I found an interesting article about Open Banking the other day (via FinTech Insider News). Its title is: Open Banking in the UK; a disaster in the making? No wonder it intrigued me. However, I clicked the article open and the first paragraph read:
When the CMA Order went live on 13/1/18, aside from the banks, there were no PISP authorised TPPs, there remain very few today, and there is no sign of a customer (PSU) facing service using APIs available on the open market. The question is why, the answer is simple – the authorisation journeys.
I really, really, really hate TLAs …
… always have and always will. The only reason people use TLAs is if they’re talking to their very narrow audience, as the author above is, or to confuse everyone else and make it sound as though their job is very complicated. You see it in banking, in technology, in all walks of life. It’s a great way to sound authoritative and confuse those who are not in the know. Yeuch!
Anyways, after that tirade, the article itself is actually very informative and interesting, if you can get through the TLAs. So, here’s the low-down, beginning with explaining all of these acronyms for those who are not inducted to the Open Banking world.
PSU is the Payment Services User or, to you and me, it’s us. It’s whoever is making the payment. It’s the user.
PISP is the Payment Initiation Service Provider. A PISP lets you pay companies directly from your bank account rather than using your debit or credit card, through a third-party such as Visa or MasterCard. A PISP needs your explicit consent before providing you with this kind of service.
AISP is the Account Information Service Provider. AISPs let you see all of your account information from different bank accounts in one place online or in a mobile app. AISPs can include budgeting apps and price comparison websites offering budgeting help and product recommendations. An AISP needs your explicit consent to provide you with these services.
TPP is Third-Party (Payments) Provider – I put the brackets as the terms are used interchangeably – and this could be anyone from Google to Amazon, from Stripe to Klarna, from RBS to Starling bank. In fact, many people predicted that the TPPs who would be most active would be other banks, and this might be true sometime … but not according to this article.
CMA is The Competition and Markets Authority who introduced the Open Banking laws in the UK in January 2018. Sharing in their own words:
In 2016, The Competition and Markets Authority (CMA) published a report on the UK’s retail banking market which found that older, larger banks do not have to compete hard enough for customers’ business, and smaller and newer banks find it difficult to grow and access the market. To tackle this, they proposed a number of remedies including Open Banking, which enables customers and small and medium-sized businesses to share their current account information securely with other third-party providers from January 2018.
This led to an FLA, a four-letter acronym: OBIE. The Open Banking Implementation Entity (OBIE) is the company set up by The Competition and Markets Authority (CMA) in 2016 to deliver Open Banking. Their trading name is Open Banking Limited, and they are governed by the CMA and funded by the UK’s nine largest banks and building societies: Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group and Santander. These nine banks are known as the CMA9 for this reason.
Then there are APIs, Application Program Interfaces, which I’ve blogged about often. APIs are plug-and-play code that allows you to drop a process into your online developments quickly and easily. A great example is Stripe which, with just seven lines of code, has allowed 1000s of firms to create easy online checkout services. There are many more, and it’s all about making things simple with code that is interchangeable between systems, services and providers.
Finally, there’s OAuth2, the Open Authorisation standards under PSD2 (Payment Services Directive, second version). The CMA9 under the Open Banking implementation are using the OAuth 2.0 technical standard and family of protocols as the standard of choice for API security. OAuth 2.0 is a mature, industry open standard that provides customers with a secure mechanism for allowing third parties (TPPs) to act on their behalf, without the need to share their login credentials. Once a TPP is authorized by the customer, it can securely access their data and interact with their bank account through APIs offered by their bank.
After all that explanation, you can now pop over to the Open Banking Space blog (you needed all of this preamble to understand what they’re talking about), and read their article about why Open Banking will be a disaster. Alternatively, read on …
The gist of what’s going on is that consumers can permission third parties to access their bank account data, under Open Banking and PSD2 regulations. This may be for convenience, e.g. making Amazon checkout services direct from your bank account rather than via your credit or debit card; or for information services, e.g. allowing Google to add mapping of your transaction data so you know where you spent money, as well as when; or for offers, e.g. allowing John Lewis loyalty program to access data and show you when they could have saved you money.
There is a whole range of activities that could benefit people, and these are well hyped in the articles cited in the Open Banking Space blog:
- Technology and Open Banking can end ‘horrendous’ paper trail
- Moody’s: Open Banking means higher leverage – FStech
- FCA: Open Banking “crossroads” for banking sector – Credit Strategy
PwC recently delivered a report on open banking – Open Banking market could be worth £7.2bn by 2022: PwC – PwC UK. Some notable points raised:
The principal growth areas are projected as account aggregation, analytics of expenditure and financial product comparisons. This is difficult to understand given that none of these areas is new – in fact the information is being delivered differently – that is all that has changed. And in most cases (relative to challenger banks) the data delivered is very limited, preventing innovation on these pre-existing services. The major market comparison engines pull richer data through a combination of private means and screen scraping, and have made clear that open banking APIs will not replace this in their current form.
‘The consumers most likely to share data tend to be young, urban-dwelling, high earners who are comfortable using technology and multibanking’. – sort of stating the obvious – most people in the UK are urban-dwelling, and open banking can only be accessed using some form of tech platform. PwC think account aggregation is important – you can’t use this unless you ‘multibank’.
“Open Banking is a potential game changer for individual and corporate consumers. It provides an opportunity to transform the public’s interaction and everyday experience with the financial services industry. But there are still many ‘hard yards’ to travel. Few disruptive propositions have been developed so far. This is unsurprising given that since the launch of Open Banking in January it remains unclear who needs to get an account information licence or a payments handling licence and how these licences may change in the future.”
Open Banking Space claim that these guys are all just hyping the action as, six months after the CMA ordered banks to open up to third parties, there’s not a single customer-facing service using APIs available on the open market in the UK.
Not a single one.
Because it’s too darned difficult for you or me as customers to get them set up. This is because to set up a TPP using APIs on your account, you have to go through an authorisation journey that the big banks, the CMA9, manage and, apparently, the permissions journey is horrible.
Multiple steps, requirements to recall opaque user IDs and static passwords / memorable words, needless repetition of the consent object, reliance on web journeys and the like all feature.
According to the Open Banking Space blog, the banks have a captive audience where the customer has no option but to accept whatever is put in front of them. This means that they get a terrible customer experience and give up on the idea of completing access to their account for TPPs, as it’s just too much effort.
The banks care little for the drop-off rates experienced by TPPs, and if anything will be happy to see the customer give up, as it will increase the likelihood of customer retention for the bank’s own services. This means that they will continue to maintain the market dominance that the CMA Order was trying to end.
The main point of the Open Banking Space blog is this:
If the status quo continues, both aims of payment initiation services developing, and an increase in competition as a result will have failed, partially as a result of design decisions taken by the very organisations subject to the Order.
All of the above applies equally to PSD2, which is why the FinTech community bleat often about its failure to dictate any design standards and, take note, from October 2017: