The U.S. lags other countries in open banking, the practice of enabling the sharing of customer account information between banks and third-party service providers. A White House executive order issued last July may give it a domestic push.
Within the order, broadly aimed at “promoting competition in the American economy” through antitrust and other policy actions, is a clause encouraging the Consumer Financial Protection Bureau to undertake “a rulemaking under section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.”
In the ongoing discussion, the consumer benefit of account-data portability and control runs up against competitive considerations among financial institutions, new-breed fintechs and data aggregators.
Gartner research vice president Alistair Newton said he has seen members of bank executive committees instinctively balking at the notion of sharing proprietary information.
The European Union paved the way with its 2015 Payment Services Directive that allowed nonbanks to execute financial transactions. The 2018 PSD2 update had a bigger impact by requiring banks to provide access to their data via application programming interfaces (APIs) to authorized third parties.
Building on PSD2, the U.K. has required the country’s nine leading banks to implement a predefined and standard API for secure open banking.
Centralized or Bilateral?
Enabling Open Finance Through APIs, a December 2020 report out of the Bank for International Settlements’ Americas representative office, states that an open-finance ecosystem is heavily influenced by the identification and authentication APIs that underlie it, typically through standards set by a central entity sitting between banks and third parties, or bilateral arrangements between them.
According to the paper, the centralized approach’s benefits include standard entry requirements that are easier to regulate and supervise and less complex for banks to handle. The downsides are that a failure of the central entity affects all participants, and that there is less innovation.
The bilateral approach, meanwhile, could be more resilient without a single point of failure, but banks would have to tend to multiple API connections.
The U.K. essentially mandated the centralized approach by introducing a specified set of API technical standards, made workable because of its comparatively concentrated banking market. In other jurisdictions, standards have been market driven, with large banks often pursuing bilateral arrangements, while a growing number of aggregators provide a central platform for banks and fintechs to connect to via APIs.
Whether centralized or bilateral, Newton said, a key distinction will be whether banks view the move to open banking as a catalyst for strategic change, or take defensive postures that slow its adoption. The Gartner analyst pointed to BBVA of Spain, Barclays and Natwest as examples of the former, as well as U.K. upstart Starling Bank, which delivers a broad range of business banking products from third parties through an app marketplace.
“A business can get insurance and software for financial accounting, risk management and invoicing, and Starling enables simple integration through its marketplace,” Newton explained. “The mindset is, we don’t have to do this stuff all ourselves. We’ll go to the best in class to address customers’ needs.”
On the retail front, Newton said, DBS Bank in Singapore can help customers buy an apartment or car, or plan a vacation through “an ecosystem of partners.”
Regulation can accelerate open banking because it gets bank management’s attention. In the absence of explicit U.S. policy, the private sector has taken some steps in that direction, with large banks like Capital One in the lead.
The $19.6 billion-in-assets Customers Bank of Phoenixville, Pennsylvania, uses Salesforce’s MuleSoft platform to build and store APIs to connect to FIS, its core technology provider, as well as other banks, fintechs and data aggregators. “MuleSoft is the repository for everything we build for API interaction,” said chief administrative officer Jennifer Frost.
She added that Customers Bank can reuse or modify APIs it has built to leverage internally developed solutions, or to more easily offer services from third parties to its own customers. Its API platform enabled other organizations to connect to the Small Business Administration to process Paycheck Protection Program loans. And it has leveraged APIs to create an ecosystem that includes MaxMyInterest, Upstart and the Tassat blockchain payment solution.
Frost also noted that corporate customers connect to the bank via APIs to perform reconciliations and other functions directly through their treasury management systems.
Banks don’t need significant technology resources to rely on data aggregators acting as trusted intermediaries between banks and fintechs. The aggregators authenticate account holders with their financial institutions, collect the permissioned data from the bank, and transfer it in the appropriate format to third-party service providers.
Plaid is one of a growing number of such aggregators. It announced a data sharing agreement last year with Capital One in connection with the bank’s customer transactions API program.
Fiserv, a leading core technology vendor, entered the field by acquiring CashEdge and its AllData aggregation service in 2011, and Mastercard acquired Finicity in 2020.
“Data aggregators have effectively filled a void of regulation-driven open banking,” said Justin Jackson, Fiserv vice president of product management for digital payment solutions.
In Europe, under open-banking access rules, account information service providers (AISPs) and payment information service providers (PISPs) provide data aggregator-type services. With many U.S. banks hesitating, aggregators resort to “screen scraping,” using customers’ log-on information to access their bank data.
That presents a security risk, which could prompt U.S. regulators to impose European-style mandates. Alternatively, regulators may view initiatives such as the Financial Data Exchange, a 200-member consortium promoting the FDX API standard and associated best practices, as sufficient.
“These are industry-developed reference guides published with the approved technical specifications for the API that can assist in building trust with consumers,” said Steve Smith, chief engagement officer, global open banking at Mastercard. “The industry wants to not only develop great standards, but also create best practices around communicating with account holders, so they have full transparency into what they’re permissioning access to and how that data is being used.”
Newton advises that instead of waiting for a regulatory outcome, banks should consider the strategic implications of open banking sooner rather than later. “One risk may be that CIOs [chief information officers] are not able to persuade their business partners quickly enough about the importance of open banking, and insufficient resources will be put into it,” he said.