“Open banking” is a term being used a lot at the moment, and there’s clearly a growing consensus among regulators that they want to inject more competition into their retail banking sectors, and that liberating customers’ data is a way to achieve this.
While jurisdictions vary as to how they are implementing this concept, “open banking” essentially involves opening up banking systems (specifically customer data) to third parties to allow them to provide services directly to customers.
Europe and the United Kingdom have the most established open banking frameworks in place at the moment, but similar regulation in Australia is imminent. Other jurisdictions are encouraging open banking, but are doing so in a more industry-led manner.
In this report we profile the various approaches being taken to facilitate open banking, from emerging regimes to those already in operation.
Emerging Open Banking Regimes
- The EU regulates the sharing of consumers’ banking account data with third party payment service providers (PISPs and AISPs) through the revised Payment Services Directive (PSD2).
- PSD2 builds on the first Payment Systems Directive (PSD1) which was adopted in 2007 and provided the legal foundation for an EU single market for payments. PSD2 aims, for example, to improve the playing field for payment service providers (including new players), make payments safer and more secure, and protect consumers.
- Under PSD2, upon request from customers, banks and other account-holding payment service providers must grant registered/authorised PISPs and AISPs secure read and write access (including payment initiation) to the customer’s account data through open APIs.
- PSD2 came into force on 12 January 2018 (EU members had to adopt into their national laws by 13 January 2018).
- The European Banking Authority is responsible for issuing guidelines and recommendations to authorities and financial institutions on PSD2. It is currently drafting regulatory technical standards (RTS) for PSD2, which will take effect in mid-2019. In June 2018 it published an Opinion and a Consultation Paper on draft Guidelines in relation to the RTS on strong customer authentication and common and secure communication under PSD2, which will apply from 14 September 2019.
- The UK’s Open Banking regime is a response to a 2016 report by the Competition and Markets Authority (CMA), which found that there was a lack of competition among established, larger banks for customers’ business, and that in this environment smaller and newer banks found it difficult to compete.
- The UK’s implementation of open banking builds on its PSD2 obligations by requiring that banks provide data to third parties in a standard API format.
- The UK’s Open Banking regime is implemented through the CMA’s Retail Banking Market Investigation Order 2017, which requires the UK’s nine largest banks, upon request from customers, to provide regulated providers with access to customers’ banking data in a secure and standardised form.
- Third parties (AISPs or PISPs) that use published APIs to access customer data are authorised and regulated by the Financial Conduct Authority (FCA) and enrolled on the Open Banking Directory. As of 3 September 2018, there are 40 providers enrolled in Open Banking.
- The Open Banking Implementation Entity (OBIE), set up by the CMA to deliver Open Banking, determines the specifications for the APIs that are being used to deliver Open Banking, creates security and messaging standards, manages the Open Banking Directory (which allows participants to enrol in Open Banking), produces guidelines, and manages disputes and complaints. OBIE is governed by the CMA and funded by the UK’s nine largest banks and building societies (Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group and Santander).
- Managed roll-out of the Open Banking Directive began on 13 January 2018, when start-ups could apply to the FCA to be authorised as third parties to access the APIs. The regulated providers have been able to offer open banking services to customers since 18 April 2018.
- An open banking regime is being introduced in Australia, with a phased implementation from July 2019.
- The open banking regime is part of the development of a national Consumer Data Right (CDR), which was announced by the Federal Government in November 2017 as a partial response to the Productivity Commission’s Inquiry into Data Availability and Use.
- The CDR will provide individuals and businesses with a right to access specified data held about them by businesses, and to authorise secure access to this data by accredited data recipients (eg, other banks, telecommunications providers, energy companies, or companies providing comparison services). A key feature of the right is that access must be provided in a timely manner and in a useful digital format which complies with the applicable standards.
- The Government plans to implement the CDR in designated sectors of the economy on a sector-by-sector basis, beginning with banking, energy and telecommunications. Banking will be the first sector to adopt the CDR, under the name “Open Banking”.
- In August 2018, the Government released exposure draft legislation (Treasury Laws Amendment (Consumer Data Right) Bill 2018) to introduce the CDR.
Scope of Open Banking
- Upon request from a customer, banks (being all authorised deposit-taking institutions, other than foreign bank branches) will be required to share with the customer or an accredited data recipient information that has been provided to them by the customer if it is in a digital form, and does not relate to identity verification assessment.
- Banks must also share all transaction data from specified banking products via a dedicated API, and will also be automatically accredited to receive data under Open Banking.
- Only accredited data recipients may receive Open Banking data, with the Australian Competition and Consumer Commission (ACCC) determining the criteria for, and method of, accreditation.
- Standards will specify the way in which data is transferred, how it is described and recorded, and how the security of the data is protected. The starting point for the standards for the data transfer mechanism will be the UK’s Open Banking technical specifications.
- There will be a phased implementation from 1 July 2019, beginning with the major banks:
  - major banks will make data available on credit and debit card, deposit and transaction accounts by 1 July 2019;
  - major banks will make data on mortgages available by 1 February 2020;
  - major banks will make data on products available by 1 July 2020; and
  - all remaining banks must implement Open Banking within 12 months of the major banks’ timeline.
- Open Banking will be implemented through amendments to the Competition and Consumer Act 2010, and will have a multiple regulator model, led by the ACCC. The Office of the Australian Information Commissioner (OAIC) will advise on and enforce privacy protections.
- The CSIRO’s Data61 will perform the role of a Data Standards Body to facilitate the development of technical standards. The standards will include transfer, data and security standards, but will allow supplemental, non-binding standards to develop (so long as they do not affect interoperability).
Other initiatives to improve competition
- The Government is lowering the regulatory barriers to entry for new and innovative entrants to the banking system by relaxing the current 15% ownership cap, and by lifting the prohibition on the use of the term “bank” by an authorised deposit-taking institution with less than $50 million in capital.
- The Government has also announced that it will legislate to establish an enhanced regulatory sandbox to facilitate more innovation and promote greater competition and increased choice for Australian consumers. The sandbox will allow businesses to test a wide range of new financial products and services for a period of 24 months, letting them evaluate the commercial viability of new concepts without a licence, subject to meeting minimum consumer protection obligations.
“The Government is opening the door to new banking entrants and new financial products and services.
This will mean more choice and cheaper and better options for consumers.
The Government will introduce an open banking regime that will increase access to banking product and consumer data by consumers and third parties, if the consumer consents. This will empower consumers to seek out banking products better suited to their needs and create further opportunities for innovative business models in banking that enhance competition.” (Press Release of The Treasurer, “Building an accountable and competitive banking system”, 9 May 2017)
- In July 2018, the Hong Kong Monetary Authority (HKMA) published its Open Application Programming Interface Framework (Framework) setting out a process and timetable for deploying Open APIs. It is compulsory for Hong Kong’s largest banks, although other banks will be able to join in future.
- The Framework has a four-phase approach to implementing various Open API functions, and recommends using existing international technical standards to encourage fast adoption and security.
- The four-phase approach to making open APIs available involves:
  - Phase I: Product and service information – third party providers (TPPs) can access banks’ product information (thereby helping financial product comparison sites)
  - Phase II: Subscription and new applications for products/services – banks will deploy core-banking open API functions to accept new account/product applications (eg, customer acquisition via TPPs)
  - Phase III: Account information – retrieval by TPPs of account information and other bank product data such as bill payment history. This will also apply to investment and insurance policy details.
  - Phase IV: Transactions – allowing TPPs to process customer requests, such as funds transfers and bill payments, as well as requests relating to investments and insurance.
- The HKMA expects banks to make available Phase I Open APIs within 6 months of the publication of the Framework (July 2018), Phase II within 12-15 months, and to provide the HKMA with roadmaps and delivery dates for all of the Phases. The deployment timetable for Phases III and IV will be developed with industry over the next 12 months.
- Banks will retain control of the customer relationship and data, and can choose which TPPs to collaborate with. This is in contrast to PSD2 and Open Banking in Australia, which require (or will require) banks to share customer data (upon the customer’s request) with accredited parties. There are no rules yet as to TPP regulation and registration.
- The Open API Framework is part of seven initiatives announced by the HKMA in September 2017 to move Hong Kong into an era of “Smart Banking”. Other initiatives include an enhanced Fintech Supervisory Sandbox and closer cross-border collaboration in the development of Fintech.
“We hope that the framework will provide specific guidance to enable collaboration between banks and third-party service providers, and ultimately bring new experience of innovative, convenient and safe banking services to customers.” (Norman Chan, Chief Executive, HKMA)
Emerging Open Banking Regimes
- The US has no existing or pending regulatory or legislative framework in effect for open banking. FinTechs have so far tended to access consumer data in the US by “screen-scraping”.
- In July 2018, the US Department of the Treasury published a report, “A Financial System that Creates Economic Opportunities, Nonbank Financials, Fintech, and Innovation” which explores the regulatory landscape for non-bank financial firms with traditional “brick and mortar” footprints, as well as newer business models employed by technology-based firms.
- While the report acknowledges the need to remove legal and regulatory uncertainties currently preventing financial services companies and data aggregators from establishing data-sharing agreements, it does not envisage an open banking model along the lines of the UK’s as the solution to this, as “[t]here are significant differences between the United States and the United Kingdom with respect to the size, nature and diversity of the financial services sector and regulatory mandates.”
- Instead, the report recommends that the Bureau of Consumer Financial Protection affirm that Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (which states that financial services companies subject to the Bureau’s jurisdiction are required to make available to a consumer, upon request, certain financial account and transaction data) also applies to third parties authorised by consumers, including data aggregators and fintech application providers.
- Furthermore, with regard to developing standard APIs, the Treasury believes that the US market would be better served by a solution developed by the private sector, with appropriate involvement of federal and state financial regulators.
- The Consumer Financial Protection Bureau (CFPB) has published non-binding Consumer Protection Principles (Principles) aimed at consumer-authorised financial data sharing and aggregation. The Principles advocate for giving consumers access to their own data in a useable format, allowing consumers to authorise read-only third party access, informed consumer consent, data security and dispute resolution.
- Certain industry groups have also developed guidance aimed at creating frameworks for open banking. For example, the Electronic Payments Association (NACHA) created the API Standardization Industry Group, which has identified specific APIs for development, including some on data sharing.
- Some banks are, however, developing open APIs that allow third party providers to offer some services.
- There are no compulsory open banking requirements in Singapore, but the government supports a number of voluntary initiatives towards an open data framework, for example:
  - Finance-as-a-Service: API Playbook: published by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore, the non-binding API Guidelines provide guidance to financial institutions, FinTechs and other entities in developing and adopting API-based system architecture.
  - Financial Industry API Register: a list of open APIs available in the Singapore financial industry. Different types of APIs are registered, eg Transactional APIs, which allow transactional services for payments, funds transfer, settlements etc, and less sensitive APIs such as Product APIs, which provide information on financial product details, rates and branch/ATM locations.
  - FinTech Regulatory Sandbox: allows financial institutions and FinTech players to experiment with innovative financial products or services. MAS may provide regulatory support by relaxing specific legal and regulatory requirements.
  - SGD 27 million grant to promote artificial intelligence and data analytics in the financial sector: a grant by the MAS to promote adoption and integration of artificial intelligence and data analytics in financial institutions.
- Private open data initiatives by financial institutions in Singapore include the world’s largest banking API developer platform by DBS, with 155 APIs at launch in November 2017 across more than 20 categories including funds transfers, rewards and real-time payments. It seeks to enable third-party developers to access APIs to integrate functionality into their own services.
- There are no compulsory open banking requirements in Japan, but the government has committed to supporting FinTech innovations and to promoting the adoption of open APIs by banks and credit card companies (eg via policy measures and technical standards, and a regulatory sandbox). For example, Japanese Prime Minister Shinzo Abe has set a target of 80 banks having open APIs by 2020.
- In June 2018, amendments to the Banking Act came into effect to facilitate open API architecture between financial institutions and FinTech firms. The amendments include:
  - introducing a registration system for Electronic Payment Intermediate Service (EPIS) providers, requiring registration prior to carrying out an EPIS;
  - requiring EPIS providers to have a contract with a financial institution before providing EPIS to customers;
  - requiring financial institutions to establish and publish the standards which EPIS providers must satisfy in order to contract with the financial institution; and
  - requiring financial institutions seeking to contract with an EPIS provider to develop a system for the introduction of an Open API by June 2020.
- There is no formal open banking regime in India, but the government is supporting a range of measures to promote competition in the banking sector.
- For example, the Reserve Bank of India authorised the National Payments Corporation to develop an instant real-time payment system (the Unified Payment Interface API) to facilitate inter-bank transactions. Regulated by the Reserve Bank of India, it is processing an average of 877 million transactions a month. All bank account holders in India can send and receive money instantly from their smartphones without needing to enter bank account information.
- The Government has also implemented a set of APIs through IndiaStack that allow governments, businesses and developers to access a technology platform via the Aadhaar national identity number system (for example, when a third party service provider needs to verify the identity of their customer, they can send the customer’s Aadhaar number and biometric information to the centralised database for verification).
- Payments NZ is coordinating trials of software that enables providers to make retail payments on behalf of their customers. The API pilot will test open banking and digital payments through two payment-related APIs:
  - Account information – enabling the verification of account details and funds
  - Payment initiation – enabling payments by connecting directly with the user’s bank
  The results from the trials (expected to conclude in late 2018) will assist in designing a framework within which the APIs could operate.
- As part of its 2018 Federal Budget, the Canadian government announced that it will be conducting a review into the merits of introducing an open banking regime.
- There is no formal open banking regime in South Korea, but the government is encouraging some open banking initiatives, for example by launching a FinTech “open platform” in 2016. It is designed to offer standardised financial transaction programs, and includes all major banks and financial institutions. It allows them to, for example, build apps that include financial services from more than one company.
- The APIs contained in the program allow them to build services that automatically populate financial information for new customers.
Account Information Service Providers / AISPs - authorised entities that provide aggregation services related to payment accounts such as bank accounts. Put simply, they collect and consolidate information on the different bank accounts of a consumer in a single place. PSD2 allows AISPs authorised access to bank account data through an API. AISPs can be existing banking providers or third parties.
Application Programming Interfaces / APIs - a set of defined methods of communication between programmes enabling the exchange of information without the need to access the core of the programmes.
Open Banking – the opening up of banking systems to third parties to allow them to provide services directly to their joint customers.
Payment Initiation Service Providers / PISPs - regulated entities which enable customers to initiate payments without them having to directly access their bank account or use their debit or credit card. They stand between the payer and his/her online account, and facilitate the use of online banking to make internet payments by helping to initiate a payment from the user account to the merchant account by creating a software “bridge” between these accounts, filling in the information necessary for a transfer (amount, account number etc) and informing the merchant once the transaction has been initiated. PSD2 allows PISPs authorised access to bank accounts through an API. These services can be provided by existing banks and payment service providers, or by third parties.
The Revised Payment Services Directive / PSD2 - an EU Directive which at its core requires banks to grant TPPs access to a customer’s online account/payment services in a regulated and secure way.
Third Party Payment Service Providers / TPPs - provide payment initiation services and/or account information services. AISPs and PISPs are examples of TPPs for PSD2.