
Open banking is the idea that UK banks will have to shift from being one-stop-shops for financial services, to open platforms where consumers can start to embrace a more “modular” approach to banking.

This isn't some far off possibility though, as regulators in the UK and EU are forcing the banks to open up customer data to third parties in the form of secure APIs this year, creating more choice on where and how consumers manage their money. However, concerns remain around security and data privacy issues created by the new rules (detailed in the 'data sovereignty and security concerns' section at the end of this article).

The Competition and Markets Authority (CMA) issued its final order today to formally implement open banking. Alasdair Smith, chairman of the retail banking investigation, said: "Open banking will make a transformational change to banking for personal customers and small businesses.

"For the first time innovative and secure apps will provide personalised services and information to cover all financial needs in one place, and make it easy for people to find out what bank account is best for them."


So, instead of doing all of your banking through one or two firms, customers would have their current account with one provider and then bolt on other financial services like an insurance policy, ISA, mortgage and investments through other providers, all under the user interface of your choosing. This approach is also known as banking as a platform (BaaP).

Open banking: Regulatory requirements

In order for this to happen the banks will have to open up their data through application programming interfaces (APIs). Fortunately for consumers the CMA is forcing the banks to adhere to open banking standards by January 13, 2018.

The new rules state that banks must create open APIs so that customer data can be shared between organisations and be incorporated into third party applications in a common, consistent format.

The first stage will be open APIs for what the CMA calls product and reference data. This will allow developers to create price comparison services, or include ATM locations on their maps, for example.

This is due to be in place by the end of March and is something of a test run for the more confidential customer transaction data being opened up by January 2018. This data will allow developers to securely view things like transaction history to aid applying for a mortgage, or to alert users that they are at risk of becoming overdrawn, for example.

AIB Group, Bank of Ireland, Barclays, Danske, HSBC Group, Lloyds Banking Group, Nationwide, RBS Group and Santander are all currently working together to create that open API standard. In practice this should look like a set of documentation, development code and reference implementations that anyone can use, dramatically bringing down entry barriers for participation in financial services.

The advantage of this, as the CMA itself defines, would be: “Reliable, personalised financial advice, precisely tailored to your particular circumstances delivered securely and confidentially.”

This, presumably, will lead to a massive land grab from the big banks and from smaller challenger banks and fintech companies in order to provide customers with the best possible banking experience.

Matt Cox, head of insight and innovation at Nationwide Building Society, is a tad more sceptical though. "So when this thing launches do I think there will be an explosion of people using it? No," he told Computerworld UK.

"Traditionally you see a relatively consistent take-up profile, with early adopters and 5-10 percent of users waiting to consume this. There will be an adoption curve and the steepness of that will come down to how we as an industry get trust and security right."

As well as the CMA's new rules, banks are having to reckon with the overlapping European Commission's Revised Payment Service Directive (PSD2). This, similarly, forces European banks to open up customer data via a standard set of APIs.

The applicability of PSD2 post-Brexit remains unclear but commentators expect it to proceed regardless. The directive requires all member states to comply by 13 January 2018, a timetable the CMA is looking to match.

Bank of England

Mark Carney, the governor of the Bank of England, made a speech at the Deutsche Bundesbank G20 conference last week, where he spoke about the impending benefits and risks open banking could bring to the UK market.

He said: "Fintech’s true promise springs from its potential to unbundle banking into its core functions of: settling payments, performing maturity transformation, sharing risk and allocating capital. This possibility is being driven by new entrants – payment service providers, aggregators and robo advisors, peer-to-peer lenders, and innovative trading platforms."

"Aggregators, making use of banks’ Application Programme Interfaces (APIs), are providing customers with ready access to price comparison and switching services. New pro-competition policies are reinforcing this competition."

Carney recognises, though, that open banking will bring with it a series of risks for the market. "Specifically, while fintech may make conventional banking more contestable, improving efficiency and customer choice, the opening up of the customer interface and payment services business, could, in time, signal the end of universal banking as we know it," he said.

Open banking: What the banks say

The banks tend to be positive about open banking, in public at least, despite it posing a dramatic existential threat. A recent report by McKinsey titled 'A Brave New World for Global Banking' estimates that banks in Europe and the UK currently have $35 billion, or 31 percent, of profits at risk because of digitisation in general.

The report reads: "More severe digital disruption could further cut their profits from $110 billion today to $50 billion in 2020, and reduce returns on equity in half to 1 to 2 percent by 2020, even after some mitigation efforts."

Kevin Hanley, director of design and services at RBS, said during a roundtable event last year that the bank wants to position itself as “the bank of APIs”. He explained: “You see the disaggregation of banking services, the disintermediation of banking services, banking becoming more unbundled, more modular.”

“We are moving from an era of physical banking to a connected bank of digital services. This starts to re-frame banking and our role in it as much more of a composite where we both provide services and link to other services. So we become a platform for our customers to navigate around.”


Although Cox from Nationwide admits that the next 18 months pose a "challenging regulator agenda", he believes that "the regulations are well intended to drive the right customer outcomes."

These include the ability to "provide our members who have transactions data with us and money held with us to easily and securely get access to that data to use with whatever provider they choose," he said.

Lastly, David Beardmore, commercial director at the Open Data Institute (ODI), raises the concern that "open banking could become a compliance exercise where banks agree to do what they are told to do and parking it and forgetting about it. I don't think all nine banks think that way and I know for sure some fully embrace the spirit of open banking."

UK Challenger Banks

UK digital challenger banks like Atom and Monzo are well placed to thrive in this new open banking ecosystem. They have both acquired their banking licenses (Monzo is still on a restricted license) and both CEOs have spoken about becoming the open platform of choice for consumers.

Atom CEO Mark Mullen told our sister publication Techworld in December that its intention is to provide basic banking products for its customers -- like current accounts, mortgages and small business loans -- "and present them on an open platform."


Tom Blomfield, CEO at Monzo, started the bank with this strategy in mind. He wrote in an early blog post that "the bank of the future will be a marketplace." The post reads: “This is why [Monzo] has a singular focus— to build the best current account in the world—rather than selling dozens of different financial products. We can focus on what we know best, whilst offering our customers access to the best products and services from across the market.”

Monzo has exposed its APIs to third parties since February. Chief technology officer Jonas Huckestein wrote in a blog post: “We’ll allow developers to build applications that can request access to other customers’ data on an individual basis, using OAuth 2.0. For example, in the future you could make an accounting app that connects to [Monzo] and customers could authorise you to access their account to extract their expenses.”

Data sovereignty and security concerns

Matt Cox also confronted some of the interesting questions around customer data which will have to be assessed in the open banking era. “In a world where the data is freely available and the consumer chooses where to do their digital banking, this raises some interesting questions around accountability...This is something we will have to decide upon collectively as an industry," he said.

He added: "Practically we need to ensure security of that change of data...GDPR rightly ensures the way we get consent for sharing and securing that information is in line with what members [customers] expect."

Monzo CTO Huckestein is similarly aware of potential issues around data, writing: “There are several important questions around data security and privacy that need to be answered before we can allow developers to publish apps that can access other people’s data."

A major concern for the banks here is around accountability and liability in the case of a hack. Beardmore at the ODI also voiced these concerns, asking: "Who is liable if you hit the button and it goes to a scammer, where is the right of redress?"

In short, consumers will have to be very trusting that the APIs are working in a way that doesn't allow for criminals to embed themselves in-between the banks and the trusted third party apps.

There are already plans to 'whitelist' third parties that have appropriate security in place to protect against fraudsters. However, fintech companies have already raised concerns that the banks may impose unrealistic criteria for whitelisting in order to limit the number of approved third parties accessing customer data.

The Open Data Institute has published some of these concerns, and suggests that "an independent authority should be established to ensure standards and obligations between participants are upheld. This authority would govern how data is secured once shared and the security, usability, reliability and scalability of APIs."

"Individuals, businesses and governments must have an awareness of their rights and responsibilities when sharing or handling data. We need to be clear on what informed consent means in our ubiquitously connected world, and the responsibility for this falls on everyone."

Conclusion

So while 2017 may not be the year that open banking becomes widespread, it will be the year that we start to see if the technology works. Due to the strict timetable set by regulators, this year will see banks reckoning with open APIs. The proof will be whether the transition is a smooth one and whether developers truly embrace these new data streams and create applications that consumers actually want to use.

Traditionally, UK consumers have been extremely difficult to convince to switch things like bank accounts; 2017 will be the year we see if open banking can convince them otherwise.

Unfortunately, it doesn't seem that either the regulators or the banks have any concrete targets in place from which to define the success of open banking. How many people do they want to switch accounts? How much money do they want consumers to save? These are important measures of success that would drive everyone involved beyond simple regulatory box checking. Hopefully that is the next step after the technical steps have been taken.
