Until only a few years ago, the concept of open banking was virtually unknown. It started making headlines in 2015, when the EU revised its Payment Services Directive and adopted PSD2. This new directive set out to protect consumers making online payments and, at the same time, to promote the development and use of innovative online and mobile payments - precisely where open banking fits in.
The concept of open banking perfectly describes the notion of disruptive technology - in this case wreaking havoc on the old and weary dinosaur that is the traditional banking and payments industry. Hence the emergence of challenger banks and the so-called ‘neobanking’ movement: agile financial institutions that leverage the open banking push and that today represent some of the fastest-growing fintechs around.
Compared to traditional banking, open banking is based on the notion of collaboration. It sets out to provide banks with a secure way to exchange financial data and services with third-party providers (TPPs) - for example, fintech companies. The nuts and bolts of how this works rely on customers giving consent to having their financial data accessed and/or shared by these TPPs, and on banks providing technologies such as open application programming interfaces (APIs) to bring things to life.
So now that open banking has arrived, what can we say about its overall adoption? Has it spread across the globe? As a disruptive technology, how are its inherent security challenges being addressed, and what impact has been seen on any regulatory frameworks?
Open banking begins life in the UK and across Europe
In the UK, open banking started to make an appearance when the likes of Revolut, Monzo, Atom, and Starling came to the market in around 2013 and between them managed to raise billions in funding. A recent report suggests that London-based Revolut witnessed more app downloads in 2020 than Monzo and Starling Bank combined - an illustration of the fierce competition between the UK’s fintechs. In the case of Revolut, such high download numbers are testament to its efforts at global expansion.
The UK (and the rest of Europe) is generally regarded as a pioneer in the world of open banking, having been the first to set up its own frameworks and API standards. The UK saw the launch of the Open Banking UK legislation back in January 2018. Overseen and managed by the Competition and Markets Authority (CMA) on behalf of the UK government, it was widely seen as an effort to enhance competition and innovation in the financial services sector. Soon after the introduction of this legislation, the so-called CMA9, a group composed of the 9 biggest financial institutions in the UK, set about working with the Open Banking Implementation Entity (OBIE) to deliver open banking. This collaboration ended up delivering a framework that covered technical, user-experience, and operational guidelines (including an API standard). Europe has generally been slower to embrace open banking compared to the UK, but is certainly catching up now. Many countries and banks have invested in this initiative, including Germany, Luxembourg and the Berlin Group, a collaboration of more than 40 individual banks that have even developed their own API standards to support implementation.
What is happening in the rest of the world?
With the UK and Europe acting as trailblazers for open banking, other countries around the world have started preparing for the wider adoption of this standard, albeit at a much slower rate. For example, in the US, open banking is more of an industry-led initiative, which has caused a certain amount of head-scratching seeing as there are no regulations with specific requirements for compliance. Many observers believe that it will take a push from the leading providers for things to speed up, while others believe that the US needs to implement some sort of open banking regulation for the initiative to reach its full potential.
Turning our spotlight on Latin America, Mexico was the first country to pass a fintech law in 2018 that sought to establish open banking standards. And whilst regulations are quite advanced, things are still moving quite slowly when it comes to full implementation. With respect to South American countries, Brazil is moving fairly quickly since announcing its Open Banking intentions back in 2019. The country is adopting a very structured implementation approach, which it has divided into four phases. The first phase concentrated on the sharing of data regarding participating institutions, and the second phase, which is approaching its deadline, will focus on the sharing of customer data.
If we continue our journey over to the Asia-Pacific region, we see Singapore as an early adopter and regional leader of Open Banking and APIs. This largely comes down to the fact that the Monetary Authority of Singapore (MAS) provided an open banking framework and, together with the Association of Banks in Singapore (ABS), delivered an API Playbook to guide financial institutions in developing an open API architecture. Australia, meanwhile, has gone as far as writing open banking into its Consumer Data Right (CDR) law. Implementation has been divided into phases and the full data transfer for consumers should be available by February 2022.
Open, but secure banking
Clearly, the state of open banking and its adoption varies greatly from country to country. There are some major differences when it comes to things like standards, guidelines, or regulations to follow. As a result, the overall implementation of open banking becomes unduly complex and slow. It is therefore likely to take some time before we see open banking as a global standard.
Open banking’s very core goes against the grain of the traditional security approach in banking. In the old world, customer data and all operations are kept within very highly controlled environments; in contrast, open banking seeks to facilitate access to this same customer data.
So while open banking is very much the future for financial services, it’s clear that it will herald some unique security challenges. Namely, one key challenge that arises from the very nature of open banking is addressing new threats that come via the banking application’s client endpoint (the user’s device or browser, for example).
One often unaddressed aspect of client-side security is exposed source code. After companies publish their websites and mobile applications, any potential attacker is free to go through the source code, analyzing the behavior of the application and looking for possible security weaknesses.
Another key threat to these applications comes in the form of web supply chain attacks. Much is being said these days about these attacks, which have been used to breach thousands of private and public organizations. The reality today is that most web and mobile applications rely extensively on third-party code. These pieces of code, used during the application development process, can be compromised by attackers to covertly plant a backdoor into the application, putting user data at risk.
Ensuring that open banking operates with security first and foremost will require the adoption of improved client-side security - not only with the implementation of strong customer authentication but also with application shielding and real-time web page monitoring. These layers of security will serve as global enablers of open banking and help to herald a new era for the financial industry.
Rui Ribeiro, CEO and Co-Founder, Jscrambler