The Basel Committee on Banking Supervision has published a report on “open banking” and the use of application programming interfaces (APIs). The term “open banking” refers to the sharing and leveraging of customer-permissioned data by banks with third-party developers and firms to build applications and services, for example those that provide real-time payments, greater financial transparency options for account holders, and marketing and cross-selling opportunities. APIs are software intermediaries that enable information to be exchanged between applications; in the case of open banking, they are used to transfer information between mobile banking (or third-party) applications and a bank’s servers. Two other techniques for obtaining customer-permissioned data do not rely on an API provided by the bank. Reverse engineering involves analysing the communication between a bank’s own mobile application and its servers so that a third party can replicate those requests and harvest the data, logging in with the customer’s authentication credentials. Screen scraping involves extracting customer-permissioned data from the bank’s website, again by logging in with the customer’s authentication credentials. Neither method is secure from the customer’s perspective: the third party that carries out the data harvesting retains the customer’s authentication details, which give it the same access to the account as the customer has and cannot be withdrawn without the customer changing those credentials.
The Basel Committee’s report therefore focuses on customer-permissioned data sharing in open banking and the use of APIs. Its key findings were:
- Traditional banking is evolving into open banking as a result of the increased use of digital devices and improving data aggregation techniques;
- Open banking frameworks vary across jurisdictions – in some jurisdictions, there has been no significant open banking development; in those jurisdictions where it is more developed, there is divergence between authorities that have taken prescriptive approaches requiring registration with regulatory or supervisory authorities and those that have adopted a facilitative approach by issuing guidance and standards;
- Data privacy laws can provide a foundation for an open banking framework as they determine the approach that the relevant jurisdiction takes to data protection and privacy, although in some instances data privacy laws are being updated to take account of open banking frameworks;
- Multi-disciplinary features of open banking may require greater regulatory coordination;
- Open banking brings potential benefits through transformation of banking services and business models but also risks and challenges through enhanced connectivity between banks and third parties;
- There are challenges in adapting to the potential changes in business models, primarily through increased competition from FinTechs offering financial services;
- There are challenges in ensuring security in an open banking framework;
- The time and cost required to build and maintain APIs and the lack of commonly accepted standards are hindering the development of APIs;
- Oversight of third-party service providers can be limited;
- Assigning liability in the event of financial or data loss, or erroneous sharing, is more complex with open banking as more parties are involved; and
- Banks engaging in open banking may face reputational risk through failures in handling their customers’ data.
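To make the security point in the opening paragraph (and in the finding on security above) concrete, the following is an added illustration and not code from the Basel Committee report or from any bank: a toy in-memory bank backend that contrasts credential-based data harvesting (the screen-scraping and reverse-engineering route, where the third party holds the customer’s password) with a customer-permissioned API grant that is scoped, expiring and revocable. All class and function names (BankBackend, issue_grant, the scope strings such as accounts:read), the token format and the sample customer are invented for the example.

```python
"""Added illustration (not from the Basel report or any real bank API):
credential sharing versus a scoped, revocable API grant. All names and the
sample customer below are constructed for this example."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Grant:
    token: str
    customer: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


@dataclass
class BankBackend:
    # Constructed sample data: one customer, one password, one balance.
    passwords: dict = field(default_factory=lambda: {"alice": "correct horse"})
    balances: dict = field(default_factory=lambda: {"alice": 100.0})
    grants: dict = field(default_factory=dict)

    def login(self, user, password):
        ok = hmac.compare_digest(self.passwords.get(user, ""), password)
        return user if ok else None

    # Credential path: what a screen scraper or a reverse-engineered app client uses.
    def balance_with_password(self, user, password):
        if self.login(user, password) is None:
            raise PermissionError("bad credentials")
        return self.balances[user]

    def pay_with_password(self, user, password, amount):
        # Whoever holds the password can do everything the customer can.
        if self.login(user, password) is None:
            raise PermissionError("bad credentials")
        self.balances[user] -= amount
        return self.balances[user]

    # API path: the customer authenticates to the bank; the third party only
    # ever receives a token limited to the scopes the customer permitted.
    def issue_grant(self, user, password, scopes, ttl_s=3600):
        if self.login(user, password) is None:
            raise PermissionError("bad credentials")
        g = Grant(secrets.token_urlsafe(32), user, frozenset(scopes), time.time() + ttl_s)
        self.grants[g.token] = g
        return g.token

    def _check(self, token, scope):
        g = self.grants.get(token)
        if g is None or g.revoked or time.time() >= g.expires_at or scope not in g.scopes:
            raise PermissionError(f"token not valid for {scope}")
        return g

    def balance_with_token(self, token):
        return self.balances[self._check(token, "accounts:read").customer]

    def pay_with_token(self, token, amount):
        g = self._check(token, "payments:write")
        self.balances[g.customer] -= amount
        return self.balances[g.customer]

    def revoke(self, token):
        # The customer withdraws permission without touching the password.
        self.grants[token].revoked = True


def _raises(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    """Return what each data-sharing model lets a third party do."""
    # 1. Scraping / reverse-engineered client: the third party holds the password.
    bank = BankBackend()
    scraper_can_read = bank.balance_with_password("alice", "correct horse") == 100.0
    scraper_can_pay = bank.pay_with_password("alice", "correct horse", 40.0) == 60.0

    # 2. Read-only API grant: the third party holds a scoped token, not the password.
    bank2 = BankBackend()
    token = bank2.issue_grant("alice", "correct horse", {"accounts:read"})
    api_can_read = bank2.balance_with_token(token) == 100.0
    api_can_pay = not _raises(bank2.pay_with_token, token, 40.0)
    bank2.revoke(token)
    return {
        "scraper_can_read": scraper_can_read,
        "scraper_can_pay": scraper_can_pay,
        "api_can_read": api_can_read,
        "api_can_pay": api_can_pay,
        "api_reads_after_revoke": not _raises(bank2.balance_with_token, token),
        "password_still_works_after_revoke": bank2.login("alice", "correct horse") == "alice",
    }


if __name__ == "__main__":
    print(demo())
```

The point the report makes about liability and oversight follows directly from the two result sets: in the credential model the customer has no way to limit or end the third party’s access short of changing the password (and the bank cannot tell the third party’s traffic from the customer’s own), whereas in the grant model access is bounded by scope and expiry and can be revoked by the customer at any time.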