In our hyper-connected world, there’s no denying how important integration has become. Everything from calendars to the productivity suites we use daily seems to support an endless number of integrations.
And yet, within Canada, banking and the greater financial services industry have been slow to adapt to this trend. But with the coming of open banking in Canada, change is on the horizon.
The Basics of Open Banking
Open banking is built on standardized data sharing via APIs. It works to enhance data integrity and security for financial services organizations while encouraging innovation, promoting healthy competition, and empowering banking customers with greater control over their financial data.
Open banking is not without its challenges, from cost and complexity to regulatory compliance.
Since Canada began working to implement open banking in 2020, you’ll need to prepare for those challenges sooner rather than later. The good news is that although open banking is a fairly recent development for the Canadian financial services sector, other countries have had regulations in place for years.
By looking at how some of those countries have approached open banking, we can get a better idea of what to expect here.
Open Banking in the United Kingdom
The United Kingdom is widely regarded as the nation that led the charge into open banking.
In 2016, the Competition and Markets Authority published a report on the country’s stagnating banking market. That same year, the country required its nine largest banks to fund and establish the independent Open Banking Implementation Entity (OBIE).
Consisting of both industry experts and consumer representatives, OBIE’s responsibilities were as follows:
- Create a roadmap that ensures the UK’s top banks implement open banking in a timely manner.
- Devise the technical and security standards for the sharing of data and payment services with third-party providers.
- Collaborate with banks to develop and implement APIs based on those standards.
- Work closely with regulators to ensure all standards and controls align with existing customer consent, privacy, and data protection legislation.
The OBIE’s efforts eventually led to the development of the Open Banking Standard in 2017. Based on principles established in the European Union’s Second Payment Services Directive (PSD2), the standard has proved pivotal in guiding open banking’s global development. It functions as follows:
- A customer may give explicit consent for third-party providers to access their financial data either online or through a banking app.
- Third-party providers must register with the OBIE, at which point they can request access to the customer’s data through one of the standardized APIs.
- Once the bank authenticates the customer and validates their consent, it then shares that customer’s data.
- The third party may then use the customer’s data to provide a number of different financial services.
As of January 2023, six of the country’s nine major banking providers have implemented all roadmap requirements. Six million people now actively leverage open banking services in the UK, while over 200 companies and 70 account providers have products and services built on open banking. At the same time, the overall landscape of the UK’s finance industry has changed relatively little, with large institutions still holding the majority of the market.
It’s also important to note that the UK hasn’t pushed for adoption as hard as other countries, and it now runs the risk of being overtaken by the countries that originally emulated its Open Banking Standard.
Open Banking in the European Union
It’s no secret that the EU leads the charge on consumer-focused legislation. In a roundabout way, open banking is no exception. The UK’s Open Banking Standard was, after all, developed in tandem with and loosely built on a piece of European legislation — the Revised Payment Services Directive (PSD2), first introduced in 2015. Developed as an amendment to the original Payment Services Directive, which was introduced in 2007, PSD2 specifically targeted electronic payment services.
The regulation started to come into effect in 2018, bringing with it the following changes to the payment services market:
- Banks are now required to open their payment services to third-party payment service providers, enabling the development of new payment services.
- All service providers must implement Strong Customer Authentication for electronic payments and banking options. This means that transactions must be authenticated with at least two of the following factors, each independent of the other:
  - A password, PIN, or security key.
  - A specific system or device.
  - Biometrics, such as a fingerprint or facial recognition scan.
- Credit card numbers, expiration dates, and CVVs are no longer valid authentication factors.
- End users can now initiate online payments via bank account without requiring a credit card.
- In order to access a customer’s banking information, a third-party payment provider must have explicit consent. If the provider has consent, the bank must provide access.
- Within eight weeks of any direct debit transaction conducted through SEPA, the EU’s integrated payment network, customers are entitled to an unconditional refund.
- Payment service providers must be licensed by national regulators within the EU.
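As an added illustration (not part of the original article, and not code from any regulator or bank), the sketch below applies the Strong Customer Authentication rule from the list above: at least two verified factors from different categories, with card details never counting. The factor names, the `Factor` class and `sca_decision` are hypothetical, and "independent" is modelled simply as "belonging to different categories".

```python
from dataclasses import dataclass

# Constructed mapping of factor kinds to the three categories in the list above.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "registered_device": "possession",
    "fingerprint": "inherence", "face_scan": "inherence",
}
# Card details are explicitly excluded as authentication factors.
CARD_DATA = {"card_number", "expiry_date", "cvv"}


@dataclass(frozen=True)
class Factor:
    kind: str        # what the customer presented
    verified: bool   # whether the provider's check of it succeeded


def sca_decision(factors):
    """Return (allowed, reason) for one payment authentication attempt."""
    categories, rejected = set(), []
    for f in factors:
        if f.kind in CARD_DATA:
            rejected.append(f"{f.kind}: card data is not a factor")
        elif f.kind not in CATEGORY:
            rejected.append(f"{f.kind}: unknown factor kind")
        elif not f.verified:
            rejected.append(f"{f.kind}: verification failed")
        else:
            categories.add(CATEGORY[f.kind])
    if len(categories) >= 2:
        return True, "ok: " + "+".join(sorted(categories))
    detail = "; ".join(rejected) or "no second category presented"
    return False, f"need 2 categories, got {len(categories)} ({detail})"


if __name__ == "__main__":
    # Constructed attempts, including the failure cases the rule is meant to catch.
    attempts = {
        "password + fingerprint": [Factor("password", True), Factor("fingerprint", True)],
        "password + PIN": [Factor("password", True), Factor("pin", True)],
        "password + CVV": [Factor("password", True), Factor("cvv", True)],
        "device + failed face scan": [Factor("registered_device", True), Factor("face_scan", False)],
    }
    for name, presented in attempts.items():
        print(f"{name:28} -> {sca_decision(presented)}")
```

A password plus a PIN fails here because both are knowledge factors, which is the case a simple "count the factors" check would wrongly accept.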
PSD2’s impact on the payment services landscape — in which banks are major players — has been largely positive. It has introduced a great deal more competition and innovation into the market, and helped guide regulations around privacy and ownership in financial services. However, PSD2 has also been criticized for both its cost and its complexity for smaller payment service providers.
Open Banking in Brazil
Brazil’s approach to open banking has been a great deal more aggressive than that of other countries. For one, Brazil’s Central Bank opted for a one-year implementation roadmap. Introduced as part of a broader aid roadmap consisted of four distinct phases:
- Phase 1. Financial institutions standardize the way they store, deliver, and manage their data, and all products, services, costs, and service channels are made publicly available.
- Phase 2. Customers can share their data with institutions and service providers as they so choose.
- Phase 3. Customers can access financial services without needing to directly access the channel through which those services are provided.
- Phase 4. Non-banking financial products and services are now available to customers.
Brazil completed its rollout of open banking in December 2021. Though the country’s open banking regulations hit all the same broad notes as other frameworks, they also differ in a few key ways.
- Rather than a private entity or committee, the regulatory requirements and implementation plan for Brazil’s open banking framework were both developed by the country’s Central Bank.
- The Central Bank of Brazil maintains a consolidated platform through which it manages and facilitates data sharing between financial institutions and third-party providers.
- Brazil’s open banking framework has stricter mandates and requirements around encryption, as the legislation was introduced in tandem with the country’s new data protection law — itself a mirror of Europe’s.
Although Brazil’s open banking system is still relatively new, detractors have raised serious concerns about the security risks it may introduce. Third-party payment providers in the country are not typically held to the same security standards as they are elsewhere. Disaggregation of services further compounds this issue, as banks will have less visibility into customer activity and thus will also be less able to identify and clamp down on suspicious activity.
Open Banking in India
Because India has one of the world’s largest populations of underbanked people, open banking has the potential to be uniquely beneficial there. Managed by the Reserve Bank of India, the country’s open banking framework is itself part of a broader initiative collectively known as the India Stack. Essentially a collection of APIs intended to modernize India’s financial services sector, the India Stack consists of:
- An interoperable payments system.
- Universal digital IDs.
- Standards to facilitate transactions between banks, financial technology firms, and digital wallets.
- Trust-based access to financial data.
Although most Indian adults have their own bank account, commercial banks only work with the country’s 100 million wealthiest, leaving as many as 800 million people without access to services such as wealth management, insurance, and loans. Open banking promises to address this problem by reducing the cost of customer acquisition to near zero. This, in turn, will provide a massive boost to the country’s finance sector.
Currently, India’s open banking initiative is still in development, and the country has been continually refining its approach for the past several years. As is the case with Brazil, cybersecurity represents a significant challenge for open banking in India. To that end, the RBI has taken a strict approach to technical requirements and controls, though it remains to be seen how effective this will be.
Open Banking in Australia
Australia introduced open banking as part of the Consumer Data Right, a broadly-focused regulatory framework that allows consumers greater ownership over their data while also enabling them to share it with third-party service providers. Rather than simply applying to the financial services sector, the CDR also covers energy and telecommunications.
The CDR allows consumers to directly access their data, and to direct businesses to share that data with any accredited third-party service provider. This is a somewhat different approach from that of other countries, where the service providers are responsible for gaining consent and accessing customer data. The core idea behind this approach is to ensure people can get better deals on products and services through greater transparency.
Currently, the CDR has been adopted by all three sectors, and the Australian government is considering extending the regulatory framework to other sectors in the future.
Technical and regulatory complexity together represent the two most significant stumbling points of the CDR. Beyond the challenging development of standardized APIs, the CDR requires cooperation and coordination between multiple regulatory bodies across multiple industries, which has the potential to create significant confusion for businesses. Additionally, customers, particularly those who are unaware of the CDR, may share incomplete data with service providers, making it difficult for companies to effectively engage with them.
A Challenging Road Ahead
Based on what we discussed above, there are a few common threads where the challenges of open banking are concerned.
- Complex technical requirements which an organization may lack the expertise to fulfill.
- Confusing regulatory frameworks.
- Security risks created by increased data sharing and interconnectivity.
- Costly, time-consuming implementation.
Any one of these would be difficult to overcome on its own. Taken together, they can seem impossible to address. But they aren’t — or rather, they don’t need to be.
The right approach to security and risk management goes a long way towards making open banking easier to adopt. Indigo Consulting can help you prepare.
We’ll work with you to ensure your security, infrastructure, and operations are all where they need to be, and ensure you can de-risk in preparation for what may be the biggest market shift your organization will ever face.