Getting open banking right for customers and competition

Open banking has great potential for social and customer benefits, but it needs refinement in how it’s implemented

In the new digital economy, products and services are based on data like never before. New technologies have exponentially increased the capabilities to store, process and transfer customer data, leading to greater personalisation of products, services and marketing, and more immediate fulfilment.

It is in this context that the emergence of “open banking” frameworks for data sharing, such as the EU’s PSD2 initiative, is so significant. By granting third parties access to their bank accounts, customers can potentially access new tools and offerings, but there are accompanying risks, both for that customer and for the broader system.

The open banking policy objectives are generally to promote competition and to empower consumers (perhaps emphasised slightly differently in various jurisdictions). These are noble objectives, and ones that market participants should embrace – but they do come with some key design issues and considerations.

To highlight three of those design considerations, there is firstly the protection of that customer data. While banks are by no means immune from breaches, they have consistently outperformed other industries in protecting data, underpinned by a mix of direct and indirect regulations, supervisory oversight, and a commercial imperative to preserve their customers’ trust. In a dynamic environment where banks are increasingly required to transfer that customer data to a new player, it is critical that all market participants can emulate the same high security standards that customers have come to expect – this should be a prerequisite to being eligible to receive data under an open banking system.

Secondly, ensuring customer protection comes even more into focus when we look at compensation for victims of data breaches and unauthorised or defective payments. This necessitates having a clear framework for the assignment of liability for breaches or errors, and their consequential financial loss, and ensuring that market participants are sufficiently resourced to be able to compensate customers in such an event.

These elements have been addressed differently under various open banking models, with variable implications. The UK’s Open Banking Standard sensibly includes a Dispute Management System (DMS), although participation in the DMS is voluntary – various other jurisdictions have models that are vaguer and/or put an increased onus on the consumer. The reality is that there is not always a consistent mechanism across jurisdictions to ensure that third-party payment providers are able to settle such claims.

Where all market participants should retain sufficient resources to be able to make customers whole in such an event, this is well-established for incumbent firms in the form of the operational risk capital requirements on banks. In a major data breach with thousands of customers affected, the claims may well exceed the resources that a payment initiation service has. For this purpose, new entrants should be required to have some form of emergency resource available, whether that be via in the form of insurance or bank-like capital.

Thirdly, the design of open banking frameworks often leads to asymmetries between different types of players, with the potential to distort the very competition that they are intending to encourage. If only payments data is required to be shared (as per PSD2 in the EU), then the mandated sharing of data is decidedly one-way, from banks to new entrants such as the “BigTech” firms.

Under such conditions, a new-entrant tech firm can couple the newly accessed bank account data with its own stores of data on the same customers – be it social media content, online search queries or mobile phone records – which it can combine to generate a fulsome picture of a customer, when other providers can’t. This gives tech firms an unparalleled advantage in personalising the services that they can offer.

There are ways to address such asymmetries, for instance by adopting a reciprocal approach to the scope of data sharing – for example, ensuring that the entities that can share and receive data are effectively the same. This could enable all types of players to have access to the same amalgamated data pool, from which they could each run their own analytics and compile their own respective offerings to the customer.

The open banking concept has great potential for considerable social and customer benefits, but the specifics can throw up some design implications. In some cases, it may need some refinement in the way that it’s implemented, if it is to support its underlying competition objectives.


For more information please see our recent paper on reciprocity in customer data sharing frameworks.

by Brad Carr, Senior Director, Digital Finance Regulation and Policy, Institute of International Finance 


Originally published in Business Reporter Online: Future of banking and fintech - October 2018