Open Banking is the technology that enables non-bank financial firms – e.g. “fintechs” – to access consumer-authorized financial data, such as personal and business checking-account transaction data. Open banking is proclaimed as driving the fintech revolution, transforming retail banking, and disrupting the global payments market.
Many US banks already enable open banking to selected third-party firms, such as financial management and accounting software providers. However, regulators in other countries have required banks to go much further, mandating that banks must enable open banking to any authorized third party – to propel new competition and innovation. For example, in the UK, mandated open banking is powering a range of new business models that are starting to disrupt traditional retail banks. Despite this, so far, open banking has left the global payments market untouched.
Open banking has existed in the US for at least the two decades – in one of two forms:
“Screen-scraping”, where third-party firms access consumers’ financial data by logging into consumers’ accounts using consumer-provided private credentials; and
“Application programming interfaces” (APIs), where certain third-party firms and banks have made agreements to share consumer-authorized financial data using secure data access.
For example, leading US fintechs such as Acorns, Credit Karma, and Venmo – as well as established financial firms including Experian, Fidelity, and Freddie Mac – use financial data aggregator firms such as Envestnet Yodlee, Finicity, , and Plaid to “screen scrape” consumer financial data from almost all major US banks, albeit mostly without banks’ permission. Separately, several large banks – including JPMorgan Chase and Wells Fargo –have bilateral agreements with selected third party fintechs to share customer-authorized financial data using proprietary APIs, i.e. APIs developed by the banks or data aggregators.
While both of these “open banking” models are well developed in the US, they both have major challenges. First, sharing of customer credentials is normally a breach of bank-customer agreements. It is also an inherently insecure and unreliable way of data sharing, creating high risks of unauthorized account access, data misuse, data breach, data error, fraud, and other consumer losses.
Second, while APIs are much more secure and reliable than screen-scraping, they depend on banks’ agreement to enable such access. In practice, this means that large banks only allow data sharing to third parties that don’t compete with banks. In contrast, smaller innovative banks are open to customer data sharing with any provider, to help themselves compete. This leaves fintechs and other users needing to rely on a patchwork of screen scraping and multiple API standards.
In any event, under the US 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, banks are already required to make financial data available – upon request by consumers – in a usable electronic form. This should have unlocked the US open banking market. Banks have nevertheless resisted this requirement. In 2016, the US Consumer Financial Protection Bureau expressed “grave concerns” that some large financial institutions were trying to close access to consumer financial data, rather than support safe and secure access. The Bureau subsequently issued “Consumer Protection Principles for Financial Data Sharing” and called for “a robust, safe, and workable data aggregation market” 1.
Further to the Bureau’s work, in 2018, the US Treasury Department has called on “industry solutions” to provide effective consumer financial data sharing – while addressing the security and liability concerns – recognizing that consumers’ ability to realize the benefits of open banking remain limited in the US, owing to banks not providing sufficient access to consumers’ financial data and lack of common API standards. In particular, the Treasury called on solutions that provide for security of consumer data, consumers’ right to control their data, notification of data breaches, a move away from screen-scraping to standardized APIs, and development of consumer digital legal identity systems. This has led to various industry initiatives to develop open standard APIs, but these remain voluntary and fragmented 2.
In 2018, a Bill was proposed in Congress for a regulatory study of third party to access consumer-authorized financial data 3, but was not enacted, and in 2020, members of Congress called on the Federal Trade Commission to investigate the largest US consumer financial data aggregator for alleged misuse of consumer data 4. The Consumer Financial Protection Bureau just held a Symposium in February. The opportunity for open banking to develop effectively in the US therefore remains stalled.
In comparison, regulators elsewhere in the world have chosen to mandate open banking, so that customers of any bank or financial firm have a right to share their financial data with any other provider using a common data sharing approach.
In 2017, the UK was the world’s first country to compel banks to establish secure open banking. This followed an extended antitrust investigation into the UK consumer and business retail banking market, which found that “larger UK banks did not have to compete hard for customers’ business – and smaller banks found it hard to grow”. It found that customers were paying more than they should and not benefiting from new services 5. To tackle this, the UK’s antitrust regulator implemented a series of reforms, led by open banking – requiring the nine largest UK banks develop and adopt an open API standard. This would enable consumers and businesses to share their financial data securely with third parties, and for third parties to initiate payments on behalf of customers 6.
The objective of open banking in the UK is to make the banks compete harder for consumers and small businesses – to result in lower prices and better services. Two years on, has it been a success?
It is useful to restate the main products and services provided by retail banks, namely:
These each represent comparable shares of retail banking income and come either as “bundled” products (such as personal or business checking accounts, which combine deposit, credit, and payment services) or distinct products (such as credit cards, savings accounts, loans, or payment wallets).
One of the widely proclaimed outcomes of open banking – and the “fintech revolution” – is the “unbundling” of retail banking between separate products and providers, rather than all part of a checking account or single bank relationship.
In the UK, there are now over 200 regulated providers and over one million users to date of open banking. Of these, two main products dominate 7:
- Financial management tools; and
- Credit/lending services.
These financial management tools are actually very similar to those in the US and include many of the same providers and products, such as Intuit QuickBooks, Sage, and Xero. Like the US, these products existed long before mandated open banking, using a combination of screen-scraping and proprietary APIs. In addition, UK open banking has also enabled many new financial management tools, especially personal financial management tools like Mint and Quicken in the US. As in the US, such services do not compete directly with banks. The business model for these services is a combination of paid-for user subscription and/or cross-selling of other products and services.
Such services help consumers and small businesses in budgeting and saving, shopping around, “robo-advice”, and access to new products of services. They may also facilitate growth of fintech banks (the “neobanks”), like Aspiration, Chime, and Varo, entry of the tech giants, and greater risk of data breaches. There are also concerns that these open banking services only benefit more financially sophisticated and wealthier consumers – and may harm financially vulnerable and lower income consumers, through much more personalised offers.
In comparison, open banking-enabled credit/lending services represents a direct competitive threat to banks. This is because open banking overcomes a large competition barrier for consumer and business lending. Namely, customer data held by banks – especially income, expenditure, and savings – provides a large information advantage in offering credit. Banks have traditionally exploited this advantage through combination of:
- Generous credit offers to the lowest risk customers.
- High costs of credit to vulnerable customers (such as punitive overdraft charges).
- Rejection of credit to the highest risk customers (leaving alternative lenders facing “adverse selection” risk, i.e. risk of only getting the worst risk customers).
Credit bureaux partly overcome these information “asymmetries” between bank and non-bank lenders. Credit bureaux nevertheless do not provide the same data as open banking. This itself has made credit bureaux – such as Equifax and Experian – some of the most eager participants in open banking, alongside other new and existing credit/lending business models, including credit checking, credit file enhancement, credit scoring, direct lending (including loans, mortgages, and non-bank overdrafts), and marketplace lending.
Banks therefore rightly fear the impact of open banking on bank-balance sheet and bank-originated consumer and business lending. This explains ongoing complaints of bank attempts to frustrate open banking – and hence the need for regulation, effective governance, and enforcement. Such competition should greatly benefit customers, in lower interest and easier access to credit. Higher risk and more vulnerable customers could nevertheless end up paying more, more likely be denied credit, or face greater risks of over-indebtedness.
Of banks’ other main services – deposits/savings and payments – open banking in the UK has so far had little impact, with few if any new providers. This is probably unsurprising however, as open banking does not address the barriers to competition in these products. Making open banking work for these products is also much more complex.
For payments, the chief revenue for banks are payment card interchange fees. Interchange fees are set jointly by banks and payment schemes (e.g. Mastercard and Visa). They are payable by retailers/merchants to banks, but ultimately paid for by consumers. The underlying barrier to competition is that payments are a “platform” market – bringing together the “senders” of payments (e.g. consumers) and the “recipients” (e.g. retailers/merchants).
In such platform markets, one user decides which platform to use (e.g. typically the payment sender) – e.g. by cash or by card – while the other user bears the cost this choice (i.e. the payment recipient). This creates bad economic incentives. It also means that even if a sender has a choice of alternative payment method that is cheaper for the recipient to accept – such as an open banking-enabled real-time payment, rather than a card payment – then the sender will still most likely choose the higher cost card payment. This itself is the problem of card interchange fees, which impose higher costs on retailers/merchants – and ultimately on consumers – but nevertheless incentivizes consumers to pay by card in any event.
Open banking therefore does not solve the problem of card interchange fees. On the contrary, Europe (and the US’s) leading neobanks – including Chime, Monzo, Revolut, and N26 – are even more dependent on card interchange revenues than high street banks, therefore equally resistant to open banking payment options. Moreover, almost all new payment services – in the UK and US – are just new ways of paying by card, e.g. Apple Pay, PayPal, Square, and Stripe.
Payments also entail much greater security risks and complexity than simple open banking services. For example, UK real-time/faster payments already suffers high fraud levels. Hence, this means the need to design open banking payment functions including sender protection, recipient guarantee, and payment dispute resolution, plus variable, recurring, and reverse payment functionality. Such features have so far proved too difficult.
So, open banking is likely to have no impact at increasing competition and innovation in payments in the foreseeable future, i.e. of mitigating the continuing increase in share of the global card schemes and ever-increasing costs to merchants of payment card acceptance.
Last, for deposits/savings, banks benefit from considerable customer inertia – of customers in paying money into and leaving money in low or zero-interest accounts, and banks progressively reducing account interest rates. Open banking can in theory solve this, by enabling customers to automatically “sweep” balances into alternative higher-rate accounts. Such products nevertheless depend on similarly complex and risky payment functionality.
Beyond banking, the UK is also now looking to develop:
- “open finance” – extending open banking to all retail financial services, including insurance, investments, mortgages, pensions, savings, and unsecured credit 8; and
- “smart data” – extending data sharing ultimately to all digital sectors of the economy.9
Alongside the UK, the European Union has mandated that all European banks and payment account providers must enable consumers to use secure open banking services – in order to share customer financial data with third party firms and for third party firms to initiate customer payments – using common, secure, and open standards, in Europe’s revised Payment Services Directive (“PSD2”) . In addition to PSD2, the European General Data Protection Regulation (GDPR) creates a right of data portability for all European consumers.
The chief objective of this European regulation was to encourage innovative new open banking-based services – especially payment services using real-time payments – while addressing the consumer protection, security, and liability issues associated with screen-scraping. PSD2 also seeks to abolish screen-scraping. However, the chief drawback of PSD2 is that is doesn’t sufficiently mandate the necessary common and open API standards, leaving it to banks to set their own APIs. This has created unsurprising and widespread complaints that the APIs offered by European banks are neither common in standard nor effective for achieving PSD2’s and GDPR’s stated objectives.
Open Banking developments in other markets include:
- Australia’s 2019 Consumer Data Right law, which gives customers control of their data and enables them to share it with third parties.
- Canada’s Banking, Trade and Commerce Senate Committee, which called in 2019 on the government to provide “an open banking framework that will keep Canadians’ personal financial information safe, provide more choice and improved financial products and services” 10.
- India’s 2016 Unified Payments Interface, enabling inter-bank payments using APIs and national digital identity system.
- Japan’s 2017 Amended Banking Act, encouraging banks to open APIs to third-party providers by 2020.
- Mexico’s 2018 FinTech law, which mandates open banking based on the UK model.
Of these, India has been the most effective at driving competition and innovation in payments. India is nevertheless a nascent digital payments market in which card payments so far have little presence.
In summary, while regulated open banking is starting to disrupt consumer and business lending – and helping consumers and businesses share financial data in a much more safe and secure way – it is unlikely to bring competition and innovation to payments to the benefit of merchants. Other regulatory solutions are needed to address this, in particular, antitrust enforcement and effective interchange fee regulation.
1 “Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation”, Consumer Financial Protection Bureau, 2017.
2 Including the Center for Financial Services Innovation (CFSI), Consumer Financial Data Rights Coalition (CFDRC), Electronic Payments Association (NACHA), Financial Data Exchange (FDX), Financial Services Information Sharing and Analysis Center (FS-ISAC), Open Financial Exchange (OFX), Securities Industry and Financial Markets Association (SIFMA), and Statement of Joint Principles for Ensuring Consumer Access to Financial Data.
3 H.R.6789 - Open Banking Study Act of 2018, 115th Congress (2017-2018).
4 Letter from Wyden, Brown, and Eschoo, US Congress, to the Federal Trade Commission, January 2020.
5 “Retail banking market investigation: Final report”, UK Competition & Markets Authority, 2016.
6 “The Retail Banking Market Investigation Order 2017”, UK Competition & Markets Authority.
7 See “Open Banking, Preparing for lift off”, Open Data Institute and Fingleton, 2019; and UK Open Banking Implementation Entity openbanking.org.uk.
8 See “Call for Input: Open finance”, UK Financial Conduct Authority, 2019.
9 See “Smart Data Review”, UK Government, 2019.
10 “Open Banking: What it Means for You”, Canadian Standing Senate Committee on Banking, Trade and Commerce, 2019.