January 22, 2019

How to Regulate Open Banking

The financial services industry is undergoing a revolution in how software solutions are manufactured and delivered to end customers. The services which we know as Open Banking enable individual customers and businesses to share their financial data with third parties. As a direct result, consenting customers can now benefit from a host of innovative applications for use outside of their bank’s ‘walled gardens’ – people with hearing issues might use an app which speaks their account balance to them, young graduates living on a tight budget might benefit from an app which helps them manage their finances and saves automatically, SMEs can quickly compare loan products from various banks to choose the most appropriate.

The banking industry, traditionally closed and secretive, is being forced to rethink its basic model to work in a more collaborative manner (with both banks and up-and-coming fintech startups). This response to customer demand comes of course with a plethora of challenges; issues of security, liability, business models and partnership at scale are all radically new dimensions unimaginable only a few years ago.

Today, as the technology matures and a number of banks begin to show the way forward in Open Banking, some regulators have stepped in to regulate (or at least provide guidance) for the rest of the industry. Gartner estimates that regulators in 50% of G20 countries will create an open banking API standards or gateways this year.

As more countries announce their intentions to engage with the Open Banking regime. Regulators and industry bodies around the world would be well advised to seriously engage with Open Banking in preparation for an imminent open future.

A bit of history…

It all began in Europe. Simon Redfern, founder of the Open Bank Project, and I started banging the drum of Open Banking some five years ago. Our ideas about openness, transparency and data sovereignty found echo in both the European Commission and the UK Treasury. As a result, we contributed significantly to the UK Treasury-commissioned Paper on Open Banking back in 2014 and to the UK Open Banking Working Group. The world’s first regulation mandating open APIs for the 9 largest banks in the UK became law as the result of these initiatives. Since then, further countries have jumped aboard the “bank-wagon” and have begun exploring Open Banking regimes suited to their local context (the latest is New Zealand, who debuted an industry API pilot led by Payments NZ in March 2018). We’ve kept a close eye on these developments and in some cases we’ve used our technology and expertise to help out.


Why Open Banking?

One thing that regulators around the world agree on is the fact that Open Banking is a formidable tool which can:

  • Foster increased competition in financial services and creating a level playing field
  • Drive innovation and unleash the full power of the fintech revolution
  • Ensure increased levels of security for customers and businesses
  • Make financial services more personalised and easier to understand and compare

Ultimately, regulators are striving for better, less expensive and more ‘fluid’ financial services for all.  Fluidity might mean making account switching easier or enabling an SME to more easily obtain a loan via a new fintech startup who, having been granted access to the organisation’s bank accounts, can look to make their offer based upon their specific analysis of the SME’s transactions and requirements. Open Banking should make any and all such customer use cases easier, safer and better for everyone.

Regulating Open Banking

Our team has spent the last few months reviewing various regulatory standards, legislations and working papers produced by regulators and industry bodies involved with Open Banking. This has helped us gain key insights into where markets are heading as well as an overview of the essential elements of a good Open Banking regime. We will share our results in a report later this year. As our work progresses though, I wanted to share some key findings. We’ve identified 5 dimensions which are essential to any Open Banking regime:

  1. Target: which institutions should be targeted by the Open Banking regime? UK regulators exclusively targeted the UK’s nine largest banks. In Australia, the regime will affect the four big banks first and will subsequently spread to the rest of the market. In the EU, PSD2 encompasses both retail and corporate banks. To achieve effective regulation, it is important to have a clear vision about which financial institutions, of what size and in which line of business are in the scope of proposed regulation.
  2. Top-down vs bottom-up: would the regime be legally mandated or is compliance proposed on a voluntary basis? Determining whether Open Banking is left to the market or is brought about through law is a crucial step towards implementation, and will have tremendous impact on all other dimensions.
  3. Assets to open up: which internal services should be opened to third parties? Should the openness be applied to core services such as access to accounts, transaction history and KYC, or limited to non-core services such as ATM, Branches & Products? Is it read-only services (e.g. transaction history) or should it also include payment initiation?
  4. Governance & Standardisation: are these services made open via a common interface or is each institution required to devise its own interfaces? Who decides about interface requirements and how does the standard evolve? Well-designed standard interfaces are more attractive for fintech, but a fixed standard might in some instances present a roadblock to innovation.
  5. Security & Liability: how is security handled? how are third parties vetted and authorised to have access? If something goes wrong, who is liable? How does authentication actually work and how is personal data stored and processed? Due to the sensitivity of the issue, security must be thoroughly addressed and strict checks and balances must be established. In this area, we note that related technology is maturing and industry standards such as OpenID Connect have emerged to begin to address these issues.

In Conclusion

Perhaps the best way to start grappling with these issues (and many others underpinning Open Banking) is to experiment in the open: cross-industry working groups, industry sandbox environments and hackathon events are all ideal tools to test and iterate solutions.

No two countries are the same, so figuring out the right approach to regulating Open Banking is always going to be tricky and really depends on the local context. However, today we have a wealth of information and experience internationally that we can leverage.

I’ll share more findings and learnings from our study next week in Auckland at the Point 2018 conference, New Zealand’s largest Fintech and payment conference. Come and say hi if you are around!

If you are not in NZ but interested in the subject nonetheless and would like to review our report on “how to regulate open banking” please do send me a note and I’ll share a draft with you.

Many thanks to Martin Gordon and Stuart Coleman for reviewing drafts of this.