Is open banking a nightmare waiting to happen?
The world of banking is about to be transformed. In January 2018, the second Payment Services Directive (PSD2) will be incorporated into UK law, obliging banks to provide other organizations with access to their customers’ financial information. Known colloquially as the "open banking" directive, the new law is intended to end the monopoly of big banks and to provide consumers with a much wider range of financial services providers to choose from.
There are many technical and cultural difficulties that banks will need to overcome in order to comply with the new directive, but perhaps the most serious challenge is how to implement PSD2 without bringing themselves into conflict with another impending piece of legislation; the European Union General Data Protection Regulation (GDPR).
This comes into force in May 2018 and aims to give control of personal data back to the individual. Fines for transgression in the form of data breaches will be as high as 20 million euros, or four percent of a company’s global revenue, so the regulation cannot be dismissed lightly.
For those organizations hoping to escape the regulations once the UK has officially exited the European Union, there will be no such reprieve. Recent news from the UK government has confirmed it is proposing its own version of the regulations -- the Data Protection Bill. This piece of legislation may leave some companies sorely disappointed and scrambling to improve their data management processes, but its aims reflect that of the EU GDPR; to give people more control over their data and require citizens to be more explicit about how their data can be used, and by whom.
What’s the problem?
At first glance, it’s hard to see why there should be any issue with the two regulations. Both are designed to protect the rights of the consumer and both are European initiatives that will apply throughout Europe in spite of the UK’s decision to leave the EU. PSD2 aims to free individuals from the autocracy of the big banks, while the GDPR is all about protecting their personal data.
Yet there is an inherent conflict. The fundamental principle behind PSD2 is that banks must make their customer data and Application Programming Interfaces (APIs) available to other financial organizations, while the GDPR is all about the control of personal data. PSD2 means that banks are likely to be in a position where dozens of financial technology companies are all handling information about the same customer. GDPR is all about that customer data being traceable, secure, and ultimately easy to erase. Achieving both of these aims will not be easy.
Where to start: know your data
At the heart of addressing the two requirements is the ability for banks to see, access and manage customer data. The GDPR demands that you know not only where customer data is being stored, but why, how and when it has been shared with other systems, both externally and internally. It is also necessary to be aware of all movement of customer data and sharing of personal identifiable information (PII). So, if a customer’s account information has been shared externally though an API, the bank must be aware not only that it has taken place and where it has gone, but that the API itself meets all security requirements.
The GDPR also contains a clause laying out an individual’s "right to erasure" clause, also known as the "right to be forgotten." This gives customers the right to ask for their details to be completely wiped from an organization’s systems, something that will require a complete overview of corporate databases and a system of notification for partners who are accessing the same data.
Many organizations just aren’t in this position yet. A study from Blancco Technology Group showed that 12 percent of corporate IT professionals in the UK admit that they don’t know where all their customer data is stored. In Germany and France the situation is even worse, with 15 percent and 20 percent of IT workers respectively saying they had little confidence in their ability to find customer information within their systems.
Two directives: great news for customers
If both legal frameworks function as planned, 2018 is going to be a great year for consumers. The Open Banking directive has the potential to completely transform the financial services sector. Customers will be able to switch providers easily, to view accounts held with different banks through individual portals and to manage their financial affairs far more easily. Protected by the GDPR, they will enjoy far greater control over their personal records and have the ability to remove themselves completely from an organisation’s database if they so desire.
There is also a potential for both to be good news for banks. The new fintech startups have some great ideas and new technologies that could enable the banking industry to take leaps forward if partnerships are managed right. In turn, the GDPR will put in place sensible measures that will protect customers, grow trust and thereby increase loyalty.
Looking to the future of banking
In reality, however, there is still a great deal of work to be done. The effects of the open banking regulation are going to be a shock for those banks who have dominated the market so comfortably for so long. A significant change in mindset will be required for them to see the newcomers as potential partners rather than upstart competitors. And striking the balance between openness, privacy and data protection will take some sharp technological thinking.
It’s time for banks to focus their attention on their data. Both regulations are all about access to customer information, and no bank will be able to reap the benefits of the revolution that is about to happen unless they can not only share, but also protect and manage, these details. There’s still time to get things straight, and for those that do, the next few years will be exciting. It’s going to be the biggest shake-up in banking since the arrival of the cheque book, and it’s the banks who really understand how to manage their data that will be the winners.
Richard Whomes, director of Product Engineering at Rocket Software.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.