The measures in the PSD2 (and in the UK, the CMA banking remedies) to open up consumer banking data to third parties will undoubtedly lead to new innovations and consumer benefits, but I see three challenges:
1) a potential gap between expectations on using open banking consumer data, and the reality of what is actually allowed
2) public understanding of data privacy/protection lagging reality
3) fragmentation in the ways banks publish PSD2 APIs.
FinTechs are excited at the prospect of aggregating and mining consumer bank data and banks are eyeing how they can use data of their competitors’ customers to market their own products to them. However, the PSD2 is prescriptive on how account data can be
used – only with the consent of the consumer, only for use by the third party given consent and only for the specific purpose consented to the third party. The EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and further limits
the use of consumer data – new rules include consent for data usage, rights to portability, erasure and to be forgotten, and new accountabilities for third party data processors, with wider data protection definitions, tighter principles and fines of up
to 4% of worldwide turnover for breaches. Open banking data may not be as freely usable as some expect, and its use comes with accountability and responsibility.
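The consent scoping described above, as an added illustration that is not part of the original post: a consent record binds the consumer, the one third party they authorised and the named purposes, and an access request outside that scope (or after expiry or withdrawal) is refused and recorded for accountability. The identifiers, purposes and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Consent:
    consumer_id: str
    third_party_id: str          # the AISP/PISP the consumer actually authorised
    purposes: FrozenSet[str]     # only these purposes were consented to
    expires_at: datetime
    withdrawn: bool = False      # the consumer may withdraw consent at any time

@dataclass(frozen=True)
class AccessRequest:
    consumer_id: str
    third_party_id: str          # caller identity as established by its certificate/token
    purpose: str                 # purpose declared for this particular access
    at: datetime

AUDIT: List[str] = []            # accountability: every decision is recorded

def check_access(consent: Optional[Consent], req: AccessRequest) -> Tuple[bool, str]:
    # Allow only if consumer, validity, third party and purpose all match the consent.
    if consent is None or consent.consumer_id != req.consumer_id:
        verdict = (False, "no consent on record for this consumer")
    elif consent.withdrawn:
        verdict = (False, "consent withdrawn")
    elif req.at >= consent.expires_at:
        verdict = (False, "consent expired")
    elif consent.third_party_id != req.third_party_id:
        verdict = (False, "caller is not the third party the consumer consented to")
    elif req.purpose not in consent.purposes:
        verdict = (False, f"purpose '{req.purpose}' was not consented to")
    else:
        verdict = (True, "allowed")
    AUDIT.append(f"{req.at.isoformat()} {req.third_party_id} {req.purpose} -> {verdict[1]}")
    return verdict

# Constructed sample: the consumer let one budgeting app read balances for 90 days.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE_CONSENT = Consent("cust-001", "tpp-budget-app", frozenset({"balance_check"}), NOW + timedelta(days=90))

def demo() -> List[Tuple[bool, str]]:
    reqs = [
        AccessRequest("cust-001", "tpp-budget-app", "balance_check", NOW),       # in scope
        AccessRequest("cust-001", "tpp-marketing-bank", "balance_check", NOW),   # other party
        AccessRequest("cust-001", "tpp-budget-app", "credit_scoring", NOW),      # other purpose
        AccessRequest("cust-001", "tpp-budget-app", "balance_check", NOW + timedelta(days=91)),
    ]
    return [check_access(SAMPLE_CONSENT, r) for r in reqs]
```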
Data privacy and protection in the digital age, and the implications of breaches, have not yet reached the level of public understanding they should have, with many people unaware of how the data they generate is being collected and used*. Technologists tend
to believe that to benefit from the digital age, you have to accept living with reduced data privacy. However, this is a convenient assumption, not a given. As Andreas Antonopoulos observes, if a company uses your private data, given up by you to get access
to its products, you become the product. Consumer understanding of data generation, consumption, privacy and security will eventually catch up with reality, and the new regulations will help this process by requiring explicit consent - but how consumers will
respond will not be known for some time. New business models that assume blanket consent and unrestricted use of consumer data may not be viable.
The draft EBA RTS leave it to PSPs to define their interfaces (APIs) to access accounts. PSPs recognise that it makes sense to collaborate to define common standards, and to build common processes and even infrastructure, for example on identity checking
and on checking the validity of authorised AISPs and PISPs. This collaboration has started, but it is happening at country level, which risks a fragmented approach to open APIs across Europe. This will impact merchants and other organisations planning to use
open banking APIs, leading to complexity and inconsistency.
Together, these challenges present the industry with uncertainty – on how to ensure data exposed to third parties is used properly and legally, on how third parties plan to use the data (what services will they provide?) and in what volume, on how consumers
will consent to use of their data, and on how to keep aligned with other PSPs on standards and processes.
To be compliant and relevant, PSPs (bank and non-bank) and FinTechs have to address these challenges. Core to doing this successfully is to launch open APIs as minimum viable products and to develop them as the market grows - keeping compliant with regulation,
collaborating on standards and, very importantly, keeping a finger on the pulse of consumer behaviours and expectations in managing consent.
In summary, to be successful in Open Banking and PSD2, the three Cs of compliance, collaboration and consent need to be implemented effectively. For Open Banking, there is a fourth C – commercialisation, but that can be the subject of another blog.
* as an example, if you have an iPhone, go to settings/privacy/location services/system services/frequent locations to see how your phone is tracking your location history (assuming you have not already turned it off).