The Concept of Open Banking: From a Remedy to an Ecosystem
by Ine van Zeeland and Jo Pierson
The concept of Open Banking has been around for several years now without being clearly delineated in a legal or otherwise widely accepted definition. Recently, the European Commission announced a Digital Finance package to take Open Banking a step further – but further from what, and towards what? Our analysis shows that opinions diverge. It is clear that Open Banking has something to do with sharing client data beyond banks, but many questions still remain as to the conditions for such data-sharing. In this regard, policy makers can play a decisive role: bank clients need independent oversight, information and education, but also need to build ‘trust by design’ to create an environment in which everyone feels safe to share financial data.
| Highlights |
|---|
|
|
|
|
The banking sector has not received much attention over its data protection practices, as it is considered to be fairly reliable and trustworthy when it comes to protecting data. Something is changing in this sector, though, and it is not entirely clear what it is, but it is called ‘Open Banking’. In broad terms, Open Banking has to do with sharing banking data more widely, within[1] and outside financial institutions. Most data held within retail banks – the type of banks that most people would recognize as providers of mundane financial services like bank accounts, payment services and loans – are personal data[2]. Sharing banking data more widely will therefore most likely entail sharing personal data more widely.
WHY THE CONCEPT OF OPEN BANKING NEEDS TO BE CLARIFIED
Personal financial data can be sensitive data. Some payment data may betray, for instance, religious affiliation, union membership, or sexual preferences. Within the framework of the EU’s revised Payment Services Directive (PSD2)[3], bank clients can consent to sharing payment data from their bank with a so-called third-party provider (TPP). A TPP could for instance be an online shop, or a budgeting app. However, sharing payment data may expose sensitive information to the TPP. On the other hand, there can be benefits of sharing financial data with TPPs. For example, a smartphone app comparing conditions of opening an account at various banks, in a personalised, clear format, presents obvious informational advantages. Open Banking is thus often presented as offering better services to bank clients and increasing competition. In the UK, Open Banking was specifically introduced by the Competition and Markets Authority as a remedy against a lack of competition in the banking market.
Some banks may be reluctant to share data assets, others may acknowledge the advantages of data-sharing with partners and of being able to offer more personalized services to clients. In an ideal Open Banking scenario, clients can shop around for financial services – holding an account at bank A, exchanging currencies at FinTech provider B, and closing car insurance at InsurTech company C. Banks could specialize in the type of services that reflect their strengths. Yet, banks have a reputation to lose. They are trusted with financial data now, but who will be held responsible if client data that are shared in a complex network end up in the wrong hands? Who checks on the network?
Considering ideal scenarios also raises other questions: What is Open Banking to whom? What are key elements? Who gets to benefit from which outcomes? Open Banking is contingent on different perspectives: FinTech start-ups will relish another Open Banking landscape than regulators, or bank clients. Clarification can be helpful to researchers, policy makers, financial institutions, regulators, consumer rights activitists and others who wish to discuss financial data-sharing and its ramifications. We therefore reviewed terminology, definitions, and descriptions of Open Banking in a large set of (252) documents. Our intent is to provide information for the evaluation of Open Banking scenarios and to illuminate specifics.
‘OPEN BANKING’ OVER THE YEARS
Figure 1: Documents about ‘Open Banking’ per year
The distribution of publications over the years shows that ‘Open Banking’ as a topic only took off from 2016 onwards (Figure 1). It is interesting to see that the number of documents peaked in 2019 and dropped in 2020. This may be an effect of including only cited documents in our review, as papers that were published near the end of 2020 may not have been cited in more recently published documents yet. It could also indicate the end of a ‘hype’.
The titles and abstracts of the documents were automatically analyzed to find terms associated with Open Banking. The use of those terms changed over the years, starting from a focus on states and (East Asian) countries, specifically China, Indonesia, and Singapore. More recently, the focus moved to technology, FinTech, PSD2, and customers. Figure 2 shows a visualization of the terms and their usage over the years since 2016. (Lines indicate frequent co-occurrences between terms.)
Figure 2: Usage of ‘Open Banking’-related terms over the years
| About the data set: | ||
The 252 documents in our data set were found through a search for ‘Open Banking’ as a keyword in the Google Scholar database, conducted on 5 February 2021. The Publish or Perish tool was used to select only documents that were cited at least once. These were then scanned to exclude ‘false positives’ (e.g. accidental combinations of ‘open’ and ‘banking’). | The documents varied from (4) blog posts to (29) reports, but more than half (131) were articles in academic journals. Most documents were in English (235), some in Spanish (5), Portuguese (4), German (3), Italian (2), Turkish (2), or Finnish (1). Documents that were not in alphabetic script were excluded as they did not allow for automated analysis with our current tools. | Most documents were published by academic authors or research centers (149), but for 34 documents the authors represented financial institutions and 21 were published by consultancies. The remainder were published by journalists (13), professional book authors (10), technology companies (8), think tanks (6), law firms (4), authorities (2), other industries (3) or reference websites (2). |
DIFFERENT CONTEXTS IN WHICH OPEN BANKING IS DISCUSSED
The automated analysis of terms in titles and abstracts also made it possible to cluster terms that often co-occurred. The analysis identified eight major clusters of terms associated with Open Banking. Figure 3 shows the clusters in different colours. The largest cluster (in red), centered around the term ‘bank’, contains 193 terms that often co-occur. The terms ‘psd2’ and ‘customer’ also belong to this cluster. The term ‘banking’ belongs to another cluster (in blue), which contains 136 terms, including ‘competition’, ‘regulation’ and ‘data’. Two other notable clusters are centered around ‘fintech’ (in purple) and ‘open banking’ (in yellow). Terms with strong relations in the ‘fintech’ cluster are: ‘technology’, ‘new business model’, ‘financial service’, ‘risk’ (and ‘benefit’), ‘growth’ and ‘efficiency’. The cluster around ‘open banking’ contains terms like ‘scheme’, ‘model’, ‘framework’, ‘component’ and ‘privacy’.
While we should be careful about overinterpreting co-occurrences, the different clusters appear to indicate different discourses of ‘Open Banking’, among which: banks and their customers, regulations and competition, or financial technology. Clusters can also be interpreted as different contexts rather than different discourses. For instance, a paper on technical aspects of APIs may spend fewer words on legal details of PSD2.
Figure 3: Clusters of terms co-occurring in titles and abstracts
WHAT SORT OF THING IS OPEN BANKING AND WHAT FOR?
The (yellow) cluster around ‘Open Banking’ reflects disparate perceptions of the concept: Is it a scheme, a model, a framework? In a qualitative analysis of definitions and descriptions in the documents, we looked at the question: What sort of thing is it? Table 1 presents the answers.
Table 1: How Open Banking is labelled
We also looked at the purposes of Open Banking that were presented in the documents that contained definitions or descriptions[4]. Table 2 shows the answers that were given more than once. Some of the answers overlap: ‘better products and services’ for the consumer might well mean ‘innovative and more competitive services’ or ‘customer-specific services’, but not necessarily. The elements of competition and ‘better’ services do come up most.
Table 2: Described as the purposes of Open Banking
WHO IS INVOLVED AND HOW?
Almost all of the definitions and descriptions of Open Banking mention at least one actor (or ‘stakeholder’) involved in Open Banking. Most mention more than one. Banks and their customers as well as third parties who get (access to) data, are mentioned most. Few mention government or regulators, and one document specifically mentioned “FinTechs, GAFA[5], automakers, smart cities, the Internet of things, etc.” Table 3 presents an overview.
Table 3: Stakeholders mentioned for Open Banking
According to the definitions and descriptions in the documents, who among those stakeholders is supposed to be sharing? And whose data are they sharing? Tables 4 and 5 show that the view that ‘everyone shares’ is itself not widely shared; it is mostly banks sharing customer data.
Tables 4 and 5: Who is sharing whose data?
CONCLUSIONS AND RECOMMENDATIONS
The automated analysis of terms shows that Open Banking is a recent concept that is discussed as a regulatory issue, a technological question or a matter of customer-centricity. The number of mentions over the years shows that it started in East Asia and has moved westward with PSD2 in the EU and the Open Banking framework in the UK. Different connotations of Open Banking may stem from different jurisdictions but may also reflect different perspectives. More recently, the focus in Open Banking discussions has moved to (financial) technology, its risks and benefits, and new business models.
The analysis of descriptions and definitions puts the spotlight on different perspectives. Its purposes are considered to be providing new (‘better’, ‘customer-centric’) services to customers and improving competition in the banking market by letting ‘third parties’ in. A variety of stakeholders are thought to be involved: banks, their clients, financial technology providers, developers, governments, regulators, and even smart cities are mentioned. The ‘third parties’ who are to access or use banks’ customer data often remain unspecified. They could be lenders or small entrepreneurs, but also Big Tech companies or rival banks.
The analysis has made clear that banks are expected to do the sharing. Mostly they are expected to be sharing customer data. None of the documents seem to discuss how bank clients can find recourse should anything untoward happen with their financial, possibly sensitive, data. The analysis also raises new questions:
- Assuming most bank clients do not read Terms & Conditions before consenting to sharing potentially sensitive data held by their banks (as is common practice), who can they hold accountable should they be confronted with unpleasant surprises?
- A lot is expected from the banks, but are they also the caretakers of the system? Who is responsible for the sharing network and ‘due diligence’ of the partners?
These questions lead us to the following recommendations:
| Recommendation 1 – Create independent oversight and consumer redress |
|---|
| There is a need for independent oversight on Open Banking practices, for both Open Banking ‘partners’ and clients, to create a trustworthy environment in which all feel safe to share data. As financial data can be sensitive and potentially lead to harm, bank clients should be able to seek redress directly at an independent authority. |
| Recommendation 2 – Bank clients must be educated on risks and benefits |
|---|
| Clients are accustomed to a banking environment in which they trust banks with their financial information. They are not trained to foresee what might happen in a more open sharing environment. Since banks are the first point of contact for their clients, they are in a position to inform and educate them on potentials risks and benefits of sharing financial data. |
| Recommendation 3 – Implement ‘trust by design’ in the technology |
|---|
| As the current discussion about Open Banking appears to focus on the technology, this is the moment to introduce ‘trust by design’, in line with the GDPR principles ‘privacy by design and default’. Technology that allows for (outsider) scrutiny and verification by consumer representatives, improves accountability and strengthens trust in shared values. |
Certain business departments within large financial institutions are not allowed to exchange data in line with banking rules introduced after the 2008 financial crisis, but Open Banking potentially makes indirect data exchange between these departments possible again.
The General Data Protection Regulation defines ‘personal data’ as “any information relating to an identified or identifiable natural person” (Art. 4(1)). Many financial data allow for identification of a person.
Directive (EU) 2015/2366
Only 66 documents contained definitions or descriptions and not all of those answered the questions.
GAFA is a common acronym for ‘Google, Amazon, Facebook, Apple’.
Click here to download the policy brief.
Policy-Brief_44_finaal-1
Ine van Zeeland is a PhD researcher within the VUB research chair on Data Protection On The Groynd. Jo Pierson heads the research unit ‘Data, Privacy & Empowerment’ at imec-SMIT, Vrije Universiteit Brussel (VUB) and is professor in the VUB Department of Media and Communication Studies. He holds the VUB research chair on Data Protection On The Ground. This research was conducted within the Data & Society Programme of imec-SMIT, Vrije Universiteit Brussel. The programme is headed by Prof. Dr. An Jacobs (an.jacobs@vub.be)
(Photo by hellooodesign on Unsplash)