OPEN BANKING: WHAT’S CERTAIN, WHAT’S NOT

Carl Slabicki

Open banking brings great promise — and new questions — for banks and customers alike, says Carl Slabicki, Director, Immediate Payments, Treasury Services at BNY Mellon.

Open banking will soon arrive; that is certain. In order to force collaboration opportunities between banks and third-party providers, PSD2 (Europe) and the Open Banking Standard (UK) have mandated that, beginning in 2018, banks share access to client accounts and account information with third parties, mainly fintech providers. That access is shared with client approval, via Application Programming Interfaces (APIs), opening a door to a transformed future payments landscape.

These third-party providers will be of two types: Account Information Services Providers (AISPs) and Payment Initiation Services Providers (PISPs). AISPs will be allowed to access and extract client information (balances, history, transaction data), and PISPs will be allowed to initiate and make online payments, drawing directly from a client’s account, without bank intermediation.

To appreciate the magnitude of this change, consider that since the advent of banking, banks have held a monopoly on the information they retain on their clients. That such information would be privileged and unshared has been core to the very idea of banking. Maintaining the security of such proprietary information has been strictly regulated by law and typically enforced with various firewalls within individual banks, with access allowed on a need-to-know-only basis in order to thwart inappropriate pooling, leaking or misuse.

Indeed, the maintenance of rigorous privacy has been the historic selling point for Swiss banks (if not always for commendable reasons). How could it have been otherwise? Clients are, after all, trusting banks with their money. But the monopolization of vast amounts of data is a very valuable business asset as well. And it is this that open banking is on the verge of changing and forcing banks to give up.

What Is Not Certain

The ways this access can be used are myriad. For example, an AISP might be able to compare offerings from numerous banks and provide them to clients. This could include information on car loans, mortgages, business loans, savings account returns, and checking account charges. For businesses or banks themselves, a client’s creditworthiness could be readily and directly ascertained, without the intermediation of a ratings company.

AISPs might serve as financial advisers to both corporates and individuals, with the ability to manipulate and analyze massive amounts of data virtually and provide investment information in real time. This would enable them to advise that monthly bills are coming due. PISPs could pay those bills, oversee spending and provide budget advice. Competition will drive ideas and shape the market, all ostensibly to the consumers’ benefit.

But that benefit comes at some expense. The growth in networks and solutions, capabilities and services provides a wealth of new options, but at the potential expense of clarity for consumers, who want an experience that is intuitive and self-explanatory.

This was reflected in a Payment Experience Client Survey, conducted in August of 2017.

Payment Experience Client Survey, conducted in August of 2017

Asked whether they thought direct peer-to-peer system interaction via APIs would bring a fundamental shift in interbank correspondent banking, more than half of responding client banks were uncertain as shown below (and more than half of respondents thought the first meaningful API interaction with their providers was one to three years away).

Risk Uncertainty

The enormous amount of private financial data that will be made available to third parties will be an equally large target for those seeking to obtain it illegally, and they will have more avenues available by which to try to gain access to it. The creators of the initiatives have taken steps to address this, codified within the legislation.

AISPs and PISPs, in order to be licensed, must convince regulators of the soundness of their data security and will be required to submit to annual inspections. They will also be required to acquire fraud insurance, adding another layer of prevention, in that insurers have a clear stake in seeing that security procedures are optimal. Also, regulations requiring more robust authentication and two-step verification will make online payments more secure than they are currently.

Still, the risks cannot be overstated. Regulations on paper and regulations put into practice can be very different things. This will be a rapidly changing and unpredictable market, and the regulatory environment must be fluid, not static. Replacing a single bank portal with numerous lines of access will provide many more opportunities and points of attack for criminal activity.

It should come as no surprise that many banks look at these changes with trepidation. At BNY Mellon, our policy has been to view change and uncertainty not as threats but as opportunities. As the full effects of these initiatives become clear, we expect to be in position to take advantage of them to the benefit of our clients.

The views expressed herein are those of the author only and may not reflect the views of BNY Mellon. This does not constitute treasury services advice, or any other business or legal advice, and it should not be relied upon as such.