Open Banking

Ever since the digital revolution, many aspects of our lives have been digitized. Some took the form of websites, others the form of digital services, including banking and finance. Technological advancements also enable banks and other financial institutions to implement an open banking system.

Definition

The term “open banking” refers to a system where banks or other financial institutions allow third-party providers (TPPs) to access customers’ financial data (with the customer’s consent). Previously, only the bank and the customer could access the customer’s financial data. Even in the age of digitalized databases, this sensitive data remained inaccessible to third parties, aside from law enforcement, until just recently.

The open system was created so banks or other financial institutions can offer their customers a range of previously unavailable products or services, usually in the form of digital products and services available on other platforms.

On the customer’s side, the system enables them to bypass lengthy and tedious paperwork when applying for various services from other financial institutions. Since their data is already digitized in the bank’s system, the bank can, with the customer’s consent, share this data with the TPP using a highly secure communication protocol to avoid leaks.

In some cases, the government encourages the implementation of the system, albeit heavily regulated. In Europe, the revised Payment Services Directive (PSD2) took effect in 2016, mandating stronger customer authentication processes and requiring banks to open their payment services and customer data to TPPs. The regulation aims to drive the creation or delivery of new products and services to the customers.

In the UK, open banking is regulated under the Payment Services Regulations (PSRs). The regulation transposes the EU’s PSD2 into the UK banking system. However, the UK’s PSRs also include the Open Banking Implementation Entity (OBIE), established to standardize the system used across the nine largest banks in the country.

How the System Works

Three main factors form the core of the system: data sharing, the bank’s application programming interfaces (APIs), and customers’ consent. Because two of these factors are digital, open banking can only function effectively in digital ecosystems, typically in the form of mobile apps.

Three types of API are typically used in this open system:

  • Data APIs: give TPPs read-only access to customers’ data (account information, balances, and transaction history).
  • Transaction APIs: allow TPPs to offer payment services, transfers, and direct debits.
  • Product APIs: often used in online marketplaces or websites, they grant TPPs access to list their products, rates, and terms.

The open system enables customers to share their data with authorized TPPs through the bank’s API. However, the key to securing data transfer between the bank and the TPPs is in the customer’s hands. Although the bank has granted access to its APIs to the selected TPPs, data sharing can only occur after the customer has given their consent.
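
The consent gate described above, sketched as an added example (it is not code from this page or from any bank's API): a bank-side check that a TPP is authorized and that the customer's consent covers the API type being called. The names `authorize`, `Consent`, `Request`, the reason strings and the sample IDs are hypothetical, and the example assumes product APIs expose no customer data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

API_CATEGORIES = {"data", "transaction", "product"}  # the three API types above

@dataclass(frozen=True)
class Consent:
    categories: frozenset   # API categories the customer approved for this TPP
    expires_at: datetime
    revoked: bool = False

@dataclass(frozen=True)
class Request:
    tpp_id: str
    customer_id: str
    category: str           # "data", "transaction" or "product"
    method: str             # HTTP method of the API call

def authorize(req, authorized_tpps, consents, now):
    """Decide one TPP request; returns (allowed, reason). Denies by default."""
    if req.tpp_id not in authorized_tpps:
        return False, "tpp_not_authorized_by_bank"
    if req.category not in API_CATEGORIES:
        return False, "unknown_api_category"
    if req.category == "data" and req.method != "GET":
        return False, "data_api_is_read_only"
    if req.category == "product":
        # Assumption: product listings carry no customer data, so no consent lookup.
        return True, "no_customer_data"
    consent = consents.get((req.customer_id, req.tpp_id))
    if consent is None:
        return False, "no_customer_consent"
    if consent.revoked:
        return False, "consent_revoked"
    if now >= consent.expires_at:
        return False, "consent_expired"
    if req.category not in consent.categories:
        return False, "category_not_consented"
    return True, "ok"

# Constructed sample state: one authorized TPP, one customer who approved read access only.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
AUTHORIZED_TPPS = {"tpp-budget-app"}
CONSENTS = {("cust-1", "tpp-budget-app"):
            Consent(frozenset({"data"}), NOW + timedelta(days=90))}

if __name__ == "__main__":
    for r in (Request("tpp-budget-app", "cust-1", "data", "GET"),
              Request("tpp-budget-app", "cust-1", "transaction", "POST"),
              Request("tpp-unknown", "cust-1", "data", "GET")):
        print(r.category, r.tpp_id, authorize(r, AUTHORIZED_TPPS, CONSENTS, NOW))
```

The bank's approval of a TPP and the customer's consent are checked separately, so an approved TPP is still refused when consent is missing, revoked, expired, or limited to a different API type.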

The Benefits

The open system benefits banks by providing them with the opportunity to partner with select financial services and expand their mutual offerings in the digital realm. The value-added service provided through this partnership has been proven to improve each party’s customer retention.

For the TPPs, the system has driven competition and thus advanced innovation in the financial services industry, including enabling new business models such as Pay Later and soft loans. The valuable banking data shared by the banks also helps TPPs to build a better user experience.

Security Concerns and Mitigation

Even though the open system is heavily regulated, the risk of data breach or leak is still a major security concern. There is also a threat of a cyberattack targeting the bank’s database that could occur at any time without warning.

So, how do we mitigate these threats? The API itself runs over a secure communication protocol, often layered with end-to-end encryption. The encryption prevents parties with malicious intent from accessing the transferred data.

Furthermore, to add more security layers, the banking and financial services industries have begun to move toward a tokenized authorization framework known as ‘Open Authorization’ (OAuth). The framework allows banks to grant TPPs access to their customers’ banking data by means of a “token”, a coded string of information that has no value to a breacher.

In the past, banking data was kept confidential by banks for security reasons. In the digital era, the open banking system enables banks to secure and protect their data while sharing it with third-party providers through secure protocols, driving competition, triggering innovation, and exposing customers to additional products and services.
