Global Interoperability is critical for the success of Open Finance
Open Finance is taking hold around the globe, but we’re only at the beginning of this exciting journey. Each market has taken a different approach to regulations, standards and implementation, which has resulted in lots of ‘wheels being reinvented’, with associated risks, delays and costs, holding back the enormous potential. These barriers will be overcome if we achieve the nirvana of Global Interoperability, resulting in increased benefits for the financial services sector, not to mention personal and business customers.
What is Open Finance and why does it matter?
Open Banking is a concept which enables customers to securely share access to their accounts held at a bank with a trusted Third Party Provider (TPP). This enables the TPP, which could be a fintech or another bank, to provide additional services to the customer, which their existing bank cannot provide themselves.
Open Finance extends this concept to include more Financial Institutions (FIs), such as alternative lenders, investment houses and insurers. More data equals more value, so the benefits are thus much greater for all.
Example applications include personal wealth management, business financial management, better access to credit, lower cost and more secure payments (compared to cards), automated bill payments, lower cost FX, service initiation (e.g. loan applications), service management (e.g. users, beneficiaries), account opening and account switching.
Open Finance offers a huge number of benefits:
- FIs can grow revenue by embedding existing services into other channels – e.g. apply for a loan directly inside a car website.
- Fintechs can develop innovative new products with new revenue streams, faster and for a lower cost than established FIs.
- Personal and business customers can manage their money better, increasing savings, reducing unplanned debt and improving their financial health.
- Regulators and governments can reduce fraud and improve their economies.
What is the current status of implementation around the world?
Open Finance as a concept has been around in several markets for many years, but it is now being implemented all over the world.
For many years Open Finance has been mostly based on screen scraping (which is complex and expensive for TPPs to create and manage) and credential sharing (which has encouraged customers to share usernames and passwords, thereby posing a security risk and limiting the take-up of stronger security measures, such as biometric authentication). This resulted in a 2-tier system whereby there are only a limited number of TPPs and FIs in any market who can provide such services and the scope of these services is limited.
In effect there was no interoperability, because every FI had a different web interface and every TPP had to build their own code to screen scrape and manage the customer credentials.
In 2017 this all changed, starting in the UK, with the introduction of a structured Open Banking ecosystem which included four things not seen before in combination:
- Regulations which set requirements for FIs (initially the largest 9 banks) to build standardised APIs, and for TPPs to meet certain criteria to be granted access to the ecosystem and to manage and honour customer consent.
- Standards to define the security, consent and data models for these APIs.
- Conformance testing tools and a certification framework, aimed at FIs, to ensure consistency of implementation.
- Central Infrastructure for a trust framework, including a directory of FIs and TPPs (with the identity and role/permission of each) and the Public Key Infrastructure (PKI) to enable the secure identification and connection between FIs and TPPs.
The following year, Open Banking was introduced across the European Union (EU) via the second payment services directive (PSD2). Since then Brazil has moved straight to Open Finance, by copying much of the UK model, but adding on Open Insurance. Australia has moved conceptually even further with their Consumer Data Right (CDR), which introduces other sectors, such as Energy and Telecommunications.
In the MENA region, Bahrain was the first GCC market to introduce Open Banking, again copying much of the UK model, but without the certification tools/framework or central infrastructure.
The Kingdom of Saudi Arabia took a different and more innovative approach. The regulator (SAMA) defined a simpler set of high level regulations but then developed both standards and business rules (acting as secondary regulations) based on a set of clearly defined use cases. The certification tools were also significantly enhanced to cover TPPs as well as FIs.
Recently the UAE has published its Open Finance regulations and framework. This builds on several other markets, specifically the UK, Brazil and KSA, but is perhaps the most advanced and ambitious implementation of any so far, covering:
- Regulations – simpler regulations but which bring all FIs into scope.
- Standards and Rules – which cover a much wider set of use cases, including delegated authentication, richer data sets, many more payment types and insurance (starting with Motor). These rules also include a clear liability model and a commercial model, which sets out a simple low cost for TPP access and allows FIs to monetise their APIs.
- Certification – comprehensive but also simpler to implement than in other markets.
- Central Infrastructure – covering both the trust framework (based on a step up from the UK and Brazil models) and a single API Hub (to reduce the cost and complexity for LFIs, enforce standardisation across all LFIs, and thereby speed up adoption by TPPs and end customers).
Many other markets are now looking to introduce Open Banking and/or Open Finance. Indeed, those who have already introduced the former are now looking to extend to the latter. But each market is taking a different approach to these four key themes.
Why do we need Global Interoperability?
Each market will have a different driver for introducing their Open Finance initiative. For some, this will be financial inclusion – to reduce the cost of banking services, especially lending. For others, this will be to drive innovation, encourage inbound investment and increase the wealth of its citizens. For many it will be a mix, albeit with different priorities.
If each market does their own thing, there are several issues:
- Regulators will spend more money than needed developing bespoke regulations and standards, which creates a specific risk to the security of customer data, versus following established best practice.
- Technology vendors will have to build different solutions for each market and FIs will spend more money developing their own API infrastructure, due to the lack of such solutions – particularly expensive for FIs who operate in multiple markets.
- TPPs will have to go through a steep learning curve in each market – especially cost prohibitive for TPPs who operate in multiple markets.
- The implementation will therefore take much longer, cost more money and delay the benefit to customers.
Global interoperability can lower, or even remove, these barriers completely. This concept is critical in several ways.
Interoperable Regulations
While regulations will always differ in each country, the differences can be minimised if regulations are kept light touch. A blocker to many use cases (especially in the GCC) is the restriction on allowing personal data to cross borders. This can hinder or even prevent TPP applications which help customers manage financial data across multiple markets.
Interoperable Standards
We already have a global security standard for Open Finance – the Financial Grade API (FAPI) profile. This has been adopted as the underlying standard in the UK, Brazil, Bahrain, KSA, UAE, Australia and now the USA. The guardian of the FAPI profile is the OpenID Foundation, which also publishes and maintains a conformance suite and certification programme.
However, the API scopes, consent flows and data models differ significantly across markets. This is a more complex problem to solve, because of the need to support different regulations, use cases, currencies and payment rails. While the ideal solution is to have a single global standard, the challenge is to agree how this standard will be governed. Global standards bodies generally take years to introduce new versions, and we know that many regulators need to iterate every few months. So, for now at least, this will require patience and, perhaps, an agreement that all standards bodies contribute towards a global ‘mega-standard’. Conformance tools and certification frameworks will also need to be adapted separately for each standard, at least for now.
Interoperable Infrastructure
A centralised trust framework has been adopted in the UK, Brazil and now in the UAE. This is essential to ensure that only authorised TPPs can access the APIs from each FI, and only for the role for which they are licensed by the regulator. The lack of such a framework under PSD2 has proved too complex and expensive. Fortunately, each of these frameworks is based on the same open standards. It is a quick win for regulators to follow the same approach.
A centralised API hub has now been adopted in the UAE. While the implementation phase is only just starting, regulators would be well advised to watch this space closely. It is set to significantly reduce the complexity and cost for all parties, and thereby to speed up the implementation and benefits for all.
Where to next?
The underlying services offered by TPPs and FIs will and should vary widely. However, the Open Finance plumbing which connects these TPPs and FIs should be standardised – not just within a single market, but globally across all markets.
USB standards offer a good analogy. Every USB device needs to conform exactly to these standards, regardless of the connected device. If every printer had a different interface, printers would be a lot more expensive and offer limited functionality.
Global Interoperability is absolutely essential to ensure that Open Finance delivers on its promise – to transform financial services globally.