Open banking – regulatory oversight could threaten consumer data – it must be tackled now

(Image credit: MK photograp55 / Shutterstock)

The Open Banking regulation, first launched in January this year, has polarised industry opinion. While the regulation will usher in a new era of ‘openness,’ financial institutions are worried about its associated infrastructural and cultural implications. 

While Open Banking adds new safeguards to the existing commercially managed consumer financial data ecosystem, there is a misperception that “openness” means less security and more risk to consumers.  While this is not the case in general, asymmetric regulations do interfere with the intended protections. 

The success of new Open Banking-enabled services is sharply underpinned by consumer trust that their data is secure when shared across the supply chain. Research by CREALOGIX Group, provider of mobile banking solutions, has revealed that 46 per cent of consumers are concerned about the security implications of Open Banking, including identity theft and data breaches. And, when asked whether they thought Open Banking was a good idea, 69 per cent said no. This demonstrates how pivotal trust and security are to the end user.

As different types of FinTech businesses take advantage of the ‘openness’, they must also be carefully assessed from a regulatory standpoint, ensuring that their data-protection systems are robust. These firms include the technical service providers that power many of the innovative services offered by financial institutions and fintechs alike.

Unfortunately, in the UK the Financial Conduct Authority (FCA) has chosen to run with a much more restrictive definition of an AISP (Account Information Service Provider) than its EU and global counterparts. Its handbook stipulates that only consumer-facing companies can be defined, and therefore regulated, as an AISP. Therein lies a challenge for the industry.

The group of non-consumer-facing service providers and data aggregators, who handle large amounts of consumer-permissioned data which powers apps behind the scenes, therefore remains unregulated. If there were to be a breach, consumers would not be afforded the full protections available to them under the Second Payment Services Directive (PSD2) and Open Banking regimes.

This has, to date, gone largely ignored. An Economist Intelligence Unit report published in March of this year found that while 71 per cent of senior decision makers within the banking industry are focusing their digital investment on cyber security, only 17 per cent are concerned about a third-party relationship vulnerability being exploited as a result of open banking.

However, the misuse, theft or loss of such valuable customer data would lead to a loss of trust in the innovative new consumer-facing services that the ecosystem seeks to offer. Cross-selling consumers new services such as loans, ISAs and retirement products, as the report states, would become increasingly difficult if faced with such reputational damage.

Taking ownership through self-regulation

The ecosystem of providers must therefore place the burden on itself to ensure that consumer data is well protected. Apps powered by service providers and aggregators, such as lending platforms, must be verified for data security. Not all data that will power Open Banking is currently available via an API – providers must therefore take individual responsibility for auditing and examining their aggregator’s security and data privacy standards.

As the McKinsey Data Sharing and Open Banking 2018 report also highlights, “There are inherent risks in sharing data, however, which is why it is critical to develop processes and governance underpinning the technical connections. Although the core API value proposition lies in streamlining the systems integration required for data access, the need for guardrails to support protections for the privacy and security of personal data create a formidable infrastructure challenge.”

For small businesses, however, liability provisions for breaches, enforced on them through bilateral agreements by FinTechs and financial institutions, would be burdensome. The staff education, rigour and skill needed to accomplish such a task would seem unreasonable.

Another option would be for front-end providers to seek direct access to Open Banking APIs. However, this too may well be an inefficient and costly process, with providers needing to first seek regulation from the FCA. This could well hinder innovation, product development and time to market.

Many of the options remain to be seen and refined, but if the industry and supply chain do adhere to security standards, the open banking model can facilitate a series of new and much more secure services, of value to both consumers and providers. As the same McKinsey report states, “If security is done well, it can deliver increased security through enhanced know-your-customer capabilities, identity validation, and fraud detection.”

Liability questions remain

Unless they specifically grant permission, the FCA cannot regulate service providers such as aggregators and those that do not provide consolidated views of transaction data. Yet breaches could undermine long-term innovation and progression. The industry only gets one shot at getting Open Banking right. It is the most significant – and potentially the most impactful – regulatory overhaul to touch the financial services industry in the last ten years.

Consumer data security now has to be considered through a different lens. As the Economist Intelligence Unit report finds, financial institutions still need to understand it as it applies to working with third-party providers. Yet it’s no longer simply an issue for the banks to deal with. FinTech companies and others in the supply chain should continue to demand that their data providers have the most robust security procedures and systems in place. If they succeed in doing so, they will best benefit from the ability to integrate nonfinancial data with transaction data for new insights to shape new products.

Pressure from consumers will also help to ensure that all within the Open Banking ecosystem maintain a focus on data protection and hold themselves and third-party providers accountable within it.

Matt Cockayne, expert on Open Banking, Envestnet Yodlee