A year of banking openly
On 16th July 2019 the Open Banking Implementation Entity (OBIE) released its latest report. The report, prepared by Fingleton Associates and the Open Data Institute follows a review commissioned by OBIE of Open Banking and examines the ‘purpose, progress and potential’ of the initiative.
Some elements of the initiative were highlighted as working well. Many of the respondents to the review praised the Open Banking standards themselves. The standards are now accompanied by User Experience Standards that make signing up to Open Banking services much more convenient for customers. Mobile users can now move from a third party app to their banking app for authentication (and back again) smoothly. This has greatly improved the customer experience: the journey is much slicker, and customers are less likely to be inconvenienced or put off by multiple clicks.
OBIE’s approach to implementation has been praised for how it seemingly manages to balance the demands of third party providers, banks and other groups in the design and implementation without favouring one group, despite the fact that OBIE is funded by the CMA9 (six of the largest banks in Great Britain and three of the largest Northern Irish banks).
The report notes that the Open Banking ecosystem is one of the factors that is really working and that Open Banking has potential to support a ‘large, innovative ecosystem of Fintech companies’. OBIE has made efforts to balance the needs of smaller businesses against those of banks, regulators, consumers and other stakeholders. OBIE provided information on its progress against key performance indicators to its stakeholders so those stakeholders were able to hold OBIE to account and this resulted in a heightened level of engagement and rapid adjustment to the Open Banking ecosystem.
What’s not so good
The areas that have been identified in the report as requiring ‘building out’ are:
Additional payments functionality: i.e. the ability to support merchant refunds and the ability to consent to recurring payments. OBIE has described the refunds functionality as being absolutely critical to the adoption of payment APIs by merchants, because the costs for online retailers in particular are very high when it comes to processing refunds. Refunds have not automatically been included as part of the functionality as they are not specifically mandated by the Second Payment Services Directive (PSD2).
Variable recurring payments: the biggest structural complaint from third party providers has been that customers have to authorise individual payments every time a payment is made. Variable recurring payments functionality would enable users to authorise a third party provider to make a number of payments without the need to get new authorisation. This could be useful for paying e.g. utility bills and subscription services. Recurring payments were also not mandated under PSD2, but the FCA has formally accepted the OBIE’s proposal for variable recurring payments into its regulatory sandbox for testing.
Three different methods of improving customer consent were discussed in the review:
Customer consent: The first method is codifying consents, meaning that the intent of the given consent is codified and attached to transaction data to create metadata. The benefits of this are thought to be that the way that the user consent is captured can be structured to ensure that it is simple to understand and is limited in scope. An audit trail would also be created that reflected the customer’s wishes which is useful where the data is passing between data processors and to any entities that are not governed by PSD2 themselves.
Revocation of consent: when a customer revokes their consent, the data that the customer has provided is deleted by the third party provider – this is the General Data Protection Regulation (GDPR) ‘Right to be Forgotten’. This deletion does not currently happen automatically under Open Banking APIs, but by making this automatic, it is thought that any issues with customer trust in Open Banking being eroded would be avoided and compliance with GDPR would be a smoother process.
Third party provider reauthorisation: at present, PSD2 requires that a full reauthorisation of use of the third party apps via the banking app is carried out every 90 days. This can lead to increased costs for third party providers and to customers being inconvenienced. Allowing customers to reauthorise via the third party app itself (rather than via a banking app) would minimise this. The report does not suggest an alternative timeframe, but instead states that an evaluation of the appropriate timeframe for reauthorisation should be possible and should be determined using a cost-benefit analysis.
The report notes that there are significant opportunities for extending Open Banking APIs to other financial products such as insurance, pensions, mortgages and savings accounts. This would allow customers to see all their financial information in one place. There has been some progress in this area, but until now this has been largely reliant on screen scraping, in which the customer gives the third party provider their bank login details and the third party app uses these to access the customer’s bank account details. This creates additional security risk for customers compared with the use of APIs. Once the impending PSD2 requirements for strong customer authentication are implemented (note that in the UK enforcement is to be delayed until March 2021), screen scraping will become impossible.
“Sweeping” is another very strong use case for Open Finance; this would allow customers’ money to be automatically moved from a current account to a savings account with a more favourable rate.
Currently, the CMA9 are legally required to provide Regulatory APIs free of charge and without a contract. The CMA Order has been described as being “all stick and no carrot” and this has resulted in a drag on implementation. Premium APIs would be available under a contract and would be voluntary for banks to introduce. The banks would be free to determine price and the contracting terms with each participating third party provider. By allowing banks to charge for the Premium APIs, it is thought that there would be an increase in cooperation, and changes would be brought about more quickly than if only mandated by law or regulation.
HM Treasury has highlighted Open Banking’s approach to data sharing as being a pro-competitive model for other markets to follow. The government is now exploring how similar data sharing models could be used in markets such as pensions, telecoms and energy, and at the same time, the FCA is exploring Open Finance. The energy and telecoms markets in particular have an interesting use case as it is common for customers to experience a ‘loyalty penalty’ where customers who stick with the same energy or telecoms providers end up paying more for their services. It is possible that this problem could be solved by combining data comparison services with Open Banking functionality. In future, we will likely see a move towards individuals having open access to all of their banking, telecoms, energy and internet transaction data. This initiative is currently being implemented across a number of sectors in Australia; the first sector in line is banking.
The report highlights the potential for Open Banking to be used to support a digital identity service: this would use the Open Banking authentication functionality to enable customers to access their digital identity wherever it is stored and/or would enable banks to provide the verified identity data they hold on their customers through the Open Banking APIs. The Open Banking authentication standards could be used by non-bank authentication providers to allow competition at the authentication layer. The report notes that the mechanism could provide additional security to already existing government services such as DWP’s pension tracer. As banks are already authorised to carry out detailed identity checks on their customers, the banks already hold this data, but are not currently required to allow their customers to access it or to share it with third parties. Many respondents to the review argued that customers should be able to share this data with third parties if they wished.
Despite the UK’s Open Banking project being so advanced, there is still a need for its existing functionality to be expanded. Many of the proposals for expansion include providing information that customers are already entitled to under the GDPR. The report recommends that the government undertakes a review of the services enabled under the CMA Order and PSD2 and considers whether further guidance is required to govern the rapidly expanding scope of Open Banking.
The report states that focus should now be on prioritising new use cases for Open Banking based on how valuable they are to customers; and providing support to third party providers to develop their services in the market, including supporting the potential for new use cases for sectors outside of banking. Open Banking has the “potential to become a cornerstone of the digital economy” with the right level of engagement from the government and regulators, and a willingness to improve Open Banking’s current regulatory underpinning. There is much more to do, but the first year hasn’t been a bad start.
 Trustee of the Open Banking Implementation Entity (OBIE), Imran Gulamhuseinwala OBE http://www.mondovisione.com/media-and-resources/news/uk-open-banking-implementation-entity-launches-new-fingleton-and-odi-report-exam/