Protecting shared data

Data is often regarded as the new oil or the new gold. Like both, it must be extracted and processed to create value, then – given that perceived value – be protected from unauthorised access.

 

But even the neatest analogy won’t explain every nuance of this valuable digital resource. For a start, given its non-physical nature, data can be shared infinitely – something that people are unlikely to do with gold or oil. But that means it’s also much more challenging to establish and enforce data ownership than it is with physical assets.

 

Opening up data

 

The rationale behind Open Banking was to give account holders control over the banking data being collected about them by financial institutions. Transparent access to this data by third parties, with the consent of data owners, can release the information that banks sit on to facilitate innovation, thus levelling the playing field for fintech start-ups that want to enter the arena.

 

The transaction of data in Open Banking is much more straightforward than the more blurry business of online marketing, where people use web browsers and other digital services seemingly at no cost, while their digital trail is commercialised via data exchanges.

 

In Open Banking, clients can give access to third parties of their choice in return for more innovative, personalised and cheaper services they couldn’t previously get from traditional banks. Although Open Banking regimes of different shapes and sizes currently exist in more than 124 countries, it was the UK and the EU that pioneered its regulatory-driven model.

 

Six years into the UK’s project, following the CMA’s announcement that the Open Banking Roadmap was fully completed on 9 September 2024, it seems timely to reflect on the choices its implementers, headed by the Open Banking Implementation Entity (OBIE), have made.

 

Some of the figures speak for themselves. The completion of the Roadmap means that all nine banking providers (the C9) mandated by the CMA have successfully implemented the required functionality to offer a prescribed range of Open Banking-based account, information and payment services. 

 

For a more nuanced picture of what that success means, there are some oft-quoted metrics. In September 2024, there were 1,603 million successful API calls, when clients’ account data was accessed by third parties via standardised application programming interfaces to provide either account management or payment services, with an average API response time of 351 milliseconds.

 

However, only 1 per cent (17.23 million) of these calls were made to execute payment services.

 

Open banking was used by 12.34 million people this September. This might be less than its advocates and implementers anticipated, but a more than 1 million increase in the number of new user connections every month suggests a steady growth.

 

It must be noted, though, that new user connections can be established by both individuals who have just entered the ecosystem and legacy members who engage with a new brand.

 

Striking the right balance between regulation and innovation

 

Although some may be underwhelmed by the rate of adoption, it must be evaluated in the context of how people have, until now, traditionally kept personal banking details under their hats, for fear of fraud or theft.

 

These are attitudes that can’t be changed overnight. But, aware of how key to adoption consumer trust is, the OBIE has gone out of its way to bake security into the system as much as possible.

 

For example, unlike PSD2 in Europe, OBIE banned the precarious data-gathering method of screen-scraping, where a consumer’s bank account is accessed by using their log-in credentials rather that via APIs. OBIE has also switched to a financial-grade API (FAPI) profile based on the OAuth 2.0 and OpenID Connect (OIDC) frameworks, from launch, which aims to provide enhanced security features tailored to the needs of the financial industry. Today, 12 major countries have also selected FAPI as their baseline secure communications standard. 

 

Guaranteeing the integrity of third-party account and payment initiation service providers is also instrumental to trust building. Third-party providers (TPPs) in the UK are authorised by the Financial Conduct Authority (FCA), and they must be registered as digital service providers.

 

Once registered, they also need to comply with strict data sharing, secure communication and customer identification requirements. To further enhance TPPs’ resilience, the government gave regulators including the FCA and the Bank of England new powers in 2023 to oversee their services.

 

On 9 September, an introductory phase of the Open Banking project concluded. There is plenty more work to do, though. Variable recurring payments must evolve beyond transferring money between an individual’s own accounts. To convince more consumers to overcome their anxiety over sharing their financial data, business cases for payments in general must become as compelling as those of credit application and bank onboarding – two unqualified success areas that stand out.

 

There is a long road to be built for Open Banking and finance in the UK, but the foundations are robust – with the caveat that cyber-security is an endless battle. But the fact that, in its Roadmap to open finance in the UK, Innovate Finance – an independent fintech industry body – highlights the importance of “a digital ID framework that could serve as the cornerstone for secure and efficient financial transactions in an open data ecosystem” suggests that security remains a sound counterbalance to innovation in the UK.