In August 2016, the Competition and Markets Authority (“CMA”) published its report proposing banking reforms focused on encouraging technological innovation. These reforms included introducing an open API standard for banking to be adopted by early 2018. Such a standard is intended to enable intermediaries to readily access information about bank services, prices, service quality and customer usage that is currently accessible in most cases only by the relevant individual financial institution and is not generally shared in a portable format.
This report marks the completion of the CMA’s retail banking market investigation, and follows on from the approach recommended by the Open Banking Working Group, published in February 2016.
Purpose – level playing field
The CMA envisages that applications will be developed using the open APIs and the data that flows through them that will:
- allow customers to manage their accounts held with several banks or building societies;
- allow customers to authorise transfers of funds between their various accounts;
- provide comparison services on price and quality, tailored to their own usage patterns;
- monitor a current account and forecast cash flow, helping to avoid overdraft charges; and
- use a business’s transaction history to allow a potential third party lender to reliably assess that business’s creditworthiness (and thereby help the business get a better deal).
The CMA hopes that introducing open APIs will help to bridge the knowledge gap between incumbent banks which have known their customers for years and challenger banks and the FinTech sector which, without the customer history, do not have the same ability to assess financial risk in lending to a particular customer or to develop new products.
In order to ensure a level playing field between new market entrants and incumbent banks (which may develop their own aggregator solutions), there has been speculation that a new regulator or rulebook may also be required, drawing parallels with the Payment Systems Regulator that was established in 2015 to oversee the opening up of payment systems by the incumbent banks.
However, allowing third parties access to sensitive customer data raises concerns about data security and the extent to which customers would be willing to share data between different organisations. Additionally, bringing data together from a number of different accounts may make the application a more attractive target for fraudsters. Any third party aggregator will therefore need to ensure that it has rigorous data security measures in order to gain trust and build its market share.
At the moment, the contractual structure between a bank, its customers and the various technology services is relatively straightforward: typically, the bank acts as the technology provider and is therefore responsible to the customer for errors or security issues with the technology. Where the third party is also able to initiate payment instructions to the bank, as envisaged by the CMA, there is a risk that the customer is left without recourse for any erroneous or fraudulent transactions executed through the third party aggregator. For example, this situation could arise where third party aggregators adopt a business model based on low fees and a very conservative liability position or where the third party aggregator does not have sufficient capital to continue in the event of a security breach that leads to a high number of customer claims.
However, it is worth noting that the Revised Directive on Payment Services (PSD2) seeks to address exactly this type of issue with the new category of “payment initiation services”. This is likely to include a number of third party aggregators that use open APIs, who would therefore be subject to certain regulatory requirements set out in PSD2, including in relation to their liability to customers and holding a certain amount of capital within their business – measures which should go a considerable way towards protecting the customer’s position.
More to come
These are just some of the issues – both legal and commercial – that such a broad change in the data landscape is likely to bring with it. The short timelines for introducing open APIs proposed by the CMA and the Open Banking Working Group, coupled with the level of complexity, mean that this is likely to be a hotly debated topic for the foreseeable future.