Australian proponents of Open Banking who eagerly watched the UK launch earlier this year are likely to be feeling somewhat disappointed. Rather than setting the world of finance on fire, the concept has been met with a collective shrug.
Under the Open Banking rules that came into force in January, large UK banks are required to make customer data available to third-party financial service providers. The logic is that opening up data in this way will stimulate competition and lead to the development of a host of new products and services.
So, this begs the question: if consumers stand to enjoy some significant benefits, why has the reaction to the concept been so lacklustre? One explanation is that most remain unsure about what will happen to their data and what protection measures might be in place.
This is backed by research conducted by Ipsos MORI in November last year. It found that, while 63 per cent of UK consumers see the services enabled by Open Banking as ‘unique’, only 13 per cent of them would be comfortable allowing third parties to access their bank data.
For years, consumers throughout the world have been told to be careful with their financial information, be aware of who has access to it, and guard it at all costs. The message of Open Banking seems to go against this sentiment and so many are finding it confusing.
This is where more of the detail needs to be clearly communicated. While Open Banking does allow third parties to access customer bank account and transactional information, there are many checks and balances in place designed to protect against fraud and loss.
One of the most important is that a customer’s data cannot be shared without their express permission. Indeed, the PSD2 legislation on which Open Banking is built makes it clear that this permission must be explicit and in plain language.
Secondly, any processes or transactions must be authorised using strong, two-factor authentication. A customer’s identity needs to be confirmed using two identifiers drawn from the following: something they know (a password or secret answers), something they are (a fingerprint or voice recognition) and something they have (a registered mobile device or digital token).
Also, third-party service providers, whether they are Payment Initiation Service Providers (PISPs) or Account Information Services Providers (AISPs), must be registered by the UK’s Financial Conduct Authority. Registration will help to prevent fraudulent companies requesting data from banks and ensure legitimate service providers are held to high data protection standards.
As services based on the Open Banking initiative become more widespread and consumer confidence grows, it’s likely that existing negative attitudes will change over time. If consumers can see a benefit in sharing their financial data, more will be inclined to do so.
When it comes to issues such as data breach or fraud, financial service providers must handle them swiftly and put customer needs front and centre. If customers are protected and it is demonstrated they have legislative protection, more are likely to use the new services Open Banking enables.
The key here is education. Customers need to be informed about what Open Banking is, what it enables, the benefits it offers, and the protections that are in place. They also need to understand what to look out for to avoid unscrupulous parties who may try to rig the system.
Improving regulatory protection
Closely tied to Open Banking is the European Union’s General Data Protection Regulation (GDPR), which comes into force in May. GDPR will significantly tighten the control consumers have regarding their data and introduce greater financial ramifications on companies and organisations that do not adhere to the regulations.
Open Banking aligns with this because it is the consumer who has the control over whether their data is shared with third parties. In addition, the concept of the ‘right-to-be-forgotten’ enshrined in GDPR means that consumers can demand any data held by the third-party service provider be permanently deleted.
Also, because GDPR puts the onus of data protection on both data controllers (the banks) and data processors (PISPs and AISPs), it is in the interests of all to ensure that data governance and data protection strategies and technologies are of the highest quality. In short, the technology requirements to keep consumers’ financial information protected should be a given if organisations are GDPR compliant, thus giving consumers peace of mind.
Through adherence by banks to regulations and the provision of clear education campaigns, customers will come to understand the benefits offered by Open Banking and their concerns will dissipate.
As Australia moves down the Open Banking path, financial service providers here can learn a lot from the UK experience. Working to educate customers about the changes now will lead to better innovation and services