Blurring the lines
Creating an Open Banking data sharing ecosystem
Although Open Banking initiatives are gaining traction, the creation of a safe and fully functioning cross-industry data sharing ecosystem is still some way off. More needs to be done by firms and regulators to raise consumer awareness and reach scale.
While Europe might reasonably claim to be the 'cradle of Open Banking, open banking initiatives are popping up elsewhere. It is beyond the scope of this article to list all of the initiatives currently underway, but most fall into one of two categories: market-driven or regulatory-driven.
A number of countries, including India, Japan, Singapore, and South Korea, do not currently have formal or compulsory Open Banking regimes, but their policymakers are introducing a range of measures to promote and accelerate the take-up of data sharing frameworks in banking.
In Singapore, MAS and The Association of Banks have published an API Playbook to support data exchange and communication between banks and FinTechs. In Japan, the FSA has established an authorisation process for TPPs, introduced an obligation for banks to publish their Open APIs policies, and encouraged banks to contract with at least one TPP by 2020. The majority of Japanese banks are taking this regulatory encouragement very seriously and are on track to fulfil the 2020 deadline. The US have also opted for a market-led approach, but without any material government initiatives to support the development of Open Banking products and services.
A recent US Treasury report recommended developing regulatory approaches to enable secure data sharing in financial services. However due to the highly fragmented and state-based nature of banking and banking regulation in the US, as well as a cultural aversion to ‘red tape’, there is little discernible appetite currently for taking this forward and issuing a common federal policy on Open Banking. The major US banks are well aware of the strategic importance of Open Banking and are developing API-based offerings, in contractual partnerships with third parties, as a way to attract new customers and maintain/gain competitive advantage. However, in the absence of an industry-wide API strategy, screen scraping remains prevalent as a way for TPPs to provide innovative services to customers without having to enter into a contractual agreement with each bank. This is costly and inefficient for TPPs, but also difficult for banks which remain solely responsible and liable towards their customers, including when TPPs use screen scraping without the bank’s knowledge by accessing the account with the customer’s bank credentials—not to mention that screen scraping typically gives a TPP access to much more customer data than is often required to deliver the service the customer wants, increasing the risk for both the customer and the bank
Outside the EU, two major jurisdictions have opted for a regulatory-driven approach: Hong Kong and Australia.
The Hong Kong Monetary Authority issued an Open API Framework in July 2018, setting out a four-phase approach for banks to implement Open APIs, starting with information sharing on products and services, and ending with sharing of transactional information and payments initiation services. Contrary to the EU approach, however, while banks will be required to develop APIs, they will be able to restrict access to those TPPs with which they choose to collaborate.
But it is Australia that stands out for its innovative approach and scale of ambition. Like other Open Banking initiatives the Consumer Data Right Act (CDR), which is currently being finalised, will allow consumers to share their data with whichever authorised third parties they choose. The key difference, however, is that the CDR is a data policy initiative and not a financial services one. While it will apply to banks first, the CDR will subsequently apply to the energy and telecommunication sectors as well, and eventually it could be applied to any sector. The CDR is also the first Open Banking legislation to introduce the concept of ‘reciprocity’, which we explore further below.
Following the introduction of PSD2, banks have been vociferous about the lack of reciprocity between banks and third parties, especially BigTechs. This, they argue, amounts to an unfair and regulatory-driven ‘competitive disadvantage’ (although banks remain vague about how they would like to leverage BigTechs’ customer transactional data if they had access to it).
In fairness the EU GDPR does include a right to ‘data portability’ which could be leveraged to ensure reciprocity. In practice GDPR does not specify either the obligation to respond in real-time to data portability requests (e.g. under GDPR, firms in Ireland have 1 month to respond to a standard request), or any technical communication standard to transfer the data between organisations. Whereas the interpretation of the requirement may change over time, for the foreseeable future the data portability requirement will do little to support organisations wishing to provide innovative services to their customers based on a real-time data sharing ecosystem, in the way that Open Banking aspires to do for payments and payments data.
In Australia, the concept of reciprocity was introduced in the Open Banking review, which formed the basis for the CDR. The review noted that a system in which all eligible entities participate fully – as both data holders and data recipient – would be “more vibrant and dynamic” and promote greater competition. Both the review, and now the CDR, support the principle that an accredited data recipient in a designated sector should also be obliged to provide equivalent data, and in an equivalent format, in response to a direction from a consumer. However, determining what ‘equivalent data’ consists of for each sector remains a significant challenge. Australian regulators acknowledged that this issue requires further consideration and have proposed excluding reciprocity from the first implementation phase, due to start in July 2019. Nevertheless, the principle of reciprocity looks likely to be enshrined in law once the CDR is finalised. While implementation will undoubtedly present challenges, it still represents a major step in a new and, for some, controversial, direction.