
Open Banking: moving forward securely in this bold new world

The advent of online banking and mobile payments has revolutionised banking, increasing opportunities for banks and customers alike but also introducing new risks. 

The introduction of the Competition and Markets Authority's (CMA's) Open Banking reforms (in the UK) and the application of the second Payment Services Directive (PSD2) (in the UK and across the EU) from 13 January 2018 have the potential to transform the industry yet again. Open Banking creates opportunities for banking services which were simply not possible prior to January, but carries with it new risks, particularly with regard to data and security. 

Data sharing through APIs

The first change to occur as part of Open Banking is that nine of the UK's largest current account providers (the "CMA9") are now required to give regulated and registered third-party providers access to their customers' banking data, with the customer's consent, through secure and open application programming interfaces (APIs). 

The CMA has aligned its delivery roadmap with the changes required under PSD2, under which all account servicing payment service providers (ASPSPs, i.e. the CMA9 and other banks and account providers) are required to give two new categories of regulated service providers access to customers' payment accounts, with the customer's explicit consent: Account Information Service Providers (AISPs), who may provide services such as account aggregation, price comparison and credit assessments, and Payment Initiation Service Providers (PISPs), who may initiate payment transactions from customers' accounts on their behalf.

These changes will enable third-party software developers to build new apps, services and solutions that plug into online banking platforms and create the potential for innovative services that make better use of customer data. While Open Banking could create some incredible opportunities for data-driven innovation through mobile banking platforms, the risks of data loss, privacy breaches, fraud and other cyber security attacks have also increased.

Increased attack surface for criminals

In addition to innovations in banking, the new regime should offer a great deal more choice to customers in the long-term – with banks competing with non-banks to offer services such as payment initiation, account information, account payments and financial analysis – and further boost the UK’s dynamic fintech sector. 

The potential to improve services to customers is considerable, but it relies on the creation, storage and transmission of an ever-greater amount of data. As a result, Open Banking will significantly increase the 'attack surface' for criminals as the number of platforms and access points – all of which are potentially hackable – multiplies. Customer data that previously sat within a single bank will now also be held by, and flow through, each third-party provider the customer authorises, and the credentials or access tokens that authorise that access become targets in their own right; a compromise at any one point in the chain can expose the customer's data. In 2017, the number of cyberattacks against financial services firms reported to the Financial Conduct Authority (FCA) rose by 80% compared with 2016.

Cyber offences and fraud are estimated to account for nearly half of all crime in England and Wales. Against that background, all organisations involved in Open Banking should make data security a priority and pay close attention to where data is located, who needs to access it, what types of data are involved, the environments in which it is processed and the people with access to it. A renewed focus across technology, people and processes becomes vital. Not only should technology be secure and comply with the requirements of data protection legislation; the people working in those organisations should be trained on data handling, breach procedures and secure working practices. Organisations should have clear processes in place setting out what to do if a cyber-attack or data breach occurs, and procedures in place to minimise such risks. 

Data security

The General Data Protection Regulation (GDPR), which applies from 25 May 2018 in the UK and across the EU, introduces new data rights for individuals and serious consequences for organisations that fail to comply. Data protection regulators – the Information Commissioner's Office (ICO) in the UK – will have powers to issue fines of up to 4% of an organisation's annual global turnover or €20m (£17m), whichever is the higher, a significant increase above the previous maximum fine of £500,000 under the Data Protection Act 1998 in the UK.  

In addition to potential fines, organisations face the significant financial threat of lost business, reputational damage and claims for compensation from customers. The right to compensation for non-material damage such as distress – without the requirement to show financial loss – caused by a data breach is now enshrined in the GDPR.

The GDPR also gives individuals more control over how their data is processed and obliges organisations to provide more transparent explanations of that processing. It may require significant organisational change as data privacy principles that were previously best practice become legal requirements, including privacy by design and by default and the requirement to carry out and document data protection impact assessments before high-risk processing of personal data. Even in the absence of cyber-attacks and data breaches, these represent considerable new responsibilities. All actors involved in Open Banking will have to understand that this legislation puts customers firmly in control of their data, making transparency and consent critical to data use for the purposes of both Open Banking and the GDPR.

Open Banking brings with it huge opportunities for established financial services firms, new entrants, fintechs and customers alike. Open Banking, PSD2 and the GDPR are all intended to hand control of banking data to customers, enabling them to choose which data they share with which third-party service providers in return for better financial services. This gives banks the opportunity to deepen their existing customer relationships, and fintechs the ability to offer new services and disrupt the market through unprecedented access to banking data. The consequences could be significant, not only for banking but also for accounting, retail and other sectors. Addressing the concerns relating to data and security will be critical if organisations are to comply with their regulatory obligations and win the confidence of their customers, so that customers adopt Open Banking and it realises its true potential. 

This article first appeared in Information Age. 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.
