Open Banking is all about the customer being in control of their data and funds. It gives them the freedom and flexibility to decide when and with whom to share their valuable information. However, as with all vibrant and progressive ecosystems, speed, security and ease of use will determine open banking's future success, along with the key issue of trust. Will end users trust the third parties they share data with, and trust their banks to keep protecting that data?
PSD2 Open Banking gives Payment Service Users (PSUs) the legal right to share their transactional account data with regulated third party providers (TPPs). For this to be possible, the 6,000+ Financial Institutions providing transactional payment accounts that can be accessed online have to put in place open banking APIs. These APIs give TPPs the access required to either make payments on an account holder’s behalf or view account data and funds, both of which require the account holder’s prior explicit consent. Access can only be denied if a TPP is believed to be unauthorised or fraudulent.
Open banking regulation has given rise to a new group of FinTechs who are seizing the opportunity to create innovative apps and products with the customer at the core of the offering. At the end of 2019, 240 TPPs from across the EEA and UK were regulated to provide open banking services. A year later, this figure had increased to 450 (excluding the thousands of credit institutions that are also able to act in the capacity of TPPs). The near doubling of newly regulated entities demonstrates user demand for the innovative products and services that these organisations are offering – it is now down to trust and security in the ecosystem, along with ease of use, to drive volumes.
The ability for TPPs, many of whom may be unknown to these Financial Institutions, to request immediate access to valuable data and funds presents many challenges and risks, all of which must be addressed without introducing friction into the customer journey. The main challenges are knowing whether a TPP is who it claims to be and whether it is regulated to provide the services being requested at the time of the transaction request. After all, these are the key factors enabling the bank to trust the TPP and to feel confident that the end user can trust it too. Knowing which markets within the EEA a TPP is authorised to operate in is a further challenge.
Financial Institutions have long been the trusted guardians of their customers' data and funds. Although the open banking model means the customer now has ultimate control of their data, it is still primarily the Financial Institution's responsibility to ensure nothing goes wrong, and it is likely to be held liable in any disputes that arise. There is also a very real reputational risk to the Financial Institution if something does go wrong.
Checking a TPP's identity, its current regulated status and the services it is requesting to perform are essential but not easy tasks. First, a Financial Institution needs to determine whether a TPP is who it claims to be. This is done by checking the PSD2 eIDAS certificate the TPP presents, which requires real-time access to the 70+ Qualified Trust Service Providers (QTSPs) who can issue such certificates. These eIDAS certificates contain the requisite information on a TPP's identity and are used to secure communications between Financial Institutions and TPPs. They are also used to digitally seal messages, ensuring the integrity of the content and proof of origin.
However, an eIDAS certificate can have a validity period of up to two years. During that time, the TPP's Home National Competent Authority (NCA) may have changed the TPP's regulatory authorisation status, for example by withdrawing a permission, and the certificate will not reflect the change. A decision based on the certificate alone therefore carries significant risk for the Financial Institution.
eIDAS certificates also do not contain information on the countries a TPP is authorised to provide their products and services into under passporting rules. This information is held on the TPP’s Home NCA Credit Institution and Payment Service Provider (PSP) registers. Between them, the 31 NCAs maintain over 115 databases and registers. Checking them at the time of a transaction request is paramount to prevent fraudulent TPPs from slipping through the net.
According to the Konsentus Q4 2020 TPP tracker, every country in the EEA had at least 75 TPPs who could provide open banking services. These may not all be Home regulated TPPs. Take, for instance, Germany, who had 35 Home Regulated TPPs in December 2020 but an additional 112 TPPs who could passport in their services. To do the requisite due diligence on all these TPPs would require having online access to all the databases and registers hosted by the NCAs regulating these TPPs. This means connecting to the 31 NCAs and interrogating over 115 separate registers in real-time, in addition to connecting with all the QTSPs who issue PSD2 eIDAS certificates.
When a Financial Institution is presented with an eIDAS certificate by a TPP and a real-time online connection can be made to all the legal sources of record, the Financial Institution can make an instant, informed risk management decision on whether or not to give the TPP access. All of this happens behind the scenes, without the end user even being aware of it.
As volumes increase dramatically over the next few years, fraud and other kinds of attack are bound to increase with them. Financial Institutions will face growing challenges in protecting end users' data and in ensuring that access is only given to those with the appropriate authorisations and permissions. A very real risk for them is the reputational one; after all, end users may not be that good at separating a reputational issue around open banking from broader issues around their banking relationship.
For Financial Institutions, maintaining trust in their brands is going to be crucial going forward, but the risks are going to increase if they have not locked down who can access end user account data and funds.