A timely disruption – open banking

2018 is the year “open banking” becomes a reality. Bank customers, including small and medium-sized businesses, can share their current account information securely with other third party providers starting from this month.

This is a consequence of the Competition and Markets Authority (CMA) and their 2016 report on the UK’s retail banking market. It found that established banks didn’t have to compete particularly hard for customers’ business, whilst smaller, newer banks were finding it difficult to grow and access the market. Who ever knew?

While it’s being called “open” access, the process will happen via secure application programming interfaces (APIs) that provide third parties certified by the Financial Conduct Authority with direct access to customer accounts – provided the customer has given their consent and authorisation. The aim is to encourage more competition and innovation in the market, to the (presumed) benefit of consumers.

Also happening in parallel is the European Commission’s Revised Payment Services Directive (PSD2 as it’s known to its friends). Banks across the EU will similarly open up their systems and securely share their customers’ account data with third parties through open APIs. Dave Birch usefully highlights some of the potential benefits that will flow from these various changes in his recent blog “Merchants, payments and the open banking ecosystem”.

I’m pleased to see this happening, although (almost) surprised by just how long it has taken to get here. Back in 2007, I gave a presentation to a major bank. I challenged them about what they thought their bank was and what its future role would be. I asked them whether they thought they were (a) a bank (b) a financial (services) organisation or (c) something else?

It was “something else” I had in mind. I was trying to persuade them they needed to think of themselves not simply as a dull but worthy organisation storing digital bits relating to money, but as one storing digital bits relating to any other item of personal data we might want to keep safe. And in particular, I wanted them to see their great potential role in moving beyond banking into trusted identity and authentication.

Roll forward 7 years to 2014 and the Financial Times ran a piece “Banks want to keep your digital ID in their vaults”, commenting that another bank – Lloyds Bank – was apparently exploring this space, “working with the prime minister’s office to test whether banks could vouch for their customers’ identities to other organisations via a simple smartphone app.”

It also claimed that “Britain’s high street banks believe their future role will be as repositories of more than just money: they want to be the safe place where customers store their digital identities.” This suggests that by 2014 some progress had taken place in the 7 years since I gave my presentation. Gripping stuff. Banks move at lightning speed you know (coughs) – nearly as fast as governments.

And now 4 years after that FT report – and some 11 years since my presentation – finally we should see major changes as a consequence of this (entirely predictable) evolution of the role of the banks.

Naturally, there are various security concerns given that our bank accounts will be opened up to third parties. These include concerns around accountability and liability in situations where customers have authorised third party access, with the fear of accounts becoming more vulnerable to cybercrime. However, the way the APIs are being secured and the regulatory regime and protective monitoring around the new model should help manage the risks involved. But we shall see. After all, the history of “secure APIs” is a slightly shaky one.

My wider interest is the impact of these changes on identity and authorisation – the area I flagged with the bank back in 2007. PSD2 requires the use of Strong Customer Authentication (SCA) for all online payments. As a result, users will need to verify who they are by using at least two (of three) factors – such as UserID/password, a chip and PIN card and a biometric. This should help reduce some fraud and provide a higher level of assurance that someone online is who they claim to be.

These changes mean that account holders will be able to use their banks to prove who they are to trusted third parties, providing us with a system that can prove who we are with an appropriate level of risk assurance when we are online. However, whether security concerns will deter many account holders from using open banking and hence fail to unleash all of this new potential remains to be seen.

And there’s a sense in which I can’t help feeling this is all a bit “back to the future” – after all, use of third parties to prove identity online is hardly a “new” thing. Previous attempts at using trusted third parties to assure identity have not typically gone well – as the original Government Gateway discovered back in 2001, when it was using trusted third parties such as the Royal Mail and its ViaCode product and the British Chambers of Commerce; nor more recently with the GOV.UK Verify identity assurance programme, which started back in 2011 and is still struggling to get meaningful adoption.

The UK needs to resolve the long-standing problem of online identity during 2018. It’s an essential, and currently missing, ingredient of a successful digital economy. Right now open banking and PSD2 look to be one of the most promising ways of making this happen – and in ways that will interoperate beyond the borders of the UK. It would enable us to use a trusted organisation with whom we already have an existing relationship – our banks – to prove who we are to others.

But even if we crack identity it will still only solve part of the problem. We also need to be working on other essential aspects across the identity / data divide. Only if we achieve both of these inter-related aspects will we finally see the realisation of ideas to bring, say, all our pension information together – from across the state pension scheme, employer schemes and private pension schemes – so we can view and interact with them in one place to see how destitute we shall be in retirement (the type of thing the Pensions Dashboard is trying to do).

Ideas such as this, of giving us access to and control over our personal data regardless of where it resides (across private and public sectors), have been doing the rounds since at least 1997. It would be nice if 2018 actually saw these ideas finally coming to fruition rather than just being spoken about, piloted and then abandoned. But as my experience between my presentation of 2007 and today demonstrates, progress on tackling these issues has been ridiculously slow.

I am now going to use the B-word here: Brexit. Sorry about that. But as we exit the EU, we need rapidly to minimise the overheads and frictional costs of current bureaucracy and admin, enable an identity ecosystem that works across our border (to ease the movement and related costs of goods, services and people), and help make the UK far more productive and efficient than it is right now. This would seem a good reason to make 2018 the year when the UK finally gets identity and related aspects fixed.

Now that would be a timely and very welcome disruption and outcome on the back of open banking and PSD2 – almost worthy of the hype about it being a “revolution”.

2 comments

  1. One of the missing elements in identity verification schemes is a willingness on the part of those deploying them to address the question of who carries the risk of fraud. If despite all the efforts at security a criminal successfully impersonates me, I and the victim who is deceived need to know which of us carries the loss (assuming the criminal is either not caught or has no recoverable assets). And if a scheme leaves me with the loss when I’m impersonated, then I’m not going to use it.

    1. Yes, the issue of liability / risk is one that has never been fully resolved. So far as I understand PSD2, it at least sets out that “the payer” is not liable for unauthorised payment transactions, unless they’ve acted fraudulently, failed to keep safe their security credentials or failed to report the loss/theft/misappropriation etc. of their payment instruments. I’m less clear about the open banking provisions around liability given it’s not necessarily “payments” that may be involved so much as say me using my bank credential to prove to the bank who I am in order to authorise third parties to access potentially sensitive financial data. I assume there will be no liability on the bank if they’ve followed KYC and SCA procedures, but where that leaves liability when inevitable problems arise I’m less clear … any pointers happily received 🙂
