The Open Banking reforms have breathed new life into the financial services industry, upturning traditional models and assumed monopolies around data and the customer relationship. This new order is designed to empower consumers through the ownership of their own information, and drive competition and transparency amongst the financial services providers that seek to serve them. Customers can look forward to a full and transparent view of their financial world, as well as the opportunity to unlock the new products, services and experiences that will be enabled through smart connectivity between previously unlinked data points. So far, so good.
However, some of the mechanics that will enable this infrastructure require further inspection – particularly when it comes to regulation.
One of the primary goals of PSD2 was to define common standards across the EU, to encourage interoperability. That said, we’re seeing a wide range of implementations across Europe, as each country takes its own approach. Most European countries have written PSD2 straight into their rulebook – an approach which we expect to see replicated by Australia, which is due to implement Open Banking by the end of 2018. By contrast, the UK stands out amongst all other EU member states as the only country to have an Open Banking Implementation Entity (OBIE). On top of that, the Financial Conduct Authority (FCA) is treading its own path with some of the crucial definitions for the different parties that make up the infrastructure.
One such definition is that of an Account Information Service Provider (AISP). The FCA is using a much more restrictive definition of an AISP than had been previously set out both by the European Union institutions under PSD1 (legal framework adopted in 2007 to provide the legal foundation for an EU single market for payments), and also by HM Treasury in The Payment Services Regulations 2017 (which implement the Payment Services Directive). The FCA handbook stipulates that only consumer-facing companies can be defined as an AISP.
This is problematic, as it fails to directly regulate the data aggregators that power the front-end FinTech apps. Although not consumer-facing, aggregators handle and have access to a huge amount of customer data behind the scenes. Failing to take account of this leaves a wilful regulatory oversight of one of the key links in the Open Banking chain of data control.
If a breach were to take place at a data aggregator, consumers would not be able to hold that aggregator liable for any losses – a fact hardly likely to fill an already nervous population with confidence, when it comes to establishing a ‘new normal’ around data sharing.
This also represents a notable flaw from a competition standpoint. FinTech businesses looking to take advantage of data access under Open Banking have two options. They can go to the FCA to seek direct regulation themselves, and then apply with this registration number for direct access to Open Banking APIs through the OBIE. This process can take months, stalling the very tech enablement that the reforms were designed to promote. It can also be a significant time drain, demanding that small FinTech companies seek the in-house expertise to categorise and clean data, and connect their systems to bank APIs. Not to mention that not all bank entities have an Open Banking API yet.
The alternative approach – indirect access through an aggregator – requires them to register this data source as an ‘outsource provider’. This has surprised many within the Third Party Provider community, who have generally expected that the aggregators would be subject to regulatory oversight in their own right. In the absence of direct regulatory oversight, Third Party Providers must build bilateral agreements with the data aggregator, to include liability provisions in case of a breach. This is causing a great deal of confusion, and puts a huge and unrealistic onus on a small firm to audit and examine its aggregator’s security and data privacy standards.
Open Banking has enormous potential, but we’re facing a lack of joined-up thinking from a regulatory perspective, and bureaucratic inertia from the FCA, which risk stalling its process. A new and complex ecosystem must be viewed from end to end, else we risk undermining crucial confidence and engagement from all sides.