Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

Is Regulatory oversight the biggest threat to undermining Open Banking

By Brendan Jones, Chief Commercial Officer of Konsentus

This article is in response to one from Matt Cockayne of Envestnet Yodlee published 5th October 2018 that stated the biggest threat to open banking was the lack of the FCA in the UK to extend the definition of an AISP to include non-consumer facing data aggregators.

And thus, by implication state that Yodlee and similar data aggregators that do not deal directly with Payment Service Users can not be regulated by them as AISPs.

I would push back on this premise in two areas, firstly to some of the arguments he states and then more importantly by highlighting what is a far bigger threat to open banking.

The Role of UK OBIE

Brenan Jones
Brenan Jones

Matt states that the Open Banking Implementation Entity (OBIE) only allows companies registered with the relevant regulatory authority (the FCA in the UK), to directly access Open Banking APIs in the long-term. Without this direct access, third party providers must register such companies as their ‘outsource provider’ so they can gain access to the Open Banking APIs indirectly.”

I would contend that there is significant misunderstanding of the role of UK OBIE here.  UK OBIE was created and mandated by the UK Competition and Markets Authority (CAM) for the 9 largest banks in the UK, commonly referred to as the CMA9, to be a member of and implement Open Banking standards under their instructions and directions.  There is however NO mandate for any Third Party Provider (TPP) to register with UK OBIE to gain access to any Financial Institution (FI) the UK – FI’s of course as term also cover Electronic Money, Payment Institution, Building Society and Credit Card accounts, under the European Payment Services Directive 2 (PSD2) open banking.  For the UK market OBIE is purely a voluntary registration, despite what some banks or others would state.

The European Banking Authority RTS of Strong Customer Authentication and Common Secure Communications is very clear in that once a TPP has been approved/registered with their local National Competent Authority (NCA) and passported to the relevant NCA in the country of operation of the FI, then the FI cannot refuse access to the TPP unless they believe there to be fraudulent activity.  If Envestnet Yodlee was registered with another countries NCA and then passported into the UK no UK FI can refuse it access.

Payment Service User Confidence

Matt states in the article that the current position of the FCA in not allowing aggregators to be AISPs will undermine confidence in open banking as “in the event of a data breach with an aggregator – consumers would not be able to hold that company liable.”  This is wrong, Payment Service Users (consumers, small and medium enterprises etc.) would never have a relationship with an aggregator service.  Their contractual relationship will be with the TPP, for whom they have given their “explicit consent” to access their account(s) and who is providing the service.  It is thus the TPP who as the direct contractual relationship that would be held liable by the Payment Service User (PSU) in the event of any data breach either at the TPP or any of their suppliers.  It is a bit like a retailer and a wholesaler, the PSU has a relationship to the retailer, in the event that there is a problem they go back to the retailer not the wholesaler.  It is up to the retailer then to take the dispute up to the wholesaler.  Further the aggregator is likely to be also affected by GDPR legislation around the data breach and face regulatory oversight from this perspective also.

I can fully understand why Envestnet Yodlee would like to be regulated as it would make their business model easier to run in the UK, but to state it is the biggest threat undermining open banking implies that the majority of TPPs will use aggregators such as Envestnet Yodlee to access FI data and not just integrate directly with them – something that I believe a great many TPPs will do.  Thus, the impact of any non regulation of aggregators will be limited both by the number of TPPs using such services in the first place and the fact that they are covered by GDPR requirements already around protection of data.

The Real Big Threat to Open Banking

There are 9,000 plus FIs in Europe that need to be ready by March 14th 2019 for open market testing under mandatory PSD2 timescales.  The biggest single threat to PSD2 open banking is simply the market will not be live and ready in time.

  • To date there are still a number of countries that have not transposed PSD2 requirements into national law including Romania, Sain and Ideland.
  • To date there are a number of NCAs who have not yet announced how they will register or approve TPPs, how they will hold the data and how they will communicate revocation.

Checking of TPPs identity and regulatory status is at the heart of PSD2 open banking.

When a PSU signs up to use a open banking service, they do not need to check that the service provider that they have provided “explicit consent” too, is regulated/approved, or indeed maybe a fraudulent, TPP; this is the job of the FI.

It is the job of the FI to check on the identity of the TPP and check their regulatory status, this is crucial to establishing the trust factor as part of the PSD2 open banking.  As Matt stated “The data sharing aspect of Open Banking is already a primary concern for consumers – recent research by Accenture found that 85% of those asked said the fear of fraud would put them off sharing data, and 69% said they would not share financial data with businesses that were not banks.”  This means that all FIs need to ensure that they only ever supply PSU data to approved/regulated TPPs.  If they supply data to a TPP who is not, then they are in breach of PSD2.

With Konsentus providing the only real time, online, machine readable database currently for the market covering both TPP regulatory status and eIDAS identity checking, we believe the biggest threat to PSD2 open banking is ensuring the NCA databases are ready and that FIs understand the importance of checking on TPPs.