With the official Open Banking kick-off date programmed for this weekend, it’s the topic of the moment. What will change with it? Is it safe to share customer data? How much information do banks need to give their customers?
Many banks have already missed the deadline, asking for extensions at the last minute, and what was originally set to be a full-steam-ahead approach to Open Banking looks now to be a more cautious, hesitant launch, on a considerably lower scale. So, come Saturday, what will change?
Let’s break down the above image. On the left-hand side, the dotted line shows what currently happens when we make a payment online: the customer pays the merchant, the merchant asks for permission from the acquirer bank (the financial institution that maintains the merchant’s bank account and enables them to process debit and credit card transactions). The acquirer bank passes the merchant’s transactions along to the applicable issuing banks to receive payment.
The continuous lines demonstrate the updated payment model including a payment initiation service provider (PISP). Third parties will be able to initiate online payments to an e-merchant or other beneficiary directly from the payer’s bank account via an online portal, cutting out the middle-man altogether. Banks, FinTech companies and large merchants would likely have capacity to provide such payment initiation services.
On the right, the image depicts a new, updated payment model including a account information service provider (AISP), showing how third parties will be able to extract a customer’s account information data including transaction history and balances going forward, and initiate an online payment to an e-merchant directly from the customer’s bank account, using an online portal. Banks have an important advantage over the competition - the element of trust. Banks strictly adhere to regulation and offer a less-risky option for the customer. Internet newcomers have fewer constraints and more is at stake, and as such, seventy-six percent of consumers are likely to choose traditional banks as their PISP over third-party PISPs.
With this change, banks will be faced with open banking concerns such as security, and how opening the floodgates, to all intents and purposes, will affect the stronghold they have traditionally had over their customers’ sensitive data. The customer will now decide with whom they share their data, but more importantly, whether to share it at all.
This is where SCA, or Strong Customer Authentication, comes into play: two levels of security ‘filters’ which, depending on the transaction, involve one or two authentication steps. To ensure optimum safety, transactions will now require two means of authentication and all payments and access to user data initiated by third parties will be closely monitored and controlled. SCA is essentially the implementation of identification mechanisms which allow banks to refuse third parties entry to customer data where necessary, and trace all third party transactions at all times. SCA puts access to financial data via web scraping firmly in check.
2FA, or 2 Factor Authentication, is considered to be authentication that is based on the use of two or more elements:
- knowledge (something only the user knows, e.g. password, PIN, etc…)
- possession (something only the user possesses, e.g. card, token), and
- inherence (something the user is e.g., biometrics)
Both elements should be independent from one another (so the breach of one does not compromise the reliability of the others) and SCA is designed in such a way as to protect the confidentiality of the authentication data. Both SCA and 2FA will require a prior verification process to filter third parties within the bank’s API marketplace, meaning banks will have to implement measures to ensure security, traceability and control to block unwanted or unlawful access to user data.
It shall apply to:
- Electronic payments initiated by the payer, such as credit transfers or card payments, but does not apply to electronic payments initiated by the payee only, such as direct debits.
- Any action through a remote channel which may imply a risk of payment fraud.
- Banks, to be in compliance with PSD2 regulations, will also need to provide a Sandbox testing environment to allow third party providers to join the bank’s marketplace and develop their financial services. PSD2 represents a strategic move by the EBA to create a freer financial sector in which all parties involved collaborate for the customer’s benefit.
SO, WHO BENEFITS?
For customers, having access to and control over their own banking data will mean increased options for choosing and using financial products, and better ways to manage their finances. The end-user also gains access to third-party services and products as a direct result of this growing competition, and as industry players reinvent themselves and their offering. For industry challengers, having access to open bank data, and clear, secure ways to integrate it with shared customer data, will mean they can quickly develop new, or better, products and services. For banks, being able to make their interactions with customers smoother and simpler will help them to find efficiencies, improve customer service and deepen their customer base.
So, the EU is happy, the customer is happy, but what about the banks? Open Banking will go a long way to providing the solution to banks’ main concerns or pain points: additional revenue streams, greater customer fidelity, reduced churn rates and above all, a better, fuller picture of their customers’ habits. “Forward-thinking banks will have better luck keeping existing customers and attracting new ones, as companies with public APIs had three times more online traffic growth from 2014 to 2015 than those without open APIs”, according to Apigee research.
A glimmer of hope for the bank? Much more than that, actually. By guiding how banking data can be better opened, accessed and shared, the Open Banking Standard will help developers to build services that are more targeted to meet the needs of customers, suppliers and other innovators in finance. Banks’ experience and in-depth knowledge of customers and their habits gives them the upper hand and puts them in a hugely advantageous position from which to reinvent reinvent themselves, and what it means to be a bank.