Author(s): Patricia Jackson
Date published: Jul 2017
SUERF Policy Note, Issue No 14
by Patricia Jackson¹, Strategic Adviser EY; Council Member, SUERF; Non-executive Director Atom Bank
In Europe regulation is driving open banking, with the Revised Payments Services Directive (PSD2) coming into law in 2018 and requiring banks to enable authorised third parties to extract data on a customer’s financial histories or to initiate a payment from the customer’s account. This creates the scope for a jump in financial intermediation to a digital future. Aggregators will be able to tell customers the trends in spending, trends in saving as well as detailed analysis of spending patterns. But it also opens the door to new and much more sophisticated money management services. Combined with artificial intelligence, the rich data available on a customer would enable product need to be predicted and exactly the right array of products in terms of price and characteristics to be offered to the customer. The likelihood is that successful operators will be platforms offering products manufactured by a variety of players rather than just offering their own. Whether this future is realised to its full potential depends on the design of the regulatory framework that will accompany PSD2. In particular, will an open API framework be mandated, or will the water be muddied by allowing access to ‘scrapers’, who access the data not computer programme to computer programme but by ‘impersonating’ the customer, using their passwords etc.? This would create issues of lack of standardisation and reduced robustness and security.
The digital revolution raises a range of policy issues for the authorities. In Europe the move to open banking is regulatory-driven, but will authorities build a legislative framework which fully embraces the potential for future change?
There are also strategic challenges facing the industry itself. Will existing players move fast enough to take advantage of the new environment, or will new players gain an edge in some areas?
Traditional banking is under pressure from low interest rates, much higher capital requirements which have reduced ROE and resulted in pressure from shareholders,² new entrants, including digital players, and shadow banks. Yet, digital also offers opportunities for banks in terms of the way they interface with clients and internally reengineering processes to cut costs. The question is whether the intense cost pressures traditional banks are facing will deter the upfront spend needed to achieve long-term digital goals. Again new challengers with a more flexible architecture may benefit much faster.
Under the developing requirements in Europe, banks will be forced to embrace at least part of the digital world. European banks will have to build a new architecture such as open APIs to meet the new regulatory requirements, and they need to consider carefully the strategy which they need to follow to maximise the benefits.
Banks are facing considerable pressure on business models, and need to reduce costs and improve efficiency: cost-to-income ratios of the largest banks in Europe vary from around 55% to over 90%.³ However, costs cannot be brought down significantly without a full streamlining of operations using digital. For example, banks are experimenting with blockchain, have already moved to robotics for various repetitive processes, and are developing cognitive systems using artificial intelligence as well as smart analytics.
Open banking, which is about the external environment, is also a market opportunity. It changes the way that banks can interface with their customers and the range of products offered. It is also a threat. It will provide a framework for a wider variety of players outside banking to engage in a revolution around personal and small business finance. The thinking behind open banking is that it will enable banks’ customers to use the banking services to which they have access, in the context of other fintech services – literally integrating banking and wider cutting-edge services.
A core part of open banking centres on the standardisation of how banks share customer data with third parties at the customer’s request, for use in new third party services, in a secure way. Banks develop products and distribute them. In the future, with open banking, they could partner with fintechs over the creation of new products; or fintech firms could create new products that would be distributed by either the bank or the fintech. The authorities leading the regulatory change envision that it will lead to more customer choice and enhance competition – driving lower cost and a wider scope of services.
With bank customers increasingly using digital channels such as internet or mobile banking, this is an extension of the current journey and takes the industry towards integration of a range of bank and non-bank players into a wider network of services. However, it is a path that requires rules and standardisation. Without standards there would not be interoperability, making cross-company integration cumbersome and substantially reducing the potential for substantial change.
In Europe, regulators are driving open banking. The Revised Payments Services Directive (PSD2) requires banks to enable customers to authorise licensed third parties to access their transactions history. It also requires banks to enable third parties authorised by the customer to initiate payments from the customer’s bank account to another party through use of dedicated interfaces such as application programming interfaces (APIs) – direct channels into the bank. Open APIs enable banks to connect with their customers in a different way, and to connect with new styles of player to offer different services. APIs are the interfaces between software applications within an organisation, and between one organisation and another using a standard set of requirements which make the interface easy to use and protect quality.⁴
PSD2 provides the way forward for a variety of players to aggregate a customer’s information across all their different bank accounts – analysing spending, total savings and so on. PSD2 will come into force early next year, but with much still to be agreed, full implementation is likely to be delayed. The final impact is dependent on the full regulatory environment, including customer authentication, being in place, which currently seems likely to be early 2019.
PSD2 will create scope for new services, such as money managers offering a highly tailored service for customers. By using the data on the customer that will now be available from a customer’s bank accounts/credit card transactions, the money manager could use artificial intelligence to predict what products the customer needs and then find the exact array of products which offer the best features and terms, given the customer’s needs and circumstances.
The extent to which customers will be willing to give third parties access to all their financial data to support these services is unclear. Nonetheless there is quite a lot of evidence that customers are willing to share information if they can save money. This seems to be the case even with the current aggregators, which are using scraping techniques where they use the current passwords/credentials of the customer to in effect ‘impersonate’ them to acquire the data. In the US, aggregators such as Mint have been very successful at disintermediating banks.⁵ Mint started in 2010 and now claims it is acting as aggregator for 10mn users – providing a free service collecting customer information across different accounts and aggregating it. Mint customers can create budgets, know what payments are coming in, receive customised advice on actions to save money and receive a free credit score. Mint makes money from banner advertising on its website and from referral payments from financial services, products or credit cards that a customer takes up after advice from Mint. In Asia too banks and fintechs are looking at open banking to drive innovation.
The second major innovation of PSD2 is to allow third parties, for example merchants, to initiate a payment direct from the bank account of the customer through APIs – bypassing the need for a credit card transaction.
The move to open banking is likely to spread globally. For example, the authorities in Singapore and Australia have expressed intent to adopt open banking with use of APIs.
Fig 1 Open Banking APIs
The licensed third party at the request of the customer can use their APIs to talk direct to an array of banks via the banks’ APIs. The customer authenticates the third party with their banks.
Unlike the private sector solutions in the US and currently in Europe, PSD2 will provide a legislative framework requiring open banking. This is what gives rise to the policy choices. PSD2 is accompanied by the general data protection regulation (GDPR). This reforms the data protection requirements for companies operating in the EU which handle their customers’ personal data. PSD2 will also have its own regulatory technical standards set by the European Banking Authority (EBA). These standards were expected by January 2018 but two core standards are likely to lag by even as much as eighteen months. These are the standards around strong customer authentication, and common and secure communication. Both are critical parts of the design, and fundamental to the strategy of the different players and it is important that these are completed as soon as is practical. It is also essential that they are really effective while not hampering ease of use.
An important policy question currently on the table is whether PSD2 should require APIs to be used as the sole channel through which data could be accessed as originally envisioned, or whether current scraping techniques should also be allowed. Players currently using scraping are lobbying the EU Commission intensely to allow it in the future: a coalition of 62 fintech firms and lobbying organisations is fighting plans by the EBA to ban screen scraping from online banking interfaces on the grounds it would damage their business models.⁶ The EBA had been proposing to use the technical standards surrounding PSD2 to ban screen scraping.
Allowing screen scraping would change the end point of open banking. It also raises important cyber and other security questions which need to be addressed. Unlike using open API technology, scraping requires the ‘impersonation’ of the customer. The scraper acquires the passwords and account details from the customer, accesses the bank as if it were the customer, calls up the data required on the screen and collects and translates it so that it can be used by another application. Currently, the wave of activity from the ‘scrapers’ can appear to a bank as a hacker. Given the small number of current players and the set times of day when they seek information, this has been more or less manageable – although in the US, such problems have been substantial, causing some banks to produce APIs for scrapers to use. Once access to information by aggregators becomes a core part of financial services, the effects of scraping on cyber security could become unmanageable. It is also hard to see how a route that does not require mandatory use of an open API framework can meet the second PSD2 objective which is enabling the initiation of payments from a customer’s account, given the complexity of authentication in the payments area.
As important, with screen scraping it is impossible for a customer to limit the data to which the third party has access. Once the third party can ‘impersonate’ the customer they can access any information to which the customer has access. With an API framework, authorisation can be limited to a subset of the data.
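The contrast drawn in the two paragraphs above can be made concrete with a short added example, which is not part of the original note. It models a bank-side authorisation check for an API call made under a customer consent, next to a scraping login that presents the customer's own credentials. Every name in it (Consent, api_read, scraper_read, the account identifiers, the 30-day lifetime) is hypothetical and the data is constructed; it does not reproduce any bank's interface or the PSD2 technical standards.

```python
# Added illustration, not from the policy note. All names are hypothetical
# and the data is constructed; this is not any bank's or PSD2's actual API.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: everything the customer sees in online banking.
CUSTOMER_VIEW = {
    "current-001": {"balance": 1520.40, "transactions": ["-42.10 grocer"]},
    "savings-002": {"balance": 18300.00, "transactions": ["+500.00 transfer"]},
    "profile": {"address": "1 Example Street", "phone": "000-0000"},
}

@dataclass(frozen=True)
class Consent:
    """What the customer authorised one licensed third party to read."""
    third_party_id: str
    grants: frozenset      # {(account, field), ...}
    expires_at: datetime
    revoked: bool = False

def api_read(consent, caller_id, account, field, now):
    """Bank-side check on every API call: caller, validity, then scope."""
    if caller_id != consent.third_party_id:
        raise PermissionError("caller is not the party named in the consent")
    if consent.revoked or now >= consent.expires_at:
        raise PermissionError("consent revoked or expired")
    if (account, field) not in consent.grants:
        raise PermissionError(f"{account}/{field} is outside the consent")
    return CUSTOMER_VIEW[account][field]

def scraper_read(username, password, account, field):
    """Scraping path: the bank sees an ordinary customer login, so the
    password is the only check. No scope, no per-party revocation."""
    if (username, password) != ("alice", "constructed-password"):
        raise PermissionError("bad credentials")
    return CUSTOMER_VIEW[account][field]

def reachable(read_fn):
    """Return every (account, field) pair the given reader can obtain."""
    found = []
    for account, fields in CUSTOMER_VIEW.items():
        for field in fields:
            try:
                read_fn(account, field)
                found.append((account, field))
            except PermissionError:
                pass
    return found

NOW = datetime(2018, 1, 15, tzinfo=timezone.utc)   # constructed date
CONSENT = Consent("aggregator-A",
                  frozenset({("current-001", "transactions")}),
                  NOW + timedelta(days=30))        # constructed lifetime

def api_reach(consent=CONSENT, caller="aggregator-A", now=NOW):
    return reachable(lambda a, f: api_read(consent, caller, a, f, now))

def scraper_reach():
    return reachable(
        lambda a, f: scraper_read("alice", "constructed-password", a, f))

if __name__ == "__main__":
    print("API with scoped consent:", api_reach())
    print("Scraper with customer credentials:", scraper_reach())
```

Under the consent the third party reaches one field of one account, and the bank can end that access by revoking the consent; the only way to cut off the scraper is for the customer to change the password, which also cuts off the customer's other uses of it.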
The importance of an API architecture to ensure that the full benefits of open banking are achieved is underlined by the thinking of leading players across a wider selection of the industry. For example, Goldman Sachs has made clear that they are packaging everything they do around APIs.⁷ Goldman has built a data lake pulling in information from across the firm – transactions, markets, investment research, materials from emails, phone calls etc. Using artificial intelligence, their sales forces can decide who to call and what to offer them. The importance of the APIs is that they enable clients to access directly the data available in the lake. Goldman Sachs say they will have more than a thousand unique data sets available for clients. The APIs make access quick, usage can be measured and the impact on clients assessed. APIs are the standard way for computer programmes to interact with each other and this is what makes the API based solution much more robust and straightforward.
The same will be true of retail operations involved in open banking. APIs offer a sound mechanism to underpin the new architecture – enabling information to be pulled from different accounts of a client and payments to be triggered. The benefits for customers of a fully API-based model rather than a mix of API and scraping are substantial. The risk of the latter is that rather than one universal approach providing ease of use, some interactions based on scraping will fail or trigger cyber reactions in a bank where data is being extracted. Standard processes for customers will not be possible because firms using scraping will still need customer passwords to access customer data, rather than computers talking direct to each other through APIs.
Of course in this open banking world there needs to be protection for customers covering their data and their payments. GDPR provides some of the framework and further EBA rules will provide more. However, policy questions remain to be answered in this area too. Participants in the open banking architecture – those triggering payments through a customer’s bank or requesting information from a customer’s bank – will have to be licensed, but the details of this licensing regime have not yet been agreed. With regard to payments triggered by a third party, there are concerns about liability if the payment was fraudulent.
The bank which made the payment initiated by the third party has to make good the customer and then sue the third party. This raises issues about the stringency of regulation of the third party – who should be able to initiate a payment?
There is an important policy question about the size and structure of the open banking ecosystem. Will the regulators favour an ecosystem of hundreds of firms licensed to request data on customers from banks and initiate payments through banks or will they favour a small number of interface players who stand between the fintech companies and the banks? The fintech company with approval of the client would send an information request or a payment request to one of the 10 or so interface companies who would then access the information from the bank and transmit it back to the fintech or initiate the payment through the bank. The choices need to weigh up whether a particular approach might create barriers impeding the development of a flexible competitive market and whether it would provide the right incentives.
The whole process of certification of the third party and authentication by the customer of information and payment requests to a bank also needs to be worked out. This needs to be secure but not cumbersome. A mechanism which ensured authorisation and certification at the same time would be much more streamlined. The policy decisions taken are critical and will affect the extent to which PSD2 heralds a new style industry.
Fig 2 Open Banking using scraping
Winners and losers
The changes brought by PSD2 will alter the value chain in banking for retail and SME products. The credit card value chain is likely to be undermined over time by the ability of licensed third parties to trigger a direct payment from a customer’s bank account.
Organisations that are quick to embrace the scope to aggregate information from customers’ accounts and use artificial intelligence will be able to offer customers savings in search time and cost when selecting a wide range of products, assessing the appropriateness of products in a much more granular way reflecting the richness of customer data to which they have access. An example here is Yolt, an ING tool being tested in the UK, offering the customer a comparison of bank account fees, interest rates, cost of energy contracts, and insurance. The new landscape will offer customers the benefits of money management and price comparison. Using artificial intelligence a customer’s needs can be predicted.
Fig 3 The platform of the future servicing an SME
Example of a platform providing a single point of contact for an SME – linking to services through APIs. Links and execution through APIs could include a wide variety of products including FX, insurance and accounting services.
The net effect is likely to be a move to a much more fluid banking and financial services model, with many more customers willing to switch providers. This will mirror and progress the revolution that has already occurred in terms of retail insurance, where use of price comparison websites in the UK, for example, has resulted in much lower renewal likelihood on policies as customers search at each renewal date for the most advantageous product.
It is hard to predict the effect that this could have on traditional financial services or the speed. But both could be substantial. Amazon has shown the speed with which retail customers have been willing to adopt a new purchasing mechanism which offers monetary savings and greater convenience. Price comparison websites in the UK have also shown how quickly buying patterns for insurance or energy can change when better value can be achieved. Without regulatory impediments, and indeed with regulatory support through the design of the framework, this could snowball very quickly.
Over time, this could start to erode incumbents’ retail and SME profits. The major banks are fast building their own response, but the challenge is to move flexibly given their existing product ranges, processes and so on. An existing player will not want to offer products that undercut its existing services.
This creates major strategic questions for existing banks. How quickly should they move to build a new range of customer interfaces, where they use the new potential to aggregate information rather than just being a provider? Or do they want to remain focused on their current products and customer interfaces, in which case they will be a provider, not a user, of the information available?
The whole process has the potential to create a tectonic shift in the landscape. However, the regulatory framework will affect the confidence in the new environment through the success of the protections built into it. Regulation will also affect potential development in other ways. Processes of certification of fintechs (a digital ID for the third party) and authentication of information requests or payment requests by customers which are cumbersome will reduce take-up of new services.
Likewise, lack of commonality through not requiring use of APIs could also damage the rate of progress – particularly if the attempt to use scraping as well as open APIs results in failure of processes because cyber defences in the banks are triggered. This will become more likely given the expected sharp increase in data requests. It is also possible that existing and highly regulated retail banking markets may not benefit fully from the potential developments because other regulations stand in the way. The choice of how fintechs can interface with the banks, directly or through special intermediaries, could also potentially create barriers keeping some players out.
The benefits from the standpoint of the authorities lie in the increased flexibility of services provided to retail and SME customers in particular and much greater competition between players. This will almost certainly result in improved pricing and choice for consumers. With services provided on the back of aggregation of data from different bank accounts, retail and SME customers will also be able to track expenditure patterns and savings more effectively. Another goal is to open up the payments world to greater competition.
About the author
This Policy Note is based on a presentation held by the author at the 44th OeNB Economics Conference in cooperation with SUERF in Vienna, on 29 May 2017.
SUERF Policy Notes (SPNs) focus on current financial, monetary or economic issues, designed for policy makers and financial practitioners, authored by renowned experts. The views expressed are those of the author(s) and not necessarily those of the institution(s) the author(s) is/are affiliated with.
Editorial Board: Natacha Valla (Chair), Morten Balling, Ernest Gnan, Frank Lierman, David T. Llewellyn, Donato Masciandaro.
SUERF - The European Money and Finance Forum
A-1090 Vienna, Austria
www.suerf.org