The Bank of Israel ("BOI") has released a draft of the Proper Conduct of Banking Business Directive on the implementation of open banking standards. According to this draft Directive, banks and credit card companies will be required, subject to their customers' explicit consent, to enable licensed and supervised third parties to obtain access to customers' bank accounts in order to retrieve information or execute transactions. The draft has been issued two years after the enactment of the Increasing Competition and Reducing Concentration in the Banking Market Law. Similar to the draft Directive, this Law requires financial institutions to enable service providers to have access to customers' financial information.
The objective of the proposed Directive is to set the grounds for "open banking" in Israel and to strengthen the control of private clients over their financial information and bank account management. The draft Directive covers the duties and obligations of banks and credit card companies including information and cyber security protection requirements, consent management requisites and risk assessment tools. According to the draft Directive, banks and credit card companies will be required to provide other regulated financial institutions with access to account information on the customer's behalf, subject to the customer's consent. Such access shall be granted without charge and without any contractual obligations arising between the disclosing and receiving institutions.
Due to the sensitivity of financial information and the increased risk in disclosing such sensitive personal information, the draft Directive instructs the board of directors and senior management of banks and credit card companies to conduct a thorough risk analysis, specifically with respect to the areas of information and cyber security, privacy, fraud, legal, money laundering and strategic risks. The draft Directive also deals with issues of consent management, including how consent should be provided, obtained, retained and withdrawn, and which information should be provided to the customers before obtaining the required consent.
Moreover, the draft Directive sets out service level rules, to which financial institutions will need to adhere to when providing services to other regulated financial institutions in their roles as data consumers and transaction initiators. Banks that grant access to financial information will also need to draft policies regarding the service level provided to third party suppliers. Discrimination between suppliers will be prohibited.