10 Challenges for Open Banking Regulators

Security should be at the heart of Open Banking, but a good framework leaves enough space for innovation without trading in consumer safety. At first glance, Open Banking may seem more of a threat than an opportunity. Any cybercriminal would dream of gaining access to customer banking data to perform all sorts of nefarious activities. 

Needless to say, successful data-sharing frameworks calculate this risk and include security measures that keep customer data safe. Regulators should define the vetting process and start thinking about where liability falls should something go wrong. But it’s not simple and linear. Some types of security issues can only be identified when market players initiate data-sharing. These new problems initially seem to be unforeseeable.

However, there’s a tool that fosters innovation while protecting consumers and market players from negative outcomes – the sandbox. Regulatory sandboxes provide a safe environment to test innovative products, services, and business models under a more relaxed regulatory environment. This prevents innovations from being stifled by high regulatory requirements and allows regulators to test the standards and services before implementing them.

Regulators use sandboxes for various purposes, such as allowing FinTechs to test their applications, testing and future-proofing newly created standards, or monitoring FinTechs while they interact with real customers. 

Regulatory sandbox regimes are cropping up around the world, from Africa and the MENA region to Asia Pacific. Regions are finding that the balance between innovation and safety may indeed lie in the sandbox.

One of the greatest challenges is adoption. 

When the European public first got wind of Open Banking, there were very mixed reactions. Some believed that such a regulation would only increase the danger of data breaches and fraud. Even Mick McAteer, a former board member of the UK’s Financial Conduct Authority (FCA), shared his disapproval and doubts regarding Open Banking. As far as the general public goes, anyone who has read a 2019 article about Open Banking has seen comments decrying this new technology, and it isn’t surprising.

The public’s understanding of data privacy and risks has significantly changed over the years. The Cambridge Analytica Scandal in 2016, where millions of Facebook users’ personal data was used without consent to aid political campaigns, reawakened a sense of privacy that the public had for long been dubious about. Consumers are now more aware that organisations with access to sensitive data may use it for other motives, with or without consent. 

Very few people knew about Open Banking when it first arrived. When they learned about it, it wasn’t love at first sight. Even now in 2023, according to NTT Data, a whopping 84% of UK consumers don’t believe Open Banking is safe, and 58% don’t understand it. In countries where Open Banking is either in its infancy or not officially launched yet, understanding and trust are even lower. 

For example, a report by the Financial Consumer Agency of Canada shows that only 9% of Canadian consumers have heard of open banking. Even after learning what it is, only 15% felt that they would participate in open banking.

Of course, any new technology or process usually meets doubts and fears. The only solution, aside from implementing secure measures, is to educate the public and help them understand how it works and what the benefits are.

That’s why, for example, Open Banking UK launched a consumer-focused YouTube campaign providing content that explains the benefits of Open Banking and why it’s safe.

Regulators often struggle to identify the risks posed by new technologies and the business models that they enable.

Technologies can die quickly and are replaced almost instantly. They can also transform at remarkable speeds. Some say the cloud revolution brought us here. By removing barriers to entry and allowing equal access to computational power, the cloud has significantly accelerated innovation. So much, in fact, that regulators find themselves behind on the innovation curve.

Regulations focused on technology are already complex to design and regulators often lack the technical expertise to fully understand how to regulate in a way that doesn’t stifle innovation or leave customers unprotected. What’s more, regulators may design a robust framework to gain control over a certain type of technology or service, just to find that the service has changed so much that the new regulation is already somewhat out of date.

An example of this is the recent boom in Artificial Intelligence (AI). According to Stanford University’s AI Index, until 2014, academia was at the forefront of releasing significant Machine Learning models. After that, the industry started taking over. 

In 2022, ChatGPT broke the record for the fastest-growing application in history with 1 million users in just 5 days. By comparison, Instagram took 2 and a half months to reach the same user count. In general, Generative AI reached over 100 million users just 2 months after ChatGPT launched, a growth rate that beats both smartphones and tablets.

Chart from Insider Intelligence, 2023

The AI explosion in 2023, especially among younger generations, is in part due to the newfound availability of data, lower barriers to entry, and a better understanding of AI. Google Trends clearly shows interest in the topic shooting up in 2023.

Google Trends: AI Interest Worldwide 2004 – 2023

This is great news for the AI industry, but there’s always a dark side to this speed. According to the AIAAIC database, AI incidents and controversies have increased 26 times since 2012. For example, 2022 saw multiple deepfakes (including Ukrainian President Volodymyr Zelenskyy’s surrender), 11 Tesla autopilot incidents, a chess robot breaking a child’s finger, and the list goes on.

AIAAIC Database: AI Incident count 2010 – 2023

Although AI is the most relevant example, this also applies to fintech, especially applications that leverage advanced technologies. Moreover, cybercriminals are always devising new ways to steal data and ultimately money, meaning that cybercrime is also in continuous evolution.

How can regulators keep up with such a fast-growing sector that’s saturated with unknown risks? 

Innovation will always be a few steps ahead. But authorities can avoid trailing far behind by keeping abreast of the most up-to-date technology trends, consulting with experts in the field, and evolving their frameworks with the changing tides of innovation.

As previously mentioned, authorities can also use sandboxes to monitor innovations and ensure they are always in the loop. 

Big Tech companies are confidently encroaching on financial services territory, blurring the lines between industries as they dd, but they always tend to fall right outside of the regulatory scope. Tech companies will eventually obscure the line between financial and non-financial regulations, creating either value or havoc – or both.

According to BIS, Big Techs have the potential to threaten financial stability. Their business is based on a mix of money-related and tech services and they can leverage a vast amount of customer data, helping them gain a competitive advantage that can lead to a dangerous concentration of power.

BIS Working Papers – Big techs in finance

Their competitive advantages place them in a particular position. They can quickly dominate markets, as seen in China where big techs processed payments equivalent to 38 percent of GDP, and can abuse customer data as seen in the previous points.

Already, the likes of Apple, Google, Amazon, Alibaba and Tencent, among others, are expanding their financial services offerings.

For example, Apple partnered with JP Morgan Chase to introduce Apple Pay in 2014 and didn’t stop there. In 2019, Apple joined forces with Goldman Sachs to issue the Apple Card, then again in 2023 to provide a high-yield savings account with an interest rate 10 times higher than the US average, which reached $10 billion in deposits in just 3 months. Apple’s offering now includes credit, BNPL, savings, credit rebates, and merchant payment tools. WhiteSight provides an in-depth analysis of this journey with its recent article: iPhone to iBank.

Google has been dabbling in finance for almost two decades now. After launching Google Wallet in 2011, the firm expanded into car insurance and mortgage comparison and even announced a partnership with a number of banks to introduce a new digital bank account. The plan was soon scrapped, though not for lack of opportunity. 

According to a Forrester report entitled Why Google Bank Won’t Happen, Google will still disrupt financial services even without becoming a bank. The real value that Google will bring to finance lies in the integration of new FinTech services with its ecosystem of tools such as Google Maps, Gmail, Google Play and Google Now. By avoiding the regulatory burden of traditional finance, Google can stay on its disruptive path without incurring regulatory consequences. However, it still has the potential to use transaction data and combine it with its own consumer data, and ultimately could become a financial hub. 

These new BigTech fintech services are complicated to regulate.

BIS outlines two main reasons Big Tech disruption can make regulation more complex.

1. Their business models may require competition and data privacy regulations, 
2. Welfare goals have to be considered, as opposed to just focusing on policy objectives.

As a result, regulation targeting Big Techs must take into consideration their unique features and mitigate new risks that are nonexistent or less prevalent in other institutions. By reason of this, regulators are seeing the need to build broader frameworks that can work between sectors and even to design regulations specifically for Big Tech firms that are embedding and providing financial services.

One cannot expect a small firm to follow the same framework as a large enterprise. Regulators must ensure a level playing field, not by enforcing the same rules for FinTechs as they would for banks, but by adapting the rules to the different organisational contexts. 

Many regions are “loosening the leash” through the use of regulatory sandboxes, while some countries such as Germany decided that no regulatory exceptions should be made for Fintechs. Such a double standard may appear to be unfair to traditional institutions, which will have to deal with more regulatory pressure. However, the lack of regulatory guidance and high pressure may deter FinTech companies and hurt the country’s chances of becoming a hub for innovation. Thus, some in Germany have identified a need for more regulatory leeway for FinTech companies.

The difficulty in regulating Fintechs also arises from their agility. Regulators will have to adapt their processes to monitor these fast and more flexible players. 

These qualities also create a challenge for Bank/FinTech collaboration. While banks are large, slow and risk-averse, FinTechs are small, fast and innovative. These polar opposites will have to find some middle ground if they are to bring any value to consumers.

There are two important factors to consider when it comes to traditional institutions.

1. Regulators have to decide which ones to regulate. This may seem simple at first, but is it?

When the Payment Services Directive 2 (PSD2) was first proposed, it focused on institutions offering payments and bank accounts. In 2023, the European Commission (EC) proposed a new framework for accessing financial data beyond payments (FIDA), thus including the wider financial system. Instead, the Fintech Law in Mexico and Brazil’s Open Finance set out to include additional financial services players, such as credit bureaus and clearing houses, from the start.

To take it a step further, the Australian Consumer Data Right (CDR) was first introduced to the banking sector, but expanded in 2022 to include the non-bank lending sector and will continue to expand into other sectors such as telecom and energy.

Including all financial services providers is ambitious and creates more opportunities for innovation, but going step by step is more cautious and allows regulators to adjust the initiative as they progress.

2. To encourage adoption, regulators should give thought to business incentives

Financial institutions aren’t often enthusiastic about sharing their data. Aside from security and technical challenges, it may seem that they’re giving away a competitive advantage and losing customers to new players, especially if they aren’t allowed to charge for API usage.

For example, despite the initial reluctance, most UK banks now feel more positively about the potential of Open Banking, likely because they are overcoming obligations and now have a better view of the business opportunities. Open Banking use cases haven’t always been clear and easy to imagine.

With FIDA, the EC enables data providers to seek compensation for implementing APIs so as to at least distribute the costs of implementation. 

In the Middle East, after studying regional market opportunities, the Bahrain Central Bank set out 8 use cases in the Bahrain Open Banking Framework (OBF). In Jordan, participating institutions are allowed to commercialise their APIs, though no rules have been specified yet.

Regulators must keep in mind that for traditional institutions, Open Banking is both an investment and a way to let in new competitors. Adoption will be easier if the incentives, use cases and business opportunities are made clear.

Like with any novelty, terminology is always an issue. There are always terms that need to be reconciled and definitions that need to be clarified. It isn’t rare to find the same word used in completely different ways due to its infancy.

For instance, even the term ‘open banking’ when written in lowercase may refer to the practice of data-sharing, while ‘Open Banking’ in uppercase may refer to the regulation.

There have also been debates regarding the true meanings of Bank-as-a-Platform and Bank-as-a-Service:

Banking as a Service is commonly accepted as a model that enables licensed banks to offer certain capabilities as services. This allows non-banking Third Party Providers to integrate financial services in their own products. 

With Banking as a Platform, the Bank integrates third-party services into its own offering. 

However, a brief search on the internet will show the range of definitions that both have been given. The financial services industry gets creative in its way of describing what it can do with APIs, but isn’t always able to reach a consensus on meanings.

It is easy to see how semantics and even case variants could be cause for misunderstanding. What should be done if terms are coined by the sector? What definitions should regulators use?

Finding common terminology facilitates communication between regulators and regulated organisations, as well as neighbouring regions, and makes sure that all players are speaking the same language.

But that’s not where the interpretation difficulties end…

Even when the regulations have been designed and promoted, the fintech community may have issues receiving them. In other words, regulations are written for lawyers, not “techies”.

IT departments expect libraries, toolkits, SDKs, and much of the technical terminology that they understand and are able to work with. 

For example, when it comes to defining guidelines, not enough focus is placed on the API. The UK provided the market with UX guidelines, but only on a surface level. The specifications referred more to the outcome and expectations rather than to the actual APIs. 

By consulting and collaborating with experts in the field, authorities can make their regulations developer-friendly and understandable. 

And when the technical guidelines have been written, what then? How will you ensure community engagement and quick adoption? Regulators must have clear, well-maintained, and well-documented specifications that the market can easily access. This means relying on best practices for publishing API standards using open collaboration platforms such as GitHub – which most developers are acquainted with – so that technical teams know what is being asked of them.

Of course, on the other side, TPPs must work with regulatory experts to understand the requisites for compliance. Collaboration with traditional institutions can also help in this regard.

A good way to start is by picking apart the open banking frameworks in other countries. The analysis of similar regions will produce insights that are relevant to the country in question. By examining the regulations, one can gain some inspiration to build a picture of a potential Open Banking regulation.

Examples of questions that are highly relevant when examining other frameworks are:

• Why did they propose this framework? What is the objective?
• Who proposed it? Is it the same body that will supervise?
• Which regulatory model are they using? Commander, Advocate, Architect, Diplomat. 

And last but certainly not least: What are the weak spots of this regulation?

The early identification of vulnerabilities and flaws in a framework will prepare regulators for missteps and, hopefully, prevent them altogether. 

When advising regulatory bodies, the OBP team uses an essential tool – The Open Banking Regulatory Canvas. 

The Canvas helps regulators outline the key aspects of their framework.

If you are at the start of your regulatory open banking journey, we suggest asking yourself these 12 questions.

1. What problems can Open Banking address in my region? 
2. What’s more important: The end goal or the way organisations get there?
3. Who should fall under the regulatory scope?
4. Should we tighten the reins or let them roam free? How strict should it be?
5. Will standardisation stem the tide of innovation? Who should be in charge of standardising?
6. Which services should we open up? 
7. Who are we opening the gates to? Which types of companies should have access?
8. How will we assess and vet Third Parties?
9. If something goes wrong, who is liable? 
10. Who are the major stakeholders and who should pay for implementation?
11. Should we think about pricing or should we forbid charging of any kind?
12. What is the most efficient way to oversee all of this?

That’s it. 12 questions that can help regulators see their future Open Banking regime in their mind’s eye.

Regulatory authorities aiming to transform their regions for the better through Open Banking and Open Finance will encounter hurdles. They will have to study Open Banking, introduce a feasible data-sharing framework, and ultimately decide the future of their region’s financial services sector.

Of course, there will be some regulatory hand-holding in the beginning. But regulators cannot hold all of the burden. Regulatory authorities, financial institutions, and new fintech players must collaborate to unlock the full potential of open banking data in financial services and bring benefits to their region. Are there more important challenges to add to this list? 

What challenges do regulators face?