On the first anniversary of Open Banking earlier this year, many stopped to question how regulatory standards were working, and what could be done to improve the banking ecosystem. How far have we come? Have we done what we set out to? Are we winning the battle to democratise banking and remove friction for the end user?
Open Banking was implemented to enhance consumers’ banking experience, but what’s become evident is that – while Application Programming Interfaces (APIs) have created a more user-friendly system – problems related to the Second Payment Services Directive (PSD2) have also threatened not only to inconvenience consumers, but to undo the Open Banking ecosystem we’ve worked so hard to develop.
Is regulation hindering FinTech?
Open Banking’s potential remains enormous and innovation continues to expand, but the incorrect implementation of Strong Consumer Authentication (SCA) standards jeopardises the progress of Open Banking.
The threats facing Open Banking can be broken down into three groups: unilateral application across non-payment accounts; authentication apathy from consumers; and longer-term threats to consumer data.
Unilateral application across non-payment accounts
The first challenge facing SCA is the unilateral implementation by banks across accounts, regardless of whether they’re PSD2 regulated, or what type of activity requires access to the account. Right now, legally, only payment accounts need to apply SCA standards, and the European Banking Authority (EBA) says that as such, “security measures should be compatible with the level of risk involved in the payment service”. While implementing SCA across all account types seems secure and transparent, if these standards are applied to all accounts, including savings, individual savings accounts (ISAs), mortgages and loans, customers may soon experience significant disruption across their banking experiences.
Authentication apathy
As they stand, SCA regulations mean that consumers must reissue consent for their data to be used by third party providers (TPPs) every 3 months, regardless of whether they’ve granted access previously or not. This isn’t the case for non-payment accounts like savings, loans or ISAs, so I ask: how can we expect to regulate these in the same way?
Longer-term threats to consumer data
SCA implementation and its disruption go beyond User Experience (UX) friction. What users need to be most worried about are the potential consequences for consumer behaviour. By making the consumer journey so cumbersome, SCA could ultimately lead consumers to take counterproductive actions that put their data at risk, for example, creating one password across accounts for ease of use. This makes financial data less secure, because if one account is accessed, all accounts are compromised.
Because SCA regulations are likely to be applied unilaterally across accounts, as many as 69% of the UK population who use online banking could be affected, and therefore are at risk of fraud. A recent data breach from password flaws like those mentioned left 2.7 billion customer records at risk.
Companies can resolve this particular problem by making consumers aware of the issue and instituting various levels of authentication for various functions within their banking experience. For example, viewing an account which has no payment capability shouldn’t require the same levels of authentication as making a payment. This is a simple but important distinction – as banks begin to roll out SCA, step-up authentication needs to be considered seriously as a viable alternative.
Rethinking ‘one size fits all’
Open Banking is founded on the promise that consumers would be able to safely and securely share their data, to make their financial lives more integrated and manageable. Something needs to change, regardless of challenges.
Ultimately, the main concern around SCA is consumer protection, and ensuring users have the tools they need to make the best financial decisions for their lives. This issue is a highly important and urgent one, and if it is left unaddressed, consumers will undoubtedly be left not only with less helpful banking tools but, more critically, in poorer financial health.
Vice President EMEA at Envestnet | Yodlee