
Understanding Global Open Banking Implementation Practices and Conventions

Updated: Jan 16




API Banking and Open Banking

With the advent of API banking, there has been a transition from traditional banking. API banking refers to a set of protocols that yields a bank’s services by combining the functionality of one application with another via APIs. API banking has impeded the market for payment and account information services. APIs have garnered noteworthy importance among banks and FinTechs. The process of sharing customer data through bank APIs is called ‘API banking’. One of the prevalent uses of API banking is open banking. Open banking is the standardisation of API protocols for banks so that they can converse in the same language. Open banking provides a common taxonomy for the smooth application of API banking. It renders API-linked ecosystems that can create and market compact offerings which would otherwise have been difficult for independent providers to cater to. That being said, open banking is a sub-system of API banking.


Open banking has become increasingly popular. Without even knowing it, we have been actively using open banking in various forms. Every time you use UPI for payment or use peer-to-peer payment solutions, you are enjoying the advantages of open banking. A study by Accenture, ‘Catching the Open Banking wave’, has revealed that $416 billion in revenue will be at stake as the open data wave arrives. The study was conducted on the world’s 20 largest economies, responsible for 75% of global GDP. With such high stakes, FinTechs, neobanks, big techs, and other non-traditional players are all gearing up to leverage banking incumbents for a stake in this emergent market. It has become imperative to understand global open banking implementation practices and the regulations that can help in the better governance of open banking.


What is open banking?

Put together, open banking allows free data sharing with the consent of consumers for aiding financial services. Since a large part of open banking is concerned with consumer consent, it encourages customers’ control over the data they generate. It involves Data Disclosers and Data Requestors. Data disclosers are large banks and credit card providers that render data access to data requestors, including price comparison sites, banks and financial service providers (FSPs), FinTechs, technology suppliers, and payment service providers (PSPs). There are 5 major open banking participants: the bank that builds APIs, the TPPs (third-party providers) that integrate with bank APIs, companies utilizing TPP services to offer solutions, end-users, and regulators.

A ‘Third Party Provider’ (TPP) is an authorized online service provider, an external party that has an alliance with the bank. It may not have a direct relationship with you but may be involved in the online transactions being carried out. TPPs are further classified into two types: PISP – Payment Initiation Service Provider and AISP – Account Information Service Provider. A PISP allows you to make online payments without using credit or debit card details. PISPs are not dependent on banks and are usually FinTechs, big techs, businesses that capture payment flows, and merchants.

An AISP has been given consent to view certain banking information of an account for a specified period. E.g., if you have given consent to an AISP to view your accounts at multiple banks, it can provide you with a consolidated view of your accounts across those banks. It can help with personal finance management and other services like subscription management, account aggregation and instant credit risk. Open banking has ushered in new opportunities beyond the field of finance as well: services like the Known Traveller Digital Identity Program (KTDI), being developed by the World Economic Forum, which would empower consumers to use their mobile phones as passports to verify their identities; services for realty users that tailor customers’ apartment and home hunting; and services for insurance service providers.

How is it emerging?

In the year 2016, the Competition and Markets Authority (CMA), UK, asked leading banks to provide third-party applications with access to data. The consolidated efforts subsequently brought PSD2 (Revised Payment Services Directive, 2018) which repealed PSD1 (2007) which introduced the concept of open banking to Europe, by requiring banks to utilize Application Programming Interfaces (APIs). It also introduced GDPR (General Data Protection Regulation) in the same year. Later, the CMA created the Open Banking Implementation Entity (OBIE) for standardizing open banking in UK retail banking.

In India, RBI launched the Unified Payments Interface (UPI) in 2016, which is contributing significantly to the rise of API banking in India. RBI has also set up ReBIT to enhance the cyber resilience of the Indian banking industry. For a better picture of geographical acceptance, the countries can be understood as forerunners and beginners. Forerunners are countries that are leaders because they have gone a step ahead by making a strong regulatory framework for adoption. These countries are the United Kingdom (UK), Australia, the European Union (EU) and Hong Kong. The UK and EU have reached the next level in the adoption of open banking, so much so that open banking has become analogous to these regions. The other set of countries, which are following a market-driven approach, includes the United States, India, Japan, Singapore, and South Korea.

However, China has presented an altogether different picture with its tremendous development of open banking. This can be attributed to numerous factors such as internet access, the willingness of the Chinese population to share information and the rise of direct banking. As per the EY study, 69% of the digitally active population uses two or more FinTech services. China already has wide acceptability of direct banking, which has provided banks with access to a huge customer base. Along with these, banks have started using API banking portals to rebrand themselves from just being a financial service provider to a technology and lifestyle partner. The EY study also found that 78% of China’s smartphone users have adopted mobile banking apps, more than any other country in the index. All this has happened while China has no regulatory or mandatory supervision for open banking, which the government is now planning to put into practice in line with Europe.


Regulatory Authorities

With seemingly limitless benefits, there comes the regulation part. Across the globe, regulation is built upon licensing or authorization of third parties, enabling third-party access to customer-permissioned data and, most critically, consent requirements and implementing data privacy and disclosure. While in most countries open banking regulations are at a nascent stage, data privacy has taken the forefront. Specifically about open banking, there are two major regulations: the EU’s Payment Services Directive (PSD2) and the UK's Open Banking Standard. However, some countries have come up with a stringent version of data protection, like the General Data Protection Regulation (GDPR) in the European Union and the European Economic Area, the Personal Data Protection Act (PDPA) in Singapore, the Consumer Data Right (CDR) in Australia, and the FinTech Law in Mexico.

Apart from these, there are several other initiatives taken by various countries, like Electronic Payments Intermediate Service Providers (Japan), the Hong Kong Monetary Authority (HKMA) 4-phased Open API Framework, the USA Financial Data Exchange (FDX), the Singapore Financial Data Exchange (SGFinDex), and API Exchange (APIX). Rwanda is seeing a surge in the growth of financial technologies; Nigeria is developing API standards; and South Africa is pushing towards catching the trends in open banking. Bank Negara Malaysia (BNM), the central bank, has issued a Policy Document on Publishing Open Data using Open APIs. In South Korea, the Financial Services Commission (FSC) has proposed a three-phased plan for introducing open banking.

In India, RBI has set up Reserve Bank Information Technology Private Limited (ReBIT), a wholly owned subsidiary of the RBI for adoption by all regulated entities, acting either as Financial Information Providers (FIP) or Financial Information Users (FIU). Another prominent initiative by the government is India Stack. India Stack stands as the largest open API across the globe. India’s national biometric identification system, “Aadhaar”, was built using India Stack. Aadhaar is mandatory for KYC purposes by financial institutions.

The GDPR seems to be a bible for all the other regulations, as it has some of the most comprehensive and clear definitions of the rights of consumers, including the right to portability and the right to be forgotten and erased, along with precise information on sensitive data, which most of the Acts and recommendations do not have. However, the majority of regulations have focused on privacy protection and consent and have not given much importance to commercial aspects. Barring PSD2, which aims to enhance innovation and help banking services adapt to advanced technologies, no other country has brought up such regulation. The Australian regulation, CDR, is more in line with GDPR, focusing primarily on the safety of personal data.

What could go wrong?

The changes brought by open banking will pose different challenges to both consumers and banks. Open banking will pose a disruptive threat to banks. Banks have been operating in a closed structure with bolts on the information. Not just that, banks have to make transitions in their platforms to protect their competitive edge. Banks will have to change their ecosystem to embrace third-party FinTech companies, calling for a change in legacy systems. On the other hand, consumers will have a different set of concerns with the sharing of information. There are other issues, such as data consent that is incomplete or, in some cases, forged. Precisely, data protection and consent are the elephants in the room that are going to pose a tremendous challenge in shaping the future of open banking across the globe.

There are other challenges with regard to regulatory compliance, such as reciprocity, standardization and classification of data. Reciprocity implies that an organization willing to become part of an open banking ecosystem should also share the data it holds with other parties. This might seem beneficial from the consumer's side, as it leads to equal open access to information for all parties, while banks might suffer, as FinTechs might effectively take up banking functions while the opposite might not happen with the banks. So it is for the regulatory bodies to decide whether to provide for reciprocity or not and, if yes, to what extent. Standardising too is a tricky business. The regulatory standard should simplify the already complex system. It should not be so imposing that it curtails innovation, and at the same time it should not be so loose that there is a lack of direction. Arguably, the most difficult of all challenges is the data category. The definition of sensitive data as per GDPR might not have got the same importance in other regulations. There are various concerns about sharing silent party data. Other than these, banks hold certain financial statistical data; whether that is supposed to be shared or not is again a question. If the requirement is broad, banks might be skeptical. Therefore, a clear-cut regime on what can be shared in open banking needs to be established.

The Way Ahead

It took two decades and a pandemic for the world to understand Bill Gates’ quote, “Banking is necessary, but banks are not”. The pandemic led to the closure of banks for weeks and no one realised. The pandemic made a point of explaining the importance of various third parties and of opening data sources to make life convenient. Yet, it is difficult to imagine a world without banks. That’s why a standard policy on how banks should roll out their open banking program will be helpful. In all probability, open banking is likely to pose several challenges to the financial services industry. Countries everywhere are trying to cope with the new challenges. On one hand, the regulation should not prohibit innovation and development, and on the other hand, it should not deprive data subjects of their right of consent. The road to convergence seems difficult but not impossible. In the coming years, open banking will change the entire prospects of finance, not only for the retail consumer but for less explored corporate consumers as well.

About the Author

Dr. Raghuveer Kaur holds double master's degrees, one in Business Administration and the other in Commerce. She has a doctorate from IIT Roorkee and has worked for various start-ups. She has also co-founded a content writing agency. Currently, her area of interest is API banking & open banking.



References:


  1. https://www.accenture.com/us-en/insights/banking/open-banking-moving-towards-open-data-economy

  2. https://www.rbi.org.in/scripts/BS_SpeechesView.aspx?id=1107#:~:text=Globally%2C%20open%20banking%20regulatory%20frameworks,and%20disclosure%20and%20consent%20requirements.&text=These%20intermediaries%20are%20licensed%20as%20Non%2DBanking%20Financial%20Companies.

  3. https://help.bankline.rbs.com/help/other_services/third_party_providers/whats_a_TPP

  4. https://jemimabenson.medium.com/whats-the-difference-between-api-banking-and-open-banking-f3f0fd879dd3

  5. https://www.accenture.com/us-en/insights/banking/open-banking-moving-towards-open-data-economy

  6. https://www.investopedia.com/terms/o/open-banking.asp

  7. https://www.ey.com/en_in/banking-capital-markets/how-chinas-open-banking-experiment-is-unfolding

  8. https://thebankingscene.com/opinions/opportunities-challenges-of-open-banking-in-business-to-business

  9. https://www.microsoft.com/cms/api/am/binary/RE489V8


