Open Banking is an initiative mandated by the UK’s Competition and Markets Authority (CMA) in 2017. It is intended to facilitate better competition in the banking sector by mandating protocols that facilitate the secure sharing of customer-related data of the nine largest banks in the United Kingdom (CMA9) with third-party providers (TPPs).
Open Banking is developed and delivered in the United Kingdom by the Open Banking Implementation Entity (OBIE). The OBIE was established by the CMA and is funded by the CMA9. The CMA’s UK Retail Banking Market Investigation Order 2017 (Order), which applies only to the CMA9, requires the CMA9 to provide their customers with the ability to access and share their account data on an ongoing basis with TPPs through the use of specified application programme interfaces (APIs). This compliments the reforms under the EU’s Second Payment Directive (as transposed in the United Kingdom primarily by the Payment Services Regulations 2017), which requires all payment account providers to permit open access to payment accounts for authorized TPPs, but which does not specify the means of access or prescribe the scope of access in any detail.
How Is Access Achieved?
The information sharing is achieved through APIs, which are software intermediaries that allow different applications to communicate with one another. Through the use of APIs, authorized TPPs can, with the relevant customer’s consent, access that customer’s information directly from banks. In particular, the CMA9 are required to develop certain standardized and open APIs pursuant to the Open Banking Standards (Regulatory APIs) so that it is easier for companies to develop new online and mobile applications.
How Is Security Achieved?
The Order required the OBIE to create security standards that include, in relation to confidential data, (i) authorization and authentication standards; (ii) standardized permission frameworks; and (iii) whitelisting as a system for approving TPPs. To this aim, the Open Banking Standards were introduced. All regulated providers must adopt the requirements contained within the Open Banking Standards. These include detailed security obligations covering the need for informed user consent, alignment with existing security standards, and the adoption of the “OAuth” model for authorization protocols. The OBIE also maintains the Open Banking Directory, which constitutes the “whitelist” of regulated providers as mandated by the Order.
API providers and users are expected to agree to the Terms and Conditions for API users/providers. These impose specific security responsibilities on API users and providers.
Further, API providers and users that are authorized by, or registered with, the UK’s Financial Conduct Authority or Prudential Regulation Authority will be subject to strict regulatory security standards.
Open Banking Example Use Cases
The following are some examples of current use cases supported by Open Banking:
- Personal finance – companies review customer spending data to provide insights into an individual’s spending habits (e.g., Yolt and Moneyhub)
- SME financial management – financial management software automates finance functions such as invoicing and cash flow projections (e.g., Xero, Intuit, and Free Agent)
- Open Banking as a service – companies provide Open Banking support to companies that lack the resources to do it themselves (e.g., TrueLayer, Token, and Yapily)
The following latest statistics evidence encouraging progress in the implementation of Open Banking:
- There are now 188 regulated providers, up from 104 at the start of 2019. The new total is made up of 123 TPPs and 65 account providers.
- There are currently 58 regulated entities that have at least one proposition live with customers. There were 17 at the start of 2019.
- Open Banking technology was used 180 million times in October 2019, up from 13.9 million in October 2018.
- The Open Banking Standard has now been implemented across 90% of the UK payments account market.
In order to further drive implementation, the OBIE intends to create “Premium APIs” that will sit above the Regulatory APIs. In contrast to Regulatory APIs, Premium APIs will be voluntary and will be allowed to be made under a contract. By allowing banks to determine the price and the contracting terms, this will, it is hoped, incentivize banks to develop their offerings further by providing them with a significant potential revenue stream, while supporting the development of new services beyond those that are mandated by the Regulatory APIs.
Digital IDs are also likely to be a part of the future for Open Banking. Debate continues on whether and how digital IDs should be created. Open Banking has the potential to support the formation of digital IDs. The standardized authentication mechanism that Open Banking provides could allow customers to access their digital ID regardless of where it is stored. Customers could therefore access different accounts without the need to remember numerous passwords and usernames.
A verified digital ID could also simplify the current Know Your Customer and Anti-Money Laundering requirements, and, consequently, simplify access to digital services and reduce operational burdens for financial institutions. If an agreed set of standards of any identification information is adhered to, a suitable digital ID accepted by one service provider could be used by another. This would remove the need for burdensome on-boarding requirements and alleviate consumer concerns about sharing personal data as the customer would control the information that makes up their digital ID.
As the UK’s Open Banking initiative approaches two years since implementation, a review of its progress demonstrates healthy and increasing implementation and adoption. As new products are released, and more consumers engage, the Open Banking ecosystem should progress further, improving competition in the retail banking sector with consumers now in control of their data.