Is open banking doomed from the start?
The financial world is currently in the throes of implementing two landmark regulations aimed at making the banking sector more customer-centric, secure, competitive and innovative.
However, if you look beyond the headlines, it is clear there is a great deal of conflict between the Second Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR).
In simple terms the GDPR enshrines the individual’s right to own their data, while making businesses responsible for a greater standard of data privacy. Meanwhile the goal of PSD2 is to compel banks to share customer data with third parties, if this is the customer’s wish, heralding a new era of ‘open banking’.
With obvious tensions between making data more readily available on one hand, while ensuring it is more secure and private on the other, you would expect EU regulators to make specific reference to potential conflicts and offer guidance, but you would be wrong.
Neither regulation refers to the other, while PSD2 has just seven lines of text covering data protection and refers to the outdated data protection regulations of 1994 and 2001.
So what exactly are the risks consumers and banks are being exposed to? PSD2 compels banks to make consumer data available to third parties at the consumer’s request, but there’s no requirement for a contract between bank and third party. So, once data is handed over the bank has little control over how third parties use the data, operate or behave. For example third parties may:
- Use customer data to engage in miss-selling
- Use data in a way the customer has not consented to
- Enable hackers to bypass the bank’s cybersecurity controls
- Collect and sell customer data to other third parties
- Combine a customer’s social and transaction data to steal their identity
- Expose a bank’s systems to a denial of service attack, leading to severe difficulty for customers who need access to payment services.
Third parties will need a license to access consumer data, but due to the bank’s traditional role as keeper of sensitive information they face the biggest reputational risk if PSD2 goes wrong – even it is the third party’s fault. The bank will be damaged by association.
Despite all of these problems there are still lots of positive consumer-focused aspects to PSD2.
Open banking will enable customers to compare different financial products, shop around for the best deals and pick and mix services from multiple providers all from the same secure platform.
So, instead of customers doing their banking through one or two institutions, they will be able to take a modular approach – have their current account with one provider and then bolt on other financial services such as an insurance policy, ISA, mortgage and investments through other providers, all from the same secure app.
Third-party aggregator companies, making use of banks’ APIs, will also be able to provide customers with access to price comparison and switching services.
The advantage of all of this, according to the Competition and Markets Authority (CMA), will be “reliable, personalised financial advice, precisely tailored to your particular circumstances delivered securely and confidentially”.
This new approach is being put in serious jeopardy, however, by regulatory conflict. Without clarification from regulators, risk averse banks are likely to prioritise the data security requirements of GDPR over PSD2’s need to share, effectively snuffing out the new era of innovation and increased competition promised by open banking.