Out-Law Analysis | 03 Nov 2016 | 2:50 pm | 3 min. read
There are a number of different initiatives underway that promote open APIs as a means of opening up the banking market to innovation, both from incumbent banks and new financial technology (fintech) businesses.
There is, though, a danger that the initiatives are run in silos and that solutions are developed that are not joined up. It is a risk that was highlighted by Gavin Littlejohn, founder of Money Dashboard and chair of the Financial Data and Technology Association at a recent fintech conference in Edinburgh.
UK banks are required to implement an open banking standard by early 2018, to allow businesses and consumers to share their own current account data with other banks and third parties and manage multiple providers through a single app. The obligation was laid out in August by the Competition and Markets Authority (CMA) in its final report on its retail banking market investigation.
The CMA has recently published subsequent details of the initial work (2-page / 214KB PDF) being undertaken to work towards this requirement. It includes work to set up an 'implementation entity', containing representatives from industry, to "act as the forum for the discussion and agreement of the application program interface (API), data and security standards".
Andrew Pinder CBE, a former government consultant who has a breadth of experience working in senior tech roles in the financial services sector, will chair the implementation entity. Its work will be guided by a steering group and subordinate advisory groups. The nine major UK banks tasked with making proposals on for "the structure, membership, governance and funding arrangements" for the implementation entity have recommended that fintech companies, challenger banks and payment service providers feed into the work, with government and regulators playing an oversight role.
In their proposals document, the nine banks refer to an ongoing EU initiative expected to result in open APIs being developed in the payments market. This relates to forthcoming reforms that will be mandated in national legislation across EU countries in accordance with a new Payment Services Directive (PSD2) finalised earlier this year.
They have specified the need for the implementation entity's work to "iterate with the clarification of standards for PSD2" and will set up "a specific advisory group … to help achieve a successful outcome". This is a welcome step, but the banks have themselves warned of potential difficulties ahead in aligning the two projects.
They said: "The European Banking Authority have recently published the initial draft of the Regulatory Technical Standards (RTS) for PSD2, which provides some additional guidance, however there remain many open questions that are unlikely to be resolved before mid-2017 and the RTS are not likely to be final until late 2018. Resolving the competing tensions across this complex regulatory landscape will be challenging, as there are obvious conflicts and contradictions that need to be balanced."
As the nine banks have alluded to in their proposals, their standards will need to be set prior to EU standards for PSD2 are finalised to meet the CMA's deadlines. While this presents an opportunity for the UK market to lead the rest of Europe on the development of open APIs, it risks UK solutions being out of step with EU requirements which might serve to limit their cross-border application.
The recently published proposals also note a need, as the major banks see it, to establish standards for open banking APIs under the CMA initiative "from the ground up". They said there is "a lack of suitable open standards" currently.
Yet, there was initial scoping work on new open API standards in banking undertaken by a government-backed industry working group in 2015 and early this year.
In February the Open Banking Working Group, established by the UK Treasury, published a new framework for supporting the use of open APIs in the banking sector. The government previously threatened to legislate to deliver better access to bank data through APIs "if necessary" if industry did not embrace the changes.
The OBWG's proposals envisaged open APIs being used in a broader context than the payments market which PSD2 standards will apply to, as well as the limited scope of the CMA's project on business and consumer current accounts.
Among the OBWG's recommendations was for an "independent authority" to be identified to take on responsibilities for complaint-handling, and on "how data is secured once shared, as well as the security, reliability and scalability of the APIs provided". It said that authority should also "vet third parties, accredit solutions and publish its outcome through a whitelist of approved third parties".
A central registry for open APIs is envisaged by banks under the CMA's project, signalling that there is work done by the OBWG that industry can build on to meet the regulator's requirements.
A divergent approach between the two UK initiatives on open APIs and the PSD2 project is in no one's interest. It is vital that UK industry, regulators and policy makers consult with one another and their EU counterparts to develop standards that apply universally across Europe. Without joined up thinking the aim of open APIs delivering innovative solutions and greater competition to banking and payments might not be fully realised.
Luke Scanlon is an expert in fintech at Pinsent Masons, the law firm behind Out-Law.com.