On November 19, the Basel Committee on Banking Supervision (the “BCBS”) released a report on open banking and application programming interfaces (“APIs”), focusing specifically on aspects of open banking related to customer-permissioned data sharing, including sharing between a customer’s bank and various third-party firms. The report builds on the BCBS’ February 2018 paper (“Sound Practices: Implications of fintech developments for banks and bank supervisors”), which noted the increasing adoption of advanced technologies—including APIs—by banks, service providers, and fintech firms to deliver innovative financial products and services. The key findings from the report are outlined below.
Although individual jurisdictions may vary in how they define open banking, the report defines open banking as “the sharing and leveraging of customer-permissioned data by banks with third party developers and firms to build applications and services, such as those that provide real-time payments, greater financial transparency options for account holders, and marketing and cross-selling opportunities.” In developing the report, the BCBS examined how open banking is evolving across BCBS jurisdictions (which include the U.S., U.K., and elsewhere across the Americas, the European Union, Asia, etc.) and identified potential implications for banks and bank supervisors. The BCBS’ findings included the following:
Features of open banking frameworks:
- Open banking is increasingly replacing traditional banking, and although banks have been sharing customer-permissioned data with third parties for years, new digital services and data aggregation techniques are revolutionizing retail banking.
- Adoption of open banking frameworks varies (in terms of stage of development, approach, and scope) across BCBS jurisdictions. Some jurisdictions require banks to share customer-permissioned data and require third parties that want to access such data to register with authorities. Other jurisdictions have only issued guidance or recommended standards, or released open API standards and technical specifications. Still other jurisdictions currently have no explicit rules or guidance that require or prohibit the sharing of customer-permissioned data by banks with third parties, allowing industry-led solutions to emerge.
- Data privacy laws can provide a foundation for open banking frameworks. According to the BCBS, many jurisdictions that have adopted open banking frameworks have also updated their data protection or privacy laws, but data ownership and control principles vary by jurisdiction.
- Greater regulatory coordination may be required to address potential inconsistencies or gaps in regulation where multiple regulatory authorities, with varying mandates, have a role in addressing issues related to open banking. Relevant authorities may include, for example, bank supervisors, competition authorities, and consumer protection authorities.
Challenges associated with open banking frameworks:
- In addition to its benefits, open banking poses risks and challenges for customers, banks, and bank supervisors, including challenges with adapting to potential changes in business models, challenges with ensuring data and cyber security in an open banking framework, and the time and cost associated with building and maintaining APIs, including the lack of commonly accepted API standards. (The BCBS notes that this is particularly challenging when the APIs are built and maintained on a bilateral basis with multiple organizations.)
- Managing third-party risk can be challenging for banks if they have no contractual relationship with the relevant third party or if the third party has no regulatory authorization.
- Open banking makes it more difficult to assign liability in the event of a financial loss, erroneous sharing, or a loss of sensitive data, and even in jurisdictions with established liability rules, banks may face reputational risk if there are errors.
In its concluding remarks, the BCBS noted that although open banking may transform banking, banks and bank supervisors “need to pay greater attention to the risks that accompany: (i) the increased sharing of customer-permissioned data; and (ii) the growing interconnectivity of various entities involved in the provision of financial services.” These are likely to be key areas of interest for regulatory authorities globally as open banking becomes more widely adopted.