Buzzwords like “big data” typically bring to mind quantitative exercises like the application of algorithms and analytics. While these are certainly critical steps to gaining insight, a more fundamental building block of the data market is access. Easier access to data has become a hot topic in all industries, none more so than financial services. For instance, the G20’s Anti-Corruption Working Group has identified open data as a priority to advance public sector transparency and integrity. From a commercial standpoint, data can serve as a catalyst for new products and business models. The European Union has been proactive on this front, setting the rules of engagement through the updated version of the Payment Services Directive (PSD2).
How open banking brings new relevance to APIs
Data sharing is often accomplished through an application programming interface (API), an intelligent conduit that allows for the flow of data between systems in a controlled yet seamless fashion (Exhibit 1). APIs have been leveraged in banking settings for years (see sidebar “How open banking brings new relevance to APIs”). Given breakthroughs in advanced analytics and the market traction of numerous nonbank fintech companies, however, APIs are receiving renewed attention as a means to enhance the delivery of financial services to both retail consumers and business customers.
While open banking stands to benefit end users as well as to foster innovations and new areas of competition between banks and nonbanks, it is also likely to usher in an entirely new financial services ecosystem, in which banks’ roles may shift markedly. It also raises issues around regulation and data privacy, which helps to explain why global markets have taken varying approaches to governance, contributing to disparate levels of progress. Regardless of region, the momentum toward open banking models seems clear, requiring banks and fintechs alike to position themselves for success in a new environment and to anticipate the likely customer impacts.
Open banking reaching a fever pitch
Open banking can be defined as a collaborative model in which banking data is shared through APIs between two or more unaffiliated parties to deliver enhanced capabilities to the marketplace. APIs have been used for decades, particularly in the United States, to enable personal financial management software, to present billing detail at bank websites, and to connect developers to payments networks like Visa and Mastercard. To date, however, these connections have been used primarily to share information rather than to transfer monetary balances.
The potential benefits of open banking are substantial: improved customer experience, new revenue streams, and a sustainable service model for traditionally underserved markets. In addition to well-known players like Mint, examples include alternative underwriters ranging from Lending Club in the United States to M-Shwari in Africa to Lenddo in the Philippines, and payments disruptors like Stripe and Braintree (Exhibit 2).
Naturally, such advances are not quite as straightforward as our capsule description implies. Recent years have brought the development of digital ecosystems, Tencent (WeChat) and Alibaba in China being prime examples. As these ecosystems mature they begin to collide, and the inability to share data threatens to curtail innovation in business and operating models. Moreover, most advancements to date have come from firms outside the financial services realm. While incumbents still hold the keys to the vault in terms of rich transaction data as well as trusted client relationships, banks often view the opening of these data flows as more threat than opportunity. After all, it is the nonbank insurgents who have demonstrated market traction thus far, and gained valuable new customer relationships—by presenting data in new forms.
There are inherent risks in sharing data, however, which is why it is critical to develop processes and governance underpinning the technical connections. Although the core API value proposition lies in streamlining the systems integration required for data access, the need for guardrails to support protections for the privacy and security of personal data creates a formidable infrastructure challenge.
The data consent/protection elephant in the room
Notably, banks have traditionally viewed the custody and protection of their clients’ data as a responsibility, more of a stewardship role than an asset to be commercialized. Data sharing in financial services tends to be risk- and permission-based, with required audit trails, and subject to regulation and risk management. If done well, however, it can deliver increased security through enhanced know-your-customer capabilities, identity validation, and fraud detection. For instance, the current version of PSD2’s technical standards may put an end to the practice of screen-scraping, long a point of contention for banks.
At the same time, customer transparency and control must remain at the center of product design decisions. This is a more vexing rule to follow than it appears on the surface. Even as PSD2 is advanced by regulators, it could be argued that through adoption consumers have already set the agenda for services they want opened to third parties. On the other hand, different data categories warrant different levels of security, and informed consent requires understanding the implications of sharing before approving—no small feat when the reflexive clicking of “I Agree” on an unread set of terms and conditions is standard. There is a fine line to walk: educating and empowering consumers without confusing, scaring, or boring them.
Perhaps the most complex of these is educating end users on data permission and privacy. PSD2 explicitly empowers account holders with the authority to share data, removing the financial institution’s role as gatekeeper. Further complicating matters, real-world evidence suggests consumers may not attach the same value and sensitivity to certain data elements that banks and their regulators do. Although the move to open banking need not be a zero-sum game, there are several areas where banks harbor legitimate concerns regarding loss of brand recognition and reputational risk, especially given their own required investments to effect such change.
Further questions persist regarding the duty to redact “sensitive data” in certain circumstances as well as third-party providers’ obligations to delete/destroy data after a period. Many of these details remain a work in progress and will be refined as the market impacts of open banking play out. Banks are understandably concerned about such details, as any perceived disclosure missteps will almost certainly radiate back to their brand.