Open Banking began on 13 January 2018 with the launch of PSD2. Industry pundits spoke about customers walking through a promised land of meaningful financial insights and competitive products, writes Aniruddha Maheshwari, payment consultant at Icon Solutions.
The new rules make it easier for consumers to compare services and switch to get better deals and more personalised products.
With the younger generation’s willingness to switch to an online-only bank, surely challengers would be looking to snap up customers? In turn, it was also an opportunity for traditional banks to play to the key advantages they already hold over their younger digital rivals.
Yet the big day came and went with less than a whimper. Only three large banks were ready with APIs on 13 January. At the same time, institutions are concerned about a lack of consistent standards, and question marks remain about critical issues such as data security and liabilities.
One year on, and nearly half (41%) of banks failed to meet the requirement for a testing environment, or ‘sandbox’, for third-party providers (TPPs). Given this, along with fears around the forthcoming strong customer authentication (SCA), permissions and data security, many argue that Open Banking is not just moving slowly, but is, in fact, introducing risk into the financial system.
This raises a question: is Open Banking a promised land or wild west?
Banking’s Wild West?
One of the biggest issues around Open Banking and PSD2 has been the nature of the technical standards, and key areas where standards do not exist at all.
The problem here has been a lack of alignment between the European Commission, which lays out the broad direction, and the European Banking Authority, which specifies and ratifies these standards. Due to differing views from each body, the standards are not really standards: they are more like guidelines, with significant room for interpretation.
On SCA, for example, the EBA has set a particularly high bar for use of authentication elements categorised as ‘inherence’. Devices and software provided to the payer to read inherence elements must possess security features (biometric sensors, for example), and these features must:
- Guarantee a “sufficiently low likelihood of an unauthorised third party being authenticated as the legitimate payment service user”, and
- Guarantee “resistance against unauthorised use of the elements” through access to the relevant device and software.
There is currently no guidance on the precise meanings of “sufficiently low likelihood” or “resistance”.
With so much open to interpretation, and most merchants unable to penetrate the payments jargon, many expect merchants to implement full two-factor authentication from the deadline.
Thus, there is a danger that the first time consumers really hear about Open Banking will be when they cannot buy with one click at Christmas. They will also need to authorise third parties to access their accounts by providing log-in details, despite 10 years of online banking guidance advising the contrary.
Confused? That is probably not what the regulators envisioned when devising PSD2 at the outset.
There is also a distinct lack of guidelines on permissions and consent for consumers granting access to third parties. While TPPs should be FCA-authorised, consumers may not be able to easily differentiate between those that are and those that are not without checking the official roster.