Open Banking – regulatory oversight must be addressed

From the January issue of International Finance

The Open Banking reforms have had a turbulent reception in the UK, following their launch in January this year. Designed to open up access to the industry and its data to support innovation and the development of new services, this new era of ‘openness’ demands major infrastructural – and cultural – changes for incumbent financial institutions in particular. These long-established giants must get their arms around a new world order of collaboration, and redefine the value they offer at each stage of the chain. It’s a new system for consumers to get to grips with too. While there’s no need for dinner party discussion about the relative merits and logistics of open APIs, it is the industry’s collective responsibility to build trust in this ecosystem of the future, and paint a picture of the services it could enable so that UK consumers obtain the intended benefits of Open Banking: more connected services, for easier engagement with their financial world. It is a significant evolution of the ecosystem of financial data connectivity, and its success hinges entirely on consumer trust and uptake. Of course, the changes bring many more and different types of businesses into the picture, which must be carefully assessed from a regulatory standpoint, to ensure the chain of data security and control is not compromised at any stage.

Navigating new definitions

In the UK, the FCA – at odds with definitions set out by the European Union institutions under PSD1 (legal framework adopted in 2007 to provide the legal foundation for an EU single market for payments), and also by HM Treasury in The Payment Services Regulations 2017 (which implement the Payment Services Directive) – has chosen to run with a much more restrictive definition of an AISP (Account Information Service Provider). Its handbook stipulates that only consumer-facing companies can be defined, and therefore regulated, as an AISP. This is problematic for the group of non-consumer-facing service providers and data aggregators, who handle large amounts of consumer-permissioned data behind the scenes, powering the range of new FinTech apps we see at the front end. Despite this data access, these ‘behind the scenes’ players are not subject to direct regulatory oversight. FinTech apps, such as lending and advice platforms, that rely on service providers and data aggregators for their information – which will be many, considering that not all data that will power Open Banking is currently available via an API – must therefore take individual responsibility for auditing and examining that aggregator’s security and data privacy standards. As part of this, they’ll need to build bilateral agreements with this ‘outsource data provider’ to include liability provisions in case of a breach. That’s a large, unreasonable and unnecessary burden to place on a small company, which will likely lack the time and expertise to accomplish this with the rigour that would be expected for this task. The alternative would be for these front-end providers to seek direct access to Open Banking APIs. Before they can apply, however, they must first seek regulation from the FCA, which can be a complicated and time-consuming process. This lost time may hold them up on their product development journey, and ultimately mean they suffer from not having quick access to cleaner, more usable data. Slower to market, slower to deliver the innovation and connected customer experience that Open Banking was created to create.

Liability questions remain

In the absence of direct authorisation for aggregators, the FCA isn’t able to directly audit these service providers. With that in mind, it is reliant on each AISP’s ability to understand and enforce compliance obligations on its vendors – which is potentially an oversight in the auditability of one of the key links in the Open Banking chain of data control. If there were to be a breach, consumers would not be afforded the full protections available to them under the Second Payment Services Directive (PSD2) and Open Banking regimes. The concern, of course, is the potential to undermine consumer trust in the initiative, if there were to be a breach. If the industry gets this wrong, it won’t get a second shot to build confidence in the power of data connectivity in the world of financial services. We don’t have to look back in time too far to remember the impact of the Cambridge Analytica scandal on Facebook’s user numbers. Open Banking is the most significant – and potentially the most impactful – regulatory overhaul to touch the financial services industry in the last ten years. We must take care to ensure that differing interpretations of the law across different markets do not stall its progress, and limit the very innovation that it is set up to ignite.