Open banking APIs—a method of allowing consumers to share their financial data with third-party services like Venmo, Acorns, or digital lenders—are taking off across the globe. A quick glance at headlines shows regulatory movement on open banking in the United States, the European Union, the United Kingdom, and now Australia. While this momentum is real, regulators and other stakeholders have also bumped into challenges as they move from concept to implementation. Some markets are grappling with legacy technologies like screenscraping and where they fit in the new world of open banking. These international efforts offer learning opportunities for the United States in how to preserve financial innovation as data sharing methods evolve.
International markets have adopted varying approaches toward Open Banking APIs.
- European Union: The European Council passed the Revised Payment Services Directive (PSD2) in November 2015, enacting a framework for open banking APIs to develop over a multi-year period. Notably, the EU didn’t mandate a specific open banking standard. Instead, it called for basic rules of the road for the financial services industry, from which a multitude of different banking standards is expected to emerge.
- United Kingdom: The United Kingdom’s Competition and Markets Authority adopted a different approach, requiring implementation of a single API standard, scheduled to begin with transaction data for large banks in early 2018.
- Asia: In other major economies like Japan and India, leading companies have taken steps to enable third-party data sharing in the absence of top-down regulation.
- Australia: The latest major market to join the open banking spotlight is Australia. Major financial institutions such as National Australia Bank (NAB) had previously announced APIs for third-party data sharing. However, a Parliamentary Committee recently took this momentum several steps further by announcing a new regime under which Australia’s four largest banks will enable open API access for customers by 2018. Indeed, the national government has budgeted AUS$1.2 million for the Treasury in 2017-8 to assess what the open API schema should look like.
Taken together, these efforts represent an exciting and positive trend for consumers. There appears to be an emerging global consensus that consumers own the right to control all of their financial data—with conversations now shifting to how to enable that sharing with third parties. What’s more, the parallel nature of these developments allows stakeholders in each geography to learn from each other—creating laboratories for experimentation.
Learnings from international experiences
So, what can be learned from these approaches so far? A common thread is that when regulation is top-down, it’s challenging to preserve innovation. PSD2 in the EU is widely considered the first open banking effort—and therefore offers the most to unpack.
In Europe, stakeholders have found that open banking raises concerns about the viability of the technology and unfair competition.
A consortium of 70 leading European financial technology companies banded together recently to protest a provision in PSD2’s draft Regulatory Technical Standards (RTS) that would ban the technology commonly known as screenscraping.
These companies argue that banking APIs, while well intended, are an unproven method of consumer data sharing. In fact, limiting data sharing to APIs could threaten the very same consumers that PSD2 was originally designed to help—by mandating a shift from a reliable data sharing method (i.e., scraping plus modern authentication) to an uncertain one.
The fintech firms also say that APIs effectively hand over unvarnished control of digital financial services to banks, instead of consumers. For instance, a bank could decide to not maintain their API infrastructure for third parties, favoring direct customer access over access via a third party—echoing the net neutrality debate in the United States. Banks could also restrict availability of certain data fields needed for critical consumer use cases.
The question, of course, is how well-founded these concerns are. It’s taken some of the largest and best-resourced financial institutions years to build APIs, a meandering journey that continues today. Small and medium-sized banks, however, often do not have the technical resources, expertise, or budgets available to build proprietary APIs. Thus, customers of smaller banks stand to get squeezed out of the digital financial services ecosystem under PSD2. What’s more, these customers often live in rural areas that are already underserved by mainstream financial services.
A less benign concern has to do with the potential for the prohibition on screenscraping to create an unfair playing field. In practice, there’s very little to immediately stop a European financial institution from deliberately enabling subpar data sharing via APIs. While PSD2 puts certain safeguards in place to prevent this from happening, transparency and enforcement are likely to be challenging across Europe’s thousands of financial institutions.
And stakeholders have taken notice. In an unusual move, no less than the European Commission—the executive branch of the EU—has asked the European Banking Authority (EBA) to reconsider its proposed ban on scraping. It’s unclear how the EBA will decide as it finalizes technical standards. In Australia and the UK, authorities have not signalled that they will try to restrict the use of screenscraping—noting the technology’s benefits as well as disadvantages.
Implications for the United States
As the debate in Europe and across the world plays out, stakeholders in the United States are inching toward a more formalized regime for third-party data sharing. These stakeholders include financial institutions, consumer-facing fintech services, trusted intermediaries, regulators, lawmakers, industry working groups (such as FS-ISAC and NACHA), and of course, consumers.
The United States has so far refrained from adopting a top-down regulatory approach like Europe’s PSD2 or Australia’s—but there are still lessons for all stakeholders to learn from the ongoing PSD2 discussion:
- Allow for reasonable flexibility in data sharing methods. While the EBA’s initial ban on scraping was well-intended, it now looks premature. In the United States today, there is a thriving ecosystem of security-focused, third-party data sharing benefiting tens of millions of consumers, enabled by trusted intermediaries. Plaid, for instance, uses Screenless Data Collection where necessary. This access method is critical for enabling an inclusive financial system.
The United States has a fragmented consumer banking landscape, compared to many other markets: This country is home to over 9,000 banks and credit unions, many of which have substantial customer bases, yet aren’t large enough to have resources to stand up an API. (By contrast, the UK’s Big 5 and Australia’s Big 4 banks support an estimated 80+ percent of consumer bank accounts in each country!) Because the “longtail” of small and medium banks is so robust in the United States, any effort to restrict data access methods here would have an even more severe impact on consumers than efforts in Europe.
Institutions often want to customize authentication, so that they can better determine who is accessing customers’ data, and how often.
But when it comes to data transmission, consumers—not their bank—should determine what data they can share with third parties. For this reason, it’s more helpful to standardize the data layer, rather than authentication. At the data layer, standardization gives consumers necessary protections around the minimum amount of data that they’re able to share digitally—leaving this decision to consumers, not the bank.
PSD2 has actually reversed these priorities—focusing on authentication and less on the actual data. So, consumers might find that they’re unable to access the data they want for a given use case, such as applying for a mortgage or enrolling for payroll. As part of any industry collaboration efforts, stakeholders in the United States should take note and focus on the data model.
- Take into account all components of the ecosystem, and the value that each can enable. The proposed ban on screenscraping technology under PSD2, if enacted, would eliminate significant swaths of the current system of data sharing. The reality is that the current system—enabled by trusted intermediaries—generally works.
The U.S. should heed PSD2’s lessons and put consumers first while piecing together its own data sharing approach—and not rush to “fix” what’s not broken.
There’s much to learn from the approaches to financial data access unfolding internationally. The United States’ leadership position in the technology world has never been in question. Yet it’s not clear that we’re further along the fintech innovation curve than our trans-Atlantic neighbors. By avoiding the early mistakes of PSD2, the United States can reinforce its position as a leader of digital financial services—all while doing right by the tens of millions of consumers who benefit daily from these critical products.