Navigating Privacy Challenges in Open Banking 

Article by Tsaaro

In a rapidly evolving financial landscape, the global open banking market is set to skyrocket from $7.29 billion in 2020 to an astonishing $43 billion by 2026. This remarkable growth underscores a transformative shift towards collaborative financial services. Coupled with this momentum, a recent study reveals that 72% of consumers are eager to embrace third-party services for their banking needs, signaling a strong demand for innovative, user-friendly solutions. As open banking reshapes how we manage our finances, exploring the opportunities and challenges of this exciting new era is crucial. 

What is Open Banking? 

Open Banking is the practice of letting providers other than your own bank access financial services such as your account information and payment initiation, with your permission. It allows data to be shared between institutions, for example between your bank and a third-party service provider you have authorised.  

Before Open Banking, you needed to use your bank’s own online services, either a mobile app or internet bank, to get an overview of your finances. And if you needed to pay for something or make a payment to someone, it was either with a credit card or through your bank’s internet bank or mobile app.  

Along comes Open Banking. Now, for instance, you can carry out payments directly from your bank account when shopping on apps or websites. You can also get a total overview of your account balances, even if you have accounts with several banks.  

In other words, Open Banking provides a wider range of ways to view your finances and makes it easier to make payments because data can flow between various apps or websites.  

An example of Open Banking would be that you, as a consumer, can receive all your bills in one mailing app. From there, you can pay your bills directly from your bank account without having to go to your banking app or website. This mailing app will let you choose from which of your various accounts you want to withdraw the money while staying on the app.  

How does Open Banking work? 

The foundation on which the entire concept of open banking is built is the consented exchange of consumer data. Technically, that exchange is enabled by APIs (application programming interfaces). An API is an interface through which different IT systems, for instance a bank's and a fintech company's, can connect and share data in real time. In simpler terms, an API lets two IT systems "communicate" with each other even though they belong to different companies: the software at one company can "plug in to" the software at another and retrieve information as it is needed.

To reduce the risk that comes with handing out your password, the industry has moved toward "tokenized" access based on OAuth ("Open Authorization"). With OAuth you authenticate to your bank, and the bank issues the third party an access token: a credential that stands in for your login details, is limited to the scope you consented to (for instance, reading balances but not initiating payments), expires after a set time, and can be revoked by you or by the bank at any moment. A leaked token does not reveal your username or password, and its scope and lifetime limit what an attacker can do with it until it is revoked; a leaked password, by contrast, grants full access until you change it. In regulated markets, further procedures are in place to protect you and your data against potential fraud and loss.
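The following is an added example, written for this article and not code from any bank, OAuth library or open banking standard. It shows what a bank's API gains from tokens over shared passwords: the token carries a consent identifier, a scope list and an expiry, is signed so the holder cannot widen it, and can be revoked with the consent it belongs to. The token format (HMAC-SHA256 over a JSON payload), the signing key, the consent identifiers and the scope names are assumptions made so the example runs offline; a real deployment would use a standard format such as JWT signed with an asymmetric key and the bank's authorisation server.

```python
# Added illustration of scoped, expiring, revocable access tokens. Not code
# from any real open banking platform; key, format and identifiers are assumed.
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Set, Tuple

# Assumed: a secret held only by the bank's authorisation server.
SIGNING_KEY = b"bank-authorisation-server-demo-key"

# Assumed revocation list: consents the customer (or the bank) has withdrawn.
REVOKED_CONSENTS: Set[str] = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(consent_id: str, scopes: List[str], ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Bank side: mint a token bound to one consent, a scope list and an expiry."""
    now = time.time() if now is None else now
    payload = {
        "consent_id": consent_id,
        "scope": sorted(scopes),
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def revoke_consent(consent_id: str) -> None:
    """Customer withdraws consent: every token issued under it stops working."""
    REVOKED_CONSENTS.add(consent_id)


def authorize(token: str, required_scope: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Bank API side: accept the request only if the token is genuine,
    unexpired, not revoked and carries the scope this endpoint needs."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad_signature"
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return False, "expired"
    if payload["consent_id"] in REVOKED_CONSENTS:
        return False, "revoked"
    if required_scope not in payload["scope"]:
        return False, "insufficient_scope"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    # Customer consents to balance viewing only, for ten minutes.
    token = issue_token("consent-42", ["accounts:read"], ttl_seconds=600, now=t0)
    print(authorize(token, "accounts:read", now=t0 + 60))    # (True, 'ok')
    print(authorize(token, "payments:write", now=t0 + 60))   # (False, 'insufficient_scope')
    print(authorize(token, "accounts:read", now=t0 + 600))   # (False, 'expired')
    # A captured token cannot be widened to payments without the signing key.
    _, sig = token.split(".")
    forged_body = _b64(b'{"consent_id":"consent-42","exp":9999999999,"iat":0,"scope":["payments:write"]}')
    print(authorize(f"{forged_body}.{sig}", "payments:write", now=t0 + 60))  # (False, 'bad_signature')
    revoke_consent("consent-42")
    print(authorize(token, "accounts:read", now=t0 + 60))    # (False, 'revoked')
```

The point of the run at the bottom is the contrast with password sharing: the same third party holding your password could read accounts, move money and keep doing so until you changed it, whereas the token fails closed on scope, on time and on revocation, and the attacker who copies it cannot alter any of those without the bank's key.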

Is your data safe in Open Banking? 

Thanks to their convenience, digital payments through open banking are already widespread and growing rapidly. However, with so much data being exchanged, it’s only natural to feel uneasy. Questions about where your sensitive information is going and who is handling it are especially important, given the critical nature of this data. 

Here’s how different countries around the world are trying to secure open banking:  

  1. The European Union  

To address security and privacy concerns, the EU issued the revised Payment Services Directive (PSD2), which took effect in EU member states in 2018 and in Norway in 2019. The idea behind PSD2 is to make electronic payments safer for consumers and to minimise the risk of fraud. Payment service providers, such as banks, are therefore obliged to apply strong customer authentication (SCA) when a payer initiates an electronic payment: authentication based on at least two independent factors drawn from knowledge (something only you know), possession (something only you have) and inherence (something you are). For remote payments, the authentication code must also be dynamically linked to the amount and the payee, so that an approval given for one transaction cannot be reused for an altered one. SCA checks both that you are really you and that you have the right to carry out the payment you are about to make. PSD2 strengthens the opportunities for open banking in the EU: more specifically, it regulates account information services (AISPs) and payment initiation services (PISPs). 
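The following is an added example, written for this article and not code from any bank or from the PSD2 text itself. It illustrates the "dynamic linking" part of SCA for a remote payment, which PSD2's regulatory technical standards on SCA require: the authentication code the payer's device produces is computed over the exact amount and payee the payer approved, so a man-in-the-middle who alters either after approval, or who replays an earlier code, is rejected. The device secret, the challenge format and the HMAC construction are assumptions; the device-unlock step that supplies the second SCA factor (PIN or biometric) is outside the example.

```python
# Added illustration of SCA dynamic linking for a remote payment. Not code
# from any bank; secret, challenge format and MAC construction are assumed.
import hashlib
import hmac
import secrets
from typing import Set, Tuple

# Assumed possession factor: a key provisioned into the payer's enrolled app
# at onboarding (constructed value for the example).
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Assumed bank-side record of challenges already consumed (replay protection).
USED_CHALLENGES: Set[str] = set()


def new_challenge() -> str:
    """Bank side: a fresh nonce for each payment attempt."""
    return secrets.token_hex(16)


def _linked_message(amount_minor: int, currency: str, payee: str, challenge: str) -> bytes:
    """Canonical encoding of exactly what the payer approved on screen:
    amount in minor units, ISO currency, payee account, and the challenge."""
    payee_norm = payee.replace(" ", "").upper()
    return f"{amount_minor}|{currency.upper()}|{payee_norm}|{challenge}".encode()


def generate_auth_code(amount_minor: int, currency: str, payee: str, challenge: str,
                       device_secret: bytes = DEVICE_SECRET) -> str:
    """Payer's device: computed only after the user has seen and approved the
    amount and payee, so the code is specific to that transaction."""
    mac = hmac.new(device_secret, _linked_message(amount_minor, currency, payee, challenge),
                   hashlib.sha256)
    return mac.hexdigest()[:16]


def verify_payment(amount_minor: int, currency: str, payee: str, challenge: str,
                   auth_code: str, device_secret: bytes = DEVICE_SECRET) -> Tuple[bool, str]:
    """Bank side: recompute the code over the transaction it is about to execute.
    A changed amount or payee, or a reused challenge, fails verification."""
    if challenge in USED_CHALLENGES:
        return False, "replayed"
    expected = generate_auth_code(amount_minor, currency, payee, challenge, device_secret)
    if not hmac.compare_digest(expected.encode(), str(auth_code).encode()):
        return False, "code_mismatch"
    USED_CHALLENGES.add(challenge)
    return True, "ok"


if __name__ == "__main__":
    # Constructed example payment: 125.00 EUR to a sample IBAN.
    challenge = new_challenge()
    code = generate_auth_code(12500, "EUR", "DE89 3704 0044 0532 0130 00", challenge)
    # Attacker alters the amount after approval: rejected.
    print(verify_payment(99999, "EUR", "DE89370400440532013000", challenge, code))
    # Attacker swaps the payee after approval: rejected.
    print(verify_payment(12500, "EUR", "FR7630006000011234567890189", challenge, code))
    # The transaction the payer actually approved: accepted.
    print(verify_payment(12500, "EUR", "DE89370400440532013000", challenge, code))
    # Same code presented again: rejected as a replay.
    print(verify_payment(12500, "EUR", "DE89370400440532013000", challenge, code))
```

What makes this SCA rather than a plain MAC is the binding: the payer's approval is useless for any other amount or payee, which is exactly the property a one-time code sent by SMS and typed into a page does not have on its own, since that code is not tied to what the page later submits.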

GDPR and PSD2 share the goal of giving consumers control over their data. However, while GDPR requires data minimisation and a lawful basis for every processing activity, PSD2 requires banks to give authorised third parties access to account data as soon as the customer has consented. Financial institutions therefore sit between two legal frameworks and must take great care to comply with both: the access PSD2 mandates must still be limited to the data the consented service actually needs. 

In December 2020, the European Data Protection Board (EDPB) published guidelines on the interplay between PSD2 and GDPR. PSD2 itself states that payment service providers must comply with GDPR and national data protection law, and may access, process and retain only the personal data necessary for the payment service, with the user's explicit consent (Article 94). The EDPB guidelines clarify that this "explicit consent" under PSD2 is a contractual condition, distinct from consent as a lawful basis under GDPR; that transaction data can reveal special categories of data (for example health or political affiliation), which brings the stricter conditions of GDPR Article 9 into play; and that a controller or processor remains liable for damage caused by unlawful processing if the data falls into the wrong hands (GDPR Article 82). 

  2. The USA 

There is no comprehensive federal regulation for open banking in the US. In October 2023, the Consumer Financial Protection Bureau (CFPB) proposed a rule to implement Section 1033 of the Consumer Financial Protection Act, which would give consumers the right to access and share their financial data; once finalised, the rule establishes a federal framework for open banking overseen by the CFPB. Meanwhile, several states have introduced or are considering their own open banking legislation, and the industry-led Financial Data Exchange (FDX), a broad cross-section of banks, fintechs and financial services groups, has published a voluntary data-sharing standard (the FDX API) that defines how consumer data is created, shared and accessed. Alignment around a single standard could accelerate the adoption of open banking API frameworks in the US, and perhaps beyond. 

  3. The UK 

The UK implemented PSD2 through the Payment Services Regulations 2017 and has retained those requirements after Brexit. It went further than the EU by mandating standardised APIs: the Competition and Markets Authority (CMA) required the largest banks to adopt common open banking APIs and established the Open Banking Implementation Entity (OBIE) to develop and oversee the standards. The Financial Conduct Authority (FCA) regulates the financial services industry, including open banking activities, and emphasises consumer rights to data access and privacy, with detailed guidance on how financial institutions should handle consumer data. 

  4. India  

In India, open banking API guidelines focus on the consumer's consent for data sharing. Shri M. Rajeshwar Rao, Deputy Governor of the Reserve Bank of India, discussed open banking regulation in depth in an address in 2021. Shri Rao emphasised that while technology is a powerful enabler, the regulatory framework must evolve to address data handling and security concerns. Open banking frameworks differ globally: some countries take a prescriptive approach, requiring banks to share customer data with third parties under stringent regulation, while others take a facilitative or market-driven approach centred on industry guidelines and standards. 

India's approach to open banking has been distinctive, with the introduction of the Account Aggregator (AA) framework by the Reserve Bank of India (RBI) in 2016. It allows customers to grant explicit, purpose-limited consent to share their financial data across institutions, so information can flow from Financial Information Providers (FIPs) such as banks, insurers and pension funds to Financial Information Users (FIUs). The AA acts as a consent manager and intermediary: it is designed to be "data blind", passing encrypted data from FIP to FIU without being able to read, store or reuse it. India's open banking framework is centred on consent-based data sharing, robust IT governance and strong consumer protection mechanisms, so that data integrity and security are maintained at every step. 

Some risks highlighted by him in the address were: 

  1. Financial privacy and data security  
  2. Customer liability  
  3. Cybersecurity and operational risks  
  4. Compliance and reputational risks  
  5. Grievance redressal  

  5. Other Countries  

Some countries have adopted or are developing their own open banking regulations. Notable examples include Singapore (regulated by the Monetary Authority of Singapore), Japan (regulated by the Financial Services Agency), and Hong Kong (regulated by the Hong Kong Monetary Authority). 

Conclusion  

As we embrace the conveniences of open banking, it is imperative to remain vigilant about data protection. Understanding how your data is shared, accessed, and stored is crucial in this new landscape. As consumers, we must prioritize our digital security and stay informed about our regions’ policies governing open banking. Choosing service providers that adhere to rigorous security standards and maintain transparency about their data handling practices is essential. By being proactive in understanding how our data is protected, we can enjoy the benefits of open banking while safeguarding our financial information.  

Open banking is on the verge of transforming how we interact with financial services, making it crucial for consumers to be educated and aware of their rights and protections. Embracing this change with a clear understanding of data privacy will empower us to navigate the future of banking confidently. 
