Abstract
Open Banking allows consumers to take advantage of data-driven financial services by sharing data held at one organization with another organization, typically between financial institutions and trusted third parties. Open Banking is consumer controlled, secure, and protects privacy. These new services represent an innovative and growing market. Clear and fair rules, industry coordination, and technical standards are needed to avoid fragmentation and to build a robust market that serves all consumers and Small and Medium Enterprises (SMEs). International developments in jurisdictions such as the UK and Australia have demonstrated the expected benefits that Open Banking can deliver to consumers. The challenge to governments in North America is to adopt a consistent framework that provides the security and protections consumers need while at the same time providing flexibility for innovation and streamlining of banking services using the Open Banking model.
A key question for implementation of Open Banking will be the balance of activity and involvement between government and the private sector. An unbalanced Open Banking model will likely fail; a balanced Open Banking model can bring tremendous value to society.
This teaching case asks students to first understand the benefits and challenges of Open Banking for many stakeholders, and then to recommend on how to proceed (or not) with implementation. The case is written from a North American perspective, that is, the USA and Canada.
Introduction
After eight successful years of working in Europe, Jenna Chu returned to her capital city, happy to rest her feet on home soil. The past 10 years flew by quickly. With MBA in hand, she was recruited by a top consulting firm, worked in London and Paris, moving up the ladder, and is now back home without a moment to spare. She leads her own team now and is faced with the most intriguing problem of her career. She and her team would soon deliver a confidential recommendation to the highest level of government regarding Open Banking.
Open Banking allows consumers to take advantage of data-driven financial services by sharing data held at one organization with another organization, typically between financial institutions and trusted third parties. Open Banking is consumer controlled, secure, and protects privacy. These new services represent an innovative and growing market. Clear and fair rules, industry coordination, and technical standards are needed to avoid fragmentation and to build a robust market that serves all consumers and Small and Medium Enterprises (SMEs). International developments in jurisdictions such as the UK 1 and Australia have demonstrated the expected benefits that Open Banking can deliver to consumers. The challenge to governments in North America is to adopt a consistent framework that provides the security and protections consumers need while at the same time providing flexibility for innovation and streamlining of banking services using the Open Banking model.
A key question for implementation of Open Banking will be the balance of activity and involvement between government and the private sector. Recent developments in the United States, where the federal government has examined and acted to address the increasing influence of large technology corporations, reflect a growing public concern about the tech industry. 2 Open Banking should not be an invitation for the already large tech sector to increase its dominance. The public may challenge elected governments who are seen to be supporting increased surveillance capitalism. At the same time, if an Open Banking model can be efficiently and fairly delivered by the private sector, then government’s role may be to simply provide enabling legislation, regulations, and oversight, to provide the “guardrails.” An unbalanced Open Banking model will likely fail; a balanced Open Banking model can bring tremendous value to society.
What is open banking?
Open Banking refers to the “opening up” or sharing of a customer’s or a business’ data held internally by one party to other parties via secure digital channels. Today, this definition is built on the notion that end-use customers or businesses, typically small and mid-sized enterprises (SME’s), own their own data and allow banks to use technology-based approaches to share their data for the customer’s own benefit and with their consent.
The term, FinTech, broadly refers to a company that uses technology, such as the internet or cloud services, to provide B2C or B2B customers with easy-to-use, innovative financial services such as personal budgeting apps for consumers and payment processing and accounting tools for SMEs. Personal financial management, wealth management, robo-advising, and mobile payments are examples of the breadth of FinTechs. The emergence of the internet sparked the growth of FinTechs around the world since 1990 and the increased smartphone user-base in the mid-2000s enabled ease of use of banking apps. The US and China lead in FinTech startups. 3 Banks generally view FinTechs as a threat because they disrupt the market and gain access to their valuable customer data. 4 In the future, customer (B2C or B2B) data may originate outside of a bank or financial institution.
Financial institutions have acquired and/or have entered into partnerships with FinTechs to provide B2C and B2B customers with a greater breadth and depth of products and services. For example, in Canada, Interac, a payments and digital information exchange company, services the Canadian debit card system, through partnerships with a network of financial services.
5
In June 2020, Mastercard announced that it was acquiring Finicity to advance Open Banking. While Mastercard has expanded its Open Banking services in Europe, it needed to strengthen its capabilities in North America: “Finicity has a proven business, built on partnerships with thousands of banks and fintechs, similar to us. Finicity also shares our commitment to consumer-centric data practices, ensuring consumers have a say in how and where their information should be used. It’s through the use of next generation open banking APIs and clear consumer approvals that this financial information can deliver streamlined loan and mortgage processes, rapid account-based payment initiation and personal financial management solutions.” Michael Miebach, president of Mastercard (June 23, 2020).
6
Prepared with data from medium.com/founders-intelligence.
Both banks and FinTechs share an ecosystem that consists of data privacy, customers, and the government and legal environment.
Data Privacy—There are important concerns about whether B2B and B2C customers are aware of who owns their data and for what purposes. What rights do customers have? Are financial institutions co-owners of their data? The “notice and choice” privacy agreements, promoted by the Organization for Economic Co-operation and Development (OECD) and adopted by many countries around the world, including the US and Canada, have led to consumers checking “I agree to these terms and conditions” without reading the privacy policy agreements. Privacy agreements are too long, they are too complicated to read, and it is “normal” not to read them according to research by Obar and Oeldorf-Hirsch (2020). 8 Trust was highlighted as a key factor for building stronger relationships to enable data sharing. Trust must be earned and in the current ecosystem sixty-two percent of Canadians are more concerned about keeping their online data safe now, than they were in the past. 9 Navigator reported that ninety-four percent of respondents in a survey of 2,000 Canadians want to feel in control of their financial information. 10 One of the biggest hurdles may be to convince consumers that their data is safe and well-protected within the ecosystem.
Customers—A customer’s willingness to share financial data is a main factor to enable the growth of Open Banking. In a US study conducted by Srinivas et al. (2019), only thirty-five percent of respondents aged 18–36 years old were willing to instruct their bank to share their financial information with other providers. The average of all respondents willing to instruct their bank to share their financial information was ten percent in this US research. 11
Canadian FinTech, Interac, commissioned a consumer survey in August 2020 during the COVID-19 pandemic. 12 The research revealed that adoption of digital payments during the pandemic increased. Sixty-four percent of Millennials and fifty-eight percent of GenZ consumers increased their use of digital payments. Overall, consumers expressed the need for tools to “stay within budget,” “make in-app purchases,” and “keep track of their spending.” During the COVID-19 pandemic trends included contactless shopping, increased online shopping, and new consumption patterns. 13 These factors appear to positively pave the way for innovative FinTechs’ response to consumer needs. Currently Canadian consumers are using FinTech services to analyse their financial data. However, the mechanisms for accessing that personal financial data are not secure and not efficient.
Financial institutions in the US and Canada should look to improve customer relationships with two target markets to move forward, and especially to succeed in Open Banking. A gap appears to be in understanding the disadvantaged consumer who may have low education, low socioeconomic status, and may be disabled and/or isolated, impeding the opportunity to become educated on banking and data privacy issues. 14 This consumer may be unbanked and underserved through either the US or Canadian banking system (see Exhibit 2). In developed countries such as Canada and the US, the unbanked, who are often low-income consumers, may turn to cheque cashing services and other types of fringe financial institutions which charge high fees, compounding their problems.
In Canada and the US, women may have difficulty accessing credit and start-up funding, eventually paying higher interest fees. This is a recurring theme supported by the World Economic Forum and US surveys. 15 This may result in a backlash on the B2B front with respect to women and Open Banking, given that trust is a key factor in building solid relationships for data sharing.
Government and Legal Environment—There has been no consistent response to open banking around the world. For example, in the EU the Payment Services Directive (PSD2) was implemented in 2016. PSD2 is founded on the premise that banks use Application Programming Interfaces (APIs) to meet PSD2 obligations, although it doesn’t have to be standard. The Open Bank Project API Platform includes tools and software to handle third party registry, API Gateway, Consent Management, Risk Engine, Multi-Factor Authentication, and SCA and Berlin Group specifications. The General Data Protection Regulation (GDPR) adopted in the EU in 2018, pertains to “reasonable” protection of data privacy for personal data and assesses fines for non-compliance.
Australia has taken a consumer-oriented approach. In 2019/20, the Consumer Data Right (CDR) legislation was implemented in Australia. It gives consumers control over sharing their data and provides rules and standards on privacy, information security, and the customer experience. Open banking is to be regulated by the Australian Competition and Consumer Commission. Third parties must become accredited. This legislation initially applied to the banking sector, but the plan is to roll it out to other sectors.
Exhibit 2 indicates the differences in the US and Canadian banking systems that would impact the implementation of Open Banking. In Canada, there have been formal consultations about Open Banking among banks, FinTechs, and governments. In Canada, The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to banks and private sector organizations. It relates to collections, use, and disclosure of personal information.
In the US, Open Banking is expected to be an industry-driven initiative due to the structure of the banking system (see Exhibit 2). The US the Federal Trade Commission protects consumers against unfair practices with respect to privacy and personal information. Specifically, the Gramm-Leach-Bliley Act pertains to consumer financial privacy.
Your assignment
All governments in North America are now considering how to implement Open Banking that will be fair to industry participants and will maximize the benefits to all citizens. After the COVID-19 recession governments are eager to find new opportunities for economic development and recovery that are not tied to the old carbon intensive economy. Open banking and its economic digital transformation potential provide an opportunity for new careers and the potential to share economic prosperity with those who have been left behind. It also has the potential to enable a faster, more digital, economic recovery. Governments see Open Banking as an opportunity to promote equity, diversity, and inclusion in their respective jurisdictions.
For this case, you and your team of experts have been hired as an expert consulting firm that is a global leader in technology policy development. You have been asked to provide the head of government with recommendations on how to proceed with Open Banking in this jurisdiction. You will need to make assumptions regarding which government and which jurisdiction. As a consulting team, you have prepared for the case by reading and understanding the extensive background materials that describe Open Banking. Your client expects that you understand the fundamental challenges of Open Banking and expects that you are prepared to address the key issues.
Key issues
The most important issue is how to structure the Open Banking model to operate in this jurisdiction. Several models exist, each with strengths and weaknesses. Your final recommendation must clearly identify the most appropriate Open Banking operating model.
What is an operating model for Open Banking? Here are a few components that should be considered: 1. Legal and regulatory. What are the current laws, regulations, and oversight bodies that would need to collaborate or change to support Open Banking? For example, in Canada the Office of the Superintendent of Financial Institutions (OSFI) regulates all large financial institutions. OSFI is part of the federal Department of Finance (DoF). More information can be found at the OSFI
21
and DoF
22
websites. Each province oversees local financial institutions such as credit unions. Would new laws or regulations be required? The Office of the Privacy Commissioner (OPC) of Canada oversees laws pertaining to the protection of personal information. Again, most provinces have a similar role for a provincial Privacy Commissioner. 2. Governance. This component defines how decisions are made, how stakeholders are represented and how direction is set for Open Banking. Clear and fair rules are needed. Various models can be considered. For example, the Open Bank service could be a government operation, owned and operated by an agency or a department. The Open Bank could be an industry shared service, owned and operated by major established financial institutions. The Open Bank could be a private for-profit entity, sanctioned by government to operate as a service where industry can agree to participate. Should competing models be allowed? Lastly, ESG (Environment, Social responsibility, and responsible Governance) are now seen as critical elements for investors and employees in assessing organizations. Open Banking should embrace ESG principles. 3. Participation—Who and How? Many entities will participate in Open Banking, from individual consumers/citizens to global banking institutions. The roles and rights of each participating entity must be defined and operationalized. Who will be included? How will they participate in Open Banking? How will they register, how will they benefit, how will they contribute? Where will the investment come, how will return on capital be determined, to create an Open Banking framework? Can certain organizations be excluded, and on what basis? What incentives (if any) are there for parties to participate in Open Banking? 4. Infrastructure. Modern banking relies completely on information technology, which includes hardware, software, communications, and information. This IT infrastructure is well established in all large organizations and continues to change rapidly with service-oriented software and cloud computing. Technical standards that are already widely acknowledged and adopted are needed for Open Banking. Cybersecurity is critical to protect failures or malicious attacks on the infrastructure. How should Open Banking define the required technology infrastructure?
Some questions to consider as you define the Open Banking operating model: • What have other jurisdictions learned from their operating model? How could that model work, or not, in this jurisdiction? • How would the interests of various stakeholders be protected? The focus here must be the banking consumer and SMEs, but also the investors, the established financial institutions, and start-up entities (e.g., FinTechs). • How much would Open Banking cost, how long would it take to become operational? • What is the best way to articulate consumer and SME value and thus gain adoption for Open Banking? • How will consumers be protected in terms of unauthorized information disclosure, the need for informed consent, and potential redress in case something goes wrong? • What are the risks of failure?
Other key issues that must be addressed include the following:
Protection and privacy of personal information
Governments have grappled with the technology and legal challenge of privacy for several decades. Most recently, in 2020, the State of California began to implement The California Consumer Protection Act (CCPA). The California law is aligned with the European Union General Data Protection Regulation (GDPR) which began implementation in 2018. Both provide for personal control allowing a consumer to request their data be corrected or erased. Similarly, the State of Illinois implemented a Biometric Information Privacy Act (BIPA) that is now being used to challenge big technology firms who store and interpret facial images of individual consumers.
The Canadian government has recently announced an intention to revise the Personal Information Protection and Electronics Document Act and to implement a new digital charter that defines the rights of citizens with respect to their digital personal information. In November 2020, the Canadian Government put forward Bill C-11, the Consumer Privacy Protection Act (CPPA) to improve protection and privacy of citizen data. However, it has been noted that the ability of governments to pass and then enforce legislation that protect the privacy of personal information will be slow and time consuming. For example, the COVID pandemic and economic recession has delayed the Canadian government’s new digital charter. In contrast innovative technology companies in the financial services sector, such as FinTech companies, have been rapid and creative in delivering new technology-based capabilities that are far ahead of slowly evolving government laws.
Cybersecurity
The rise of malicious attacks on digital information and infrastructure has made cybersecurity the top management issue in all organizations. Cybersecurity issues range from very simple ransomware that has affected many public and private organizations to national level cyber warfare where digital infrastructure has been attacked by unfriendly government actors. Cybersecurity examples include the 2017 data breach at Equifax where personal information of 147 million US consumers was stolen by organized hackers. In 2018, two Canadian banks announced that about 90 thousand clients had been exposed in a data breach by outside hackers. In 2019, one of the largest Canadian data breach attacks occurred at LifeLabs, a medical service firm, where 15 million customer data records were stolen.
In January of 2021, a US intelligence task force accused Russia of a cyber attack that managed to infiltrate dozens of government agency digital infrastructures, in both the US and Canada. Citizens, governments as well as corporate executives are rightfully concerned about the vulnerabilities of personal digital information, including the liabilities associated with the inability to protect that information.
Many countries are taking action to improve both commercial and national cybersecurity capabilities. For example, the US Department of Homeland Security announced a national Cybersecurity Strategy in 2018. 23 Similarly, in 2019, the Canadian government announced a National Cybersecurity Action Plan. 24 Throughout North America, and in other regions, the cybersecurity industry is growing rapidly, adding thousands of jobs, and attracting significant investment.
Other issues your team may wish to consider include: • Value—will the value to consumers, to the industry and to the economy justify the investment of time and capital to create Open Banking? • Building trust—how can the government and the Open Banking model build trust with consumers so that the new services will be seen as reliable, secure and worthwhile? How can consumer trust be maintained and protected? • Jurisdiction—Should Open Banking be within this jurisdiction, or should a multi-jurisdiction model be adopted, for example for all North America? • Politics—is this an issue that the government will need to justify or defend to the electorate? Could opposition parties challenge the government on this topic? • Risk of Inaction—what will be the impact of not moving forward with Open Banking?
Deliverables
Jenna Chu and team have been asked to make a short (20 minute) presentation, with supporting slides, to a panel of government leaders. After the presentation, they should be prepared to respond to a few questions (10 minutes).
The panel plans to evaluate the presentation using the following criteria: 1. Demonstrated knowledge of Open Banking (20%) 2. Analysis and recommendation clarity—address the key issues (40%) 3. Implementation practicality—timing, costs, risk management (30%) 4. Presentation persuasiveness and supporting evidence (10%)
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
Notes
Author Biographies
External reference documents
Deloitte: Executing the open banking model strategy in the United States, Executing the open banking model in the United States | Deloitte Insights
a. Government of Canada: A Review into the Merits of Open Banking, https://www.canada.ca/en/department-finance/programs/consultations/2019/open-banking.html
b. Government of Canada: Consumer-Directed Finance: The Future of Financial Services, https://www.canada.ca/en/department-finance/programs/consultations/2019/open-banking/report.html
c. Government of Canada: Open Banking Report—Open Banking 101 Open Banking Report—Open Banking 101—Canada.ca
d. Interac (video): What is the Future of Open Banking? https://newsroom.interac.ca/video-what-is-the-future-of-open-banking/
e. Mastercard: Chronicles of the New Normal: How Open Banking Can Address New Customer Needs Chronicles of the New Normal: How Open Banking Can Address New Customer Needs | Mastercard Data & Services (mastercardservices.com)
f. Mr. Open Banking Podcasts
g. PWC, 2019 Consumer Digital Banking Survey, 2019 Consumer Digital Banking Survey (pwc.com)
h. Pymnts.com: An Open Road for Digital Banking? https://www.pymnts.com/news/digital-banking/2020/open-road-for-open-banking/