Banks Wary Of Opening Up

Rules requiring banks to make client data available to third parties are taking shape, generating both trepidation and excitement in the fintech world.

Return to Supplement

Damian Richardson, head of payments strategy and innovation at RBS, is excited about the prospect of making customers’ lives better under a new “open banking” regime that will take effect in the European Union in January next year. “We’re likely to see dramatic shifts in customer experience,” he said, addressing the SWIFT Business Forum in London this past in April.

Graubner-Müller, Kreditech: The way [PSD2] is taking shape, I don’t think it will deliver what it promised.

Open banking is legislated under the European Commission’s revised Payment Services Directive (PSD2), which aims to promote competition and innovation in payments. PSD2’s open banking provisions mean that, for the first time, non-bank competitors can access accounts of bank customers to retrieve account information or initiate a payment. Banks will need to expose this data to third parties via application programming interfaces, or APIs. New services could include more advanced apps or payment functionality that provides “cardless” withdrawal or instant peer-to-peer payments. PSD2 came into force on January 13, 2016, and EU states have until January 13, 2018, to transpose it into national law.

“There is a new economy that will come out of open banking,” says Richardson, adding that APIs will enable banks to more readily leverage other companies’ services. “We [banks] haven’t got all the brains.”

Consultancy PwC describes open banking as “game-changing regulation” in a brief about PSD2: “The ability to engage directly with and add value to customers will no longer be just the advantage of banks, but shared with fintechs, technology firms, and even retailers and telecommunications providers.”

It’s a landmark moment. “The world is watching,” says Ben Robinson, chief strategy officer at core banking systems software provider Temenos. “It is the first time any industry has been forced to put its inventory online.” Open APIs are already emerging in transaction banking and investor services to deliver greater customer insights and a superior customer experience.

Under the new rules, banks will be obliged to provide licensed third parties with secure access to customers’ accounts, hence the ability to initiate payment transfers directly will impact how corporate clients do business. Nordea says open banking’s main benefits for corporate customers include better access to multibank account information via a single portal, easier management of cross-border accounts, reduced costs and entirely new services and solutions.

The 2017 World Retail Banking Report released in June by CapGemini and the European Financial Management Association (EFMA) details how APIs offer a path to open banking, whereby fintechs and financial institutions collaborate rather than compete to create customer-centric solutions. The report’s authors say APIs are crucial in allowing banks to take advantage of “fintech ingenuity” without major changes to existing infrastructures, as well as offering opportunities to retain and grow their customer bases by personalizing and customizing products and services.

“Fintechs are now earning higher positive customer experience scores than traditional banks, and banks are openly seeking to collaborate with fintechs,” says Anirban Bose, global head of banking and capital markets for Capgemini. Note that 57.8% of customers surveyed for the report say fintechs offer a positive experience, compared to 49.5% who cite banks. “For banks that don’t think strategically and establish a role in open banking, there is a chance they will be disintermediated from their customers,” he adds. “It is imperative that banks consider business transformation now, to establish and solidify their long-term base in open banking.”

Enria, EBA: In the process of developing mandates for PSD2, the EBA has had to make difficult trade-offs.

Open banking will push banks out of their comfort zone, says Maia Mekvabishvili, business development manager at Kontomatik in Poland, which provides a banking API that enables users to import their account information from any financial institution so it can be used for credit scoring, online KYC (Know Your Customer) or more contextualized customer offerings. Today, Kontomatik’s solution works by screen-scraping account information, with the user’s approval, while customers are logged into their accounts. Mekvabishvili says Kontomatik doesn’t store any data—it only accesses the data during the online banking session, after customers agree to share their data. But it isn’t clear whether screen-scraping will be permitted under PSD2. “If there is no screen-scraping under PSD2, we have no idea how good the APIs of banks will be,” she says.

Not all fintechs are convinced that PSD2 will deliver the truly open and competitive banking landscape that the European Commission envisioned. In June, Alexander Graubner-Müller, co-founder and CEO of Kreditech, a German fintech that uses online data rather than traditional credit information to lend to individuals, was in Madrid for MoneyConf, where fintechs and banks meet. He noted that there had been great hopes of liberalized access to bank account information under PSD2. “Now, the way the banking regulation is taking shape, I don’t think it will deliver what it promised,” he said, adding that the latest version of PSD2 leaves a lot open to interpretation.

A February 2017 Financial Times article reported concerns from fintechs that the European Banking Authority (EBA), which is jointly developing the technical standards and guidelines for PSD2 alongside national regulatory authorities, had been asked by banks to tighten the privacy and data-protection rules to prevent the abuse or loss of customer financial data. In a December 2016 newsletter on PSD2, UK law firm Mills & Reeve pointed to the EU’s General Data Protection Regulation, which they describe as being among the most stringent in the world. “How do you find the right balance between freeing up consumer account data to permit access to new applications, while protecting privacy adequately?” they ask.

While PSD2 seeks to promote greater competition, it also talks about “strengthening the security of payment transactions and the operations of payment services providers,” Andrea Enria, chairperson of the EBA, said in a speech at the 2017 Westminster Forum. Enria says PSD2 pursues a range of potentially competing objectives. “Fully achieving one may come at the cost of reducing the level of ambition on one or several of the others,” he noted. In the process of developing most of its mandates for PSD2, Enria says the EBA has had to make difficult trade-offs. “This has been quite a challenge,” he states, “but in none of the mandates has this been more evident than in the technical standards on strong customer authentication and common and secure communication.”

Exposing customer account information to multiple third parties, security experts readily admit, creates more touchpoints for fraud. “Does open banking introduce new risks? Yes. But we need to trust that banks will properly defend against these new risks,” says Peter McElwaine-Johnn, principal director of technology strategy at Accenture. “Banks are designing the security protocols implemented in open banking. If they’re not happy, it won’t go ahead.”

While a world of truly open banking with customer account data flowing seamlessly through a multitude of new, lower-cost applications is no doubt what the EU had in mind when it conceived PSD2, that almost utopian vision must be reconciled with the highly regulated, risk-averse world of mainstream banking, which is not inherently “open.”

Exactly how the evolution toward open banking will play out is far from clear, say CapGemini and EFMA. Almost 54% of fintech companies and approximately 44% of banks surveyed for their World Retail Banking Report foreshadow a future in which banks and fintechs build cross-industry platforms with bundled, complementary services. “A less likely, but still plausible outcome,” say the report’s authors, “is that banks will continue to provide products and services, but leave distribution to fintechs or other new open platforms.” This has the potential to lower customer acquisition costs, they say, but raises issues related to branding and customer ownership. Unsurprisingly, almost half (47.8%) of fintechs predict this future scenario, compared to just 29% of banks.

With the adoption of PSD2, some form of open banking appears inevitable. In order to remain competitive with the fintech industry, Europe’s banks must either overcome their risk aversion to create the requisite technology or surrender outright to the elements of this brave new world.