Open Banking is the cornerstone of a new digital banking framework, which will increase consumer choice, enable innovation, and open up the sector to new players. As regulatory deadlines approach, greater challenges and opportunities are being created for both incumbent institutions, challengers and fintech innovators. The recent Open Banking Summit, hosted by Event Creation Network (ECN), explored the strategic ramifications of the move to open banking, and what this means for our digital economies. During this summit, I had the privilege of speaking about The Benefits of Open Data Access with Frank Jan Risseeuw, Head of Yolt, by ING. This included an examination of data access issues and how to overcome the challenges associated with PSD2 and Open Banking. The demo of Yolt by ING was a great example of how a responsible innovator can engage successfully in an open banking environment. The potential benefits of a properly designed and operating Open Banking ecosystem to consumers, small businesses, and financial institutions is well documented. Competition for financial services will enable customers to engage with the service providers and institutions best suited to help them achieve their desired financial outcomes. The ability to lead better financial lives will improve individual financial wellness. Access to applicants’ financial data allows responsible lenders to better engage with the credit invisibles or those with thin credit files, and uplifts the quality of financial advice. Envestnet | Yodlee has been at the forefront of data-driven personalized financial services since 1999, and we’ve learned a few things that I shared with the attendees. First, the primary focus must be the consumer. All stakeholders – the financial institution, fintech innovator, and data aggregation provider – are all in service to their shared customer. Secondly, we must align transparently and responsibly around some key principles, under which we organize the safeguards and governance upon which all stakeholders rely. The consumer’s permission is the mechanism by which the end-to-end ecosystem operates. In order to obtain, respect and align with that permission, the consumer must be presented with clear and understandable terms and conditions for the services with which they want to engage. Say what you’re going to do, how you’re going to do it, and what other companies are part of the solution. Give the user as much choice as they can reasonably handle to fine-turn their experience. That means let them opt out of marketing emails, but don’t ask them to opt-in to 35 data fields required for your financial wellness solution. Next, the principle of minimization says we need to limit the data we collect from the customer, or on their behalf, to the minimum amount necessary to deliver the services for which they’ve engaged. This can be tricky to manage in highly innovative environments where the data processing algorithms are evolving. My advice here is to group like data elements together in the consent by category and sensitivity. Minimization as a principle is enforced by governance across the data flows, not unilaterally enforced by any one party. Otherwise, innovation is stifled and the user experience suffers. The security principle is best implemented around the data, not just the end-points and the connections between them. Yes, we absolutely require appropriate safeguards like Transport Layer Security (TLS) encryption, end-point hardening, and security event monitoring. First though, conduct a risk assessment of the data flow to identify all the assets, both data and systems, involved in the end-to-end solution. This includes the consumers’ devices, untrusted networks, and third party service providers. Combine this with the data model (from your minimization exercise) to identify the requirements for layered technical, detective, and response controls implemented by tech and/or process. Update the data flow and model as your service evolves, and use that in combination with current threat intelligence to drive your security roadmap. The final two principles are availability and reliability. The consumer has a right to access all their financial data that is available directly from the institution’s native online experiences by using the registered or authorized service of their choice. That data access must be as complete and as available as the native online experience. Similar to how the UK Live Market functions today, we support Open Banking and the consumer’s right to securely access and permission their financial data – so they are both empowered to obtain their desired financial outcomes and protected from fraud and abuse. To enable online and mobile banking services powered by aggregation technologies yet also protect consumers from data loss while adhering to regulatory and legal requirements, download this whitepaper on aggregation platforms and security.
