Who owns your bank data?
Last updated: 10 December 2020.
For years, the answer to this question was straightforward: your bank.
But then digitisation happened, and with it came "big data": Spotify suggested music you might like, Uber plotted your best route home.
Slowly, people started to see the power of data to deliver more convenient and personal services.
Tellingly, so did the European Union (EU) lawmakers.
They proposed that people should be able to share banking data with any trusted brand, and the result was the updated Payment Services Directive (PSD2), already adopted in 2015 and being implemented now. However, due to delays in the implementation, the European Banking Authority (EBA) allowed an extension of the deadline for PSD2 strong customer authentication (SCA) until 31 December 2020.
PSD2 requires all banks in the EU to create application programming interfaces (APIs) and then share them with officially approved third parties. Customers can give their bank credentials to these brands, which then use the data to create better products or facilitate easier payments.
For example, UK start-up Funding Options matches businesses with lenders. Previously, this would have required a customer to fill out lengthy forms and disclose sensitive identity documents.
By using bank APIs to scrutinise accounts, Funding Options eliminates these requirements and does the job in minutes.
New ways of thinking about bank data
But will customers really entrust their bank data to a third party?
Conrad Ford, CEO of Funding Options, thinks so.
Funding Options is one of the dozens of start-ups approved to access banking APIs in the UK (via the Open Banking initiative – a UK-specific version of PSD2). These companies clearly want to bring innovation to the banking sector. It's what the regulators want too.
But is it what the banks want?
Some observers argue that the banks fear this competition and that they are culturally unsuited to embracing the concept of openness.
Opportunities and threats
It's easy to see why banks might be nervous.
There's the liability issue: in the event of a data breach, most consumers will direct their complaints to banks, even if it was the fault of a third party. But the bigger concern is existential.
They worry that disruptive newcomers – whether small start-ups or established brands such as Amazon and Facebook – could use the new openness to steal their customers.
A recent Payments and Open Banking survey, conducted by Strategy&, part of the PwC network, suggests that customers' reluctance to share personal data remains a problem facing all players, both traditional (banks) and new (FinTech). According to the survey, payment service providers are trusted by 9% of respondents, retailers by 8% and internet giants by 7%, while banks that operate exclusively online (neobanks) and FinTech would receive data only from to 3% of European consumers. However, traditional banks still have a reliable advantage over competitors. According to the survey, European respondents say they place more trust in traditional banks and card providers for the exchange of personal information (17%).
This would suggest that banks themselves may be best placed to explore the new opportunities.
In fact, some already are.
Banks as data aggregators
These examples show how banks can commandeer developers to build innovative new services on top of their own customers' account information. Another option is for the bank to be the aggregator itself – in other words, to access the APIs of other financial institutions.
In Germany, challenger bank Fidor has already done this.
It offers customers access to a range of products from multiple providers inside its portal. The concept has become known as "banking as a marketplace" and helps new banks offer complementary services without building them in-house.
Analysts argue that the more transformative innovations are yet to come. Broadly, they believe APIs will move banking services into everyday life.
But for this to materialise, users will have to overcome their trust issues. For decades, consumers have been told never to surrender their credentials to anyone.
Now they are being encouraged to do it.
To reassure them, the EU regulators are insisting on strong two-factor authentication for all PSD2-related transactions.
But the legislation hasn't yet precisely defined what strong customer authentication is.
The good news is that security specialists are already developing solutions that go way beyond two factors.
Thales' risk management services in Gemalto IdCloud, for example, analyse thousands of attributes from the user and the device, such as geo-location, device profiling, IP address, device assessment, and behavioral biometrics.
Crucially, they then roll them into one score to make the authentication process not just strong, but also fast and friction-free.
Banks can be less rigid about security when they anonymise data.
There can be immense value in analysing data sets that contain no personal information but reveal more generic insights.
Louise Beaumont, Co-Chair of TechUK's Open Bank Working Group, believes this is exactly the direction the banks should be taking.