Open banking is defined as the sharing and leveraging of customer-permissioned data by banks with third party developers and firms to build applications and services, including for example those that provide real-time payments, greater financial transparency options for account holders, marketing, cross-selling opportunities. Individuals jurisdictions may define open banking differently.
Technology has connected the entire world. Through the internet connections and electronic gadgets the reach to information, services and products has become child’s play. The innovative technology has enabled the banks and the financial institutions the access the untouched market segments, people which remained unreachable. In the recent years, technology driven modes of financing, new financial business models, specialized financial services and products are emerging and driving Fin Tech innovation in areas such s P2P lending, wealth management, micro finance, smart contract, artificial Intelligence, machine learning based decision analysis systems and robo-advisory, etc. and have started to shape the regulatory engagements and discourse. Integral to this discourse are the issues concerning data sharing, data access and to a large extent data democratization.
In addition to the extensive focus on payments channels and transaction, accessing the financial data of the consumers is also looked on. Digital exchange of financial data can become the building block for new emerging service models, clearing inefficiencies in the process and venturing new product possibilities. Thus regulators acknowledge that enabling a simplified framework for the financial information data exchange has the potential to transform the financial systems and may lead to product innovation and provide better financial services to the consumers and end users. Therefore, the financial data access and distribution has significant implications not only for the concerned stakeholder institutions but also for future economic growth.
The Basel committee on Banking Supervision, November 2019, study report has observed that while sharing of bank-held , customer-permissioned data with third parties has been taking place for several years, increased used of digital devices and rapidly advancing data aggregation techniques are transforming retail banking services across the globe. This sharing of customer-permissioned data by banks with third parties is leveraged to build applications and services that provide faster and easier payments, greater financial transparency and options for account holders, new and improved account services, as well as additional marketing and cross-selling opportunities .
Such initiatives also raise the issue of whether financial institutions as holders of data of individual customers should act only as agents and whether they should have ownership stake driven by commercial considerations. It is quite clear that the right to data accessibility and uses should vest in the owners of data rather than the holders of data. Apart from this data democratisation, there are major concerns around transportation and storage of data in safe and secured manner enveloped within a consent-based architecture. Different jurisdictions are currently trying to address this need for a framework that allows efficient and secure navigation and enables use of customer’s financial data through different methods ; for example, by allowing use of open API frameworks within financial institution’s user applications. In India, we too have envisioned a similar ecosystem of account aggregators (AAs) to broaden the scope of financial data sharing.
Globally, open banking regulatory frameworks are structured to enable third party access to customer-permissioned data, requiring licensing or authorization of third parties, and implementing data privacy and disclosure and consent requirements. Some frameworks may also contain provisions related to whether third parties can share and/or resell data onward to “fourth parties”, use the data for purposes beyond the customer’s original consent and to whether banks or third parties could be remunerated for sharing data. Open banking frameworks may also contain expectations or requirements on data storage and security.
India has kick started its approach to Open Banking by enabling an intermediary which will be responsible for the customer’s consent management. These intermediaries are licensed as Non-Banking Financial Companies. In September 2016, Reserve Bank Of India , announced creation of a new licensed entity called Account Aggregator (AA) and allowed them to consolidate financial information of a customer held with different d financial entities, spread across financial sector regulators. In India, AA acts as an intermediary between Financial Information Provider (FIP) such as bank, banking company, non-banking financial company, asset management company, depository, depository participant, insurance company, insurance repository, pension fund etc., and Financial Information User (FIU) which are entities registered with and regulated by any financial sector regulator. The flow of information takes place through appropriate Application Programming Interfaces (APIs).
The transfer of such information is based on an explicit consent of the customer and with appropriate agreements/authorizations between the AA, the customer, and the financial information providers. Data cannot be stored by the aggregator or used by it for any other purpose. Explicit and robust data security and customer grievance redressal mechanisms have been prescribed and the Account Aggregators are not permitted to undertake any other activity, primarily to protect the customer’s interest.
Consent Based Architecture
The emphasis of regulatory framework for account aggregators in India is thus on explicit customer consent for data sharing. No financial information of the customer is to be retrieved, shared, or transferred without the explicit consent of the customer. The other tenets of these open banking initiatives in India are – financial data integrity, security and confidentiality, robust IT governance & controls, and strong customer protection & grievance redressal mechanisms. Further, in order to facilitate seamless movement of data and consent-based sharing of financial information in the AA ecosystem, a set of core technical specifications have been framed by Reserve Bank Information Technology Private Limited (ReBIT), a Wholly owned subsidiary of the Reserve Bank for adoption by all regulated entities, acting either as Financial Information Providers (FIP) or Financial Information Users (FIU) in November 2019.
In order to protect critical financial information of users and to enforce a mechanism for obtaining proper consent from customers, the consent of the customer to be obtained by the Account Aggregator shall be standardized electronic consent format as prescribed under regulations. The AA is required to inform the customer of all necessary attributes to be contained in the consent format and the rights of the customer to file complaints. The customers are also provided a functionality to revoke consent post which a fresh consent would have to be obtained. Explicit onus has also been placed on Financial Information Provider (FIP) to verify – validity of the consent, specified date and use of it and the credentials of the AA.
Different jurisdictions have taken a different approach on the issue of Open Banking. While some have adopted a prescriptive approach, requiring banks to share customer-permissioned data and requiring third party users to register with regulatory authorities, others have taken a facilitative approach by issuing guidance and recommended standards, and releasing open API standards and technical specifications. Some jurisdictions also appear to be following a market-driven approach, currently having no explicit rules or guidance.
The AA is a regulatory initiative in India under a hybrid model which is a combination of perspective & facilitative approaches and is in its early stages of development. One of the key things to look out for is whether the market forces will drive the adoption of this initiative or further regulatory nudge will be required. The pace of adoption will also depend on the strength of the community to come together and continue to drive the technical specifications standards and scalability potential.
Risk Associated with Open Banking
Open banking may offer benefits in the form of convenient access to financial data and services to consumers and streamlining some costs for financial institutions. However, it also potentially poses significant risks and concerns around:
- Financial privacy and data security : In open banking frameworks, risks associated with the loss or theft of personal data on account of poor security, data protection violations, money laundering and terrorist financing concerns cannot be ruled out. Therefore large scale adoption of open banking frameworks should ideally be preceded by strong data protection and privacy laws. Such laws should anchor the ownership rights and ensure control and consent-based ose of the data. They should also establish the boundaries of rights and obligations of third-party use, down-streaming of data to fourth parties and reselling it. India has already embarked upon the same and The Personal Data Protection Bill, 2019 has already been introduced. The Bill seeks to provide for protection of personal data of individuals and establishes Data Protection Authority for the same.
- Customer liability : In absence of explicit arrangements for redressal of customer grievances and limiting their liability in case of erroneous or fraudulent activity, the acceptability of open banking frameworks may remain limited. Therefore, the jurisdictions should look to address customer liability for third party access of data through customer protection r indemnity laws. Reserve Bank has issued Charter of Customer Rights in December 2014, which lists ‘right to privacy’ along with ‘right to grievance redress and compensation’ among others . the right to privacy requires that customer’s personal information should be kept confidential unless they have offered specific consent t the financial services provider or such information is required to be provided under the law or it is provided for a mandated business purposes.
- Cyber security and Operational Risks: Use of open banking architecture, which is premised on the enhanced sharing of data, increases the surface area for cyber frauds. As the open API provides uncluttered access to customer banking data such as transactions and balance stored within the infrastructure, it may also pose a severe cyber security risk. Losses caused to customers on account of cyber events would require financial institutions to compensate customers for such losses. Institutions may also face a variety of potential operational and cyber security issues related to the use of APIs, including data breaches, misuse, falsification, denial of service attacks and infrastructure malfunction.
- Compliance and Reputational Risk: While open banking expands vistas of traditional banking and offers unique business opportunities, it also reposes extreme responsibilities with respect to compliance with applicable prudential regulations and privacy laws. Risk arise due to exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements due to omissions and commissions of the third-party service provider.
- Grievance Redressal : With more parties and intermediaries involved in the provision of financial services in an open banking model, it is more difficult to assign liability. If the regulations governing customer grievance redressals are not updated to take open banking business models into consideration, the national authorities may find it difficult to provide the customers adequate levels of protections. In India, Reserve Bank has implemented a separate Ombudsman Scheme for Digital Transactions in January 2019. The number of complaints received under the Ombudsman Scheme for Digital Transactions (OSDT) have been consistently increasing reflecting increased adoption of digital modes of banking.
In addition to the above, open banking frameworks also present regulators with many challenges. In open banking, there can be wide-ranging third-party arrangements such as fintech firms, intermediary firms engaged in data aggregation and other service providers which may not have a contractual agreement with the bank over which regulators can exercise jurisdiction. Further, it may be possible that several of these firms may not fall under regulatory purview of any financial sector regulator. In such situations, it may become difficult for regulators to set requirements, specifications, and exercise regulatory jurisprudence.
In many jurisdictions, including India, outsourcing arrangements for banks and other regulated entities are covered under explicit regulations. Supervisors also have certain amount of oversight over the third-party entities. If the relationships in the open banking extend beyond the existing supervisory and regulatory parameters, the enforcement of standards and prudential policies may become difficult.
Open banking is a potential disruptor in financial system and may change the way of doing banking for both customers and banks. New pure tech-play entities have the potential to snatch market share from established but traditional financial institutions because they are technologically more advanced, digitally agile to cater to customer needs with higher efficiency, have better use interface and are more competitive in pricing.
In contrast to Open Banking initiatives witnessed in some countries, India has embraced an approach where both the Regulator and the market have collaborated for the development of the Open Banking space. In India Reserve Bank and National Payments Corporation of India (NPCI) came out with a payment system like Unified Payment Interface (UPI) and released its API for the banks and third-party app providers to build upon. The market participants are also driving innovation and many banks are releasing their own APIs and joining forces with the fintech companies to provide better experience to their customers. Moreover with the launch of Regulatory Sandbox and Reserve Bank innovation Hub, Reserve Bank’s approach has been that of encouragement and guidance.
At the same time, all stakeholders need to appreciate the fact that while technological innovation is of paramount importance, the customer privacy and data protection are not negotiable. We must generate trust amongst the customers that their data is safe and secure in all their financial relationships with regulated entities and for that – innovation and regulation should hand-in-hand. Regulators and Supervisors should also gear-up for the future challenges. Afterall, as the saying goes for (Regulators)……”while they can overlook the weather of the day, they cannot ignore climate of the era”.