Government action on open banking data could transform industry, says expert

Out-Law Analysis | 17 Mar 2015 | 5:33 pm | 4 min. read

FOCUS: In this week's Budget the UK government will take another step towards transforming retail banking by asking banks to create systems that will share customer data easily.

The automated sharing of customer data has the potential to re-shape the banking industry. It will put the big retail banks in more direct competition with startup competitors but will also open up opportunities to collaborate with them and benefit from those startups' ideas and innovation.

Economic secretary to the Treasury Andrea Leadsom said earlier this month that the next steps in this process would be revealed alongside Wednesday's Budget. Chancellor George Osborne said in his Autumn Statement in December that he wanted the UK to be the global hub for financial technology, or fintech, and the leading nation when it came to open source data in banking.

The banking industry will share data via application programming interfaces (APIs), which allow software applications to automatically talk to each other and access data.

The use of APIs in banking will enable customers to access transaction and other bank account data and share it with third party businesses, helping them to make more informed choices than before about what financial products and services best suit their needs.

Big banks will be expected to share credit data with alternative finance providers such as peer-to-peer (P2P) lenders, and will refer small and medium-sized enterprises (SMEs) that they have turned down for loans to them, giving these firms a second chance to raise money.

For the banks themselves, opening the doors to their customers' data is likely to increase competition within the sector but doesn’t necessarily have to mean going head-to-head with alternative sources of finance or other banking services; instead it could lead to partnerships and collaborations with new entrants to the banking market or a broader range of technology firms.

The political will is certainly there to push these changes through: the government's policy is to make it easier for people to access and use financial services and to create "stronger and safer banks", and open data has a role to play in realising both aims.

The government commissioned a report on data sharing and open data for banks (91-page / 4MB PDF) by the Open Data Institute (ODI) and Fingleton Associates and used it as the basis for a consultation on open APIs in banking.

A perceived benefit of open APIs is improved data security. At present any bank customer who wants other service providers to act on their banking data has to give their internet banking log-in details to third party operators, at their own risk in the event of a security breach. Where log-in details and passwords are handed over, online banking guarantees are often forfeited.

Some of these operators use screen-scraping technologies. This allows third parties to gather information about the customer's finances, in what is generally recognised to be an insecure way, to carry out tasks like calculating how much money from their various accounts has been spent on travel or groceries over the past month.

In contrast, the use of APIs will bypass the need for consumers to hand over their log-in details and passwords to third parties.

But while the advantages of standardising APIs are clear, the shift towards open data does raise a number of concerns for banks, especially over costs, data protection and liability.

The ODI report estimated that it would cost around £1 million per bank to develop an open API standard and that creating a standard platform would take about 12 months from start to finish.

Together with the costs of developing an API platform, banks would also need to take into account the considerable costs involved in integrating an open data platform with their existing legacy systems, which could raise a number of technical challenges.

Opening up a bank’s data warehouse also raises questions over privacy and who would have access to what information. A key concern for banks would be the extent to which any proposed legislative reform would impose liability on banks in the event of a privacy or data security breach resulting from a transfer of data via an open API. The ODI report said that if a bank is following a user’s explicit instruction to share their data with a third party, then the bank has no liability for what happens once the data has been shared.

This is in contrast to the position currently being discussed at European level in relation to access to bank accounts under payments laws through the Payment Services Directive II (PSD II). It is expected that under PSD II banks will be exposed to greater liability in the event of a security breach in connection with third parties accessing their customers' bank accounts.

Open APIs require banks to think more carefully about their data protection obligations and those of the parties which can access data through their systems. Reputational consequences could be severe if they engage with businesses that are more lax about data security or customer authentication than they are.

The expectation may be that in future banks could be liable were a security breach to result in customer data being compromised as a result of being accessed through a bank's API. Banks should engage further with the government to clarify who is liable for authentication and security breaches resulting from a transfer of data through APIs.

Banks need to ensure that they have informed consent from their customers giving them permission to share their data in this way. This means helping customers to understand the quite complicated, sophisticated use of their data.

Banks and the government will need to pay attention to changes in data protection law currently being negotiated at an EU level. And EU lawmakers will need to take changes in fintech into account when deciding how to protect consumers.

Working with fintech companies, which are often start-ups with limited resources, also means that banks need to be confident that they are partnering with firms that have the resources not only to fend off cyber-attacks but also to offer redress to customers if their data is stolen or used inappropriately.

French bank Crédit Agricole is already using external APIs to let its customers access their bank data through third party APIs.

Wednesday’s Budget will reveal if the chancellor has provisions inside his red ministerial box that will help the UK’s banks to follow suit.

John Salmon is a financial services specialist at Pinsent Masons, the law firm behind Out-Law.com