Open APIs for UK banking: It's happening, people
Consumer trust central to success of initiative, say law bods
On Tuesday, an industry-led group published a new framework for supporting the use of open APIs in the banking sector.
The UK Treasury is keen for banks to open up access to the data they hold on customers to other businesses to encourage innovation and boost competition in the sector. It tasked an industry-led Open Banking Working Group (OBWG) with developing a new framework for underpinning an open banking standard to facilitate its plans and has said it will legislate to deliver better access to bank data through APIs "if necessary" if industry does not embrace the changes.
In its new report, the OBWG set out a raft of recommendations on how open APIs in banking should best be delivered. It said third parties should be able to use APIs to access both the customer data and the aggregated data that banks hold, through technical "protocols" still to be agreed.
However, such access should only be facilitated where bank account holders have given their "informed consent", it said. Access, where consent has been obtained, would be "subject to constraints", such as time limits or transaction size caps, it said.
In addition, the OBWG said an "independent authority" should take on responsibilities for complaint-handling, and on "how data is secured once shared, as well as the security, reliability and scalability of the APIs provided". That authority should also "vet third parties, accredit solutions and publish its outcome through a whitelist of approved third parties", it said.
The OBWG proposed a timeframe for further development and implementation of the new standard in stages. 'Read only' access to "midata personal customer data sets via the open banking API" could be operational within a year, and a fully functioning open data market in the UK banking sector would be a reality by the end of March 2019.
The OBWG's proposals have a broader scope than EU legislative reforms set out in the EU's new Payment Services Directive (PSD2). PSD2 will give so-called payment initiation service providers and account information service providers (AISPs) greater access to payment accounts under strict conditions.
Expert in financial services and technology Yvonne Dunn of Pinsent Masons, the law firm behind Out-Law.com, said that the open banking APIs framework will place the UK in a position to "lead regulatory change in relation to open banking". She said that new comparison tools and 'how to save and invest dashboards' are two of the many examples of innovative solutions that the UK government's push for an open banking API standard is aimed at supporting.
"While much work still needs to be done from a technical perspective to ensure that legacy systems can be adjusted to enable an open API framework, there is also work to be done from a legal and regulatory perspective," Dunn said. "Consumers will only feel confident allowing third parties to access their banking data, including their investment records, transaction histories and current and savings account data if they know who carries the risk when something goes wrong. Transparency as to the liability, privacy and security rules that will underpin the framework need to be established and also communicated to consumers in a clear and transparent manner."
"Banks will also want to ensure that their voices are clearly heard. They will want to ensure that these rules are formed in a way that balances the cost of ownership and access to the infrastructure required to maintain the underlying systems that enable access to banking data with the need to encourage innovation," she said.
Angus McFadyen, also of Pinsent Masons, said the development of the open API standard will help third parties understand what they need to do to develop and scale up their services so as to connect with banks and provide more innovative services based on the access to data they would have.
"At the moment each bank can define its own standard for connectivity to its services," McFadyen said. "Even if banks conform to the ISO 20022 standard on messaging there is a degree of variation that ISO standard provides for. Settling on a single standard will make connectivity a lot easier."
McFadyen said open APIs could deliver a range of benefits to banks and other businesses alike.
"For example, one of the biggest advantages could be delivered in relation to credit scoring," he said. "Potentially APIs could allow businesses to connect directly to prospective customers' bank account data as a low cost substitute or supplement for buying in data from credit reference agencies when assessing creditworthiness or completing ID checks. Equally, mortgage providers could use APIs to pull bank data from prospective customers' accounts. This would avoid the need for people to submit paper bank statements as part of their mortgage applications and could speed up applications and approvals and help reduce fraud."
Luke Scanlon of Pinsent Masons said open APIs present opportunities for fintech companies, but only if they are prepared to address trust issues.
"The best fintech companies recognise the importance of understanding liability and security frameworks – customers will not develop trust in new and innovative services that require permission to access banking data unless they are completely sure that their investments and savings will not be placed at greater risk through the use of those services," Scanlon said.
"It seems that the first response many consumers have to open banking data is one of fear – that their savings and investments will be put at risk. Therefore for fintech companies it is of critical importance that they communicate the liability and security rules that will underpin the proposed API framework in a way that gives consumers confidence," he said.
Copyright © 2016, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.