WILL PRIVACY CONCERNS UNDERMINE OPEN BANKING?

by Ciaran Dynes, SVP Products, Talend

“Open Banking launched in January 2018 with a whimper more than a bang, why this was the case is not totally clear, but one possible explanation is that there was a reluctance to cause a panic among consumers. Research by Ipsos MORI in November 2017 found that while 63% of UK consumers see the services enabled by Open Banking as ‘unique’, just 13% of them would be comfortable allowing third parties to access their bank data. Clearly there is a still a way to go before adoption really takes off, but these kinds of slow adoption patterns are not uncommon, particularly when there is fear that consumers could become victims of criminals or exploitation. If these concerns are addressed appropriately then they should help to limit any detrimental effects on Open Banking take up.”

What are consumers really worried about? Are they right to be worried?

“For years consumers have been told to be careful with their financial information, to be astute and aware of who has access to it, and to guard it at all costs. The message of Open Banking seems to go against this mentality which can be confusing for consumers. While Open Banking is allowing third parties to access consumers’ bank account and transactional information, there are many checks and balances in place to protect consumers and prevent fraud.

“Firstly, consumers’ data will not be shared without their express permission, and the PSD2 legislation on which Open Banking is built, makes it clear that this permission must be explicit, meaning that consent must be requested clearly, in plain language, so consumers are clear what they are agreeing to. Secondly, any processes or transactions must be authorised using Strong Customer Authentication based on 2-factor authentication processes by which a consumer’s identity is confirmed using two identifiers from either something they know (e.g. a password, secret answers), something they are (e.g. fingerprint, voice recognition) and something they have (e.g. registered mobile device, digital token). Thirdly, third party service providers, whether they are Payment Initiation Service Providers (PISPs) or Account Information Services Providers (AISPs) must be registered by the Financial Conduct Authority in the UK. Registration will help to prevent fraudulent companies requesting data from banks and ensure legitimate service providers are held to high data protection standards.”

Will attitudes to Open Banking change over time?

“As adoption of services based on the Open Banking initiative become more widespread and consumer confidence grows attitudes will change over time. If consumers see a benefit in sharing their financial data more will be inclined to do so. When it comes to issues such as data breach or fraud – data security teams operate on a “not if but when” mentality when it comes to cyber-attacks. They must be handled swiftly, with the customers’ needs put front and centre. If the customers are protected and it is demonstrated that should the worst happen they have legislative protection, more are likely to use the new services that Open Banking enables.”

How can banks and providers reassure consumers?

“Education. Pure and simple. If consumers understand they will use the services. They need to understand what Open Banking is, what it enables, what benefits it gives them, and how they are protected. Consumers also need to understand what to look out for to avoid unscrupulous parties who may try and rig the system. Hopefully, with the safeguards of FCA registration in place fraudsters trying to gain access to financial information will be minimised, nonetheless, consumers should be educated on what to look out for, and how they can keep themselves protected. Banks, governments and consumer protection organisations have been providing this kind of information for decades, the information offered needs to evolve to meet the new landscape created by Open Banking.”

Is there privacy technology that will help, or is this an emotional issue best tackled with marketing?

“From a legislative perspective, linked to Open Banking and PSD2 (Payment Service Directive) is the EU General Data Protection Regulation which comes into force in May. GDPR has tightened up the controls consumers have regarding their data and introduced greater financial ramifications on companies and organisations that do not adhere to the regulation. PSD2 and Open Banking aligns with this because it is the consumer that has the control over whether their data is shared with third parties, but also for it to stop being shared with third parties. In addition, the concept of ‘right-to-be-forgotten’ enshrined in GDPR means that consumers can demand that any data held by the third-party service provider be permanently deleted. Similarly, because GDPR puts the onus of data protection on both data controllers (i.e. banks) and data processors (i.e. PISPs and AISPs) it is in the interests of both to ensure that their data governance and data protection strategies and technology is of the highest quality. In short, the technology requirements to keep consumers’ financial information protected should be a given if organisations are GDPR compliant, thus to give consumers peace of mind, it goes back to the education factor.

“That said, one area that should be considered by banks, PISPs and AISPs from a technology standpoint is the use of cloud to provide these services. The use of third-party cloud services adds another layer of complexity when it comes to GDPR compliance and there are some legislative grey areas in relation to bank customer data being tapped into by PISPs/AISPs and then processed in the public cloud. Because there is no contract between PISPs/AISPs – but there will be contract for cloud services between PISPs/AISPs and the cloud providers they may choose to use – it may complicate proceedings with regards liability in the event of a data breach. Third party PISPs/AISPs should be working with reputable service providers and have the contracts in place to ensure GDPR compliance, but with banks unable to have a say in the services used it could leave them vulnerable. Bearing in mind the concern some consumers have regarding the use of sensitive data in the cloud, it is essential that new third party financial service providers are working with mature, best-in-class cloud providers, and are being transparent with customers how their bank data, should they choose to share it, is being used.”

by Ciaran Dynes, SVP Products, Talend

“Open Banking launched in January 2018 with a whimper more than a bang, why this was the case is not totally clear, but one possible explanation is that there was a reluctance to cause a panic among consumers. Research by Ipsos MORI in November 2017 found that while 63% of UK consumers see the services enabled by Open Banking as ‘unique’, just 13% of them would be comfortable allowing third parties to access their bank data. Clearly there is a still a way to go before adoption really takes off, but these kinds of slow adoption patterns are not uncommon, particularly when there is fear that consumers could become victims of criminals or exploitation. If these concerns are addressed appropriately then they should help to limit any detrimental effects on Open Banking take up.”

What are consumers really worried about? Are they right to be worried?

“For years consumers have been told to be careful with their financial information, to be astute and aware of who has access to it, and to guard it at all costs. The message of Open Banking seems to go against this mentality which can be confusing for consumers. While Open Banking is allowing third parties to access consumers’ bank account and transactional information, there are many checks and balances in place to protect consumers and prevent fraud.

“Firstly, consumers’ data will not be shared without their express permission, and the PSD2 legislation on which Open Banking is built, makes it clear that this permission must be explicit, meaning that consent must be requested clearly, in plain language, so consumers are clear what they are agreeing to. Secondly, any processes or transactions must be authorised using Strong Customer Authentication based on 2-factor authentication processes by which a consumer’s identity is confirmed using two identifiers from either something they know (e.g. a password, secret answers), something they are (e.g. fingerprint, voice recognition) and something they have (e.g. registered mobile device, digital token). Thirdly, third party service providers, whether they are Payment Initiation Service Providers (PISPs) or Account Information Services Providers (AISPs) must be registered by the Financial Conduct Authority in the UK. Registration will help to prevent fraudulent companies requesting data from banks and ensure legitimate service providers are held to high data protection standards.”

Will attitudes to Open Banking change over time?

“As adoption of services based on the Open Banking initiative become more widespread and consumer confidence grows attitudes will change over time. If consumers see a benefit in sharing their financial data more will be inclined to do so. When it comes to issues such as data breach or fraud – data security teams operate on a “not if but when” mentality when it comes to cyber-attacks. They must be handled swiftly, with the customers’ needs put front and centre. If the customers are protected and it is demonstrated that should the worst happen they have legislative protection, more are likely to use the new services that Open Banking enables.”

How can banks and providers reassure consumers?

“Education. Pure and simple. If consumers understand they will use the services. They need to understand what Open Banking is, what it enables, what benefits it gives them, and how they are protected. Consumers also need to understand what to look out for to avoid unscrupulous parties who may try and rig the system. Hopefully, with the safeguards of FCA registration in place fraudsters trying to gain access to financial information will be minimised, nonetheless, consumers should be educated on what to look out for, and how they can keep themselves protected. Banks, governments and consumer protection organisations have been providing this kind of information for decades, the information offered needs to evolve to meet the new landscape created by Open Banking.”

Is there privacy technology that will help, or is this an emotional issue best tackled with marketing?

“From a legislative perspective, linked to Open Banking and PSD2 (Payment Service Directive) is the EU General Data Protection Regulation which comes into force in May. GDPR has tightened up the controls consumers have regarding their data and introduced greater financial ramifications on companies and organisations that do not adhere to the regulation. PSD2 and Open Banking aligns with this because it is the consumer that has the control over whether their data is shared with third parties, but also for it to stop being shared with third parties. In addition, the concept of ‘right-to-be-forgotten’ enshrined in GDPR means that consumers can demand that any data held by the third-party service provider be permanently deleted. Similarly, because GDPR puts the onus of data protection on both data controllers (i.e. banks) and data processors (i.e. PISPs and AISPs) it is in the interests of both to ensure that their data governance and data protection strategies and technology is of the highest quality. In short, the technology requirements to keep consumers’ financial information protected should be a given if organisations are GDPR compliant, thus to give consumers peace of mind, it goes back to the education factor.

“That said, one area that should be considered by banks, PISPs and AISPs from a technology standpoint is the use of cloud to provide these services. The use of third-party cloud services adds another layer of complexity when it comes to GDPR compliance and there are some legislative grey areas in relation to bank customer data being tapped into by PISPs/AISPs and then processed in the public cloud. Because there is no contract between PISPs/AISPs – but there will be contract for cloud services between PISPs/AISPs and the cloud providers they may choose to use – it may complicate proceedings with regards liability in the event of a data breach. Third party PISPs/AISPs should be working with reputable service providers and have the contracts in place to ensure GDPR compliance, but with banks unable to have a say in the services used it could leave them vulnerable. Bearing in mind the concern some consumers have regarding the use of sensitive data in the cloud, it is essential that new third party financial service providers are working with mature, best-in-class cloud providers, and are being transparent with customers how their bank data, should they choose to share it, is being used.”