They say you're more likely to change who you're married to than who you bank with, but the advent of Open Banking and proliferation of Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) has provided increased opportunities for a dalliance, financially speaking. But how confident can we be that our financial data is being adequately protected? And what steps can be taken to increase user trust and uptake in Open Banking?

In this article, I take a look at some of the common concerns and misconceptions about Open Banking and explore how it can be used as a tool to enhance trust in financial institutions of all sizes and empower consumers to take control of their financial data.

What are the perceived problems?

After years of having to conquer the fortress of retail banking security processes and procedures – god forbid you forget the third letter of the name of your favourite childhood pet – it is understandably somewhat alien to consumers to be able to grant small start-ups they might never have heard of access to their banking and financial data. Increased consumer awareness of financial scams has unfortunately coincided with an increase in their sophistication, and financial data – what you spend, where you spend it, how much you spend – is incredibly personal and sensitive.

Research conducted by Forrester[1] in 2018 backs this up. It found that 82% of those surveyed cited concern over their data being breached as a reason holding them back from sharing their financial data, and 48% listed data and cybersecurity concerns as negatively impacting their opinion of Open Banking.

Are these actually problems?

Banks have an immense wealth of data on their consumers stretching back many years but have historically done very little with this data, whether for their own benefit or for the benefit of their customers. Often this is because the data is stored in a variety of different incompatible formats and is sitting in clunky legacy banking systems that cannot always interface well with newer technologies. This is where AISPs and PISPs come in.

Although they do not necessarily need to have banking licences, AISPs and PISPs have to be registered with or authorised by the Financial Conduct Authority (FCA). This means that they will have already been subject to significant regulatory scrutiny during the authorisation stage and will continue to be subject to ongoing regulatory obligations, filings and inspections.

It is fair to say that smaller and newer entrants to the market may not be as well equipped to protect against sophisticated and large-scale cyber-attacks despite being technologically agile. However, the buck ultimately stops with the banks (who have to invest a lot of time and money in cyber security) to ensure that data is only shared with third parties able to guarantee the security of that data. The mass transfer of data between entities relies heavily on the use of APIs, which are likely to become a focal point for cyber-attacks and bad actors as the entry and exit points for consumer data.

One of the key drivers behind the implementation of Open Banking was to give consumers more control over their financial data, more options in terms of what they can do with it and more oversight of where it's going, who is using it and for what purposes. Customers have to give their explicit consent to grant third parties access to their financial data and can even time limit that access.

In the Treasury Committee's report into IT Failures in the Financial Services Sector[2], Alison Barker (the Director of Specialist Supervision at the FCA) stated that, although there are risks inherent in opening up the financial sector, only 0.2% of issues that had been notified to the FCA related to Open Banking.

What can be done?

If you are using, or are thinking of using, Open Banking APIs to offer new products or services to consumers, there are steps you can take to help build trust.

  • Make sure you have the correct authorisations and permissions from the FCA, the ICO, any relevant European equivalents and any other regulatory authority who may have supervisory powers.
  • The Open Banking Implementation Entity has published its Standard, which comprises a whole host of recommended standards[3]. This includes API specifications, security profiles and operational guidelines that deal with the technical issues arising from account providers' obligation to give AISPs and PISPs access to customers' data with their consent.
  • Make sure you have considered your GDPR and other data protection and privacy obligations. Know whether you are a controller or processor (or both), what your lawful basis is or bases are for processing the personal data, how you intend to deal with and honour data subject rights, how you are going to collect any consents you need and comply with your transparency obligations.

What does the future look like?

Globally, Open Banking is taking shape in different forms. In Australia, for example, the mandate on banks to share consumer data is set to be rolled out to energy and telecoms providers as well, expanding the potential use cases beyond financial data. It will be interesting to see whether consumers have the same concerns granting access to their water bills as to their spending habits. Elsewhere in the world, similar open banking initiatives continue to focus on the unbanked and underbanked.

Open Banking in the UK continues to grow at pace. In February 2020 there were 204 regulated providers, 61 of which had at least one proposition live with customers[4]. By May 2020, only three months later, this had increased to 249 regulated providers, 77 of which had at least one proposition live with customers[5]. The data also shows that a lot of the new propositions are linked to helping address issues arising due to Covid-19. Fintechs have a unique ability to rapidly process large datasets and test and roll out new propositions in a way that the traditional banking sector simply does not.

As more roads in and out of traditional banks are built, more and more data is created to travel on those roads. Cyber security will be vital to ensure the continued success of Open Banking and the building of customer trust in the companies that use it.

Footnotes

1. https://www.scmagazineuk.com/meeting-security-challenges-open-banking/article/1583160

2. https://publications.parliament.uk/pa/cm201919/cmselect/cmtreasy/224/224.pdf

3. https://standards.openbanking.org.uk/

4. https://www.openbanking.org.uk/wp-content/uploads/infographic-mockup-v6.pdf

5. https://www.openbanking.org.uk/wp-content/uploads/MAY-infographic-1.pdf
