Banks are scared. They’ve seen the rise of the new world of open APIs, apps and analytics and know that their organisations are not yet ready or fit to change to that world. What to do?
Well, the easiest thing to do is to block access to the bank’s data. If third party FinTech firms cannot get access to the customer’s financial data, then you can severely limit what they can do.
Brilliant … and it’s just what banks are doing.
In the USA, there is a move by the big banks to get Washington to outlaw access to bank data based on security. The only person who should access bank data is the customer, the banks bleat. That would kill the industry as the likes of Venmo, LendUp and Betterment would be shut down.
Even with data access, the challenges are high. As the American Center for Financial Services Innovation (CSFI) writes:
Numerous industry participants and observers have voiced concerns that current methods of data sharing, which typically require the consumer to share his or her bank account credentials with third parties, are insecure and expose the various parties (including consumers themselves) to unknown liability in the event of a breach. At the same time, direct data feeds through Application Programming Interfaces (APIs) with a tokenized or alternative authentication method, a solution many favor as a way to eliminate credential-sharing, can be inconsistent among financial institutions, creating new challenges for fintech providers and limiting interoperability in the overall system. Moreover, the significant technical and legal costs that are required to build and maintain APIs and negotiate bilateral datasharing agreements can effectively exclude smaller financial institutions and fintech providers (and the millions of consumers they serve) from full participation in the data-sharing ecosystem.
While initiatives such as the Open Banking Working Group in the United Kingdom have created roadmaps for the design of open banking infrastructure, often in response to regulatory mandates, no U.S. guidelines currently address the unique complexity of our financial system. Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act grants the Consumer Financial Protection Bureau (CFPB) the authority to prescribe rules governing access to consumer data, but the CFPB has not yet formally signaled its intention to take up this issue.
Interesting that the CSFI should mention the CFPB as Richard Cordray, Director of the CFPB, made these remarks at Money2020 last year:
Many exciting products we see through the lens of Project Catalyst depend on consumers permitting companies to access their financial data from financial providers with whom the consumer does business. We recognize that such access can raise various issues, but we are gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make sure that such access, once granted, is safe and secure.
It is clear from my visits to the USA that the big banks want to block third party access to consumer data:
I blogged the other day about the American markets and how big US banks are lobbying the government to block third party access to data. This would block aggregators and other third parties from getting a looksee into a customer’s information store. Again, this is a fine line of balance. Access to customer data is all well and good, as long as that data is not breached or abused. Figures published in the UK this week, for example, show that identity theft doubled in the last year and this has to be a key concern. As a result, banks can use data fear as a reason to exclude third parties from data access. This has been tried as a method to exclude third parties from access to bank data under PSD2, although it failed.
Talking of PSD2, the second Payment Services Directive, Europeans are all agog at the idea of banks being forced to offer data access through Open APIs (Application Programme Interfaces). This comes into law next year, and means that any third party with a trusted licence – a lite form of regulatory approval – can ask for customer data and the bank, by law, must provide easy access to that data through plug-and-play software.
The UK has taken this a step further and created an Open Banking Framework that aims to ensure that “barriers to participation will be kept deliberately low to cultivate an engaged developer community”.
Great news … but it isn’t that simple.
No bank is going to just roll-over and give away their core asset: the customer; and by giving away the customer’s data, they might as well be doing that. As The Financial Times reports:
Banks have pressed regulators to tighten privacy and data protection rules for fintechs to prevent customers’ financial data being abused or stolen by cyber criminals. This has fuelled fintech industry fears that the banks will be given too much control over the channel by which competitors will access the data. They cite scenarios in which banks deliberately slow their responses to access requests or find other ways to interfere with the performance of fintech apps — an idea dismissed as fantasy by the banks.
A chief executive at one of Europe’s biggest banks admitted the threat posed by the fintech industry. “Clients will be told: ‘Come to me, you can do more things, all for free’,” he said. “But fraud is rising . . . and as this increases the desire of people to give their banking password to just anybody will fall quite quickly.”
The EBA insists safeguards will be built into the rules to ensure fintechs are not discriminated against. It will submit draft technical standards to the European Commission this month, after which Brussels will decide how to proceed.
Ahmed Badr, head of legal at GoCardless, a UK digital payments provider, said the bank lobbying could bring a limit to the number of balance inquiries a fintech can make each day, potentially crippling some start-ups’ business plans. Fintechs, “with less money to spend and fewer resources to send people to meetings, [could be left] exposed to having banks dominate proceedings”, he said.
The key headline on PSD2, according to Sebastian Siemiatkowski, the CEO of Klarna, is that “if it goes ahead as currently written it will not create open banking as the law originally envisaged.”
Roll on PSD3.
Meantime, the core headline here has to be where I started this blog update: banks are scared. Until European and American banks refresh their legacies, they will undoubtedly block, as far as legally possible, any technology challenger.
As the CSFI paper states:
Many financial institutions and important infrastructure players rely on older computing systems that limit their ability to implement and manage new technology such as APIs or consumer-facing dashboards. Solving these challenges will likely take time and significant investment on behalf of many industry participants.
Yep. And until that time and investment is completed, don’t expect the incumbents to provide Open APIs or Open Banking services.