Open Banking: Act 1

24 September 2020

In the trend towards « open innovation », but also towards disintermediation, the emergence of « platforms » and other forms of « uberization », the concept of open banking is taking shape today under pressure from the European regulator and PSD 2. But in what way could the bank of tomorrow be more open than the one of yesterday? In the digital age, the various financial services are increasingly accessible online, via banks’ websites and mobile applications. So why should the institution that produces these services be the only one to provide access to them? Why not allow third parties to distribute them as well, for example on the model of Amazon? The e-commerce giant, after having sold its own goods online, has in fact continued to develop as a marketplace with a wide variety of independent sellers. But this opening of the value chain also requires the opening of information systems: the « machines » of the producers must be able to communicate with the « machines » of the distributors in a fluid and instantaneous manner (see Box on APIs).

However, opening up banking systems that are constructed in a partitioned manner and as hermetically sealed as possible with respect to the outside world, in the interests of security, is a delicate process. This is evidenced by the tough negotiations on the technical standards of PSD 2 that marked the year 2017. The second directive on payment services, voted in 2015, had made it possible for duly authorised third parties, mandated by customers, to access the data on their payment accounts and initiate transfers on their behalf. This was a way for the regulator to legitimize services already offered by FinTechs such as Bankin, Linxo or Sofort, while setting clear rules [1]. The drafting of these rules, left to the level of technical standards, has proved difficult. There were two opposing views: that of the account-keeping banks, which want to guarantee the protection of information without increasing investment, and that of the new third-party payment service providers, who are worried that the banks may not be playing the competitive game sufficiently.

A complex compromise was finally reached at the end of November (see Aggregators and banks: how will they exchange account data?); it is now time to implement it, with the publication of the first APIs in 2018 and the development of the first business models in « open banking » mode. The new Instant Payment, which will also be deployed from next year, should reinforce the impact of the opening up of banking systems driven by PSD 2. Tomorrow – or the day after tomorrow – a trusted platform could very well aggregate your accounts, advise you on the most attractive offers on the market and then make the transfers for you in real time to benefit from them, perhaps using an artificial intelligence algorithm. And in this scenario, who will be the central platform? The question also remains open…

They said

2CV or Ferrari?

« It should be kept in mind that the issue of APIs and their standards is only the tip of the iceberg in open banking. Once these issues of access [to banking data] have been settled, the players, whether historic institutions or new entrants, will be able to get to the heart of the matter and work hand in hand, for example on security issues, as is already the case in the United Kingdom. […] As essential as they are, the data in the bank account are only fuel that will be used indifferently in a 2CV or a Ferrari. The difference between the two vehicles will be the customer experience that we will be able to create from this data. »

Bruno Cambounet, VP Finance Services and Banking Solutions, Axway, Revue Banque n°813, November 2017, p.15.

Free or paid APIs?

« The question of the economic model is paramount. We must not be naïve: opening APIs to external actors has a cost, especially to ensure a good quality of service as we intend to do. This cost depends on each bank’s existing IT architecture, the need to overhaul databases and upgrade systems to cope with the burden of third-party requests. This is a subject for discussion within the profession and with the regulator. It is also an issue for the users of these APIs, who need a flawless service to keep their applications running over time. The question of cost must therefore be a point of absolute vigilance that should be given greater prominence. »

Yves Tyrode, Managing Director in charge of digital, BPCE, Revue Banque n° 805, February 2017, p.28.

Technological and cultural barriers

« There are technological roadblocks [within traditional banks]. They need to reorganize their core banking system, both the data itself (back-end) and the interfaces to access it (front-end). These are major investments and they are struggling to know where to start. There are also cultural barriers: management is struggling to see the benefits of openness. However, it can offer them new sources of income. Banks should go beyond what PSD 2 requires them to do, i.e. access to the account (balance, checking availability of funds, account verification…), and offer fee-based services, such as real-time money transfer, conditioned payments or KYC checks. »

Sophie Guibaud, Vice-President European Expansion, Fidor Bank, Revue Banque n° 805, February 2017, p. 32-33.

Open banking and data protection

« [One of the challenges] to be noted relates to data security, a risk that is singularly increased by the growing interconnection of information systems, particularly in view of the developments that will result from recent European texts. Thus, the Second Payment Services Directive stipulates that new non-account-keeping payment service providers, account information aggregators and payment initiators will be able to access payment accounts held at banks via secure computer interfaces made available by the banks. This move to open up the data held by financial firms suggests opportunities, but also fairly significant risks, particularly with regard to cybersecurity.

In addition, the law for a digital republic and the GDPR regulation introduce the right to portability of personal data. Thus, data subjects have the right to receive the personal data they have provided to a data controller in a structured, commonly used and machine-readable format and have the right to pass these data to another data controller or to request that these data be passed on directly to the latter where this is technically possible. This provision, which aims at increasing competition between data controllers and thereby allowing the development of new services in the context of the single digital market (preventing the « lock in » of customers), may have important impacts on financial actors. Thus, the technical modalities of data transfer may generate new security risks. »

Nathalie Beaudemoulin, coordinator of the FinTech Innovation Cluster, ACPR, Revue Banque n° 810, July 2017, p. 28-30.