Open Banking regulation – the stuff of legend?

2019 will bring a significant milestone for Open Banking. On 14th September, we will see the introduction of new regulations which govern how banks permit access to customer data to the authorised third parties they integrate with. This will be a major inflection point in the progress of these reforms, and should accelerate industry-wide collaboration on the standardisation of APIs, to make the process easier for all parties.

Aside from the challenge of technical implementation, there has of course been some intellectual resistance to this from the banks, who will no longer be able to rely on their historic monopoly on data and the customer relationship. This means finding new ways to add value and a mind-set overhaul, from ‘closed door development’ to collaboration – writes Matt Cockayne, VP EMEA at Envestnet | Yodlee.

Regulation to spur and to stifle

This new world order brings new players into the mix – and with customer data at stake, appropriate regulation must follow. It is regulation that drives the concept of Open Banking, though differing interpretations of this legislation threaten to undermine PSD2 initiatives for cross-country harmonisation across the EU. The intention was to get rid of bilateral agreements to encourage interoperability, yet we’re seeing a wide range of interpretations across Europe.

One of the main impacts we are seeing in the UK as a result of this siloed regulation is the FCA’s narrow definition of an Account Information Service Provider (AISP). Unlike in PSD2 and the Payment Services Regulations, the FCA handbook stipulates that only consumer-facing companies – for example, budgeting apps or price comparison websites – can be defined as an AISP. This doesn’t take into account the vast amount of consumer-permissioned data that data aggregators handle and have access to behind the scenes, to power these innovative FinTech apps.

The need for end to end oversight

The ‘dream’ of Open Banking – the connected, holistic and personalised view of finances for all – will rely on all APIs being easily accessible by everyone, for every type of customer data. The fact is that this is not yet a reality, and many services will continue to be enabled by data aggregators.

FinTechs looking to take advantage of Open Banking APIs have two options – direct access to these APIs, or indirect access. To have direct access, they must first seek regulation with the proper regulatory body – the FCA in the UK. Needless to say, this can be a complicated and time-consuming process.

The other option is indirect access – meaning start-ups can use aggregators to supply the data feed they rely on. They can then declare and register these aggregators as their ‘outsource provider’ with the FCA. This approach saves start-ups valuable time, giving them quick access to cleaner, more usable data – essentially giving them a head start on their product development journey, and end service for the consumer.

This has created something of a Catch-22 situation for small companies – seek regulation, which is time-consuming and can be costly, or rely on an unregulated third party. Not only does this introduce a regulatory grey area, it also places the burden on third-party providers to build bilateral agreements with their ‘outsource data provider’, to include liability provisions in case of a breach.

It’s a lot to ask of a small FinTech to take responsibility for auditing and examining its aggregator’s security and data privacy standards. On top of that, it undermines the original principles of PSD2 to “make payments safer and more secure” and one of the key aims of Open Banking – to ensure that consumers can “share their data securely”.

The missing link

In the absence of direct regulation for this group, the FCA will not have the ability to audit one of the key links in the Open Banking chain of data control, and consumers are left exposed. If there were to be a data breach with an aggregator, consumers would not be able to hold that company liable.

This problem has arisen unintentionally, but brings a major – and so far, ignored – consumer threat, as well as implications for FinTech development in the UK. If Open Banking is to be a success, the need for every entity involved to be properly regulated is non-negotiable.