In financial services, open banking allows for financial data to be shared between banks and third-party service providers through the use of application programming interfaces (APIs). Traditionally, banks have kept customer financial data within their own closed systems. Open banking allows customers to share their financial information securely and electronically with other banks or other authorized financial organizations such as payment providers, lenders and insurance companies.

Proponents argue open banking provides greater transparency and data control for account holders, and could allow for new financial services to be provided. Proponents also say that it aims to promote competition, innovation, and customer empowerment in the banking and financial sectors.[1][2][3] Opponents argue that open banking can lead to greater security risk and exploitation of consumers.

The first open banking regulations were introduced by the European Union in 2015, and many other countries have introduced financial regulations related to open banking since.

History

edit

The concept was first explored in 2003 as part of the open innovation movement that was promoted by Henry Chesbrough.[4][5] The advent of internet banking and development of online technology in the early 2000s led to interest in access to the data, which was first seen in account aggregation attempts by technology companies.

During the 2010s, open banking was also linked to shifts in attitudes towards the issue of data ownership, illustrated by regulations such as GDPR and the open data movement.[citation needed] With open banking, banks turn into financial service platforms, technically implemented through a banking as a service concept.[6]

The first real regulatory move to open banking came in 2015 when the European Parliament adopted a revised Payment Services Directive known as PSD2.[7] The new rules were aimed at promoting the development and use of innovative online and mobile payments through open banking.[8][9] This introduced a number of new services, definitions, and obligations for market participants.

This was welcomed by fintech companies but banks were generally slow to agree to sharing the data for technical and security reasons as well as concerns for new competition. Between 2015 and 2021, a number of countries enacted laws and regulations forcing traditional banks to provide API access to customer data.

Risks and criticism

edit

With open banking, banks open their APIs to third-party fintech companies, which comes with security risks. Hackers can target third-party apps and excessive access privileges could be given to employees. Malicious actors may be able to trick banking customers and third-party companies with phishing scams.[10]

There are also privacy concerns about open banking.[11] There is a risk of aggressive market practices or offering a customer more expensive products based on an analysis of openly-available financial data.[11]

For consumers, open banking poses a risk of "digital and financial exclusion".[11] Mick McAteer, from the UK research firm Financial Inclusion Centre, said that only the tech-savvy would benefit from open banking and it would lead to more financial exclusion of those with low income.[12] He said that consumers could be exploited, either by new types of payday loans or the misuse of data and personal information that people have revealed online.[12]

Use and regulation

edit

Africa

edit

Open banking in Nigeria was kickstarted by the Open Banking Nigeria as an initiative to be non-partisan and non-financial API standards for Nigerian financial services. It was formed in June 2017 by a group of bankers and fintech experts who got together to propose the adoption of common API standards for the country.[13] Open banking in Nigeria later evolved into a regulatory backed initiative with the release of the open banking regulation by the Central Bank of Nigeria in 2021[14] and the subsequent Operational Guidelines for Open Banking in Nigeria.[15]

Australia

edit

An open banking project was launched in Australia on 1 July 2019 as part of the Consumer Data Rights (CDR) project by the Treasury and Australian Competition & Consumer Commission.[16] The CDR legislation was passed by the Australian parliament in August 2019.[17]

In May 2023, Payments NZ, which supervises the payment system in New Zealand, said that the main banks will be ready by 2024 to implement open banking.[18]

European Union

edit

In October 2015, the European Parliament adopted a revised Payment Services Directive known as PSD2.[19] The new rules were aimed at promoting the development and use of innovative online and mobile payments through open banking.[8][20] It introduced a number of new services, definitions, and obligations for market participants.

More than two years after the entry into force of the PSD2 provisions, which took place on 13 September 2019, the European Commission announced the commencement of the review procedure of the Directive.[21] On 18 October 2021, the European Commission submitted a call for advice to the European Banking Authority (EBA).[22] The EBA responded on 23 June 2022.[23][24] Amendments to the Directive were planned for the fourth quarter of 2022.[21]

The SEPA (Single Euro Payments Area) API Access Scheme initiative was launched by the ERPB (Euro Retail Payment Board), a strategic advisory body at the European Central Bank.[25] The initiative was described in two reports, the first was published on 31 May 2019,[26] and the second was published on 4 June 2021.[27] The information on the transfer of the initiative for further works and the implementation of the SEPA API Access scheme by the European Payments Council is also publicly available.[28]

The proposed scheme defines the principles of cooperation between the entities participating in it and defines standard methods of implementing selected services based on the use of APIs, billing systems, and payment systems. The starting point for the work on the scheme was PSD2 services provided by European credit institutions, which would remain free of charge for third parties. Other services – referred to as value-added services, premium services or extended services – could be monetised by credit institutions based on the rules adopted in the scheme. These rules and the general assumptions of the scheme would be discussed with the relevant Directorates-General of the European Commission.[27][non-primary source needed]

On 26 October 2020, The Berlin Group established a new task force called The Berlin Group openFinance API Framework, which replaced the previous task force responsible for creating the NextGenPSD2 standard.[29] The new task force's work focuses on the standardisation of value-added services that credit institutions may make available to eligible third parties based on bilateral agreements or potential new payment schemes.[citation needed]

Standardisation initiatives include:

  • NextGenPSD2 – Pan-European standardisation initiative run by The Berlin Group.[30]
  • STET standard – developed by the French clearing house (STET); in its shape, the standard has been as close as possible to the NextGenPSD2 standard of The Berlin Group as part of the convergence project.[31]
  • Slovak Banking API – a standardisation project entirely run by the Slovak Bank Association in cooperation with the National Bank of Slovakia, made available in the form of documentation.[32]
  • PolishAPI – the PolishAPI standard defines an interface for the needs of services provided by third parties based on access to payment accounts, i.e. services introduced by the amended directive on payment services within the internal market (PSD2). Participants include the Polish Banks Association, associated commercial and cooperative banks, and third-party providers.[33]

Latin America

edit

Mandatory and centralised electronic invoicing was implemented relatively early in countries such as Mexico, Chile, Colombia, and to a lesser extent, Brazil, offering the possibility to retrieve open accounting data in a similar way as open banking.[34]

The Central Bank of Brazil deployed its open banking model, which mandates banks and financial institutions (including fintech) to make available information on traditional financial services and products.[35][non-primary source needed] Brazil's implementation is mandatory for institutions with large sizes, significant international activity, and high-risk profiles, and optional for all other institutions.[citation needed] The implementation of the first phase happened almost two years after the first open banking framework was published in April 2019, in which the fundamental requirements for the implementation of the law were disclosed.[citation needed] The Central Bank of Brazil outlined the following phases of implementation:[needs update][citation needed]

  • Phase 2: Customer Information (July 2021) – Consumers have the option to share their data (registration, account transactions, card, information, and credit transactions) with the institutions of their choice, at the time of their choice.
  • Phase 3: Transactional Information and Payment Initiation (August 2021) – Consumers have access to services, such as new payment options and credit offers, through the shared channels by financial institutions.
  • Phase 4: Extra information (December 2021) – The following phases include additional products such as insurance, pension plans, and investments.

In late 2020, the Chilean government announced that it was working on a proposal for fintech regulation and the incorporation of an open banking standard. The government edited the Financial Portability Act, a set of regulations aimed to facilitate the switch between banks and financial providers.[36][37] On 4 January 2023, Chile enacted a law with the aim to establish a regulatory framework for fintech activity and create an open finance system that enables secure data-sharing.[citation needed]

Colombia has established a voluntary model for open banking,[38] with the Financial Regulation Unit (URF)'s goal being to foster public-private discussion.[39]

Mexico was the first Latin American country to implement open banking legislation.[40] On 9 March 2018, the Fintech Law of 2018 (Ley para Regular las Instituciones de Tecnología Financiera) was published in the Federal Official Gazette (DOF; Diario Oficial de la Federación).[41] Article 76 states that standardised APIs must be established to enable connectivity and access to other interfaces. As a consequence, more than 2,300 institutions were technically required to share information.[42] Article 76 provides that certain information may be shared by financial institutions, money transmitters, Credit Information Companies (SIC; Sociedades de Información Crediticia), clearing houses, and financial technology institutions. Those types of data are open data (related to products and services offered to the general public), aggregated data (related to any type of statistical information related to operations), and transactional data (related to the use of a product or service).[citation needed]

On 10 March 2020, the Mexican Central Bank (Banxico) published Circular 2/2020 in the DOF. Circular 2/2020 outlined secondary provisions of the law, specifically dealing with open banking.[43] Different financial market entities were required to share information through APIs. The secondary provisions only apply to SICs and clearing houses; Circular 2/2020 states that both SICs and clearing houses must obtain authorisation from Banxico for the use of the APIs by other institutions. In turn, SICs and clearing houses must enter into agreements with other entities authorised by Banxico for the exchange of information. Additionally, the issuance of fees to be charged between institutions that exchange information is also defined. Circular 2/2020 states that in case of non-compliance with the provisions of Circular 2/2020, SICs and clearing houses may face fines levied by Banxico.[non-primary source needed]

In June 2020, the rules for exchanging open data were applicable to all financial institutions – banks, fintechs, and companies authorised by the Comisión Nacional Bancaria y de Valores.[citation needed]

United Kingdom

edit

In August 2016, the Competition and Markets Authority (CMA) issued a ruling that required the nine biggest UK banks – HSBC, Barclays, RBS, Santander, Bank of Ireland, Allied Irish Bank, Danske Bank, Lloyds, and Nationwide – to allow licensed startups direct access to their data, down to the transaction level.[44] The direction came into force on 13 January 2018, using standards and systems created by Open Banking Limited, a non-profit created especially for the task, while enforcement rests with the CMA. Protection for consumers is the responsibility of the Financial Conduct Authority (FCA) for account information and payment initiation services (under the PSD2 directive), and the Information Commissioner's Office for data.[45] The CMA direction only applies to the nine largest banks, and works alongside the broader PSD2 rules that apply to all payment account providers.

As of April 2023, there are 339 FCA-regulated providers enrolled in open banking.[46] Many of them provide financial apps that help manage finances; others are consumer credit firms who use open banking to access account information for affordability checks and verification.[47]

In March 2021, the CMA consulted on arrangements for the future oversight of open banking.[48] This consultation referenced a proposal by UK Finance (a trade association for the banking and finance industry), which had engaged with stakeholders to develop a blueprint for a new organisation (a 'Future Entity') to replace Open Banking Limited, which would serve the needs of the significantly larger number of financial institutions by enabling an Open Data and payments market.

United States

edit

In 2021, president Joe Biden issued an executive order indicating the administration's desire to begin rulemaking for Section 1033 of the Dodd–Frank Act.[49] The intention was to support open banking initiatives in the United States.[49] Also in 2021, open banking provider Plaid settled for US$58M in a consumer-driven, privacy-related class-action lawsuit.[50] Rohit Chopra, the director of the Consumer Financial Protection Bureau, initiated rulemaking pertaining to Section 1033 in 2023.[51]

References

edit
  1. ^ Premchand, A.; Choudhry, A. (February 2018). "Open Banking & APIs for Transformation in Banking". 2018 International Conference on Communication, Computing and Internet of Things (IC3IoT). pp. 25–29. doi:10.1109/IC3IoT.2018.8668107. ISBN 978-1-5386-2459-3. S2CID 84185109. Archived from the original on 4 April 2023. Retrieved 15 May 2023.
  2. ^ Open Banking Working Group. "The Open Banking Standard" (PDF). HM Treasury. Archived (PDF) from the original on 18 April 2017. Retrieved 18 April 2017.
  3. ^ Brodsky, Laura; Oakes, Liz (September 2017). "Data sharing and open banking". McKinsey & Company. Archived from the original on 8 November 2017. Retrieved 7 November 2017.
  4. ^ "When Open Innovation comes to banking - BNP Paribas". BNP Paribas. Archived from the original on 27 January 2021. Retrieved 29 October 2020.
  5. ^ "Open banking: The new face of digital transformation". IBM RegTech Innovations Blog. 3 April 2018. Archived from the original on 31 May 2021. Retrieved 29 October 2020.
  6. ^ Scholten, Ulrich. "Banking-as-a-Service - what you need to know". VentureSkies. Archived from the original on 20 February 2019. Retrieved 28 May 2020.
  7. ^ "Press corner". European Commission - European Commission. Archived from the original on 25 August 2020. Retrieved 8 September 2021.
  8. ^ a b "European Parliament adopts European Commission proposal to create safer and more innovative European payments". EU Commission. Archived from the original on 22 July 2016. Retrieved 4 May 2016.
  9. ^ Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (Text with EEA relevance. ), 13 March 2018, retrieved 14 February 2022
  10. ^ "The Risks of Open Banking: Are Banks and their Customers Ready for PSD2? - Security News". www.trendmicro.com. Archived from the original on 9 May 2023. Retrieved 15 May 2023.
  11. ^ a b c Reynolds, Faith (2017). "Open Banking: A consumer perspective" (PDF). Barclays. Archived (PDF) from the original on 9 May 2023. Retrieved 15 May 2023.
  12. ^ a b Kevin Peachey; et al. (21 November 2017). "The Disruptors - Money". BBC News. Archived from the original on 21 November 2017. Retrieved 21 November 2017.
  13. ^ Moses-Ashike, Hope (9 March 2023). "Explainer: What to know about Open Banking". Business Day. Retrieved 22 May 2023.
  14. ^ Central Bank of Nigeria (17 February 2021). "Regulatory Framework for Open Banking in Nigeria" (PDF). Central Bank of Nigeria. Retrieved 22 January 2024.
  15. ^ Central Bank of Nigeria (7 March 2023). "Operational Guidelines for Open Banking in Nigeria" (PDF). Central Bank of Nigeria. Retrieved 22 January 2024.
  16. ^ "Open banking era dawns in Australia". SBS World News. 29 June 2019. Archived from the original on 31 January 2021. Retrieved 15 May 2023.
  17. ^ O'Brien, Kate. "ASX shares that could benefit from Open Banking". Yahoo! Finance. Yahoo. Archived from the original on 31 October 2019. Retrieved 31 October 2019.
  18. ^ "Open banking coming to NZ mid-2024". Radio New Zealand. 30 May 2023.
  19. ^ "Press corner". European Commission - European Commission. Archived from the original on 25 August 2020. Retrieved 8 September 2021.
  20. ^ Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (Text with EEA relevance. ), 13 March 2018, retrieved 14 February 2022
  21. ^ a b "Payment services – review of EU rules". European Commission. Archived from the original on 26 April 2023. Retrieved 8 May 2023.
  22. ^ "Call for advice to the European Banking Authority (EBA) on the review of the payment services Directive (PSD2)". finance.ec.europa.eu. Archived from the original on 11 May 2023. Retrieved 8 May 2023.
  23. ^ Campa, José Manuel (23 June 2022). "2022 06 23 Letter to Mr Berrigan - Response PSD2 CfA" (PDF). European Banking Authority. Archived (PDF) from the original on 8 May 2023. Retrieved 15 May 2023.
  24. ^ "Opinion of the European Banking Authority on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2)" (PDF). European Banking Authority. 23 June 2022. Archived (PDF) from the original on 8 May 2023. Retrieved 15 May 2023.
  25. ^ "Euro Retail Payments Board (ERPB)". European Central Bank. 2 December 2021. Archived from the original on 4 April 2023. Retrieved 14 February 2022.
  26. ^ "Report of the ERPB Working Group on a Single Euro Payments Area (SEPA) Application Programming Interface (API) Access Scheme" (PDF). Euro Retail Payments Board. 31 May 2019. Archived (PDF) from the original on 10 May 2023. Retrieved 15 May 2023.
  27. ^ a b "Report of the Next Phase of the ERPB Working Group on a Single Euro Payments Area (SEPA) Application Programming Interface (API) Access Scheme" (PDF). Euro Retail Payments Board. 4 June 2021. Archived (PDF) from the original on 27 December 2022. Retrieved 15 May 2023.
  28. ^ https://www.ecb.europa.eu/paym/groups/erpb/shared/pdf/16th-ERPB-meeting/SEPA_Payment_Account_Access_Scheme_status_update.pdf%20https://www.ecb.europa.eu/paym/groups/erpb/html/index.en.html [dead link]
  29. ^ Group, The Berlin (26 October 2020). "PRESS RELEASE - Berlin Group starts new openFinance API Framework". the-berlin-group. Archived from the original on 14 May 2023. Retrieved 14 February 2022. {{cite web}}: |last= has generic name (help)
  30. ^ "PSD2 Access to Bank Accounts | The Berlin Group". the-berlin-group. Archived from the original on 14 May 2023. Retrieved 14 February 2022.
  31. ^ "Stet : PSD2". Stet. 30 May 2018. Archived from the original on 4 April 2023. Retrieved 14 February 2022.
  32. ^ "Slovak Banking API Standard". SBA - Slovenská banková asociácia (in Slovak). Archived from the original on 21 March 2023. Retrieved 14 February 2022.
  33. ^ "PolishAPI". polishapi.org. Archived from the original on 7 May 2023. Retrieved 14 February 2022.
  34. ^ "CFDI: Mexico's Electronic Invoicing Model That's Become a Reference Across all of Latin America". Edicom CFDI. 14 March 2018. Archived from the original on 31 May 2021. Retrieved 23 May 2021.
  35. ^ Open Banking: entenda o que é e como poderá ajudar na sua vida financeira, archived from the original on 4 April 2023, retrieved 23 May 2021
  36. ^ "BNamericas - Chile financial portability bill becomes law". BNamericas.com. Archived from the original on 12 May 2023. Retrieved 23 May 2021.
  37. ^ "Gob.cl - Portabilidad Financiera". Gobierno de Chile (in Spanish). Archived from the original on 4 April 2023. Retrieved 23 May 2021.
  38. ^ "Open banking en Colombia se prepara para despegar". iupana (in European Spanish). 8 February 2021. Archived from the original on 4 April 2023. Retrieved 23 May 2021.
  39. ^ "BNamericas - Snapshot: The 2021 agenda for Colombia finan..." BNamericas.com. Archived from the original on 12 May 2023. Retrieved 23 May 2021.
  40. ^ "LatAm turns to Mexico's year-old fintech law as a model for regulation". www.spglobal.com. Archived from the original on 12 May 2023. Retrieved 23 May 2021.
  41. ^ "Ley para Regular las Instituciones de Tecnología Financiera" [Law to Regulate Financial Technology Institutions] (PDF) (in Spanish). 9 March 2018. Archived (PDF) from the original on 20 March 2021. Retrieved 15 May 2023.
  42. ^ Garzón Galván, Jonathan G. "Open Banking MX Reporte 2019" (PDF). Cecoban. Archived (PDF) from the original on 4 April 2023. Retrieved 15 May 2023.
  43. ^ "Interfaces de programación, disposiciones, Banco de México". www.banxico.org.mx. Archived from the original on 4 April 2023. Retrieved 23 May 2021.
  44. ^ Manthorpe, Rowland (16 October 2017). "To change how you use money, Open Banking must break banks". Wired UK. Condé Nast. Archived from the original on 22 December 2017. Retrieved 29 December 2017.
  45. ^ Manthorpe, Rowland (17 April 2018). "What is Open Banking and PSD2? Wired explains". Wired UK. Condé Nast. Archived from the original on 30 January 2021. Retrieved 15 May 2023.
  46. ^ "Meet the regulated providers". Open Banking Implmentation Entity. Archived from the original on 27 January 2021. Retrieved 15 May 2023.
  47. ^ Yang, Qiang; Fan, Lixin; Yu, Han (2020). Federated Learning: Privacy and Incentive. Springer Nature. ISBN 978-3-030-63076-8.
  48. ^ "The future oversight of the CMA's open banking remedies". Competition and Markets Authority. 25 March 2022. Archived from the original on 4 April 2023. Retrieved 15 May 2023.
  49. ^ a b "President Biden Issues Executive Order Encouraging CFPB To Act On 1033 Data Access and UDAAP". JD Supra. Archived from the original on 14 May 2023. Retrieved 15 May 2023.
  50. ^ "Plaid settles class-action lawsuit for $58 million". 6 August 2021. Archived from the original on 4 April 2023. Retrieved 15 May 2023.
  51. ^ "The power to walk away: CFPB moves to give consumers control over financial data". POLITICO. 19 October 2023. Retrieved 24 December 2023.