What is open banking?

Open banking is the requirement for banks to share their customer data with authorised third parties for the development of new financial apps and financial services.

Open banking regulations have been in place since the introduction of the European Union’s Payment Services Directive 2 (PSD2) and have consequences for both banks and their customers, so it is important that financial institutions understand how to manage their compliance responsibilities in the new regulatory environment.

Why was open banking introduced?

Following the introduction of PSD2 in 2018, banks in the EU must open their customer data records to certain third party service providers: a regulatory practice known as open banking. Although it left the EU in January 2020, the UK has implemented PSD2 legislation, albeit with some technical differences, and open banking rules apply to UK banks in the same way.

Open banking requirements essentially cover all financial data that banks hold on their customers, including where, when, and to whom payments are made (information that would be included on an account or card statement). Third parties can then use that data to inform and develop their own financial products and offer competing financial services to customers. Example products might include apps that analyse customer spending habits for budgeting purposes, or services that examine customers’ financial behaviour and recommend suitable credit or debit card schemes.

Open banking seeks to make the financial landscape more competitive and innovative. By preventing established banking institutions becoming gatekeepers of useful customer information, smaller firms can gain a foothold in the market and deliver tailored financial services and products.

Authorisation and consent

It is not mandatory for customers to make their banking data available to third parties. Under open banking regulation, banks are required to share data only with the permission of the data owners (customers): accordingly, when customers sign up to a third party service or product, the provider must obtain their consent before requesting data from their bank. Consent must be obtained via some type of affirmative customer action, such as checking a box after reading associated terms of service. If a customer chooses to withdraw their consent, they may do so at any time.

How does open banking work?

After obtaining consent from customers, third party financial service providers interface with the data stored by banks via application programming interfaces (APIs).

While there are other ways to interface with stored data, APIs are particularly effective in the context of open banking because of the security that they offer. Rather than collecting data indiscriminately from customer accounts (a technique known as ‘scraping’, in which the provider logs in with the customer’s own credentials), an API lets a third party service request only the specific details it requires, without the customer ever revealing their login details. APIs therefore enable account owners to retain complete control of their banking information, and to revoke third party access at any point.
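The contrast described above, as an added illustration (example code written for this article, not any bank’s or PSD2 API): a scraping-style function that needs the customer’s password and returns the entire record, set against a bank-side consent registry that releases only the fields the customer agreed to share and refuses every request once consent is revoked. The account data, password, token and field names are constructed for the demo and are not terms from the article.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data for this illustration: the full record a bank holds
# on one customer, and the password that customer uses for online banking.
ACCOUNT_RECORD = {
    "balance": 1250.40,
    "transactions": [{"to": "Grocer Ltd", "amount": 42.10, "date": "2024-03-02"}],
    "address": "1 Example Street",
}
CUSTOMER_PASSWORD = "constructed-demo-password"

@dataclass
class Consent:
    provider: str
    scopes: frozenset   # the data fields the customer agreed to share
    revoked: bool = False

class ConsentRegistry:
    """Bank-side record of which access token maps to which customer consent."""
    def __init__(self) -> None:
        self._by_token: Dict[str, Consent] = {}

    def grant(self, token: str, provider: str, scopes: List[str]) -> None:
        self._by_token[token] = Consent(provider, frozenset(scopes))

    def revoke(self, token: str) -> None:
        # Consent can be withdrawn at any time; later calls with this token are refused.
        if token in self._by_token:
            self._by_token[token].revoked = True

    def lookup(self, token: str) -> Optional[Consent]:
        return self._by_token.get(token)

def scrape_with_credentials(password: str) -> dict:
    """Scraping model: the provider holds the customer's login and, once in,
    sees the whole record whether or not it needs every field."""
    if password != CUSTOMER_PASSWORD:
        raise PermissionError("login failed")
    return dict(ACCOUNT_RECORD)

def api_fetch(registry: ConsentRegistry, token: str, fields: List[str]) -> dict:
    """API model: release only consented fields, and nothing after revocation."""
    consent = registry.lookup(token)
    if consent is None or consent.revoked:
        raise PermissionError("no active consent for this token")
    outside = set(fields) - consent.scopes
    if outside:
        raise PermissionError(f"fields outside consent: {sorted(outside)}")
    return {name: ACCOUNT_RECORD[name] for name in fields}
```

A budgeting app granted `["balance", "transactions"]` can read a balance but is refused the address, and after `revoke()` it is refused everything; the scraper, by contrast, receives the whole record in exchange for the password.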

What are the benefits?

By freeing important financial data from the exclusive grip of banking institutions, open banking promises to deliver faster, simplified access to financial services. Moreover, given the pace of progress in the FinTech landscape, open banking also promises an array of innovative new products with the potential to change the way customers engage with their finances.

The specific benefits to products, services, and processes include:

  • Financial control. Third party apps offer customers greater control of their finances with apps that analyse spending habits, suggest more effective financial products, or help with budgeting strategies. Service providers may be able to build in greater levels of efficacy by integrating artificial intelligence systems that predict customer behaviours based on historical data.
  • Loan applications. By authorising lenders to access their banking information, customers may be able to streamline the loan application process. Rather than gathering necessary customer data manually, lenders can pull what they need quickly with an API and use it to make an offer. APIs can be used to streamline applications for both individual and business loans.
  • Accounting automation. Customers may permit third-party accounting services to manage their accounting needs, including filing tax returns. By automating the data collection process, accountancy providers may be able to offer their services with greater speed and efficiency, updating their systems automatically when payments are sent or received, and passing the savings on to customers.
  • Payment services. PSD2 authorises third parties to make payments on behalf of customers. In practice this means firms other than banks will be able to handle payments for customers, potentially introducing innovative new payment methods at lower costs.
  • Commercial competition. Since open banking is a relatively new concept, its commercial impact is still unknown. However, by introducing competitors to the banking sector along with a variety of new financial products, customers stand to benefit from new pricing frameworks and an environment driven by innovation.

What are the risks?

There are inherent risks in online banking which require financial institutions to implement a range of compliance measures. With that in mind, open banking cybersecurity regulations, such as the General Data Protection Regulation (GDPR), protect sensitive personal information and guard against its unauthorised use, while many jurisdictions maintain registries of authorised third party providers in order to help customers choose with whom to share their banking information.

If customers authorise their data to be shared with a provider that is not registered with a regulator, they face a much higher risk of exposing their information to malicious apps and criminal threats. Similarly, while banks and service providers are expected to implement cybersecurity measures in compliance with regulatory standards, the risk of hacking and data leaks can never be completely eliminated. Accordingly, customers must remain vigilant for potential threats, and service providers must be proactive about protecting data by keeping their cybersecurity solutions up to date.

Where is open banking available?

Open banking is still a relatively new commercial concept. While the UK, the EU, and Australia have facilitated the roll-out of open banking with robust regulatory support, other global jurisdictions, including the US, Canada, and Japan, have been slower, with legislation seemingly contingent on customer demand and a desire for competition. In the United States, for example, studies show that over 50% of banking customers want more control over their financial data, yet US regulators have been issuing only non-binding guidelines that allow banks to use their discretion when it comes to sharing data.

As the popularity of open banking services continues to grow, global regulators will face pressure to introduce more definitive data sharing legislation. With that in mind, banks should prepare to integrate API security considerations into their compliance solutions and work to explore the emerging commercial benefits of open banking.
