Dylan
November 20, 2023
Regulation

10 Challenges for Open Banking Regulators

Originally published: 11 October 2020
Updated: November 2023

With over 100 countries either implementing or planning an Open Banking framework, the movement is encouraging data-sharing in the global financial services industry.

Regulating Open Banking, April 2023

Open Banking promises a wide range of benefits, from financial inclusion to financial education in the community. It drives competition, reduces costs and paves the way for rapid financial innovation, which is why official bodies across the globe have chosen to implement this framework.

But establishing frameworks that ensure steady innovation, increased competition, equilibrium and consumer protection is nothing short of a Herculean task. In particular, a fast-paced market often leaves regulators behind the innovation curve. In order to propose, design, enforce and review their regulatory framework to the highest standards, official bodies need to take a number of factors into consideration.

So, what are the main obstacles that delay the arrival of widespread Open Banking regulation?

1. Data Privacy and Data Rights

While financial regulators have abundant experience in designing regulations and overseeing regulatory regimes, there is something different about the age we are living in. Now, all attention is on the impalpable asset with very tangible benefits: data. In simple terms, Open Banking is about granting consumers the right to choose who can see their data and how they use it.
It is a more secure alternative to screen-scraping, which requires a user's credentials to access their account in order to provide FinTech services.

The benefits of data-sharing have already been described exhaustively on the internet, and so have the risks. Open Banking creates a new entry point for cybercriminals: the Application Programming Interfaces (APIs) through which data is shared. Furthermore, there is often much ambiguity about where liability lies, with the bank or with the FinTech. As a result, Open Banking users can be vulnerable to data breaches, cybercrime and fraud when the regulatory framework fails to address and prepare for these issues.

Regulators know that their decisions could leave consumers with a Sword of Damocles hanging over their heads. For example, cybercriminals may now have a new way to deceive customers by posing as a certified FinTech company. To add to that, FinTechs are likely to have weaker security measures than banks and can thus become the weak link in the network. On a more technical level, there have been issues in the past with personally identifiable information being placed in API URLs, such as usernames, passwords and client IDs, where it ends up in logs, browser histories and referrer headers.

Aside from the new risks, there is also the question of making the framework compatible with existing data privacy regulations. For example, the EU's GDPR secures customer data but remains in contrast with Open Finance, making it difficult to navigate these two regulations and ensure compliance with both. Some regions have yet to implement a data privacy framework, which is essential for protecting consumers in an Open Finance ecosystem and thus a prerequisite for such an initiative. Regulators would benefit from researching past data breaches and common data privacy errors in order to protect the public from malicious actors and avoidable mistakes.

2. Balancing innovation with security

Security should be at the heart of Open Banking, but a good framework leaves enough space for innovation without trading away consumer safety.

At first glance, Open Banking may seem more of a threat than an opportunity. Any cybercriminal would dream of gaining access to customer banking data to perform all sorts of nefarious activities. Needless to say, successful data-sharing frameworks calculate this risk and include security measures that keep customer data safe. Regulators should define the vetting process and start thinking about where liability falls should something go wrong.

But it is not simple and linear. Some types of security issues can only be identified once market players actually start sharing data, and these new problems initially seem unforeseeable. However, there is a tool that fosters innovation while protecting consumers and market players from negative outcomes: the sandbox.

Regulatory sandboxes provide a controlled environment in which innovative products, services and business models can be tested under relaxed regulatory requirements. This prevents innovations from being stifled by heavy regulatory requirements and allows regulators to test the standards and services before implementing them. Regulators use sandboxes for various purposes, such as allowing FinTechs to test their applications, testing and future-proofing newly created standards, or monitoring FinTechs while they interact with real customers.

Regulatory sandbox regimes are cropping up around the world, from Africa and the MENA region to Asia Pacific. Regions are finding that the balance between innovation and safety may indeed lie in the sandbox.

3. Consumer Education & Trust

One of the greatest challenges is adoption. When the European public first got wind of Open Banking, there were very mixed reactions. Some believed that such a regulation would only increase the danger of data breaches and fraud.
Even Mick McAteer, a former board member of the UK's Financial Conduct Authority (FCA), shared his disapproval and doubts regarding Open Banking. As far as the general public goes, anyone who has read a 2019 article about Open Banking has seen comments decrying this new technology, and it isn't surprising.

The public's understanding of data privacy and risks has changed significantly over the years. The Cambridge Analytica Scandal in 2016, in which millions of Facebook users' personal data was used without consent to aid political campaigns, reawakened a concern for privacy that the public had long treated with scepticism. Consumers are now more aware that organisations with access to sensitive data may use it for other purposes, with or without consent.

Very few people knew about Open Banking when it first arrived. When they learned about it, it wasn't love at first sight. Even now in 2023, according to NTT Data, a whopping 84% of UK consumers don't believe Open Banking is safe, and 58% don't understand it. In countries where Open Banking is either in its infancy or not officially launched yet, understanding and trust are even lower. For example, a report by the Financial Consumer Agency of Canada shows that only 9% of Canadian consumers have heard of open banking. Even after learning what it is, only 15% felt that they would participate in open banking.

Of course, any new technology or process usually meets doubts and fears. The only solution, aside from implementing secure measures, is to educate the public and help them understand how it works and what the benefits are. That is why, for example, Open Banking UK launched a consumer-focused YouTube campaign providing content that explains the benefits of Open Banking and why it is safe.

4. Fast-changing landscape

Regulators often struggle to identify the risks posed by new technologies and the business models that they enable. Technologies can die quickly and are replaced almost instantly.
They can also transform at remarkable speed. Some say the cloud revolution brought us here. By removing barriers to entry and allowing equal access to computational power, the cloud has significantly accelerated innovation. So much, in fact, that regulators find themselves behind the innovation curve.

Regulations focused on technology are already complex to design, and regulators often lack the technical expertise to fully understand how to regulate in a way that neither stifles innovation nor leaves customers unprotected. What's more, regulators may design a robust framework to gain control over a certain type of technology or service, only to find that the service has changed so much that the new regulation is already somewhat out of date.

An example of this is the recent boom in Artificial Intelligence (AI). According to Stanford University's AI Index, until 2014 academia was at the forefront of releasing significant Machine Learning models. After that, industry started taking over. In 2022, ChatGPT broke the record for the fastest-growing application in history with 1 million users in just 5 days. By comparison, Instagram took 2 and a half months to reach the same user count. In general, Generative AI reached over 100 million users just 2 months after ChatGPT launched, a growth rate that beats both smartphones and tablets.

Chart from Insider Intelligence, 2023

The AI explosion in 2023, especially among younger generations, is in part due to the newfound availability of data, lower barriers to entry, and a better understanding of AI. Google Trends clearly shows interest in the topic shooting up in 2023.

Google Trends: AI Interest Worldwide 2004 – 2023

This is great news for the AI industry, but there is always a dark side to this speed. According to the AIAAIC database, AI incidents and controversies have increased 26 times since 2012.
For example, 2022 saw multiple deepfakes (including one of Ukrainian President Volodymyr Zelenskyy surrendering), 11 Tesla autopilot incidents, a chess robot breaking a child's finger, and the list goes on.

AIAAIC Database: AI Incident count 2010 – 2023

Although AI is the most relevant example, this also applies to fintech, especially applications that leverage advanced technologies. Moreover, cybercriminals are always devising new ways to steal data and ultimately money, so cybercrime is also in continuous evolution.

How can regulators keep up with such a fast-growing sector that is saturated with unknown risks? Innovation will always be a few steps ahead. But authorities can avoid trailing far behind by keeping abreast of the latest technology trends, consulting with experts in the field, and evolving their frameworks with the changing tides of innovation. As previously mentioned, authorities can also use sandboxes to monitor innovations and ensure they are always in the loop.

5. The Big Techs

Big Tech companies are confidently encroaching on financial services territory, blurring the lines between industries as they do, yet they tend to fall just outside the regulatory scope. Tech companies will eventually obscure the line between financial and non-financial regulation, creating either value or havoc, or both.

According to BIS, Big Techs have the potential to threaten financial stability. Their business is based on a mix of money-related and tech services, and they can leverage a vast amount of customer data, giving them a competitive advantage that can lead to a dangerous concentration of power.

BIS Working Papers – Big techs in finance

Their competitive advantages place them in a particular position. They can quickly dominate markets, as seen in China where big techs processed payments equivalent to 38 percent of GDP, and they can abuse customer data, as seen in the previous points.
Already, the likes of Apple, Google, Amazon, Alibaba and Tencent, among others, are expanding their financial services offerings. For example, Apple partnered with JP Morgan Chase to introduce Apple Pay in 2014 and didn't stop there. In 2019, Apple joined forces with Goldman Sachs to issue the Apple Card, then again in 2023 to provide a high-yield savings account with an interest rate 10 times higher than the US average, which reached $10 billion in deposits in just 3 months. Apple's offering now includes credit, BNPL, savings, credit rebates, and merchant payment tools. WhiteSight provides an in-depth analysis of this journey in its recent article: iPhone to iBank.

Google has been dabbling in finance for almost two decades now. After launching Google Wallet in 2011, the firm expanded into car insurance and mortgage comparison and even announced a partnership with a number of banks to introduce a new digital bank account. The plan was soon scrapped, though not for lack of opportunity. According to a Forrester report entitled Why Google Bank Won't Happen, Google will still disrupt financial services even without becoming a bank. The real value that Google will bring to finance lies in the integration of new FinTech services with its ecosystem of tools such as Google Maps, Gmail, Google Play and Google Now. By avoiding the regulatory burden of traditional finance, Google can stay on its disruptive path without incurring regulatory consequences. However, it still has the potential to combine transaction data with its own consumer data, and could ultimately become a financial hub.

These new Big Tech fintech services are complicated to regulate. BIS outlines two main reasons Big Tech disruption can make regulation more complex:

1. Their business models may require competition and data privacy regulations.
2. Welfare goals have to be considered, as opposed to focusing only on policy objectives.
As a result, regulation targeting Big Techs must take their unique features into consideration and mitigate new risks that are nonexistent or less prevalent in other institutions. For this reason, regulators are seeing the need to build broader frameworks that work across sectors, and even to design regulations specifically for Big Tech firms that embed and provide financial services.

6. The FinTechs

One cannot expect a small firm to follow the same framework as a large enterprise. Regulators must ensure a level playing field, not by enforcing the same rules for FinTechs as they would for banks, but by adapting the rules to the different organisational contexts.

Many regions are "loosening the leash" through the use of regulatory sandboxes, while some countries such as Germany have decided that no regulatory exceptions should be made for FinTechs. Such a double standard may appear unfair to traditional institutions, which have to deal with more regulatory pressure. However, the lack of regulatory guidance and high pressure may deter FinTech companies and hurt the country's chances of becoming a hub for innovation. Thus, some in Germany have identified a need for more regulatory leeway for FinTech companies.

The difficulty in regulating FinTechs also arises from their agility. Regulators will have to adapt their processes to monitor these faster and more flexible players. These qualities also create a challenge for bank/FinTech collaboration. While banks are large, slow and risk-averse, FinTechs are small, fast and innovative. These polar opposites will have to find some middle ground if they are to bring any value to consumers.

7. Traditional Financial Services Providers

There are two important factors to consider when it comes to traditional institutions.

1. Regulators have to decide which ones to regulate. This may seem simple at first, but is it?
When the Payment Services Directive 2 (PSD2) was first proposed, it focused on institutions offering payments and bank accounts. In 2023, the European Commission (EC) proposed a new framework for accessing financial data beyond payments (FIDA), thus including the wider financial system. By contrast, the Fintech Law in Mexico and Brazil's Open Finance set out to include additional financial services players, such as credit bureaus and clearing houses, from the start. To take it a step further, the Australian Consumer Data Right (CDR) was first introduced to the banking sector, but expanded in 2022 to include the non-bank lending sector and will continue to expand into other sectors such as telecom and energy. Including all financial services providers is ambitious and creates more opportunities for innovation, but going step by step is more cautious and allows regulators to adjust the initiative as they progress.

2. To encourage adoption, regulators should give thought to business incentives.

Financial institutions aren't often enthusiastic about sharing their data. Aside from security and technical challenges, it may seem that they are giving away a competitive advantage and losing customers to new players, especially if they aren't allowed to charge for API usage. For example, despite the initial reluctance, most UK banks now feel more positive about the potential of Open Banking, likely because they have worked through their obligations and now have a better view of the business opportunities. Open Banking use cases haven't always been clear and easy to imagine.

With FIDA, the EC enables data providers to seek compensation for implementing APIs, so as to at least distribute the costs of implementation. In the Middle East, after studying regional market opportunities, the Central Bank of Bahrain set out 8 use cases in the Bahrain Open Banking Framework (OBF). In Jordan, participating institutions are allowed to commercialise their APIs, though no rules have been specified yet.
Regulators must keep in mind that for traditional institutions, Open Banking is both an investment and a way to let in new competitors. Adoption will be easier if the incentives, use cases and business opportunities are made clear.

8. Terminology

As with any novelty, terminology is always an issue. There are always terms that need to be reconciled and definitions that need to be clarified. Because the field is so young, it isn't rare to find the same word used in completely different ways. For instance, even the term 'open banking' written in lowercase may refer to the practice of data-sharing, while 'Open Banking' in uppercase may refer to the regulation.

There have also been debates regarding the true meanings of Bank-as-a-Platform and Bank-as-a-Service:

Banking as a Service is commonly accepted as a model that enables licensed banks to offer certain capabilities as services. This allows non-banking Third Party Providers to integrate financial services into their own products.

With Banking as a Platform, the bank integrates third-party services into its own offering.

However, a brief search on the internet will show the range of definitions that both have been given. The financial services industry gets creative in describing what it can do with APIs, but isn't always able to reach a consensus on meanings. It is easy to see how semantics and even case variants could be a cause of misunderstanding.

What should be done if terms are coined by the sector? What definitions should regulators use? Finding common terminology facilitates communication between regulators and regulated organisations, as well as with neighbouring regions, and makes sure that all players are speaking the same language. But that is not where the interpretation difficulties end...

9. Lost in Tech Translation

Even when the regulations have been designed and promoted, the fintech community may have trouble receiving them. In other words, regulations are written for lawyers, not "techies".
IT departments expect libraries, toolkits, SDKs, and the technical terminology that they understand and are able to work with. For example, when it comes to defining guidelines, not enough focus is placed on the API. The UK provided the market with UX guidelines, but only at a surface level: the specifications referred more to the outcome and expectations than to the actual APIs. By consulting and collaborating with experts in the field, authorities can make their regulations developer-friendly and understandable.

And when the technical guidelines have been written, what then? How will you ensure community engagement and quick adoption? Regulators must have clear, well-maintained, and well-documented specifications that the market can easily access. This means relying on best practices for publishing API standards using open collaboration platforms such as GitHub, which most developers are acquainted with, so that technical teams know what is being asked of them. Of course, on the other side, TPPs must work with regulatory experts to understand the requirements for compliance. Collaboration with traditional institutions can also help in this regard.

10. Industry collaboration

If regulators want to release a framework that is easy to adopt and considers the needs of the market, collaboration will be key. First of all, regulators need to know what financial institutions and FinTechs need. They are very different organisations, and you will have to find some middle ground. Secondly, the market can work together to reach an agreement on technical standards, commercialisation rules, partnership agreements and liability.

For example, the Central Bank of Jordan has decided to leave the technical standard up to the market. On one side, this can mean a fragmented market, as in the EU. On the other, if the market manages to collaborate, it can result in a standard that is adapted to the local context and market needs.
During our work with regulators, it is common for us to launch surveys and interviews to understand what regulated organisations think about Open Banking, including their expectations and worries. This has always helped regulators understand what to prioritise and what to avoid, but most of all it helps set the scene for creating the framework. But, as we mentioned, the market is populated by many different institutions, and sometimes one organisation's wish conflicts with another organisation's need. Finding some middle ground for all actors, including the regulating institution, is a challenge.

Where to start?

A good way to start is by picking apart the open banking frameworks in other countries. The analysis of similar regions will produce insights that are relevant to the country in question. By examining the regulations, one can gain some inspiration to build a picture of a potential Open Banking regulation. Examples of questions that are highly relevant when examining other frameworks are:

- Why did they propose this framework? What is the objective?
- Who proposed it? Is it the same body that will supervise?
- Which regulatory model are they using? Commander, Advocate, Architect or Diplomat?
- And last but certainly not least: What are the weak spots of this regulation?

The early identification of vulnerabilities and flaws in a framework will prepare regulators for missteps and, hopefully, prevent them altogether.

The Regulatory Canvas

When advising regulatory bodies, the OBP team uses an essential tool: the Open Banking Regulatory Canvas. The Canvas helps regulators outline the key aspects of their framework. If you are at the start of your regulatory open banking journey, we suggest asking yourself these 12 questions.

1. What problems can Open Banking address in my region?
2. What's more important: the end goal or the way organisations get there?
3. Who should fall under the regulatory scope?
4. Should we tighten the reins or let them roam free? How strict should it be?
5. Will standardisation stem the tide of innovation? Who should be in charge of standardising?
6. Which services should we open up?
7. Who are we opening the gates to? Which types of companies should have access?
8. How will we assess and vet Third Parties?
9. If something goes wrong, who is liable?
10. Who are the major stakeholders, and who should pay for implementation?
11. Should we think about pricing, or should we forbid charging of any kind?
12. What is the most efficient way to oversee all of this?

That's it. 12 questions that can help regulators see their future Open Banking regime in their mind's eye.

Regulatory authorities aiming to transform their regions for the better through Open Banking and Open Finance will encounter hurdles. They will have to study Open Banking, introduce a feasible data-sharing framework, and ultimately decide the future of their region's financial services sector. Of course, there will be some regulatory hand-holding in the beginning. But regulators cannot carry all of the burden. Regulatory authorities, financial institutions, and new fintech players must collaborate to unlock the full potential of open banking data in financial services and bring benefits to their region.

Are there more important challenges to add to this list? What challenges do regulators face?