Open Banking began on 13 January 2018 with the launch of PSD2. Industry pundits spoke about customers walking through a promised land of meaningful financial insights and competitive products, writes Aniruddha Maheshwari
The new Open Banking rules make it easier for consumers to compare services and switch to get better deals and more personalised products.
With the younger generation’s willingness to switch to an online-only bank, surely challengers would try to snap up customers. In turn, it was an opportunity for traditional banks to play to the advantages they already hold over their digital rivals.
Yet the big day came and went with less than a whimper. Only three large banks were ready with APIs 13 January. At the same time, institutions are concerned about a lack of consistent standards and question marks remain about data security and liabilities.
One year on, and nearly half of banks (41%) failed to meet the testing environment or ‘sandbox’ for third party providers (TPPs). Along with fears around the forthcoming strong customer authentication (SCA), permissions and data security, many argue that Open Banking is not just moving slowly but introducing risk into the financial system.
This raises a question: is Open Banking a promised land or wild west?
Welcome to banking’s wild west?
One of the biggest issues around Open Banking/PSD2 has been the nature of the technical standards and key areas where standards do not exist at all.
The problem here has been a lack of alignment between the European Commission (who lays out the broad direction) and European Banking Authority (which specifies and ratifies these standards). Due to differing views from each body, the standards aren’t really standards, they’re more guidelines with significant room for interpretation.
For example, on SCA the EBA has set a particularly high bar for use of authentication elements categorised as “inherence”.
While devices and software provided to the payer to read “inherence” elements must possess security features (e.g. biometric sensors), these features must: 1. Guarantee a “sufficiently low likelihood of an unauthorised third party being authenticated as the legitimate payment service user” 2. Guarantee “resistance against unauthorised use of the elements” through access to the relevant device and software. There is currently no guidance on the meaning of “sufficiently low likelihood”, or “resistance”.
With much open to interpretation and most merchants unable to penetrate the payments jargon, many expect merchants to implement full two-factor authentication from deadline.
And thus, there is a danger that the first-time consumers really hear about Open Banking will be when they can’t buy with one-click at Christmas.
And they’ll need to authorise third parties to access their account by providing log-in details, despite 10 years of online banking guidance advising the contrary.
Confused? Probably not what the regulators envisioned when devising PSD2 at the outset.
There is also a distinct lack of guidelines on permissions and consent for consumers granting access to third parties. While TTPs should be FCA authorised, consumers may not be able to easily differentiate between those that are and those that aren’t without checking the official roster.
Aniruddha Maheshwari is a Payment Consultant at Icon Solutions