Open banking is, undoubtedly, a good innovation for the banking sector, especially for consumers and FinTechs. But open banking can also help traditional banks to provide better services, with the assistance of third-party providers (TPPs) to their customers.
That means that financial institutions (FIs) and FinTech companies need to collaborate, share information and build new application programming interfaces (APIs) to make sure that everybody wins with these symbiotic relationships. Then, if open banking offers plenty of opportunities, what are the challenges that banks and FinTechs face when they engage in negotiations?
The main challenges probably are security and consumer trust.
Most companies championing open banking are FinTechs that do not share homogeneous technical standards; combined with complex internal technology systems, this can leave the process susceptible to data corruption and fraud. For banks and FIs to share customer data, they need a secure API. The alternative to APIs is screen scraping, where the TPP holds the customer's banking credentials, logs in as the customer and "copies" what the bank's website shows. Because that technique carries significant risk (the TPP stores full credentials and, to the bank, is indistinguishable from the customer), many FIs are replacing it with APIs.
An API is a software intermediary that lets two applications talk to each other; here it is what lets the bank and the FinTech share information. But FinTechs and banks usually have different APIs and different requirements, so before sharing data both parties need to agree on when, how and what information the APIs will exchange. Historical data or just the last few months? Current accounts or credit card expenses? And so on.
The burden usually lies with the FIs because they are liable for any data breach, unauthorized access and any type of fraud or scam. This is one of the reasons why negotiations to share data may drag on for months as banks need to conduct a thorough due diligence of the TPP to ensure that the TPP complies with the best privacy and cybersecurity practices.
This is a non-exhaustive list of the FIs’ responsibilities when it comes to adopting an open banking initiative:
- authenticating customers;
- gaining consent (authorization) from customers to share data;
- recording consent for audit purposes;
- allowing customers to revoke consent;
- vetting partners and their cybersecurity capability;
- granting secure access to partners to customer information (and only the information that the customer has consented to share).
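The responsibilities listed above map onto a small set of mechanisms: authenticate the customer, record a scoped, time-limited consent in an append-only audit log, let the customer revoke it, and enforce on every API call that the calling partner is vetted, the consent is still active and the requested data falls inside the consented scope. The following is an added example, not code from the original article or from any bank or TPP; every name (ConsentStore, the scope strings, the sample customer, TPPs and account data) is an assumption constructed for illustration, and the HMAC token stands in for whatever access token format the parties agree on.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Constructed sample data (assumptions): one customer, two vetted TPPs, per-scope resources.
SALT = b"per-customer-salt-in-production"
CUSTOMERS = {"cust-1": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
VETTED_TPPS = {"fintech-a", "fintech-b"}        # vetting happens out of band; only these may ask
ACCOUNT_DATA = {
    "accounts:balances": {"current": 1250.40},
    "accounts:transactions": [{"amount": -30.0, "desc": "coffee"}],
    "cards:transactions": [{"amount": -99.0, "desc": "shoes"}],
}
TOKEN_KEY = secrets.token_bytes(32)             # bank-side signing key (assumption: kept in an HSM/KMS)


@dataclass
class Consent:
    id: str
    customer: str
    tpp: str
    scopes: frozenset
    expires: float
    revoked: bool = False


class ConsentStore:
    def __init__(self):
        self.consents: dict[str, Consent] = {}
        self.audit: list[dict] = []             # append-only record for auditors

    def _log(self, event: str, **fields):
        self.audit.append({"ts": time.time(), "event": event, **fields})

    def authenticate(self, customer: str, password: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
        ok = customer in CUSTOMERS and hmac.compare_digest(digest, CUSTOMERS[customer])
        self._log("auth", customer=customer, ok=ok)
        return ok

    def grant(self, customer, password, tpp, scopes, ttl=90 * 86400) -> Consent:
        """Customer authenticates and consents to share `scopes` with `tpp` for `ttl` seconds."""
        if tpp not in VETTED_TPPS:
            raise PermissionError("TPP not vetted")
        if not self.authenticate(customer, password):
            raise PermissionError("customer authentication failed")
        c = Consent(secrets.token_hex(8), customer, tpp, frozenset(scopes), time.time() + ttl)
        self.consents[c.id] = c
        self._log("consent_granted", consent=c.id, tpp=tpp, scopes=sorted(scopes))
        return c

    def revoke(self, consent_id: str):
        self.consents[consent_id].revoked = True
        self._log("consent_revoked", consent=consent_id)

    def issue_token(self, consent_id: str) -> str:
        """Opaque bearer token: hex(claims) + '.' + HMAC tag. Scopes stay server-side."""
        c = self.consents[consent_id]
        body = json.dumps({"cid": c.id, "tpp": c.tpp, "exp": c.expires}, sort_keys=True).encode()
        return body.hex() + "." + hmac.new(TOKEN_KEY, body, "sha256").hexdigest()

    def fetch(self, token: str, tpp: str, scope: str):
        """Data endpoint: verify token, re-check consent state and scope on every call."""
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
        if not hmac.compare_digest(tag, hmac.new(TOKEN_KEY, body, "sha256").hexdigest()):
            raise PermissionError("bad token signature")
        c = self.consents.get(json.loads(body)["cid"])
        # Revocation takes effect immediately even though the token itself is still valid.
        if c is None or c.revoked or time.time() > c.expires or c.tpp != tpp:
            raise PermissionError("consent not active for this TPP")
        if scope not in c.scopes:
            raise PermissionError("scope not consented")
        self._log("data_access", consent=c.id, tpp=tpp, scope=scope)
        return ACCOUNT_DATA[scope]


def is_denied(call) -> bool:
    """True if `call()` is refused with PermissionError."""
    try:
        call()
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Walk the flow end to end and return the outcomes for inspection."""
    store = ConsentStore()
    c = store.grant("cust-1", "correct horse", "fintech-a", {"accounts:balances"})
    tok = store.issue_token(c.id)
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    out = {
        "balance": store.fetch(tok, "fintech-a", "accounts:balances"),
        "unconsented_scope_denied": is_denied(lambda: store.fetch(tok, "fintech-a", "cards:transactions")),
        "other_tpp_denied": is_denied(lambda: store.fetch(tok, "fintech-b", "accounts:balances")),
        "tampered_token_denied": is_denied(lambda: store.fetch(tampered, "fintech-a", "accounts:balances")),
        "unvetted_tpp_denied": is_denied(lambda: store.grant("cust-1", "correct horse", "shady-co", {"accounts:balances"})),
    }
    store.revoke(c.id)
    out["revoked_denied"] = is_denied(lambda: store.fetch(tok, "fintech-a", "accounts:balances"))
    out["audit_events"] = [e["event"] for e in store.audit]
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that the token carries only a consent identifier: scopes, expiry and revocation state are looked up at the bank on every request, so revoking consent cuts off access immediately without having to hunt down and invalidate tokens already handed to the TPP, and every grant, revocation and data access lands in the audit log.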
Market-driven and regulatory-driven open banking economies offer different solutions on how to address and minimize these risks. In the former, like the U.S., the parties need to decide all the details and assess the risks, which slows down the process. Banks and FinTech companies need to negotiate with each counterpart and adjust their APIs almost every time. Building and monitoring changes in APIs is time consuming and not very efficient. API standards are not yet widely used although some TPPs are creating API gateways to facilitate connectivity with banks. The Financial Data Exchange is also a good example of how a group of banks, FinTechs and financial services has aligned around a single data sharing standard to create an open banking framework across the country.
In the EU and the U.K., legislation mandates that FIs provide this access through secure, standardized APIs. While there is no single API standard, the obligation facilitates the creation of compatible APIs. The nine largest U.K. banks are obligated to support the Open Banking U.K. API specifications, so a FinTech can access data from all of them using the same API. Additionally, EU regulation (the PSD2 regulatory technical standards) specifies requirements for strong customer authentication (SCA) and for common and secure open standards of communication.
A regulatory mandate to provide access and to do so following standard protocols and open APIs is likely the reason why open banking develops quicker in regulatory-driven economies. Nonetheless, open APIs are not a magic key, and banks and FinTechs still need to engage in negotiations.
The second challenge that FIs and TPPs need to address is customer trust. According to a PYMNTS study, 53% of individuals see open banking as a "dangerous" way to share their data. Consumers in Europe and the U.K. feel somewhat more at ease than those in the U.S., but there is still work to be done.
But the challenge is not only convincing customers to consent; it is also how to handle, store and modify that consent. Once the consent hurdle is cleared, both banks and FinTechs have to make sure that the shared data is securely stored and transferred, because attackers and scammers will target the open APIs to get at sensitive data.
In Europe, under the General Data Protection Regulation (GDPR), companies can be fined up to 4% of their global annual turnover (or EUR 20 million, whichever is higher) if they mishandle personal data, and handling personal data is the daily business of banks and FinTechs. Thus, strong data protection protocols are essential in any negotiation between banks and FinTechs.