First published on Thomson Reuters
Open banking has been around for some time, but despite potentially being one of the biggest developments in retail banking, the regulatory response has on the whole been fairly slow. One of the reasons is that many consumers still do not know what open banking is, which is exacerbated by the lack of a formal definition. For example, in Germany the President of the German Federal Financial Supervisory Authority has stated that there is no generally recognised meaning of the term. In addition, it has been reported that many consumers are concerned about the security implications of open banking, including identity theft and data breaches.
Norton Rose Fulbright recently conducted a global comparative study regarding the implementation of open banking in 15 jurisdictions. This article takes a brief look at reported open banking developments in Europe, Hong Kong, Australia and the United States.
Arguably the United Kingdom has led the way on open banking. In addition to implementing the revised Payment Services Directive (PSD2), a number of open banking reforms have been introduced by the Competition and Markets Authority (CMA). These include the establishment of the Open Banking Implementation Entity for the development of application programming interface (API) standards.
In January 2019, it was estimated that roughly 200 UK organisations were in the process of adopting open banking. The CMA had also partnered with an innovation charity, awarding £4.5 million to 25 tech companies to assist in developing technology to support open banking. However, it has not all been plain sailing. For example, in April the CMA was forced to issue directions to some of the major UK banks mandating them to open up their data to third party vendors.
In the main European jurisdictions of Germany, the Netherlands, France, Italy, and Poland open banking has primarily been driven by the implementation of the PSD2. All of these Member States have now implemented the Directive, although in the Netherlands implementation was significantly delayed. This was due to lengthy Parliamentary debates concerning a range of issues including the division of supervisory responsibility between the Dutch Central Bank (De Nederlandsche Bank, DNB) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA).
Like most pieces of EU legislation, the PSD2 is supplemented by highly technical level 2 provisions. Importantly, the PSD2's regulatory technical standards on strong customer authentication (SCA) and common and secure communication must be complied with by payment service providers from September 14, 2019. In June the European Banking Authority (EBA) issued an opinion on the elements of SCA under the PSD2, setting out a non-exhaustive list of the authentication approaches currently observed in the market and stating whether they were considered to be SCA-compliant.
In addition, the EBA acknowledged that some firms not directly subject to the PSD2 (such as e-merchants) might not be ready by the September deadline and that, on an exceptional basis, member state competent authorities might provide such firms with limited additional time. In the UK, the FCA has stated that the legal deadline for compliance remains September 14, 2019, but recognising the challenges in meeting this deadline, has been working on a migration plan to implement SCA for card payments in e-commerce as soon as possible after this.
The FCA added that it will not take enforcement action against firms if they do not meet the relevant requirements for SCA from September 14, 2019 in areas covered by the migration plan, where there is evidence they have taken the necessary steps to comply with the plan.
In all European jurisdictions, market-led initiatives are playing an important role in open banking. For example, the UK banking industry association UK Finance has, together with other industry bodies, produced voluntary guidelines around so-called screen-scraping. Screen-scraping is the process of collecting screen display data from one application and translating it so that another application can display it.
In Germany the Berlin Group initiative has published the "NextGenPSD2 Framework", an open, harmonised and interoperable set of APIs for the access of third party providers to payment accounts. The Polish API standardisation initiative involves the Polish Banking Association, commercial banks and other institutions. In Italy, the Italian banking trade association, the ABI, has launched a specific open banking platform. In France, a great deal of work has been done at the national level, notably through a dedicated working group within the National Committee on Scriptural Payments.
While not having specific legislation dealing with open banking, the Hong Kong Monetary Authority (HKMA) has published an Open API framework. The framework, published in July 2018, is high-level in nature and is intended to allow banks greater flexibility in implementing open API as part of their strategy. While the framework applies to Hong Kong's retail banking sector, banks may extend it to any other part of their business as they see fit.
The Open API framework has four phases. The first two of these phases dealing with product and service information and subscription and new applications for products and services are due to be implemented by banks by October 2019. The deployment timeline for the third and fourth phases dealing with account information and transactions is expected to be announced by the HKMA during the summer.
Unlike Europe, the HKMA has not provided technical standards for APIs but instead requires each bank to provide it with a roadmap of the APIs it proposes to open, including a justification for any deviations from the Open API framework.
Also unlike Europe, there are no specific requirements for strong customer authentication in the Open API framework. However, banks must apply a risk-based approach and use their own authentication methods (such as user name/password and two-factor authentication where appropriate) for bank customers.
The push for open banking is being well received, as exemplified by the official launch of the first open API platform in January 2019. This will provide over 200 APIs from 13 banks. This positive momentum is expected to continue for some time.
Australia is making significant progress with its open banking agenda. Specific legislation dealing with open banking, the Consumer Data Right, is being reintroduced to the Australian Parliament after it lapsed without passage when Parliament was dissolved back in April. The initiative has seen improvements in the levels of transparency over the terms and conditions of a wide range of banking products, with three of the four major banks voluntarily launching the first stage of Consumer Data Right on July 1, 2019.
The next stage – due in February 2020 – will give consumers greater access to information that banks hold on them; and the power to require those banks to provide safe and secure access to that information to trusted third parties.
The Australian Competition and Consumer Commission is the primary body responsible for the Consumer Data Right. It has published a draft version of the Consumer Data Right Rules for public consultation. These rules set out how the Consumer Data Right can be used, including the consumer consent process, and data recipient accreditation requirements. The Office of the Australian Information Commissioner also has an important role being empowered to make guidelines concerning the privacy safeguards set out in the rules.
The Consumer Data Right rules specify that a Data Standards Chair must make a standard relating to authorisation. A bank must obtain a consumer's authorisation to share their data with an accredited data recipient. Australia's national science research agency (CSIRO) has established a data innovation group called Data61. Data61 was formed in 2016 from the integration of CSIRO's Digital Productivity flagship and National ICT Australia Ltd; its mission is to create Australia's data-driven future. Data61 is working on designing a consent model providing technical support for consent, authentication and authorisation.
The United States has no official legal definition of the term open banking, but in common usage the term refers to an API being used by a customer to authorise third parties to access the customer's bank data.
The United States has no specific laws or regulations regarding open banking, although the U.S. Consumer Financial Protection Bureau (CFPB) issued regulatory guidance in October 2017. The CFPB advocates that the consumer, not the financial institution in possession of the data, be in control of their data, and calls for transparency, while at the same time emphasising data privacy and security.
There is one specific statute that addresses a consumer's access to his or her financial account and transactions information – Title 12, U.S. Code, section 5533, part of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. However, there is a difference of opinion among stakeholders as to whether this statute deals only with direct consumer access or whether it includes the consumer's agent, trustee or representative acting on behalf of an individual. Last year the U.S. Department of Treasury weighed in on the question but since then the CFPB has not made any further pronouncements.
In terms of third party access, the CFPB guidance covers nine areas including access, data scope and usability, security and control, and informed consent. However, there are no specific requirements in the open banking context as regards strong customer authentication. This gap is currently plugged by general guidance on risk management regarding customer authentication and account aggregation issued by the Federal Financial Institutions Examination Council in 2003 and 2016. In addition, New York State has issued cyber security regulations that became fully effective earlier this year.
A number of industry initiatives, formal and informal, are underway. Two such initiatives are those by the Financial Services Information Sharing and Analysis Center and the Electronic Payments Association.