José Manuel Mansilla-Fernández
Open banking frameworks
Open banking is defined as the “sharing of customers’ permissioned information held by banks with so-called ‘third-party’ developers, who can use them to build applications and services comprising payments, synthetic information for account holders, and other marketing and cross-selling opportunities” (BIS, 2019).[1]
Many authorities are planning to take action to regulate Open Banking in their jurisdictions. A large part is following a prescriptive approach, which mandates banks to share customers’ information with the aforementioned ‘third parties’ willing to access it, as long as they are included in a register established by regulatory authorities. Other jurisdictions are instead adopting a facilitating approach, avoiding explicit requirements to make data available to ‘third parties’ but providing guidelines or recommendations, as well as suggesting common standards for the application programming interfaces (APIs) used to access the data, which the whole industry is invited to adopt. Lastly, other authorities are following a market-driven approach, setting no specific rules on the sharing of customers’ information between banks and ‘third parties’ (BIS, 2019).[2] Overall, the regulatory framework is still embryonic in many jurisdictions, and activities by regulators, banks and market developers are still at the initial stage (OECD, 2023).
A thorough Open Banking framework can include rules, standards and practices aimed at solving the many issues that are likely to emerge from such a pervasive data-sharing environment. Most jurisdictions take the perspective of protecting customers from possible problems caused by allowing unregulated third parties (and possibly fourth parties, if data are further transmitted to other corporations) to access bank customer-permissioned data (Bains et al., 2022). From this perspective, a range of different authorities are involved in regulating open banking, including: i) bank supervisors, in their traditional role with respect to the activities of regulated banks (that are the producers of customer data); ii) technical standards setting bodies, which establish standards for automated access to customer-permissioned data through APIs, with a special focus on security and standardization, requiring all involved entities to comply with them; iii) competition authorities, which monitor, encourage and take actions to ensure the well-functioning of markets; iv) data privacy authorities, responsible for ensuring the protection of customer data; v) alternative dispute resolution mechanisms, responsible for mediating disputes between consumers and financial service providers (BIS, 2019).
The regulatory framework in the European Union
The revised PSD2 (Directive (EU) 2015/2366), adopted from January 13th 2018, standardizes payment services across the European Union (EU hereafter), and is the reference framework for the regulation of the payment sector.
Among other seminal provisions – e.g., detailed security transactions for electronic payments – the PSD2 also establishes the key concepts for the definition of Open Banking, by including in the regulation the Payment Initiation Services (PIS) and the Account Information Services (AIS). In this regard, the Directive clarifies the ‘competition-enhancing objective’ by regulating services operating as competitors to main banks.[3] An important step in this direction was the reply by EBA to a question raised by the Bank of Ireland on the interpretation of the Directive, stating that an AISP is not limited to providing the consolidated information on the different account positions to the payment service user, but with the user’s consent it can also make this information available to third parties (EBA, 2021).
Despite the innovative content of PSD2, a recent document by EBA (2022) assessing the impact of PSD2 came to the conclusion that significant areas are still to be addressed so as to achieve the objectives to enhance competition, facilitate innovation, increase security of payment transactions, ensure the neutrality of the business model, and build a ‘single EU retail payment market’. In particular, the EBA proposes detailed interventions in four areas: 1) the prudential framework on licensing payment companies under the PSD2 regulation; 2) the responsibility of funds transferred by ‘third parties’;[4] 3) the application of Secured Customer Authentication (SCA), especially regarding the regulation of merchant-initiated transactions; 4) the need to address social engineering fraud risk by introducing requirements on educational and awareness campaigns, incentivising Payment Service Providers (PSP hereafter) to invest in monitoring mechanisms and to share information among PSPs related to possible cases of fraud or fraudsters. Interestingly, regarding the need for ensuring the maximum degree of ‘financial inclusion’, the EBA suggests that the Directive introduce a general provision taking into account the vulnerability of customers. The EBA also suggests enhancing attention and training on authentication procedures.
The British regulatory framework
The United Kingdom’s (UK) Open Banking Initiative constitutes a reference worldwide. The Open Banking Working Group (OBWG hereafter) was created in September 2015 by HM Treasury to assess whether bank data sharing may benefit the whole sector. The group consists of representatives of financial institutions, open data groups such as the Open Data Institute (ODI hereafter), as well as consumers’ associations and representatives of ‘third-party’ corporations. The following year, the Group suggested that standardized APIs would be a useful step to facilitate the sharing of information. In addition, it argued that a decentralised system of Open Banking would be safer than a single, centralised system.
The crucial year for Open Banking in the UK is 2017. The PSD2 was transposed into legislation with The Payment Services Regulation and the Competition and Markets Authority (CMA) conducted a ‘Retail Banking Market Investigation’, which reached the conclusion that “older and larger banks do not have to compete hard enough for customers’ business, and smaller and newer banks find it difficult to grow. This means that many people are paying more than they should and are not benefiting from new services” (CMA, 2016). As a result, the CMA introduced a major open banking initiative aimed at enhancing innovation and competition within the banking sector, requiring the nine largest banks to “give their personal and business customers the ability to access and share their account data on an ongoing basis with an authorised [by the government] third parties” (see Taylor-Kerr, 2020). Here, the term ‘third party’ refers to banks and FinTechs. Furthermore, the aforementioned banks were required to enable third parties to make payment services authorised by customers’ banks, the so-called payment initiation. Importantly, access to the data must be free to the petitioner (under customers’ permission), and banks are mandated to allow it (Babina et al., 2022).
In allowing banks to access customers’ information, regulators intend to create an environment where financial institutions might propose new or improved financial services for customers and to enhance the competitive environment.
Lastly, the Open Banking Implementation Entity’s (OBIE hereafter), which was created in May 2020 after a thorough consultation process, adjusted the ‘Roadmap’. The process was conducted in two steps of consultation: i) open workshops, and ii) the assessment over 75 pieces of feedback from representative stakeholders, including the banks, third party suppliers, and user representatives.
Regulatory framework in other jurisdictions
As argued above, the regulatory framework of open banking is still embryonic in many jurisdictions. This section briefly describes the situation and perspectives of Open Banking around the world.
The Australian government introduced the Consumer Data Right (CDR hereafter) legislation in 2017. The CDR applies to a broad range of customers’ data, including banking, energy and telecommunication data, and is aimed at generating interoperability across sectors. Furthermore, the Australian Open Banking application deals exclusively with data, not with payments. Additionally, the Australian Competition and Consumer Commission (ACCC hereafter) assumes the supervisory role, which is equivalent to that of the CMA in the UK, while operating alongside the Australian Payments Network. In this regard, Andi White, CEO of the Australian Payments Network, stated that “the regulatory stance is about a balance of stability and innovation but there is a desire for good competition with the rise of challenger banks” (ACCC, 2023).
In Canada, a consultation was announced in 2017 to analyse the capabilities of Open Banking for its banking sector. In particular, an ‘Advisory Committee on Open Banking’ was appointed to conduct the analysis, along with a secretariat within the Department of Finance. In June 2019, the ‘Standing Senate Committee on Banking, Trade and Commerce’ released a report entitled “Open Banking: What It Means For You”, which deals with a number of recommendations aimed at consolidating Open Banking in Canada (World Bank, 2022).
The Hong Kong Monetary Authority (HKMA) released the “Open API Framework for the Hong Kong Banking Sector” in July 2018. The HKMA intends to allow the banking industry to set its own criteria without making it a regulatory requirement (HKMA, 2018).
India released the Unified Payment Interface (UPI) in 2016, which was developed by the National Payments Corporation of India (NPCI). The UPI allows data transfer among financial institutions using a strong API environment that includes a digital identity solution, which is still missing in most European and US jurisdictions/markets. Importantly, a new category of entities called Account Aggregators act as data fiduciaries, managing data requests from institutions that have a legitimate interest and the providers of information, and the consent of the data subject. The model is a clear representation of the regulatory approach. Importantly, it does not pre-judge the type of services the data receivers will offer, and allows all institutions regulated by any of the financial sector regulators in India and the Department of Revenue, Government of India to be able to participate as data receivers (see Natarajan, in this issue).
In Japan, the Amended Banking Act introduces a system for TPPs and establishes the environment for bank-TPP collaborations, in addition to other voluntary partnerships among banks to release ‘digital payments initiatives’. However, the activities of adopting ‘third parties’ are still in a preliminary phase, partly because of the difficulty in negotiating contracts between banks and FinTechs.
Mexico has implemented a model similar to the British one, but considering ‘premium’ versions for APIs. In March 2018, Mexico passed the ‘Financial Technology Institutions Law’ (The FinTech Law) aimed at regulating FinTech and Open Banking companies. The Mexican government is now finalising its implementation. The National Banking and Securities Commission will be the Open Banking regulatory framework, which is also intended to enhance innovation and financial inclusion (Greenberg and Traurig, 2020).
New Zealand implemented a model of Open Banking similar to the British one. The similarity results from the tight collaboration between both jurisdictions, conducted under the administration of the local payments association, namely PaymentsNZ. Furthermore, New Zealand’s programme includes information about customers’ accounts and their payments (World Bank, 2022).
In Nigeria, the ‘Open Technology Foundation’ launched Open Banking Nigeria (OBN hereafter) in 2018, which was aimed at fostering innovation in the Nigerian banking sector. OBN was intended to standardize open APIs as well as to encourage financial institutions and FinTechs to open their API protocols. Unlike other Open Banking jurisdictions, OBN regards the British standards as excessive for Nigerian purposes. Hopefully, Nigeria is designing suitable standards for the needs of its banking sector, and for other West African countries. The OBN’s API framework is expected to reduce the cost of innovation and to provide a good customer experience (Kassab and Laplante, 2022; ODI, 2020).
In Singapore, banks are encouraged to adopt APIs to accelerate the implementation of Open Banking. The Monetary Authority of Singapore (MAS hereafter) is not directly intervening, but together with the Association of Banks in Singapore has released an API typescript to encourage financial institutions to take part in the programme. As a result, several banks are launching their own API portals (e.g., Citibank, DBS, Standard Chartered, among others).
In the US, the so-called “NACHA’s API standardisation programme”, which was announced in 2017, focusses on three areas: i) fraud; ii) customers’ information sharing; iii) access to payment services. Additionally, the Consumer Financial Protection Bureau’s principles advise banks to include APIs for customers’ information sharing.
Australian Competition and Consumer Commission (ACCC) (2023). The consumer data rights. Available at: https://www.accc.gov.au/focus-areas/the-consumer-data-right (Accessed on 23 March 2023).
Babina, T., Buchak, G. and Gornall, W. (2022). Customer Data Access and Fintech Entry: Early Evidence from Open Banking. Mimeo.
Bains, P., Sugimoto, N., and Wilson, C. (2022). BigTech in Financial Services: Regulatory Approaches and Architecture, FinTech Notes. Available at: https://www.elibrary.imf.org/view/journals/063/2022/002/article-A001-en.xml (Accessed on 22 March 2023).
Badour, A., and Presta, D. (2018). Open Banking: Canadian and international developments. Banking & finance law review, 34(1): 41-47.
BIS (2019). Report on open banking and application programming interfaces. Basel Committee on Banking Supervision. Available at: https://www.bis.org/bcbs/publ/d486.pdf (Accessed on 15 February 2023).
Competition and Markets Authority (CMA) (2022). Retail banking market investigation. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1048212/Final_revised_Agreed_Arrangements_190122.pdf (Accessed on 22 March 2023).
Competition and Markets Authority (CMA) (2016). CMA paves the way for Open Banking revolution. Available at: https://www.gov.uk/government/news/cma-paves-the-way-for-open-banking-revolution (Accessed on 22 March 2023).
EBA (2022). Opinion of the European Banking Authority on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2). Available at: https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Opinions/2022/Opinion%20od%20PSD2%20review%20%28EBA-Op-2022-06%29/1036016/EBA%27s%20response%20to%20the%20Call%20for%20advice%20on%20the%20review%20of%20PSD2.pdf (Accessed on 15 February 2023).
EBA (2021). Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (‘The ML/TF Risk Factors Guidelines’) under Articles 17 and 18(4) of Directive (EU) 2015/849. Available at: https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/963637/Final%20Report%20on%20Guidelines%20on%20revised%20ML%20TF%20Risk%20Factors.pdf (Accessed on 22 March 2023).
GreenbergTraurig (2020). New Open Banking Regulation in Mexico. Alert – Financial Regulatory & Compliance. Available at: https://www.gtlaw.com/en/insights/2020/6/open-banking-en-mexico-nueva-regulacion (Accessed on 23 March 2023).
Hong Kong Monetary Authority (2018). Open API Framework for the Hong Kong Banking Sector. Available at: https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2018/20180718e5a2.pdf (Accessed on 22 March 2023).
Kassab, M., and Laplante, P.A. (2022). Open Banking: What It Is, Where It’s at, and Where It’s Going. Computer, 55: 53-63 DOI: 10.1109/MC.2021.3108402.
Leong, E., and Gardner, J. (2022). Open Banking in the UK and Singapore: Open Possibilities for Enhancing Financial Inclusion. Journal of Business Law, 5: 424-453. DOI: http://dx.doi.org/10.2139/ssrn.4194256.
Natarajan, H. (2022). Regulatory Aspects of Open Banking: The Experience thus Far. European Economy. Banks Regulation, and the real Sector, this issue.
Open Data Institute (ODI) (2020). Open Banking preparing for lift off. Purpose, Progress & Potential. Available at: https://www.openbanking.org.uk/wp-content/uploads/open-banking-report-150719.pdf (Accessed on 23 March 2023).
OECD (2023). Data portability in open banking: Privacy and other cross-cutting issues. OECD Digital Economy Papers, No. 348, OECD Publishing, Paris, DOI: https://doi.org/10.1787/6c872949-en.
Parliament of Canada (2019). Open Banking: What it means for you. Senate, Ottawa, Ontario, Canada, K1A 0A4. Available at: https://sencanada.ca/content/sen/committee/421/BANC/reports/BANC_SS-11_Report_Final_E.pdf (Accessed on 2 March 2023).
Taylor-Kerr, A. J. (2020). Adopting Open Banking in Canada: An Analysis of Current Global Frameworks (Unpublished master’s project). University of Calgary, Calgary, AB. URI: http://hdl.handle.net/1880/114213
World Bank (2022). Technical Note on Open Banking. Comparative Study on Regulatory Approaches. Available at: https://elibrary.worldbank.org/doi/abs/10.1596/37483 (Accessed on 2 March 2023).
The CDR Treasury Laws Amendment (Consumer Data Right) Act 2019. Available at: https://www.oaic.gov.au/consumer-data-right/cdr-legislation (Accessed on 15 February 2023).
Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance).
Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC.
Hong Kong Monetary Authority (2018). Open API Framework for the Hong Kong Banking Sector. Available at: https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2018/20180718e5a2.pdf (Accessed on 15 February 2023).
Japan. Act No. 59 of 1981, as amended (Banking Act). Available at: https://uk.practicallaw.thomsonreuters.com/w-007-5339?transitionType=Default&contextData=(sc.Default)&firstPage=true (Accessed on 15 February 2023).
Mexico. DECRETO por el que se expide la Ley para Regular las Instituciones de Tecnología Financiera y se reforman y adicionan diversas disposiciones de la Ley de Instituciones de Crédito, de la Ley del Mercado de Valores, de la Ley General de Organizaciones y Actividades Auxiliares del Crédito, de la Ley para la Transparencia y Ordenamiento de los Servicios Financieros, de la Ley para Regular las Sociedades de Información Crediticia, de la Ley de Protección y Defensa al Usuario de Servicios Financieros, de la Ley para Regular las Agrupaciones Financieras, de la Ley de la Comisión Nacional Bancaria y de Valores y, de la Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita. Available at: https://www.dof.gob.mx/nota_detalle.php?codigo=5515623&fecha=09/03/2018#gsc.tab=0 (Accessed on 15 February 2023).
[1] The term ‘third party’ can be defined as ‘legal entities’, rather than supervised banks. More precisely, ‘third parties’ can be supervised banks and / or regulated companies, sellers, and other payment companies.
[2] The European Union countries follow the prescriptive approach. Japan, Hong Kong, Singapore, and Republic of Korea adopted the facilitative approach. Argentina, the US and China follow the market-driven approach. Lastly, Brazil, Canada, Russia, and Turkey are in the process of adopting their approach.
[3] Art. 108 of the Directive foresees reporting on the application of PSD2 to the European regulatory institutions, i.e., the European Parliament and the Council, the European Central Bank and the Economic and Social Committee. In October 2021, the Commission’s ‘Call of Advice’, which was addressed to the EBA, was aimed at gathering information about the repercussions of the PSD2. Art. 16a(4) of Regulation (EU) No 1093/2010 (EBA Regulation) establishes the EBA’s competence to give this opinion (see EBA 2021, 2022).
[4] In particular, EBA proposes for the Directive: (i) not to take into consideration maximum limits for the amount to block payers’ accounts if the transaction is known, but introducing some requirements; (ii) to clarify the regulatory treatment of transactions when the final and the initial transactions are different; (iii) to clarify the distribution of responsibility between TPPs and account service providers (ASPSPs) and between the issuing and acquiring PSPs when a secured customer authentication (SCA) exemption has been applied; and (iv) to clarify the terms ‘reasonable grounds to suspecting fraud’, ‘fraudulent act’, ‘gross negligence’ and others, to avoid legal uncertainty and/or applying inconsistently the Directive regarding unauthorized transactions.