Paths and progress to open banking vary globally. For instance, in countries like the USA and Canada, regulators make public pronouncements on the importance of openness in consumer financial services and issue statements of intent, whereas in countries like Brazil or Japan open banking has been transposed into national law, and in India, the UK, or Australia the ability to conduct open banking has acquired legal status.
Listed below are the key regulatory trends impacting the open banking theme, as identified by GlobalData.
Further increases in data require further work on structures and processes to manage, control, and disseminate data. Data catalogues that enable people across internal silos to discover and use data and the insights it enables become more important. A transition to an open data economy will also require that banks invest in advanced analytics tools that enable them to aggregate external datasets and customer-mapped data. Banks will perhaps also need to drive data-sharing and data-driven decision-making across the business, making use of machine learning (ML) and artificial intelligence (AI) to enrich insights.
Regulators worldwide are fixated on various dimensions of fair treatment in the aftermath of the pandemic, but particularly issues of affordability and informed decision-making for consumers. Open banking-enabled data makes product comparison easier and can help give customers more transparency around options and risks.
Open banking data can also help expand access to financial services. For example, lending to small and medium enterprises (SMEs) is always the first to fall off during times of crisis, as their limited credit histories make them hard to assess. Expanding access to these firms can contribute as much as 33% of gross national product in developing economies, yet effective lending to this segment is disproportionately dependent on alternative data sources.
How to handle consent and permissions
Big questions remain around how to handle consent. Initially, there was talk of incumbent banks deliberately inserting friction into this process to impair the services of third parties, for example by making multiple requests for consent or requiring online verification instead of using one-time passcodes (OTPs). In some markets, that has come to pass. But it is also true that sometimes friction can build trust and reassurance – and the perception of security. Combined with their KYC processes and the data concerns around Big Tech, this puts banks in a strong position to be the data custodian.
Wells Fargo launched a ‘control tower’, which gives customers visibility into what data is being shared with whom, when, and how, alongside the option to turn that sharing ‘on’ and ‘off’. More broadly, the rising importance of digital identity and consent-handling for data-sharing has created a clear captive market for banks that are able to leverage their long-standing reputations for security and trust. It will also lead customers to demand a clearer return for their consent on data or wealth.
Banks may need to manage hundreds of partners in the open data economy. Doing this effectively will require metrics to distinguish between tactical and strategic partners. Service-level agreements are particularly important with smaller fintech partners, given that the incumbent bank partner will be bearing the greater reputational risk in the event of a service outage. Therefore, it is critical to understand how such an outage can occur and who is liable when it does occur, as well as establish an agreed process for recovering performance.
Amazon guarantees so-called ‘four nines’ (99.99%) availability, meaning only 52 minutes and 36 seconds of downtime across the entire year. Few smaller players can replicate those terms, forcing banks to negotiate on a case-by-case basis.
Regulatory limits to ‘platformification’
Open banking has enabled a variety of direct-to-consumer (D2C) business models for niche fintech providers that otherwise would have struggled to gain a foothold in the market. Yet it is also true that open banking reduces barriers to entry for global platforms in banking and allows them to extend their data and scale advantages into retail banking.
Big Tech in the US is no longer in a golden age of ‘lite-touch’ regulation but has faced various regulatory headwinds and consumer distrust. Meanwhile, regulators are clearly wary of the unconstrained rise of Eastern fintechs and the systemic risk posed by unregulated global firms in general, something that regulators in China appear to be waking up to, given the recent suspension of Ant Group’s listing in Hong Kong and the introduction of regulatory supervision of a number of its business units, including the lending platform business.
Other countries emulating European top-down model
As many countries around the world emulate the top-down adoption model in Europe, we anticipate many of the same types of issues. For example, negotiating an industry-wide standard is so difficult it might never actually happen, or it could end up being so watered down it represents little actual progress.
Banks are understandably wary about opening up application programming interfaces (APIs), as they would be liable for a data loss that they don’t have complete control over. But it is also true that banks have historically resisted aggregation for competitive reasons and that the current agenda creates an almost endless range of delay tactics.
They can repeatedly object to standards on the grounds of security and reliability. If standards are agreed, incumbents can deliberately misinterpret them: requiring online banking authentication instead of one-time passwords (OTPs), creating ‘friction’ through multiple consent requests, or denying service for load-balancing purposes.
Unlike screen-scraping, APIs are a chargeable product and a new revenue stream for banks. They give banks more control over what data is shared, when, and how.
Moving towards a third payment service directive (PSD3)
While PSD2 has driven progress in Europe, it is also true that there is much still to be done to move beyond the mandated regulatory minimum APIs of the regulation, to a deeper and broader set of premium services that cover different data sets and use cases. Meanwhile, ongoing resistance and delay tactics from some incumbent banks will drive a more precise and concrete specification of API standards, directory services, and infrastructure (PSD3).
In the US, it seems unlikely that ongoing disputes between aggregators and incumbents can be resolved without intervention by regulators, at least to provide clarity on what is expected; therefore, top-down guidance can be expected in 2021.
This is an edited extract from the Open Banking 2021 – Thematic Research report produced by GlobalData Thematic Research.