Out-Law News

Banks, open banking APIs and the way forward

The Pinsent Masons financial services blog

EU and UK policy makers want to use application programming interfaces (APIs) and data standards to enable banks to exchange customer information easily, in order to drive competition and innovation. Banks need to start responding to this now or risk being left behind.

APIs change the way in which banks reach, understand and communicate with their customers. The framework for an Open Banking Standard released last week by the Open Banking Working Group (OBWG), and backed by the UK Treasury, is the latest concrete step towards making open bank APIs a reality in the UK. 

Existing retail banks need to respond – resisting this change is not an option and so they should move early to embrace it. As banks assess the opportunities of open standard-based banking they must pay attention to its legal and regulatory consequences. These changes are real, but banks have strong brands and a legacy of customer trust over many years, which gives them some competitive advantages over the new market disrupters.

Open and proprietary models

At the heart of open-standards-based banking is the requirement that banks allow anyone to access the data they hold about their customers, products and services. Banks will need to agree common rules for describing that data and specifications for transferring it from their systems to others, including the security arrangements that will govern those transfers.

This change has two immediate consequences. Any value that a bank gains directly from reliance on proprietary rights, such as database rights and copyright licensing arrangements, will reduce, and technology systems will need to be adapted or replaced to enable the use of open APIs.

Beyond these obvious changes, many banks will be just as concerned about the loss of the indirect value that they gain from this data. Customers rely on the relationship they have built with their banks over time. Simply having the ability to switch to a better deal within seven days has not been an effective incentive for them to switch banks, because in doing so customers lose years of deposit and transaction history. Open APIs mean that customers can switch easily and take the history of their relationship with their bank with them.

From the customer's perspective this is an immense improvement on the current position. Today, customers switching providers have to use subject access requests under data protection law to gain access to their transaction histories, which is cumbersome. It requires too much effort on the part of the customer to make the request and, even if they receive the information they want, no bank is equipped to take that information directly from the customer and integrate it into its systems, so the customer loses the benefit of that history in the new banking relationship. The ability to access this level of historic transaction information can also help with verifying customers' identities and obtaining valuable data for credit reference purposes.

Of course, open banking APIs mean that banks must have a clear understanding of the framework which governs the transfer and use of both behavioural data and identity data. They need a clear grasp of all the implications of the new profiling rules set out in the General Data Protection Regulation. They also need to be engaged in discussions around anti-money laundering and counter-terrorist financing, particularly the extent to which the Joint Money Laundering Steering Group Guidance could be adapted to better account for data transferred through open APIs.

Open APIs also open up new opportunities for customers to work with their own financial data. While companies like Mint.com in the US are popular because they help customers use their data to build personal budgets and save more effectively, similar offerings in the UK have suffered because they rely on obtaining data by screen scraping. Screen scraping often requires users to hand over their online banking login and password details to the provider. Many banks will void a customer's online banking guarantee if the customer hands over these details, which is clearly off-putting for the customer. We would expect open APIs to change this, and banks need to consider how to respond to that change.

An API ecosystem and who to partner with

This is an opportunity for banks to consider which future products and services they are best placed to provide, and for which ones it would be better to rely on partners. Banks might want to act like the technology platforms that own app stores, such as Apple and Google; tie users in to operating systems, as Microsoft did; or allow third-party providers to offer services over their network, like Facebook and Twitter. The fact that banks have recognised and trusted brands means they have a head start on the vital issue of consumer trust.

In an open banking API world, banks might conclude that they are not best placed to monitor data security threats to customers' accounts and transactions, as the OBWG report suggests. A specialist partner, perhaps providing a security product through a bank's own branded app store, may be able to monitor threats across the whole range of products that customers hold and react more quickly and effectively.

The compliance and cost burden on banks could be reduced in this scenario, freeing the bank to focus more on its core offerings. The app store, like the physical branch, would then operate as a shop front with the potential to offer all of the financial products and services that a customer needs, together with the related data and technology services necessary for the customer to engage fully with their financial life by digital means. The customer would benefit from a view of threats that is not siloed within each bank but spans their whole financial life.

Banks must have a clear strategy in place for determining the regulatory and legal arrangements needed to make banking as a platform work. This will involve assessing issues ranging from the implications of financial services regulation on outsourcing in a closed app store ecosystem to how best to structure contractual relationships with a growing number of partners of varying size and appetite for risk.

Trust is vital

Whether or not banks take an app store approach, choose to focus on digital wallets or concentrate on creating an omni-channel experience for customers, an open API strategy will only be successful if it has trust at its centre. As the OBWG report puts it, trust is "the single most important factor" in a digitally-enabled economy.

Allowing anyone to access customer bank accounts will make customers nervous about cybercrime, identity theft and other forms of fraud, even if access depends on a customer first giving consent. Most customers will only engage with third-party providers if they feel that they are personally not at financial risk.

This means that banks are well placed to build their brands as the trusted providers of stable systems for finance. If they do so, customers may be less inclined to shift to third-party service providers, as is the case today in the world without open banking APIs, where many customers distrust third-party providers because those providers cannot give them the level of comfort they require that the services are secure from a liability perspective.

As has been the case at EU level with the finalisation of the Payment Services Directive 2 (PSD2), the OBWG report indicates that the regulatory regime will need to give customers certainty that they will not be left out of pocket if they choose to use third-party providers and something goes wrong. Ultimately, as with PSD2, this means that banks will be exposed to greater risk.

Banks therefore have a vested interest in ensuring that, at a minimum, changes to the regulatory regime to accommodate open APIs do not impose liability on banks beyond that which has been agreed at EU level in PSD2.

Governance that doesn't strangle innovation

As banks form their open API strategy they should also pay close attention to any governance structure put in place for vetting and accrediting third-party solutions. A governance structure that directs customers towards trusted services is likely to increase their use. But banks will want to ensure that the governance body responsible does not create unnecessary barriers to innovation.

If the body is to issue directions or formalised guidance, it must be equipped with sufficient resources to link its approach to implementing standards with the guidance provided by the regulators charged with interpreting the laws and regulations that affect the transfer of data in a financial services context. A further disconnect between standards bodies and certification regimes on the one hand and the interpretation of law and regulation on the other can only create more uncertainty for banks looking to innovate quickly and effectively.

Yvonne Dunn and Luke Scanlon are financial technology experts at Pinsent Masons, the law firm behind Out-Law.com