Open Banking: A Reflection by Hogan Lovells
by James Black, Counsel London, Hogan Lovells
What a difference a few weeks makes. Back in March we were talking about Open Banking at the Innovate Finance global summit, with a focus almost exclusively on the UK, and a nod towards an emerging global trend. Less than two months on, and the list of countries actively exploring open banking solutions seems to be growing by the day. Some, like Australia and Hong Kong, are well advanced in their planning, whilst others are at much earlier stages, including countries such as Mexico, Belarus, Taiwan, Canada and a host of countries in Africa and SE Asia. All of which makes the issues discussed at the summit event even more relevant. The eyes of the world are on the UK, watching to see how Open Banking develops and to learn from its implementation, so now seems like a good time to look back and recall what we said at the summit about the key areas of remaining uncertainty.
The legal framework
For any open banking project to succeed, it is helpful to have a clear legal framework setting out the respective rights and responsibilities of the various participants, whether that is statutory or contractual-based such as a scheme. One of the difficulties in the UK is that we have not one but two such frameworks, thanks to the CMA Order stealing a march on PSD2 and requiring nine of the UK's largest account providers to open up access to product data and transactional data at an earlier point in time. The two items of legislation not only had different scope and different timelines, but also different approaches to how prescriptive they are about solutions. The CMA Order requires open APIs, and an independent body to deliver them, whilst PSD2 requires each payment account provider to open up transactional data but does not specify how. This leaves open to (lengthy) debate the extent to which third parties are permitted to access accounts using the customer's own credentials (screen-scraping). One of the biggest problems with screen-scraping, however, is that it is difficult to reconcile with the principle of data minimisation under the General Data Protection Regulation because there is no way for the customer to control the type of data to which access is granted – it is an all-or-nothing approach. That is an issue because it is far from clear that third parties should be able to see everything a customer can see. Which takes us on to…
The precise extent of access for third parties is unclear under PSD2. In particular, there has been debate since the first Directive in 2009 over the meaning of 'payment account' and the extent to which it includes savings accounts, for example. That debate is not resolved under PSD2 so payment service providers will all have reached their own separate conclusions on the types of account to which they have to grant access. This won't help third party providers, who face a bit of a lottery when seeking access to accounts as they won't necessarily know what they can see until they try, unless they are using the customer's credentials. And any that do use screen-scraping methods will of course need to have robust controls in place to ensure they access only the data to which explicit consent has been granted. Of course, it would all be much easier if everybody provided…
The Regulatory Technical Standards allow (and encourage) providers to make account information available via a dedicated interface – for example via APIs – and allow those providers whose interfaces meet certain standards an exemption from the requirement to maintain a backup interface based on screen-scraping. At the time of the summit, we noted that those standards (to be determined by the API Evaluation Group set up by the EBA) had yet to be set and that a lot was riding on them. We also noted that time was running out, as providers were already at the stage of having to decide whether or not they had to build the backup interface.
Since then, the Evaluation Group has published its interim findings. It is clear from those that the bar for the exemption is being set very high and involves an element of subjective assessment by third party providers. This raises concerns that providers may feel they have no choice but to start building a backup, since there is little guarantee of gaining the exemption in time. And if they are building the backup anyway, what incentive is there to build a dedicated interface as well? It remains to be seen how things will pan out, of course, but there is certainly a risk that this leads to a fragmented approach involving a variety of screen-scraping based solutions, interspersed with APIs for some providers and some products – a result which would ironically suit neither the account providers nor the third party payment service providers.
All of these areas remain uncertain to some extent, and that uncertainty has huge significance for the potential success or otherwise of open banking. For that reason, when regulators and providers elsewhere ask what the most important things are for them to be thinking about in the early design stages, these are invariably the key themes that come to mind. Any project that solves these problems will give itself a great chance of success.