Can regulation achieve a harmonized, transparent, and innovative open-banking ecosystem?

The EU’s Revised Payment Services Directive (PSD2) was just the beginning of several open banking initiatives, worldwide, that encourage the use of application programming interfaces (APIs) by third parties to build innovative financial products based on incumbent banks’ customer data.

Similar schemes include the UK’s Competition and Markets Authority (CMA) ruling, the Hong Kong Monetary Authority framework for open APIs (two phases to roll out this year,) and Australia’s open banking regime, slated for February 2020 launch.[1]^{, [2]} Japan, Singapore, Malaysia, India, the United States, Canada, and Mexico, are all examining comparable plans.

Existing standards are complex, lack homogeneity

While Europe has the prime-mover advantage, its banks and payment service providers (PSPs) are struggling with open-banking compliance. With the September 2019 Regulatory Technical Standards (RTS) deadline approaching, the market continues to grapple with PSD2 adoption issues. As recommended by the RTS, financial institutions should onboard third parties via a sandbox environment in which open API testing takes place without exposing sensitive information.[3]

However, for those banks that were unable to implement a dedicated interface by March 14, RTS requires a “contingency mechanism” that allows screen scraping through which third-party providers use a bank customer’s credentials to automatically access the customer’s banking system and initiate a payment.

Here’s where regulatory hand-holding is essential and should be welcomed by firms as a way to alleviate the compliance burden while mitigating customers’ security qualms. Currently, there are multiple security standards for secure data sharing among industry stakeholders, including OAuth, Open Financial Exchange (OFX), and Durable Data API (DDA).[4]

For any open-banking ecosystem, API and security standards, and the creation of a central infrastructure are critical success factors. Regulators tend to leave it to the market to come up with API standards for different use cases and the central infrastructure. However, a laissez-faire approach can lead to fragmentation and confusion such as the situation that exists in the EU today.

Multiple standardization initiatives – Berlin Group’s NextGenPSD2, STET, and ERPB’s API Evaluation working group on PIS – were created, but are not legally binding. Many standards are complicated, while others leave room for improvement. This is leading to an implementation conundrum for FIs.

However, CMA Open Banking UK has formed a dedicated company called the Open Banking Implementation Entity (OBIE) that is responsible for one single API standard, central infrastructure, and governance.

OBIE’s latest API standard (version 3) covers all products with payment capabilities (credit cards, pre-paid and e-wallets) in any currency.[5] OBIE’s Open Banking APIs are the only channels through which regulated Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) can consume open banking data in the UK. Read/Write specs have been developed to accelerate clarity over consumption and banks’ ability to process API calls.[6]

Global efforts for open API standardization

At the international level, the Banking Industry Architecture Network’s (BIAN’s) latest standardized global IT architecture model (SL 7.0) includes technical standards for open APIs as well as a new Business Capability layer, and a Business Object Model aligned with ISO 20022.[7]

Data61, Australia’s data standards body, has recently introduced the Consumer Data Right (CDR), which will give consumers greater control over their data and requires common technical standards that make it easy and safe for consumers to access their data that is held by businesses.[8]

Similarly, the Hong Kong Monetary Authority released an Open API framework in July 2018 that paves the way for bank data sharing with third-party vendors and introduces norms for standardized open APIs. The framework, expected to go into effect this year, details how banks should onboard and maintain relationships with third-party providers to ensure consumer protection.[9]

In the United States, the Electronic Payments Association (NACHA) sponsors the API Standardization Industry Group (ASIG) to support development and adoption of uniform APIs for US and global FIs. ASIG has identified 16 interbank services to be standardized and enabled using APIs in three broad categories: fraud and risk reduction, data sharing, and payment access. The group offers a self-service platform in which stakeholders and developers access information, tools, and resources, and test standardized APIs.[10]

Today’s API standardization efforts are either centrally-mandated design-standard initiatives and infrastructure that are led by regulator-driven working groups or else they are solutions that regulators have left to the market to make workable for all stakeholders.

While both approaches have pros and cons, for the most critical ecosystem design elements it can be beneficial for regulators to coordinate and mandate binding working groups that offer banks legal clarity and help reduce design and implementation costs.

Regulatory support: a catalyst for a sustainable open ecosystem

Collaborative and proportionate regulation can help reduce friction and eventually accelerate the new payments ecosystem journey. The European Banking Authority (EBA) serves as an example and case study for other geographies.

Ahead of the September 2019 deadline for PSD2’s Regulatory Technical Standard (RTS) the EBA published a 2018 opinion paper on RTS that covered customer consent, data scope and daily use, and strong customer authentication (SCA). While the paper offers high-level RTS implementation guidance, answers to more detailed and technical questions are still necessary.

The EBA is working on a harmonized framework consistent with outsourcing requirements under various directives (PSD2, MiFID II, and the European Commission’s Delegated Regulation) to ease compliance effort processes broadly.

The Authority recently published clarifications to PSD2 API issues that its working group had raised and discussed such as testing platform reliability, functionality between API schemes, and how to identify entities not yet authorized for testing.[11]

A balance between compliance and innovation is critical

Globally, regulators are carefully monitoring open-banking-space developments for best practices and dos and don’ts. Banks and PSPs are looking to ensure 100% compliance with PSD2/open banking regulations around relevant technical standards.

However, the more significant challenge is to advance beyond inward-looking compliance projects and move toward a market-facing strategy that includes market positioning, product roadmaps, and customer engagement. Exclusive focus on compliance efforts may jeopardize the essence of open banking.

After the September introduction of the EBA’s Strong Customer Authorization (SCA) and Common Secure Communication (CSC) standards, APIs will be used to process all EU transactions. These standards will define how customer data is accessed, and are expected to ensure safe innovation and encourage further collaboration between established banks and the FinTech community at large.

Future-focused banks will take more than a compliance-only approach, however. They will embrace open banking opportunities to improve customer experience, generate new revenue streams, and innovate and strategically transform core services for increasingly tech-savvy customers to capitalize on the true potential of transparency.

To learn more, feel free to get in touch with me on social media.

# # #

[1] Hong Kong Monetary Authority (HKMA) website, “Summary of Consultation on Open API Framework,” June 18, 2018, https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2018/20180718e5a1.pdf.

^[2] InnovationAustralia.com, “Open banking quietly delayed,” Denham Sadler, January 15, 2019, https://www.innovationaus.com/2019/01/Open-banking-quietly-delayed.

[3] Finextra, “PSD2: The real RTS deadline is closer than banks think,” October 17, 2018, https://www.finextra.com/blogposting/16149/psd2-the-real-rts-deadline-is-closer-than-banks-think.

[4] Capgemini, World Payments Report 2018, October 2018, https://worldpaymentsreport.com/resources/world-payments-report-2018.

[5] Open Banking UK, Ltd website, “Open Banking publishes Open Banking Standards version 3.0,” September 7, 2018, https://www.openbanking.org.uk/about-us/news/open-banking-publishes-open-banking-standards-version-3-0/.

[6] Yappily via Medium, “Why is the UK leading the world on open banking?” Lindsay Whyte, January 18, 2019, https://medium.com/yapily/why-is-the-uk-leading-the-world-on-open-banking-af9383810efe

[7] Banking Industry Architecture Network website, “BIAN Service Landscape 7.0,” November 13, 2018, http://bian.org/bian-service-landscape-7-0.

[8] Computerworld Australia, “Data61 releases draft open banking API”, Rohan Pearce, November 5, 2018, https://www.computerworld.com.au/article/649169/data61-releases-draft-open-banking-apis.

[9] Finextra, “Hong Kong Monetary Authority embraces Open APIs,” July 19, 2018, https://www.finextra.com/newsarticle/32411/hong-kong-monetary-authority-embraces-open-apis.

[10] NACHA press release, “API Standardization Industry Group Launches Online Community to Support Adoption of Standardized APIs,” August 9, 2018, https://www.nacha.org/news/api-standardization-industry-group-launches-online-community-support-adoption-standardized.

[11] Finextra, “EBA publishes PSD2 API clarifications,” March 11, 2019, https://www.finextra.com/pressarticle/77604/eba-publishes-psd2-api-clarifications.