Open Banking, where customers can elect to share their banking transaction information with third parties, went live in the UK.
This initiative is designed to lift competition across financial services, and of course in Australia there are early moves in this direction, though the shape of those moves is not yet clear. An issues paper from August 2017 outlines the questions being considered by the Australian Review into Open Banking.
What data should be shared, and between whom?
How should data be shared?
How to ensure shared data is kept secure and privacy is respected?
What regulatory framework is needed to give effect to and administer the regime?
Implementation – timelines, roadmap, costs
The review was due to report at the end of 2017. So the UK experience is useful.
In essence, consumers (if they choose to) are able to give selected third parties access to the data on their bank accounts, which potentially allows those third parties to offer new and differentiated banking and financial services products. In practice, whilst some firms rely on simple (and risky) “screen scraping”, the idea is that banks will provide a standard application programming interface (API) to allow selected third parties to access agreed data. Screen scraping is based on sharing the standard internet banking password and credentials, whilst APIs are more selective, using special passwords, which can time-limit access. This is more secure.
In addition, customers give access by logging on to their bank account and establishing the data share from there, which again is more secure. Also, in the UK, firms wanting to access the data must be registered, and will be listed on an FCA directory. This is to avoid fraud. In addition, there is some protection for consumers if validly shared credentials are misused, unlike the current state of play, where if banking passwords are shared, banks may avoid liability.
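The contrast above can be shown with a simplified model, added here as an illustration and not taken from the Open Banking standard or any bank's code. A shared password unlocks everything until it is changed, whereas the grant below is issued by the bank, names one registered third party, lists the agreed data, and expires. The key, directory contents and scope names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

BANK_KEY = b"constructed-demo-key"      # constructed; stands in for the bank's signing key
REGISTERED_TPPS = {"budget-app-ltd"}    # constructed stand-in for the regulator's directory
REVOKED = set()                         # grants the customer has withdrawn

def _sign(body: bytes) -> str:
    return hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()

def issue_grant(tpp_id, scopes, ttl_seconds, now=None):
    """Issued by the bank after the customer logs on there and approves the share."""
    if tpp_id not in REGISTERED_TPPS:
        raise PermissionError("third party is not in the directory")
    now = time.time() if now is None else now
    claims = {"tpp": tpp_id, "scopes": sorted(scopes), "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def revoke(token):
    """Customer withdraws the share without changing their banking password."""
    REVOKED.add(token)

def check_grant(token, tpp_id, wanted_scope, now=None):
    """Decide one API request; returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(sig.encode(), _sign(body.encode()).encode()):
        return False, "bad signature"
    if token in REVOKED:
        return False, "revoked"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["tpp"] != tpp_id or tpp_id not in REGISTERED_TPPS:
        return False, "wrong or unregistered third party"
    if now >= claims["exp"]:
        return False, "expired"
    if wanted_scope not in claims["scopes"]:
        return False, "scope not granted"
    return True, "ok"
```

Every refusal reason here corresponds to a control that password sharing cannot offer: the bank cannot tell a scraper from the customer, cannot limit what it reads, and cannot end its access short of a password change.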
It is too soon to know whether this is truly a banking revolution, or something more incremental, but in the light of the emerging Fintech wave, we think the opportunities could be large, and the impact disruptive.
For example, Moody’s says the UK’s Open Banking initiative is credit positive for consumer securitisations.
By directly accessing current accounts, the lenders will gain valuable data about their customers’ disposable income and spending patterns. This data will complement the less detailed data that credit reference agencies provide and will result in stronger underwriting and better risk-adjusted returns when prudently applied.
The improved access to information also will benefit the debt collection process. Data on disposable income provides a realistic picture of a consumer’s debt repayment patterns. A clearer picture of consumers’ repayment patterns increases the probability of successful debt collection while ensuring compliance with the UK’s Financial Conduct Authority’s guidelines on fair treatment of customers.
Of the approximately £32 billion of UK consumer securitisations that we publicly rated in 2017, around half were backed by pools solely originated by non-banks. The exhibit below shows that auto and consumer pools, which will benefit most from improved underwriting, are almost entirely originated by non-bank lenders. We include auto-captive bank lenders in the non-bank category since they do not have a material current account presence.
The nine banks with the largest current accounts market share in the UK that will be obliged to share their data are Allied Irish Banks, Bank of Ireland (UK), Barclays Bank, Danske Bank, HSBC Bank, Lloyds Bank, Nationwide Building Society, The Royal Bank of Scotland and Santander UK plc. Four of the nine banks have been granted an extension of six weeks and the Bank of Ireland has until September to meet the technical requirements.
There is an initial six-week trial during which only bank staff and third parties will be able to test new services.
Moody’s also notes that “the Open Banking requirements coincide with the European Union’s (EU) Second Payment Services Directive (PSD2), which requires all payment account providers across the EU to provide third-party access. For as long as the UK remains part of the EU, it will need to comply with the EU’s legal framework. However, the regulatory technical standards on customer authentication and secure communication under PSD2 have yet to be agreed, meaning that full data sharing under PSD2 likely will be applied no earlier than third-quarter 2019”.