On 19 November 2019, the Basel Committee on Banking Supervision (BCBS) published its report on open banking and its implications for banks and banking supervision. The report builds on the BCBS’ previous findings on open banking and application programming interfaces (APIs) in its 2018 report (“Sound practices on the implications of FinTech developments for banks and bank supervisors”). We highlight findings from the report from a data protection perspective below.
Background
The report (including the 2018 report) recognises that technological advances and customers’ need for greater access to information and services have transformed traditional banking, and potentially opened a divide between incumbent banks, and specialised FinTech firms and new intermediaries.
Data sharing in third party arrangements has been increasingly prevalent due to the diversity of services that open banking brings: financial management tools, seamless payment transmissions between banks, vertically integrated financial services – the list goes on. The BCBS has focused on ‘customer-permissioned data sharing’, where customers grant permission to third party firms to access their data through the customers’ banks. These third party firms would collect such data through data aggregators – which may employ various techniques, such as screen scraping or reverse engineering, to access and store customer credentials.
Highlighted issues
- Open banking frameworks – generally, a ‘prescriptive’ approach (the EU, India) requires banks to share customer-permissioned data, and third parties accessing such data to register with local regulatory authorities. Authorities adopting a ‘facilitative’ approach (Hong Kong, Singapore) would issue guidance/recommendations instead of rules, and open API standards and technical specifications; while a ‘market-driven’ approach (China, the United States) would not have any explicit rules/guidance regulating banks’ sharing of customer-permissioned data with third parties.
- Data privacy laws as a foundation – although the report recognises that legal frameworks differ across surveyed jurisdictions, customer consent remains as the basis, whether it is banks seeking customer consent, or banks accepting customer consent via confirmation provided by third parties. Nearly all jurisdictions restrict third parties from using/reselling data for purposes outside the scope of the initial consent, and require third parties to obtain further consent from customers before using/reselling data. Further, data sharing with fourth parties is possible provided it is specified in contractual arrangements and under the conditions of the revised Payment Services Directive (for the EU).
- APIs – third parties use data aggregators to gain access to customer credentials via techniques such as screen scraping or reverse engineering. For more secure interactions, banks have turned to tokenised authorisation methods via APIs, thereby bypassing the need to screen scrape. Anti screen scraping laws have also been developed in certain jurisdictions, encouraging the use of such APIs, and the development of modified customer interfaces should the bank’s API be unavailable. However, the time and costs required to develop such APIs present barriers, especially for smaller banks without large economies of scale. Some jurisdictions are issuing guidance on open API frameworks such as OAuth 2.0, to assist in adoption and to further discourage screen scraping.
- Third party risk management – it is difficult to oversee and monitor third parties in the absence of contractual relationships, or where third parties are not registered with a separate authority. Jurisdiction rules differ, as some place the responsibility on banks to ensure that third parties are compliant, while in other cases, registered third parties are subject to the authority of the bank supervisors themselves. A regulatory gap could exist where a third party neither has contractual obligations towards the bank, nor is subject to authorisation from any authority – which would make it difficult to impose risk control requirements on the third party.
Comment
We see an upward trend in the use of APIs and the need to develop open API standards globally for open banking, as open banking continues to grow with the next generation of customers. Banks should think a few steps ahead and consider operational and cybersecurity risks associated with APIs, such as DOS attacks, infrastructure malfunction and IP address spoofing, and have systems in place to respond to these threats. While we recognize that different jurisdictions hold different attitudes towards open banking regulation, we anticipate greater leadership from international organisations and regulators in navigating this fast-growing space.
We are monitoring updates closely, so do check back often.