Posted: 1st March 2018
First published by Thomson Reuters during February 2018
January saw the start of the mandated roll-out of Open Banking, a UK directive under the Competition and Markets Authority (CMA) designed to improve competition in the retail banking market. This followed the CMA's final report on its market investigation into the sector, published in August 2016.
Open Banking refers to the "opening-up" of customer account data held by banks and building societies. It allows other regulated financial services providers to access it in the spirit of providing consumers with a more cohesive service and greater choice as to who provides their payment or account services. Essentially, Open Banking will mean that consumers will gain greater control of their data, and who has access to it.
Under the Retail Banking Market Investigation Order (the CMA order), the nine largest current account providers will be expected to open their customer current account data to regulated entities should a customer explicitly request this.
One of the challenges facing Open Banking and the wider payments industry will be educating the consumer in a bid to drive the acceptance and take-up of new services. Due to the nature of services Open Banking will allow a third-party provider (TPP) to offer to consumers, there is a need for a collaborative approach by the industry to provide guidance and education.
This need is being addressed by a number of industry organisations collaborating with the Open Banking Implementation Entity (OBIE), including banks and building societies whose customers will be directly affected, Financial Fraud Action UK (FFA), the Financial Conduct Authority (FCA), and UK Finance, the industry's primary trade association.
With the emergence of the New Payment Services Organisation (NPSO) and the new architecture (the combining of three organisations which deliver cheque clearing, Faster Payments immediate payments, and BACS bulk payments), what the combined delivery will be to the end consumer is still unknown. Ultimately, it will deliver a new consumer experience which experience which allows the consumer to manage multiple payment/banking needs through one central interface.
The emergence of new customer propositions
The OBIE has achieved a first for Europe: the delivery of a national industry standard for payment account access. This challenge has attracted the attention of the sceptics who have unsuccessfully attempted to cast doubt on the new propositions.
The increasing competition in the market delivered by the CMA Order will create a new world of solutions and applications, providing fintech organisations with the ability to obtain a customer's data and deliver new, highly specific, customer-friendly products and services.
The OBIE's announcement (made on November 17, 2017) that it was extending its product delivery to ensure full adherence to the CMA Order has provided the TPP and "account servicing payment service provider" (ASPSP) opportunists with a greater platform for the development of new propositions.
Aligned with input from the consumer bodies, the OBIE will ensure a "CMA-compliant" solution whose standards and products will allow industry participants, old and new, to move funds securely and seamlessly. This will give consumers a greater choice in how to manage their accounts.
Relevance to PSD2
The development of the CMA Order and subsequent mandate for the UK's largest current account providers to develop industry standards for sharing data coincides with the introduction of the revised Payments Services Directive (PSD2). The pace of innovation in customer-centric payment products and services has increased significantly over the last 15 years, with developments such as Chip and PIN, Faster Payments, contactless payments and smartphone payments.
In addition to other mandatory obligations which PSD2 requires ASPSPs to meet, it also imposes the need to allow access to other regulated third parties to these accounts. PSD2 goes further in its requirements than Open Banking, but its timely introduction allows the ASPSPs to combine their compliance obligations, thus looking to the OBIE to deliver this with new product and services, supported by application programming interfaces (APIs).
The risk of Open Banking
The question of whether Open Banking poses a risk to consumers and their data has yet to be answered. The solution proposed by the OBIE increases the level of security by setting a firm standard for how data is communicated between parties.
Presently, propositions and solutions in the market are supported by "screen scraping": a method of allowing access to your account by relinquishing your security credentials. Until now, this was in contradiction to what the banks stipulated in their terms and conditions.
UK banks and building societies are now amending their terms and conditions, however, and removing this once highly regarded clause, which prevented consumers from sharing their account details.
Banks will now be unable to tell customers not to share their details, even though the primary risk from a payments dispute lies with the bank.
Are we at greater risk from fraud?
Fraud can arise in a multitude of ways, primarily via unreliable and criminal TPPs.
This is an item of discussion drawn from the many new TPPs (unfamiliar to the consumer) which will enter the market, both from the UK and other EU markets, and often with a minimal background in financial services.
The FCA, the UK competent authority assigned to PSD2, is required to authorise these new providers, but authorisation is not a cast-iron guarantee of their legitimacy. The other support offered in the UK is the creation of the OBIE, which provides standards to which the nine largest ASPSPs, and all TPPs, must adhere for open access to payment accounts.
Fundamentally, the threat is no greater than it has been previously. The new standards delivered by the OBIE, coupled with the forthcoming regulatory technical standards for strong customer authentication, will provide a greater barrier to fraud.
Additionally, the General Data Protection Regulation (GDPR) and future Fifth Money Laundering Directive (5MLD) continue to challenge fraud and money laundering. All in all, the opportunist fraudster may face a bleak future.
The mandate to be compliant
Firms must take discrete approaches to compliance with Open Banking and PSD2, despite some of the similarities covered earlier in this article.
Open Banking is a mandatory deliverable for the nine financial institutions outlined in the published CMA Order, whereas PSD2 is mandatory for all organisations providing payment services in the nominated European area.
The compliance requirements of both directives took effect from January 13 this year, with a number of the "CMA nine" requiring an agreed exception to the application of the order.
The resulting impact is not yet known, but the FCA is working tirelessly to support UK financial services in ensuring the best customer outcome from the multiple deliverables within the regulation. By comparison, the CMA has agreed a delivery plan for the few UK financial institutions which are currently not supporting its order.
Compliance no longer a "should" but a "must"
Open Banking promises to bring great benefits to the consumer. The challenge for firms is to identify emerging risks and put measures in place to manage them effectively and proactively. Fintech firms, challenger banks and the established banks and building societies have started this journey and are looking to enhance their propositions further as the development of Open Banking standards and products matures.
Adhering to multiple rules and regulations, complying with competent authorities, developing the capabilities, architecture and systems are just some of the obstacles which need to be addressed.
At the same time, firms must remain vigilant against the new opportunities for fraud and money laundering which could arise as a result of Open Banking.
Compliance is no longer a "should" but a "must", not purely to deliver in accordance with the regulation but also to deliver on the needs of the consumer.