So it's the end of Day 1 at Money 20/20 US and one of the key topics that keeps coming up is Open Banking - this is something we saw at WIREDSmarter and Money20/20 Amsterdam and although the concept really originated in Europe and European legislation, it's something that's topical in the US and Asia as well. "Open Banking" is a term that's widely used but we thought it might be worth covering what it means, as well as the benefits and risks.
What is "open banking"?
The concept of "open banking" is that a consumer can allow service providers to access data that is held by that consumer's bank (or other payment account provider). Ultimately, it's a way of facilitating data sharing between banks and service providers, assuming the consumer has provided consent. Open banking provides the framework for this, without the consumer providing the service provider with log-in details for their bank account.
One key point is that these service providers need to obtain explicit consent from the consumer and the consumer can rescind its consent as well.
In Europe, PSD2 mandates access to account data (open banking by another name) in respect of two types of service:
- Account information - an online service to provide consolidated information on one or more of the consumer's payment accounts;
- Payment initiation - a service to initiate a payment order at the request of the consumer with respect to a payment account held at a bank or other payment account provider. This might not involve using a card issued by a bank but making the payments directly out of the account.
Under PSD2, entities providing these services now need to be authorised. Whilst this is obviously a heavier regulatory and compliance burden, the quid pro quo is that, at least hypothetically, banks can only refuse authorised providers access to the consumer's data in certain circumstances.
The UK is slightly ahead of the curve on open banking, as the Competition and Markets Authority published a report in 2016 which concluded that established banks do not have to compete hard enough for customers’ business, and smaller and newer banks find it difficult to grow. One of the solutions to remedy this was to implement open banking, which has forced the nine biggest UK banks to maintain their data in a standardised form (i.e., using the same set of standards) so that it can more easily be shared with service providers.
What are the benefits?
The aim of open banking is to provide consumers with a broader choice of services and not be reliant on innovations only coming from the banking sector.
As mentioned above, the UK's changes have been driven by the CMA. Further, part of the purpose of the access rules in PSD2 was to ensure fair competition and avoid unjustifiable discrimination against existing players in the market. In part, this issue was likely to have been highlighted by some of the litigation in Germany around German banks and access by Sofort, a payment initiation company, where the subject of the claim was that the banks' terms, which prohibited access by third parties even where explicit consent was provided by the customer, were anticompetitive.
What are the problems?
Obviously, from a bank's perspective, allowing access to these start-ups to attempt to out-compete you is not ideal! However, banks can equally take advantage of these provisions - see, for example, HSBC's Connected Money app which allows users to view other accounts (effectively it's the account information service) and Deutsche Bank's airline payments solution (which looks like payment initiation).
The strong customer authentication secondary legislation in PSD2 was some of the most contentious and heavily lobbied parts of PSD2 and took quite a long time to be finalised.
Strong customer authentication needs to be applied whenever a customer accesses its payment account online or initiates an electronic payment transaction. The secondary legislation requires the authentication to be based on two or more elements which are categorised as:
- knowledge - i.e., something only the user knows;
- possession - i.e., something only the user possesses; and
- inherence - i.e., something the user is (e.g., biometric information).
