
Basel Committee Open Banking report focuses on customer-permissioned data sharing

Open banking is an evolving trend in many jurisdictions, and authorities have responded by taking a broad range of actions in recent years. In its recent report, the Basel Committee on Banking Supervision (the Committee) focused on the aspects of Open Banking (OB) related to customer-permissioned data sharing, where the customer first grants a third party firm (“third party”) permission to access their data, either directly or through the customer’s bank.

The Committee recognises the importance of banks and bank supervisors understanding these Open Banking developments and their implications for banks and banking supervision. Accordingly, the Committee decided to conduct monitoring work, particularly on developments in Open Banking and the use of application programming interfaces (APIs) that were highlighted in the Committee’s Sound Practices paper on “Implications of FinTech developments for banks and bank supervisors”.

The Committee gathered information on current practices from its members and had discussions with industry practitioners to examine how Open Banking is evolving across Committee jurisdictions and to identify potential implications for banks and bank supervisors.

Below are the key findings on Open Banking frameworks and the related challenges identified for banks and bank supervisors.

Key findings of Open Banking frameworks


  1. Traditional banking is evolving into Open Banking

While the sharing of bank-held customer-permissioned data with third parties has been taking place for many years, increased use of digital devices and rapidly advancing data aggregation techniques are transforming retail banking services across the globe. This sharing of customer-permissioned data by banks with third parties is leveraged to build applications and services that provide faster and easier payments, greater financial transparency options for account holders, new and improved account services, and marketing and cross-selling opportunities. A number of Committee jurisdictions have adopted or are considering adopting Open Banking frameworks to require, facilitate, or allow banks to share customer-permissioned data with third parties.

  2. Open banking frameworks vary across jurisdictions in terms of stage of development, approach and scope

Authorities have either taken or are considering a range of actions related to Open Banking in their respective jurisdictions. Some jurisdictions have taken a prescriptive approach, requiring banks to share customer-permissioned data and requiring third parties that want to access such data to register with particular regulatory or supervisory authorities. Some other jurisdictions have taken a facilitative approach by issuing guidance and recommended standards, and releasing open API standards and technical specifications. Remaining jurisdictions follow a market-driven approach, currently having no explicit rules or guidance that require or prohibit the sharing of customer-permissioned data by banks with third parties.

  • Open banking is still in the early stages of development in a number of jurisdictions. Approximately half of Committee members have not observed significant Open Banking developments in their jurisdictions. Given that Open Banking frameworks and initiatives are still in the early stages of implementation in many of these jurisdictions, notable activity or data on bank practices and market developments are yet to be observed.
  • There are benefits and challenges with each approach to Open Banking when balancing bank safety and soundness, encouraging innovation and consumer protection. Jurisdictions taking a market-driven approach, with few requirements related to the sharing of customer-permissioned data, nonetheless observed data-driven financial services with a range of consumer-centric options. Jurisdictions with more defined Open Banking frameworks noted the benefits and efficiencies of having clear and consistent expectations and standard APIs. However, it is unclear whether these Open Banking frameworks were driven by, or will drive, consumer demand and market developments.
  • Open banking frameworks also vary in scope and requirements.

Some frameworks, such as the EU’s revised Payment Services Directive (PSD2), apply only to specific types of data, like payments processing data, and provide third parties with both “read” and “write” access to data and payment initiation. PSD2 does not prevent member jurisdictions from adopting a broader scope. For example, the UK’s Open Banking initiative additionally requires the inclusion of publicly-available information on branch and ATM locations, bank products and fees. In contrast, Australia’s framework provides “read-only” rights for data aggregation purposes and will eventually cover industries beyond banking, such as the telecommunications and energy sectors.

  3. Data privacy laws can provide a foundation for an Open Banking framework

Many jurisdictions that have adopted Open Banking frameworks also updated or plan to update their data protection and/or privacy laws. Data privacy laws in some jurisdictions are anchored on the principle that the customer owns their data and has the right to control it. Some other legal frameworks view banks, and sometimes third parties, as the data owner, but limit their rights to control the use of such data to the boundaries of the consent provided by the customer. Many jurisdictions’ consent rules also place restrictions on downstreaming data to fourth parties, and on reselling customer data for purposes beyond the customer’s initial consent.

  4. Multi-disciplinary features of Open Banking may require greater regulatory coordination

Within each jurisdiction, multiple authorities can have a role in addressing issues related to banks’ sharing of customer-permissioned data with third parties owing to the multi-disciplinary aspects of Open Banking. Relevant authorities may include, for example, bank supervisors, competition authorities, and consumer protection authorities, among others. Given the variety of authorities involved and various mandates of these authorities, greater coordination may be needed to address potential inconsistencies or gaps in regulation.

Identified challenges for banks and supervisors


  1. Open banking brings potential benefits but also risks and challenges to customers, banks and the banking system

Many banks would acknowledge that Open Banking has the potential to transform banking services and bank business models. However, banks and bank supervisors will have to pay greater attention to risks that come with the increased sharing of customer-permissioned data and growing connectivity between banks and various parties.

  2. Challenges of adapting to the potential changes in business models

Banks may face challenges in adopting strategies needed to remain competitive and profitable in the changing digital environment. Related challenges reported include increased competition and potential loss of revenue and deposits to new competitors, namely FinTechs, that offer financial services and other types of services (eg accounting, tax, financial advice and marketing).

  3. Challenges of ensuring data and cyber security in an Open Banking framework

Data sharing brings many benefits, but it also enlarges the attack surface. Data collected by third parties, whether via screen scraping, reverse engineering or tokenised authentication through APIs, can be stolen or compromised. Furthermore, as more data is shared with more parties, the likelihood of a data breach increases, so effective data management becomes more crucial.

  4. Some of the challenges hindering the development of APIs to share customer-permissioned data include the time and cost to build and maintain APIs and the lack of commonly accepted API standards

In jurisdictions where screen scraping or reverse engineering is still prevalent, banks are challenged with balancing security against ease of access. Banks generally prefer, or in some jurisdictions are required, to use more secure methods for sharing data for certain types of accounts, such as tokenised authentication through APIs, rather than screen scraping or reverse engineering. The difference matters: with screen scraping the customer typically hands their online-banking credentials to the third party, which then has the same access the customer has, whereas with a tokenised API the bank issues the third party its own credential limited to what the customer consented to. These secure methods enable banks to exercise greater control over the type and extent of data shared, and enable more secure access management and monitoring. Furthermore, APIs provide advantages for third parties and customers, including potential improvements to efficiency, data standardisation, customer privacy, and data protection. However, some challenges associated with the universal use of APIs remain. The time and cost to build and maintain APIs (particularly when done on a bilateral basis with multiple organisations), the lack of commonly accepted API standards in some jurisdictions, and the economic cost for smaller banks to develop and adopt APIs have been cited as challenges.
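The control the report attributes to tokenised API access (restricting the type and extent of data, managing and revoking access, and attributing every call to a named third party) can be made concrete. The following is an added illustration written for this page, not code from the Basel Committee report or from any Open Banking standard; real frameworks such as the UK’s implement this mechanism with OAuth 2.0 access tokens, and the token format, scope names, account identifiers, signing key and consent record below are assumptions chosen for the example.

```python
"""Scope-limited, revocable API access bound to a customer's consent.

Added illustration, not code from the Basel Committee report or from any
Open Banking standard. Token format, scope names, account identifiers and
the consent record are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example; a bank would keep this in an HSM or KMS.
SIGNING_KEY = b"demo-bank-token-signing-key"

# Monitoring: every decision is attributed to a named third party and consent grant,
# which a screen-scraping session (third party logging in as the customer) cannot give you.
AUDIT_LOG = []
REVOKED_CONSENTS = set()


def issue_token(consent_id, customer, third_party, scopes, accounts, ttl_seconds, now=None):
    """Mint a bearer token carrying exactly what the customer consented to.

    Assumed format: base64url(JSON claims) + "." + hex HMAC-SHA256 tag.
    """
    now = time.time() if now is None else now
    claims = {
        "cid": consent_id,             # links the token to one revocable consent grant
        "sub": customer,
        "tpp": third_party,            # the third-party provider this token was issued to
        "scopes": sorted(scopes),      # type of data: e.g. accounts:read but not payments:write
        "accounts": sorted(accounts),  # extent of data: only the accounts the customer selected
        "exp": now + ttl_seconds,      # consent has a lifetime
    }
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def _verify(token):
    """Return the claims if the tag is genuine, otherwise None."""
    if "." not in token:
        return None
    body, tag = token.split(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorize(token, scope, account, now=None):
    """Decide one API call against the consent in the token and log the decision.

    Returns (allowed, reason). Checks run in order: signature, revocation,
    expiry, scope (type of data), account (extent of data).
    """
    now = time.time() if now is None else now
    claims = _verify(token)
    if claims is None:
        allowed, reason = False, "bad_signature"
    elif claims["cid"] in REVOKED_CONSENTS:
        allowed, reason = False, "consent_revoked"
    elif now >= claims["exp"]:
        allowed, reason = False, "expired"
    elif scope not in claims["scopes"]:
        allowed, reason = False, "scope_not_granted"
    elif account not in claims["accounts"]:
        allowed, reason = False, "account_not_in_consent"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append({
        "ts": now,
        "tpp": claims["tpp"] if claims else None,
        "cid": claims["cid"] if claims else None,
        "scope": scope,
        "account": account,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


def revoke(consent_id):
    """Customer (or bank) withdraws consent; the token itself need not be recalled."""
    REVOKED_CONSENTS.add(consent_id)


def walkthrough():
    """Grant, normal use, two kinds of over-reach, expiry, tampering, then revocation."""
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    tok = issue_token("c-001", "cust-42", "budget-app", {"accounts:read"}, {"acct-1"}, 3600, now=t0)
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")  # flip one hex digit of the tag
    results = [
        authorize(tok, "accounts:read", "acct-1", now=t0 + 10),
        authorize(tok, "payments:write", "acct-1", now=t0 + 10),
        authorize(tok, "accounts:read", "acct-2", now=t0 + 10),
        authorize(tok, "accounts:read", "acct-1", now=t0 + 7200),
        authorize(tampered, "accounts:read", "acct-1", now=t0 + 10),
    ]
    revoke("c-001")
    results.append(authorize(tok, "accounts:read", "acct-1", now=t0 + 10))
    return results


if __name__ == "__main__":
    for allowed, reason in walkthrough():
        print("ALLOW" if allowed else "DENY ", reason)
```

Running the walkthrough, only the first call is allowed; the write attempt, the unconsented account, the stale token, the tampered tag and the post-revocation call are each refused with a distinct reason, and every entry in `AUDIT_LOG` names the third party and consent grant, which is the monitoring advantage the report contrasts with screen scraping.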

  5. Oversight of third parties can be limited, especially in cases where banks have no contractual relationship with the third party, or where the third party itself has no regulatory authorisation

Jurisdictions typically have standards for data transmission, storage and other information security requirements for banks, but most of these supervisory requirements are applied to banks and not necessarily to non-bank third parties that are part of Open Banking business models.

  • There can be a wide range of third party arrangements in an Open Banking model. Third parties can include fintech firms directly servicing consumers, intermediary data aggregator firms and potentially other parties that may not have contractual relationships with banks. Third parties can also include non-contracted entities that are authorised or licensed by particular authorities. In jurisdictions with no defined Open Banking frameworks, setting specific requirements or expectations for these third parties may be challenging due to the absence of contracts with banks or other regulatory controls. Moreover, third parties may be able to further partner and share customer-permissioned data obtained from banks with fourth parties without the bank’s knowledge.
  • In the absence of a contractual relationship, banks may find it challenging to exercise oversight and monitoring over such third parties. In many instances, the customer engages the third party firm directly, and therefore, the bank does not have a direct contractual relationship with the third party.
  • Supervisory oversight of third parties can depend on each jurisdiction’s regulatory framework and on the contractual relationships between banks and third parties. Many bank supervisors enforce security and control requirements through outsourcing expectations for banks, but may have limited or no direct oversight of third parties. Mirroring banks’ own third party oversight challenges, and depending on the jurisdiction, bank supervisors find it difficult to enforce their supervisory expectations where banks have no contract in place with the third party or where the relationship does not fall under existing supervisory expectations.

  6. Assigning liability in the event of financial loss, or in the event of erroneous sharing or loss of sensitive data, is more complex with Open Banking, as more parties are involved

With more parties and intermediaries involved in the provision of financial services in an Open Banking model, it is more difficult to assign liability and to determine the damages owed to the customer, if any. The level of clarity and granularity of regulations governing customer redress varies across jurisdictions and, in some cases, may not have been updated to take Open Banking business models into consideration.

  7. Banks may face reputational risk, even in jurisdictions where there are established liability rules

Many banks view themselves as custodians of their customers’ data and customers place great confidence in the banks’ ability to safeguard their data. In addition, customers often turn to the regulated entity (i.e. their bank) first with complaints and disputes, even if the third party is responsible for the erroneous transaction or data breach.

The post Basel Committee Open Banking report focuses on customer-permissioned data sharing appeared first on Payments Cards & Mobile.