The traditional open banking use case is an app that tracks financial activity and lets users access their bank accounts; services like Mint have offered these features for over a decade. As the story of open banking has unfolded, however, other, formerly theoretical use cases are coming to life. The same technology that makes open banking possible can be applied to identity management, device integration, and other value-adding services, with some forward-thinking regulators spurring on the movement.
To summarize: open banking is the practice of making consumer and corporate financial data available to third parties via APIs (which are pieces of software that allow other pieces of software to communicate with one another, not unlike how a translator facilitates communication between two people who don’t speak a common language). Third parties then provide services to the banks or end users, using the data made available to them. The open banking movement has made technological strides in recent years, with the EU’s long-awaited implementation of PSD2 in 2018 and Visa’s acquisition of Plaid for $5.3b last month, among other milestones, feeding hopes that an Open Banking future is just around the corner.
Adoption, however, has been lackluster. Open Banking Limited, the non-profit charged with coordinating the rollout of PSD2-compliant open banking in the U.K., says that the technology has one million users as of 2019 - not such an impressive figure for a supposedly paradigm-shattering tech in a country of over 66 million where an estimated 72% use mobile banking. Some have laid responsibility at the feet of some of the country’s incumbent banks, who have repeatedly failed to meet established deadlines for enabling specific functionalities. Without said functionalities, there’s no way for users to access the value-added services which make open banking an exciting proposition in the first place.
Other hurdles include a possible branding problem: calling it open banking may, for some, “leave the impression that their banking information would be laid out in the open, with little consideration for personal privacy rights,” according to a report from Canada’s Finance Ministry. In reality, compliance-focused open banking APIs can enforce uniform security and privacy standards, leading to a more resilient ecosystem for users and institutions alike. APIs for regtech can benefit banks’ KYC and AML efforts, for instance. Furthermore, if open banking succeeds in creating greater competition between financial service providers, users may flock to providers who offer more comprehensive data protections, effectively forcing banks to compete on data policy. Given that twice as many records were exposed through data breaches in 2019 as in the year prior, the public may be relieved to see financial institutions devote more resources to data protection.
Data Ebbs & Flows
The problem with open banking in the minds of many consumers is that it could lead to security and privacy breaches, as well as a loss of control over personal data. Certainly, there is some inherent risk involved whenever sensitive data is transferred from one party’s custody to another’s, which is the very purpose of open banking APIs. But this already happens -- with or without APIs. Absent open banking, third parties must rely on a process called “screen scraping” to access financial data, which requires users to share their institution login credentials with the third party (who then essentially impersonates the user and “scrapes” the financial institution’s website for the required information). Not only is sharing credentials a no-no in general, but screen scraping lacks safeguards like OAuth-based delegated authorization and TLS encryption, which are baked into APIs: a scraper holding the user’s password can do anything the user can, whereas an API token can be limited in scope, given an expiry, and revoked without touching the password. Compared to the screen scraping status quo, APIs are a much more responsible way to transfer data.
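To make the contrast concrete, here is an added toy model (not code from Mondato, Plaid, or any bank) in which a fictional bank serves one constructed customer, "alice". The password path stands in for screen scraping and grants the third party everything the customer can reach; the token path stands in for an OAuth-style API grant that is bound to a scope, expires, and can be revoked independently of the password. All data, names, and the `Bank` class are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data for one fictional customer; not real account data.
ACCOUNTS = {
    "alice": {
        "balance": 1250.00,
        "transactions": [{"amount": -42.10, "memo": "groceries"}],
        "payees": ["landlord"],
    }
}
ALL_RESOURCES = frozenset(ACCOUNTS["alice"])


@dataclass
class AccessGrant:
    """A delegated-access token bound to one user, a scope set, and a lifetime."""
    token: str
    user: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class Bank:
    """Hypothetical bank exposing both a password login and a scoped-token API."""

    def __init__(self):
        self._passwords = {"alice": "correct horse battery staple"}  # constructed
        self._grants = {}

    # Screen-scraping model: the third party holds the customer's own password,
    # so the bank cannot tell it apart from the customer and cannot scope it.
    def login_with_password(self, user, password):
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return {"user": user, "scopes": ALL_RESOURCES}

    # API model: after the customer consents, the bank issues a random token
    # limited to the requested scopes and valid for ttl_seconds; the password
    # never reaches the third party. `now` is passed in so the example is
    # deterministic; a real service would read the clock.
    def issue_grant(self, user, scopes, ttl_seconds, now):
        unknown = set(scopes) - ALL_RESOURCES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        grant = AccessGrant(token, user, frozenset(scopes), now + ttl_seconds)
        self._grants[token] = grant
        return grant

    # The customer (or the bank) can cut off one third party without changing
    # the password or disturbing any other app the customer has authorized.
    def revoke(self, token):
        grant = self._grants.get(token)
        if grant is not None:
            grant.revoked = True

    def read(self, token, resource, now):
        """Return ("ok", data) or ("denied", reason) for a token-based read."""
        grant = self._grants.get(token)
        if grant is None or grant.revoked:
            return "denied", "token unknown or revoked"
        if now >= grant.expires_at:
            return "denied", "token expired"
        if resource not in grant.scopes:
            return "denied", f"scope '{resource}' not granted"
        return "ok", ACCOUNTS[grant.user][resource]


def scraping_reach(bank):
    """What a scraper holding the password can touch: every resource."""
    session = bank.login_with_password("alice", "correct horse battery staple")
    return sorted(session["scopes"])


def api_walkthrough(bank):
    """Issue a balance-only token, then exercise scope, expiry and revocation."""
    t0 = 1_000.0
    grant = bank.issue_grant("alice", ["balance"], ttl_seconds=3600, now=t0)
    outcomes = {
        "balance_in_scope": bank.read(grant.token, "balance", now=t0 + 60),
        "payees_out_of_scope": bank.read(grant.token, "payees", now=t0 + 60),
        "after_expiry": bank.read(grant.token, "balance", now=t0 + 3601),
    }
    bank.revoke(grant.token)
    outcomes["after_revoke"] = bank.read(grant.token, "balance", now=t0 + 60)
    return outcomes


if __name__ == "__main__":
    b = Bank()
    print("scraper can reach:", scraping_reach(b))
    for name, result in api_walkthrough(b).items():
        print(f"{name}: {result}")
```

The point of the walkthrough is the asymmetry: the password session inherits the customer's full reach and can only be cut off by changing the password for everyone, while the token is denied outside its scope, after its lifetime, and after revocation, with the customer's credential never leaving the bank.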
It also doesn’t take an API to create a data breach. The 2019 breach at Capital One which affected 100 million individuals in the U.S. and Canada was due to a misconfigured AWS firewall, not a third-party service provider. Capital One was using Amazon S3, a cloud storage tool, when a former Amazon employee detected a vulnerability in the server’s firewall and used it to obtain the social security numbers, bank accounts, and credit histories of millions of users. The good news is that the hacker in this case was caught almost immediately; the bad news is that as banks embrace cloud computing and join the alleged 5,000+ companies using S3, we may expect a few more bumps in the road.
Where modern financial institutions are concerned, data moves from one computing environment to another as a matter of course. Whether it comes under the control of a third party via screen scraping or is hosted on a private, public, or hybrid cloud by the financial institution itself, consumer data has to move in order to be useful; why not formalize and secure the process via standardized APIs? In reality, “open banking” is nothing more than a trusted architecture for the movement of financial data. To build confidence in such a project, new use cases must create value for both institutions and end users in the B2C space, as well as demonstrate the model’s increasing B2B viability.
Now Seeking: Killer Apps
As recently as October 2018, Plaid was relatively unknown outside of fintech circles; when Visa acquired the firm in January 2020, the move was heralded as a sign of imminent change across the finance world. Plaid is a star of the open banking movement; it connects “thousands” of financial institutions with thousands more third parties via a unique suite of APIs. Instead of developing their own custom APIs, a bank can work through a data aggregator like Plaid, which offers a turnkey solution on both ends. Banks can sign up and enjoy a ready-made ecosystem of apps, while developers can obtain API keys that work with thousands of banks (and thereby millions of end users). And because Plaid is used so widely - not to mention now being under the wing of Visa - it enjoys trust on both sides of the equation. Consequently, the open banking ecosystem has seen a bounty of new use cases, addressing everything from identity management to smart lending.
Plaid would seem to have answered the riddle of open banking; it created trust where before there was none. However, all aggregators rely to some degree on trust by association. In other words: if institution A trusts aggregator X, institution B is more likely to trust them, too; and so is C, and D, and so on. This doesn’t necessarily mean aggregator X is to be trusted. A data breach at a data aggregator, moreover, could expose more user data than a breach at any single institution, and a soured relationship between an aggregator and a financial institution could send ripples through the ecosystem. When a security fix at Capital One blocked Plaid from accessing user data in 2018, for instance, it shut out the entire family of developers who used Plaid’s APIs. So while aggregators facilitate the core function of open banking - connecting third parties to banks via APIs - they consolidate the movement such that the original mission - stoking competition in financial services to users’ benefit - may end up lost in the shuffle.
In the end, there’s no substitute for strong use cases. While aggregators like Plaid, Finicity, and Yodlee create the right conditions for growth, certain risks may also grow as a result. Given the excitement that aggregators have helped stoke, it only seems a matter of time before banks at large realize the power of giving their customers the ability to share their data. Open banking standards could further cement best practices for financial APIs, and democratize financial services by freeing third-party developers from relying on all-powerful aggregators. Sooner or later, however, institutions must learn what developers have known all along: that end users like options.
Image courtesy of Matthew Waring