they want redress for unauthorised transactions.
There is no doubt that open banking gives fraudsters additional openings, whether through the vulnerabilities of APIs that customers authorise third parties to access, or by conning customers into giving their details to them. Having said this, an API that is controlled and regulated, and which does not require customers to share login details, will seem more secure in contrast to the screen scraping model currently operated by a number of businesses, which requires customers to give up their access data to a third party who 'impersonates' the customer and 'scrapes' data from the site. Under PSD2, the EBA has provided (in the draft RTS on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2)) that this will no longer be permitted.
Financial institutions and account servicing payment service providers will also be concerned about security, especially given that under PSD2, they are required to grant access to APIs even without a contract with the AISP or PISP. Without contracts or prior due diligence, institutions will need to rely solely on the FCA's (or other home state competent authority's) licensing standards and other rules set out in RTS, for example, those in respect of secure communications.
Aside from security, banks and payment service providers will also be concerned about liability for unauthorised payments – HM Treasury's Consultation Paper on the implementation of PSD2 (issued February 2017) suggests that account servicers, generally banks, will be required to refund customers, and where the fault lies with the PISP, the PISP must reimburse the bank. This is another area where the government indicates the industry will need to develop its own standards and processes under the framework of the Open Banking Standard and, as such, is a potential area for disputes.
But what if the relevant party isn’t required to be authorised as an AISP or PISP under PSD2? Such firms are known as 'third parties'. The Open Banking Standard suggests that an independent authority (that will take over from the Implementation Entity established to put in place the Open Banking Standard) will ensure standards and obligations are met, as well as vetting and accrediting third parties, imposing sanctions, and dealing with escalated complaints (given that these may be out of scope of the Financial Ombudsman Service). Third parties will also be required to hold professional indemnity insurance (although this may be a bit of a blunt instrument, as it will be too late for the customer if they need to rely on it but it is not in place). The establishment of some sort of regulator should offer some comfort, although it is unclear what form the independent authority will take and the powers it will have.
The FCA is alive to industry concerns, mentioning in its retail banking priorities contained in the 2017/18 Business Plan that open banking will be one of the (many) challenges facing banks this year and the regulator will be focussing on mitigating the risks of implementing open banking.
Innovative regulation is creating a number of opportunities, notwithstanding the associated risks. Aside from just being able to offer a one-stop shop for consumers to access all their financial data from varying financial institutions on a single platform, comparison sites will clearly be able to provide more tailored services utilising transaction data and offer customers a quicker, lower-friction experience by no longer having to require customers to plug in or update all their financial information each time they want to run a product search.
There are also suggestions that (despite the fear around opening up data) fraud prevention technology can use open banking APIs to better harness transaction history and spot patterns across either specific customers' accounts or across different products (and there is an exemption in the draft PSD2 RTS from the requirement to carry out strong customer authentication for transactions that have been analysed as low risk). This is potentially an area where the regulators' work on DLT could plug in (for example, the Bank of England's accelerator has been considering several tools to identify anomalies in data sets and systems).
Open APIs would also create improved data trails, which could enable a whole raft of consumer-focused benefits to be realised, such as lenders offering competitive interest rates or debt advisers providing more tailored, 'on-the-go' advice to help with budgeting.
Nothing will ever be attempted if all possible objections must be first overcome
Measures like PSD2 and Open Banking are, of course, designed to disrupt, and one firm's opportunity is another's risk. But should banks really be worried? Aside from the regulatory changes and requirements imposed on them, there has been talk in the market that once consumers can access all their accounts in one place, they will no longer interact directly with their bank, perhaps forgetting the brand behind it. But is this likely? And why does it matter? Customers are already increasingly banking online anyway. Banks have extremely strong branding, and as mentioned, strong customer loyalty (despite the pricing and service quality meaning, some might argue, it is often unjustified).
But if banks (and a number of them are running their own innovation sandboxes or competitions) get it right, customers might prefer to use a bank-branded API - perhaps using their main bank to collate all of their financial information. Banks could have access to improved Big Data, and perhaps use this to develop ads or behavioural nudges to guide customers towards other products like mortgages or long term savings and investments. Further, they have the capital and funding behind them, they have the regulatory and compliance experience and they have the volume of customers (and the information on those customers). They still have a strong hand.
Public policy throughout the European Union and the UK shows a certain level of determination to kick-start competition, so we will see change in this space. As necessity is the mother of taking chances, banks are likely to use the advantages of their incumbent status and take a calculated risk to back APIs designed for open banking. Rather than seeing open banking APIs as creating competition, banks could be the competition. However, banks will need to further embrace the technology, and Fintechs – designed around the technology and less around the financial, with no inconvenient legacy systems or patches – may already be ahead.