What is Open Banking?
Open banking, in data terms, refers to the practice of opening up banking data and infrastructure to third-party providers through standard Application Programming Interfaces (APIs), so that customers can share their financial data securely with those providers. Open Banking is built on two fundamental principles:
- Data has value.
- The data, which the traditional institutions hold, belongs to the consumer and not to the bank. If consumers wish to use their information to access better products and services, it is their right to do so.
From a consumer perspective, it is intended to make banking more personalized, accessible, convenient, and smart. From an industry standpoint, it lowers the barriers to entry and innovation within the financial services industry.
It is a system that encourages financial institutions to share data securely with third-party providers, such as fintechs or other financial institutions, via open Application Programming Interfaces (APIs). With Open Banking, customers can easily and securely share their financial data with other service providers, such as budgeting apps or investment platforms, without handing over their login credentials. It also improves financial transparency, allowing customers to compare products and services from different providers and make informed decisions about their finances.
Here is a useful way to distinguish what Open Banking is from what it is not. Partner APIs (such as those of Visa and Mastercard) do not qualify as Open Banking. Open APIs that are hosted publicly but require the provider's own proprietary data structures and protocols also fall outside Open Banking. Open Banking is achieved when all the players and the financial institutions use a standard API.
Source: APIDays London
Open Banking Frameworks
Data security and privacy are at the core of Open Banking, alongside the standardization of the APIs and the contracts behind them. Frameworks are needed to define the technical standards and guidelines that govern how this data can be shared securely and efficiently between different parties. Some of the standards formulated by different countries include:
- The Open Banking Standard (UK): This framework was mandated by the UK's Competition and Markets Authority (CMA) and requires the nine largest banks in the country to share customer data securely with third-party providers via open APIs.
- The Second Payment Services Directive (PSD2) (EU): PSD2 is a European Union directive that requires banks to give authorized third-party providers access to customer payment accounts and payment initiation, with the customer's consent, typically via open APIs. It also mandates strong customer authentication and lays down rules for handling disputes between parties.
- The Consumer Data Right (CDR) (Australia): The CDR is an Australian regulatory framework that gives consumers the right to access and share their data held by businesses in the banking, energy, and telecommunications sectors. It requires these businesses to provide open APIs for data sharing and prescribes rules for data privacy and security.
- The Monetary Authority of Singapore (MAS) API Playbook (Singapore): The MAS API Playbook provides technical guidelines for financial institutions in Singapore to develop open APIs that comply with industry best practices and regulatory requirements.
- The Financial Data Exchange (FDX) (USA): FDX is a non-profit industry association in the US that has developed a standard for secure and transparent data sharing between financial institutions, fintech, and other third-party providers via open APIs.
India has a framework for Open Banking called the Account Aggregator (AA) system. The AA system was introduced by the Reserve Bank of India (RBI) to enable the secure and efficient sharing of financial information among financial institutions and their customers. Under the AA system, licensed account aggregator entities act as intermediaries between financial institutions and customers, facilitating the sharing of customer data through open APIs. Customers can use the AA system to securely share their financial data across multiple financial institutions, without the need to share their login credentials or other sensitive information.
The AA system is part of the RBI's broader efforts to promote digital payments and financial inclusion in India and has the potential to unlock new business opportunities for fintech startups and other third-party providers. Several large banks and financial institutions in India have already joined the AA system, including ICICI Bank, HDFC Bank, Axis Bank, Kotak Bank, and more are expected to follow as the system becomes widely adopted.
What are the compliance aspects of implementing Open Banking?
Since a high volume of customer data flows between multiple parties, financial institutions and third-party providers must adhere to compliance requirements that ensure the security and privacy of that data. Some of them include:
- Data Protection and Privacy: All service providers must adhere to the regulations applicable to the specific region they serve. Examples include the General Data Protection Regulation (GDPR) in the European Union and the Personal Data Protection Bill in India. This aspect pertains to obtaining customer consent for data sharing, implementing strong security measures to protect customer data, and ensuring that data is used only for the purposes for which it was shared.
- Strong customer authentication: Financial institutions and third-party providers must comply with strong customer authentication (SCA) requirements, which mandate at least two independent authentication factors (something the customer knows, possesses, or is) before customer accounts and data can be accessed.
- Regulatory compliance: Financial institutions and third-party providers must comply with applicable regulatory requirements, such as the Second Payment Services Directive (PSD2) in the European Union or the Account Aggregator (AA) system in India. These regulations may include requirements for data sharing, security, and privacy.
- Standards compliance: Financial institutions and third-party providers must comply with technical standards for data sharing, such as the Open Banking Standard or the Financial Data Exchange (FDX) standard.
- Liability and dispute resolution: It is also essential to have processes in place to resolve disputes and allocate liability in the event of errors or fraud related to data sharing.
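The mechanism behind "sharing data without sharing login details" and "data is used only for the purposes for which it was shared" is a consent record that the bank enforces on every API call: the third-party provider holds an opaque access token bound to that consent, never the customer's password, and the token only works for the provider, scopes and period the customer agreed to. The following is an added illustrative example of that check, not code from the original page or from any Open Banking standard; the Consent and ConsentStore names, the scope strings and the reason codes are assumptions made for the example.

```python
"""Consent-scoped access check for an Open Banking style API gateway.

Added illustrative example (not from any Open Banking standard): the third-party
provider (TPP) never sees the customer's password; it holds an opaque access
token bound to a consent record naming the customer, the TPP, the granted scopes
and an expiry. Every API call is checked against that record. Class names, scope
strings and reason codes below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass
class Consent:
    consent_id: str
    customer_id: str
    tpp_id: str                  # provider the customer granted access to
    scopes: frozenset            # e.g. {"accounts:read", "transactions:read"}
    expires_at: datetime
    revoked: bool = False


class ConsentStore:
    """In-memory consent registry; a real deployment would persist this and
    keep only a hash of each token at rest."""

    def __init__(self) -> None:
        self._consents: dict = {}   # consent_id -> Consent
        self._tokens: dict = {}     # access token -> consent_id

    def grant(self, customer_id: str, tpp_id: str, scopes, ttl_days: int = 90,
              now: Optional[datetime] = None):
        """Record the customer's consent and mint an access token for the TPP.
        No customer credential is ever handed to the TPP."""
        now = now or datetime.now(timezone.utc)
        consent = Consent(
            consent_id=secrets.token_hex(8),
            customer_id=customer_id,
            tpp_id=tpp_id,
            scopes=frozenset(scopes),
            expires_at=now + timedelta(days=ttl_days),
        )
        token = secrets.token_urlsafe(32)
        self._consents[consent.consent_id] = consent
        self._tokens[token] = consent.consent_id
        return token, consent

    def revoke(self, consent_id: str) -> None:
        """Customer withdraws consent; every token tied to it stops working."""
        self._consents[consent_id].revoked = True

    def authorize(self, token: str, tpp_id: str, required_scope: str,
                  now: Optional[datetime] = None):
        """Decide whether a call presenting `token` from `tpp_id` may use
        `required_scope`. Returns (allowed, reason, customer_id or None)."""
        now = now or datetime.now(timezone.utc)
        consent_id = self._tokens.get(token)
        if consent_id is None:
            return False, "unknown_token", None
        consent = self._consents[consent_id]
        if consent.tpp_id != tpp_id:              # token replayed by another provider
            return False, "tpp_mismatch", None
        if consent.revoked:
            return False, "revoked", None
        if now >= consent.expires_at:
            return False, "expired", None
        if required_scope not in consent.scopes:  # purpose limitation
            return False, "scope_not_granted", None
        return True, "ok", consent.customer_id


def demo():
    """Walk through grant, permitted use, scope violation, expiry and revocation
    using constructed sample identifiers and a fixed clock."""
    store = ConsentStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    token, consent = store.grant("cust-42", "budget-app", ["accounts:read"],
                                 ttl_days=90, now=t0)
    results = {
        "read_balance": store.authorize(token, "budget-app", "accounts:read", now=t0)[0],
        "initiate_payment": store.authorize(token, "budget-app", "payments:write", now=t0)[1],
        "other_tpp": store.authorize(token, "lender-app", "accounts:read", now=t0)[1],
        "after_expiry": store.authorize(token, "budget-app", "accounts:read",
                                        now=t0 + timedelta(days=91))[1],
    }
    store.revoke(consent.consent_id)
    results["after_revoke"] = store.authorize(token, "budget-app", "accounts:read", now=t0)[1]
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The check order matters: binding the token to the provider is tested before anything else so that a token lifted from one provider is useless to another, and scope is tested last so that a denied call reveals nothing about which scopes exist on the consent. In production the token would be issued through an authorization server and the consent identifier returned to the customer so they can revoke it from their own bank's interface.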
Data Architecture for Open Banking
Data plays a central role in Open Banking. An organization needs robust data governance and architecture to meet the compliance obligations mentioned above. The sharing of customer, transaction, and other financial data between financial institutions and third-party providers through open APIs is the foundation of Open Banking. This data can include transaction history, account balances, and other financial information that can be used to provide a range of services such as account aggregation, budgeting, and credit scoring. Some of the core components from a data standpoint include open APIs, a microservices architecture, a strong data governance framework, and the use of analytics to improve customer experience. The following figure shows the elements of robust data governance and architecture that organizations need to adopt as they embark on their Open Banking journey.
In addition, an efficient integration layer is key to ensuring that an API call returns clean, accurate data that is current and up to date. This integration can happen either through application integration or through data virtualization. With data virtualization, information from multiple sources is integrated and exposed as one virtual data warehouse instead of physically combining all the data sources. This means the data does not move while the necessary information is still provided, and it avoids the creation of data swamps.
If we look at Open Banking purely as a concept, it is about sharing data, collaborating, and providing efficient services to customers. It is highly likely that the same concept can be extended to other industries, such as retail and telecom, to create more value-added services for their customers. How it will be extended remains to be seen, as it will depend on the way each industry functions and on its supporting ecosystem. Keeping in mind the principles around security, scalability, compliance, API design, and data management will be the key. By carefully designing the data architecture, financial institutions (and in the future others) can provide their customers with secure and convenient access to their financial (and personal) data while complying with regulatory requirements.