Open Banking began on 13 January 2018 with the launch of PSD2. Industry pundits spoke about customers walking through a promised land of meaningful financial insights and competitive products. The new rules make it easier for consumers to compare services and switch to get better deals and more personalised products.
With the younger generation’s willingness to switch to an online-only bank, surely challengers would try to snap up customers. In turn, it was an opportunity for traditional banks to play to the advantages they already hold over their digital rivals.
Yet the big day came and went with less than a whimper. Only three large banks were ready with APIs on the 13th January. At the same time, institutions are concerned about a lack of consistent standards and question marks remain about data security and liabilities.
This raises a question: is Open Banking a promised land or wild west?
Welcome to banking’s wild west?
One of the biggest issues around Open Banking/PSD2 has been the nature of the technical standards and key areas where standards do not exist at all. The problem here has been a lack of alignment between the European Commission (who lays out the broad direction) and European Banking Authority (which specifies and ratifies these standards). Due to differing views from each body, the standards aren’t really standards, they’re more guidelines with significant room for interpretation.
For example, on SCA the EBA has set a particularly high bar for the use of authentication elements categorised as “inherence”. Devices and software provided to the payer to read “inherence” elements must possess security features (e.g. biometric sensors), and these features must:
1. Guarantee "sufficiently low likelihood of an unauthorised third party being authenticated as the legitimate payment service user";
2. Guarantee "resistance against unauthorised use of the elements" through access to the relevant device and software.
There is currently no guidance on the meaning of "sufficiently low likelihood" or "resistance".
With much open to interpretation and most merchants unable to penetrate the payments jargon, many expect merchants to implement full two-factor authentication from the deadline. And thus, there is a danger that the first time consumers really hear about Open Banking will be when they can’t buy with one click at Christmas. And they’ll need to authorise third parties to access their account by providing log-in details, despite 10 years of online banking guidance advising the contrary.
Confused? Probably not what the regulators envisioned when devising PSD2 at the outset.
There is also a distinct lack of guidelines on permissions and consent for consumers granting access to third parties. While TPPs should be FCA authorised, consumers may not be able to easily differentiate between those that are and those that aren’t without checking the official roster.
This raises the question of what happens if an unauthorised transaction is processed. In theory, it should be relatively simple. If the bank is at fault, they refund the consumer. If the TPP is liable they must indemnify the bank immediately. Problems will arise, however, if neither the bank nor TPP accepts liability. How does this get resolved successfully for the consumer?
Open Banking also raises concern around data sharing and security. TPPs run their own security controls and are now responsible for securely protecting any shared personal/account related data they process, requiring rigorous audit and security checks. Increasingly tokens are being used to encrypt data as well as verify identities but their ‘pass-key’ nature also makes them a particularly attractive target for cyber criminals. Attackers can replay the same token, in more than one transaction and in different time periods, to gain unauthorised access to account details.
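The replay problem described above, as an added defender-side example that is not from the original article: an HMAC-signed access token bound to one transaction, with a short expiry and a single-use identifier (jti), so that presenting the same token again, against a different transaction, or in a later time period is rejected. The key, claim names, reason codes and sample values are assumptions for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo key; a real bank or TPP would hold this in an HSM or KMS.
SECRET = b"demo-secret-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, txn_id: str, amount: str, jti: str, iat: int, ttl: int = 60) -> str:
    """Mint a short-lived token bound to one transaction and carrying a unique id (jti)."""
    claims = {"sub": sub, "txn": txn_id, "amt": amount, "jti": jti, "iat": iat, "exp": iat + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, txn_id: str, amount: str, now: int, seen_jti: set) -> str:
    """Return 'ok' or a rejection reason. seen_jti is the single-use store shared by verifiers."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return "bad_signature"      # tampered claims or wrong key
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return "expired"            # replay in a later time period
    if claims["txn"] != txn_id or claims["amt"] != amount:
        return "txn_mismatch"       # replay against a different transaction
    if claims["jti"] in seen_jti:
        return "replayed"           # same token presented a second time
    seen_jti.add(claims["jti"])     # consume the token on first successful use
    return "ok"

if __name__ == "__main__":
    seen = set()
    tok = issue_token("user-1", "txn-1", "12.50", "jti-1", iat=1000)
    print(verify_token(tok, "txn-1", "12.50", 1010, seen))   # ok
    print(verify_token(tok, "txn-1", "12.50", 1020, seen))   # replayed
    print(verify_token(tok, "txn-2", "12.50", 1020, seen))   # txn_mismatch
    print(verify_token(tok, "txn-1", "12.50", 1100, set()))  # expired
```

The jti store must be shared across all verifying nodes (e.g. a replicated cache keyed with the token's expiry) or a replay against a different node would still succeed.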
Open Banking own goals
These issues are compounded by many banks’ lukewarm embrace of Open Banking. For example, some banks are reluctant to promote Open Banking as that naturally leads to using TPPs, many of which could be direct competitors. They are anxious that new digital banks, with superior UXs, will begin to look attractive when side by side with legacy-constrained offerings. Compounding this is uncertainty over the impact of Open Banking combined with real-time payments. Given the subscription model economics and lack of interchange fees, this could lead to double disruption as account-based payments become more attractive than card-based payments. With profit margins on payments already wafer thin, a deluge of demand may tip already profit-poor payments into a major cost-centre for banks. And, for those banks who have yet to re-architect, high micropayment volumes particularly at peak times could seriously impact operational resilience.
With Ovum recently announcing that “banks must now serve a whole new customer segment: developers” to succeed in the Open Banking era, APIs should be at the very top of banks’ lists. Unfortunately, PSD2 guidelines have allowed banks to implement APIs differently. TPPs and Account Information Service Providers (AISPs) are unable to connect to multiple banks with a single API, so they must support additional API types. This in effect creates a technical firewall for TPPs, restricting service innovation.
As these practical compromises eat away at the promise of Open Banking, the industry could find itself facing a period of chaos, where rather than building a collaborative ecosystem, players face continual battles to seize ownership and stake their claims on customer accounts. With the lack of clear and distinct ‘laws’, this ‘wild west’ of financing could tempt some banks to put their technical and marketing power behind restricting TPPs’ access and limiting their appeal. In effect, they would take a minimal-effort, ‘compliance-only’ approach to PSD2 and Open Banking regulation.
Winners will own customers, not accounts
With Open Banking, accounts could soon be relegated to the role of “where the salary goes”. These fund-hubs would link to other third-party accounts where all the exciting services happen. This may even precipitate something of an arms race in the industry, as banks look to offer an array of API-based products so that third parties can deliver new service experiences. Thankfully, there is a large and growing number of banks that see Open Banking as integral to their strategy. These banks understand that trying to inhibit access to customer accounts is a race to the bottom. It will be the institution that uses Open Banking data combined with other data sets to offer insights, offers and utility that inspire loyalty which will win out. But most importantly, these banks appreciate that to succeed, they don’t need to own the account, only the customer. Unless banks grasp this, we’ll continue to sleepwalk into the wild west and not the promised land of Open Banking.