Open banking is, undoubtedly, a good innovation for the
banking sector, especially for consumers and FinTechs. But open banking can
also help traditional banks provide better services to their customers, with the
assistance of third-party providers (TPPs).
That means that financial institutions (FIs) and FinTech
companies need to collaborate, share information and build new application
programming interfaces (APIs) to make sure that everybody wins with these
symbiotic relationships. Then, if open banking offers plenty of opportunities,
what are the challenges that banks and FinTechs face when they engage in
negotiations?
The main challenges probably are security and consumer
trust.
Most companies that are championing open banking are FinTech
companies that don’t have homogeneous technical standards, which, combined with
complex internal technology systems, may make the process susceptible to
corruption and fraudulent activity. For banks and FIs to be able to share
customer data, they need a secure API. The alternative to APIs is
screen-scraping, where TPPs basically “copy” the bank’s screen and use the
customer’s credentials to access the data. As this technique introduces
significant risks, many FIs are replacing it with APIs.
An API is a software intermediary that allows two
applications to talk to each other. An API allows the bank and the FinTech to
share information. But FinTechs and banks usually have different APIs and
different requirements, so to share data, both parties need to agree on when, how
and what information the APIs are going to share. Historical data or just the
last few months? Current accounts or credit card expenses? And so on.
The burden usually lies with the FIs because they are liable
for any data breach, unauthorized access and any type of fraud or scam. This is
one of the reasons why negotiations to share data may drag on for months, as
banks need to conduct thorough due diligence on the TPP to ensure that the
TPP complies with the best privacy and cybersecurity practices.
This is a non-exhaustive list of the FIs’ responsibilities
when it comes to adopting an open banking initiative:
authenticating customers;
gaining consent (authorization) from customers to share
data;
recording consent for audit purposes;
allowing customers to revoke consent;
vetting partners and their cybersecurity capability;
granting secure access to partners to customer information
(and only the information that the customer has consented to share).
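One way to model the consent responsibilities listed above (granting, recording for audit, revoking, and returning only the data the customer agreed to share, within the agreed history window) in code. This is an added example, not from the article; the product names, scope fields, customer and TPP identifiers, and sample balances are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
# Constructed sample bank data for one customer (hypothetical, not from the article).
BANK_DATA = {
    "cust-1": {
        "current": {"balance": 1250.40, "transactions": [
            {"date": NOW - timedelta(days=10), "amount": -42.00},
            {"date": NOW - timedelta(days=200), "amount": -980.00}]},
        "card": {"balance": -310.00, "transactions": [
            {"date": NOW - timedelta(days=3), "amount": -15.50}]},
    }
}

@dataclass
class Consent:
    customer: str
    tpp: str
    products: frozenset   # products the customer agreed to share, e.g. {"current"}
    history_days: int     # how far back transactions may be shared
    expires: datetime
    revoked: bool = False

class ConsentStore:
    def __init__(self):
        self._grants = {}
        self.audit = []   # (time, action, customer, tpp, detail): the audit trail

    def grant(self, customer, tpp, products, history_days, ttl_days, now=NOW):
        expires = now + timedelta(days=ttl_days)
        self._grants[(customer, tpp)] = Consent(customer, tpp, frozenset(products),
                                                history_days, expires)
        self.audit.append((now, "grant", customer, tpp, sorted(products)))

    def revoke(self, customer, tpp, now=NOW):
        if (customer, tpp) in self._grants:
            self._grants[(customer, tpp)].revoked = True
            self.audit.append((now, "revoke", customer, tpp, None))

    def fetch(self, tpp, customer, product, now=NOW):
        # Every access attempt is logged, and only consented, unexpired, unrevoked
        # products are returned, filtered to the agreed history window.
        c = self._grants.get((customer, tpp))
        ok = c is not None and not c.revoked and now < c.expires and product in c.products
        self.audit.append((now, "access", customer, tpp, (product, "ok" if ok else "denied")))
        if not ok:
            raise PermissionError(f"{tpp}: no valid consent for {customer}/{product}")
        src = BANK_DATA[customer][product]
        cutoff = now - timedelta(days=c.history_days)
        return {"balance": src["balance"],
                "transactions": [t for t in src["transactions"] if t["date"] >= cutoff]}
```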
Market-driven and regulatory-driven open banking economies
offer different solutions on how to address and minimize these risks. In the
former, like the U.S., the parties need to decide all the details and assess
the risks, which slows down the process. Banks and FinTech companies need to
negotiate with each counterpart and adjust their APIs almost every time.
Building and monitoring changes in APIs is time consuming and not very
efficient. API standards are not yet widely used although some TPPs are
creating API gateways to facilitate connectivity with banks. The Financial Data
Exchange is also a good example of how a group of banks, FinTechs and financial
services firms has aligned around a single data sharing standard to create an open
banking framework across the country.
In the EU and the U.K., legislation mandates that FIs must
provide this access through a secure and standardized set of APIs. While there
is not a unique API standard, this obligation facilitates the creation of
compatible APIs. In the case of the nine largest U.K. banks, they are obligated
to support the Open Banking U.K. API specifications, which lets FinTech
companies access data from all these banks using the same API. Additionally,
EU regulation specifies various elements to ensure strong customer
authentication (SCA) and common and secure open standards of communication.
A regulatory mandate to provide access and to do so
following standard protocols and open APIs is likely the reason why open
banking develops quicker in regulatory-driven economies. Nonetheless, open APIs
are not a magic key, and banks and FinTechs still need to engage in
negotiations.
The second challenge that FIs and TPPs need to address is
customer trust. According to a PYMNTS study, 53% of individuals see open
banking as a “dangerous” way to share their data. Consumers in Europe and the
U.K. feel somewhat more at ease than those in the U.S., but there is still work to be done.
But the challenge is not only convincing customers to
consent, but how to handle, store and modify this consent. Once the customer
consent hurdle is cleared, both banks and FinTechs have to make
sure that the data that is shared is securely stored and transferred. Hackers
and scammers will be targeting the open APIs to seek access to sensitive data.
In Europe, under the General Data Protection Regulation
(GDPR), companies can be fined up to 4% of their annual revenue if they
mishandle personal data, which in the case of banks and FinTechs is part of
their daily business. Thus, strong data protection protocols are essential in
any negotiation between banks and FinTechs.