CMA writes to Barclays and Lloyds over open banking API breaches

CMA writes to Barclays and Lloyds over open banking API breaches

The UK's Competition and Markets Authority has written to Barclays and Lloyds about a series of failures to make accurate and comprehensive data on their products and services available through open APIs.

Under the Open Banking provisions of the Retail Banking Market Investigation Order 2017, big banks are required to make accurate, comprehensive and up to date product and service information continuously available through APIs so that third parties can use the data.

Barclays published inaccurate information 13 times, ranging from overstating the number of ATMs available to customers to posting the incorrect debit interest rates for its SME lending products. Several of the mistakes persisted for more than a year.

Lloyds breached the order 10 times, also through publishing inaccurate information.

In letters to both banks, the CMA says: "Failure to make continuously available accurate, comprehensive and up to date information on products and services can mean that consumers take wrong decisions and they may therefore choose financial products or services which are not best suited to their needs."

The banks have taken actions to address the issues, with Barclays introducing manual controls to check data accuracy and rolling out staff training on open banking API compliance.


Comments: (1)

Andrew Smith - RTGS & ClearBank - London, 22 March 2022, 18:18

Sadly these breaches highlight infrastructure challenges for these banks, and shouldn't be seen as something they may be doing on purpose.

When you have multiple sources of data being shared across platforms and to various different consumers of that data, you have to have a resilient event-driven model. Direct APIs are not the way to go; they are complex and put a large overhead on the bank.

Sadly these issues should also be taken into consideration when we talk about expanding open banking concepts to open finance. We cannot implement in a similar direct API fashion, because the burden will just become too much. Open finance must start to embrace the concepts of event models and event subscriptions...

Kill APIs if we want Open Finance – FinTechAndrew – The blog (wordpress.com)