Who is the beneficiary of your data?


A year has elapsed since the hype of launching #openbanking surfaced in December 2018. After a bumpy start to its roll-out, the Australian Federal Government finally passed the Treasury Laws Amendment (Consumer Data Right) Bill in September 2019. Open Banking will now commence on 1 February 2020.

Soon the entitlement and enablement of the use of consumer data will be incorporated into the Competition and Consumer Act 2010 (Cth) (CCA), the Privacy Act 1988 (Cth) and the Australian Information Commissioner Act 2010 (Cth) (AIC Act). 

This is much like a reversionary interest in a property, where the owner of an asset grants an interest in the asset to another person for life or for a specified length of time, and the vested interest can be revoked and returned (reverted) to the owner. The asset in the context of #openbanking is your personal data held by Banks, Utilities and Telecommunication companies. As the customer (consumer) of these large organisations, the legislative changes place you as the owner and centre of the data right [1].

To facilitate the roll-out of #openbanking, the Australian government has mandated the release of associated data from the four big banks #ANZ #CBA #Westpac #NAB in three phases: Wave 1 covers data held on Credit and Debit Card, Deposit and Transaction Accounts; Wave 2 covers data held on Mortgages; and Wave 3 covers data held on all other products. All other Banks, ADIs and Credit entities have a 12-month extension in implementation. The announcement for Utilities and Telecommunications companies will soon follow a similar trajectory.

A prescriptive open banking framework known as #CSIRO #data61 was created to enable the exchange of personal data between the holder of your data and other authorised data recipients. Most importantly, the sharing of data must be free of charge.

Read more on #openbanking below and how #consumerdataright (CDR) is underpinned by consumer’s consent on data sharing.

I hope you find this article insightful. Thanks for reading.

I Open Banking 101

Open Banking is not the same as Open Data where the information is shared with everyone. Only authorised data recipients (non-bank and other bank entities) are permitted to retrieve such data through #data61 application programming interfaces (APIs).

New services and offerings are expected to add benefits and greater value to consumers when businesses start to evolve their business models to respond and stay relevant in the digital economy. The trajectory of Open Banking regulation and the ambition of global tech competitors like Alibaba, Amazon and Tencent suggest that the fund-exchange environment will inevitably become more complex and heterogeneous for banks to compete with.

The ability of national regulators to implement meaningful protection or trade barriers is increasingly politically challenging and will be practically less feasible over time. Thus, the Open Banking regime is a timely intervention by the regulators to spearhead changes in the banking sector and give power back to the consumer. There is a general perspective that regulators need to identify market failures and provide regulations to safeguard the net safety of banks [2]. However, the approach taken varies and, to some degree, the banks may need to lose some to gain some.

II Open Banking Regimes Across the Globe

In the global banking industry, banks are deploying open API Gateway innovative processes to provision account information, payment initiation and responses from third parties. The purpose is to allow more services and offerings to latch onto existing banking platforms to produce greater consumer empowered functions. 

In designing the appropriate regulatory system, the debate over principle-based versus rules-based regulations often loses sight of the underlying focus on the outcome of the matter and succumbs to ‘Pareto efficiency’ in the allocation of resources [3]. Conflicting views abound about ideal outcomes, and what processes are required to jointly achieve these objectives.

Open Banking is the UK equivalent of the Payment Services Directive (PSD). The difference is that PSD is a principle-based regulation that mandates banks to open up their data to third parties, whereas Open Banking is a rule-based regulation that also mandates that the information shared must follow a specific set of standards in a particular format. In practice, the difference in application between principles and rules is merely a matter of degree. In legal theory, the main difference lies in how exception and conflict scenarios are handled by different sets of reasonings [4], as was addressed by Dworkin [5] in his interpretation of an ‘all or nothing’ characteristic in the rule-based regime. In contrast, a principle-based regulatory system is a broad set of requirements that permits partial fulfillment.

Currently, the UK’s nine biggest banks – HSBC, Barclays, RBS, Santander, Bank of Ireland, Allied Irish Bank, Danske, Lloyds and Nationwide – are required by PSD to ensure any data relevant to a consumer’s spending habits and lending and borrowing capabilities they release is in a secure, digital format so that it is an authoritative record that can be easily shared between authorised third parties. The record includes a burst of analytics dataset in everything from electricity bills to mortgage repayments to weekly spend on household items that are currently of little value other than a transaction record. With Open Banking, the passing of such rich information is standardised and brings a wealth of knowledge to third parties that can be used to create new apps and products which are tailored to each individual consumer. To approve data sharing, the consumer (account holder) must give their explicit consent.

In Europe, two regulatory actions came into effect on 13 January 2018 against the banks: firstly, the second iteration of the Payment Services Directive (PSD2) [6], and secondly, the General Data Protection Regulation (GDPR), intended to safeguard access of personal data and the privacy of EU citizens [7]. In effect, this is a rule-based regulatory regime that addresses how data is to be collected, stored, processed, destroyed and shared with non-banks to provide a level playing field by specifying consumer protection rights and obligations for payment providers and users [8]. Apart from these new laws, the EU Parliament and Council are responsible for internal market offerings, while the Financial Conduct Authority (FCA) is responsible for transposing other parts of the PSD2 for external interactions.

In North America and Asia, there is no regulatory compulsion to break apart the traditional bank value chain. However, there is increasing competitive pressure and a presumed first-mover advantage for banks to create a partnership model with retail chains. In Singapore, DBS Bank launched its API gateway in late 2017 that enabled 155 services, including rewards, payments and fund transfers [9]. Retailers like McDonalds and Property Guru, in partnership with banks, are improving their offerings to their customers by jointly developing microservices that benefit their end users.

To assist the regulatory roll-out of Open Banking, a “regulatory sandbox” environment is made available to industry, offering a wide range of APIs with which developers can experiment before going live with customer offerings that incorporate atomised banking services like identity management. The role of a regulatory sandbox is to test adaptive regulatory responses to disruption in the market. The BNP Bank is currently in trial within the EU sandbox environment as it provides a standard RESTful (or representational state transfer) interface - the Open Bank Project - for developers to create customer-facing applications for multiple banks and account types [10]. In response to regulatory requirements, BNP is attempting to shift from its fully-integrated banking solutions to banking as a service by segregating its core bank functions [11].

III Regulators in Australia

The Australian Competition & Consumer Commission (ACCC) will be responsible for defining CDR scope and the legislative framework for (a) consumer (b) data holder and (c) data recipients’ authorisation process [12]. The Office of the Australian Information Commissioner (OAIC) will be the initial complaint handler and contact point for consumer and small to medium enterprises’ complaints. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) will act as the Data Standard Body to define the data format known as the Data61 specifications to ensure a high level of privacy and information security protections. The federal budget from 2018-2019 allocated $44.6 million over four years to help implement and establish a national CDR [13]. Civil penalty and Infringement notice provisions are added to enforce the compliance of CDR rules [14].

IV Trajectory and Challenges in Implementation

Regulator’s view

While the CDR rules framework has completed its public consultation phase, its final accreditation and de-accreditation (or suspension or imposition of conditions) processes and rules for authorised data recipients are yet to be announced at the time of writing [16].

The Australian regulators are now actively introducing CDR and defining the applicability of foreign law against CDR [17]. The main focus is on the principle that the sharing of data (at the basic level) must be free, as prescribed by the ACCC under the CDR program. This places consumers squarely in the category of the beneficiaries of Open Banking, and stimulates competition and accountability in the ownership (data holder) of consumer data within Australian financial services providers.

The regulators believe that Open Banking in online channels and API collaboration will create possibilities of new revenue streams for banks by partnering with other commercial entities to retain existing customers. However, there will be winners and losers in the Open Banking initiative [18]. Incumbent banks will be less capable of quickly disseminating service functions whilst still embarking on the journey to be fully integrated as a traditional bank. However, to shape their business and stay competitive, Open Banking offers new opportunities in partnership interfaces with Telecommunication and Utilities companies and trade relationships with businesses to gain a competitive edge in attracting new customers in a novel way.

Open Banking will be disruptive and equivalent to the building of a platform economy where third-party developers can link Google Maps, Wallets or Sign-in with Facebook functions on apps or websites to provide additional benefits for existing customers of the bank. Without regulatory intervention, apart from tech giants, smaller FinTechs are already competing for tightly held customers of banks by offering a different set of services focused primarily on payment services. An Open Banking framework allows all parties to leverage each other’s strengths and compete by building an ecosystem to co-exist.

Bank’s view

After recent speculations of money laundering failures and investigations conducted by the Banking Royal Commissioner, Commissioner Hayne, under the Banking Executive Accountability regime, banks are keen to be in the ‘good books’ and in a good position with the government on the roll-out for CDR [19][20]. Commissioner Hayne’s findings on misconduct in the banking, superannuation and financial services industries were published in February 2019 [21].

Open Banking is opening the door for tech-savvy rivals to pounce into the banking sector. With the introduction of such a regulatory regime, there are three general perceived threats: (1) loss of relationships; (2) loss of revenue; and (3) loss of relevance and presence in the market. 

Apart from endorsing the compliance requirement of sharing consumer data for free, all banks are actively seeking monetised access to the derived data of their customers and claim proprietary rights over the bank’s insights on customer spending habits and aggregated data (e.g. customer segmentation, propensity indexes, and the logic and algorithms that derive credit risk ratings). This was evident in their responses to the ACCC’s public consultation on the draft CDR rules framework [15][22][23]. NAB has also requested that the ACCC consider ‘fees’ against chargeable data sets according to market-based pricing, while ANZ requested the Treasury to design a fee framework to consider how intermediaries may operate with CDR. CBA has requested clarity on ‘material breach of data standards’. Seeing that the CDR regime lacks a liability shield for banks, Westpac predicts that the initial cost of implementing Open Banking will be $200m [24].

In December 2018, the ACCC also introduced a lower entry barrier for a non-bank authorised deposit-taking institution (ADI) license which allows more digital banks to be operating in Australia once they secure $3m seed capital. This poses a great risk for traditional banks, which are bound by strict compliance rules on credit risk and liquidity ratios. Differences in regulatory approaches in ADI and bank licenses make regulatory arbitrage possible [25].

In addition, within the CDR framework, ADIs and Fintech companies are named as a class of authorised data recipient that will benefit from the Open Banking regime. The banks are now actively seeking clarity on the scope of non-ADIs as a class of authorised data recipient from other banks and non-banks in their submissions to the ACCC. By declaring on the principles of data reciprocity, data holders would be entitled to request or obtain data from an accredited data recipient before sharing data as directed by a CDR consumer (i.e. that reciprocity is not a 'quid pro quo' arrangement). Otherwise, banks have expressed in their submissions that the CDR framework is creating an unlevel playing field due to differences in regulatory approach which could be exploited.

V Effect of Regulatory Actions

To regulate jurisdictions worldwide, our global markets require a set of common standards for cross-border businesses and enforcement procedures. To facilitate global market access, countries are developing ‘mutual’ benefiting regulatory approaches to protect investors and companies in their investments.

The effect is that compliance requirements not only regulate nations within their own jurisdiction but also have an international impact on how multinational institutions are required to comply when dealing with such countries. This is similar to when the United States enacted the USA Patriot Act [26] after the terrorist attack of September 11, 2001 to strengthen the identities of ‘business records’ in both the recipient and the sender. Once the Act was enacted, verification of identity became mandatory for the prevention of money laundering. The impact is that all international trade would need to follow and adjust their ways of record-keeping to suit the regulatory change in commercial dealings with the US.

With Open Banking, inevitably once the regulatory framework matures and is adopted by all entities within the financial ecosystem, the sharing of consumer basic data will reach data symmetry (a ‘reciprocity’ state). It is anticipated that public authorities, regulators and banks would need to reconsider permitting monetised access to derived data (analytics) over consumer data held by the banks to stimulate new products and services. Otherwise the development of Open Banking will end quickly and the regulators will once again struggle to push for competition when the market harmonises and returns to an equilibrium state.

VI Conclusion

The onus is now on banks to implement Open Banking services and strategies without alienating their traditional customers. Many industry executives and commentators now view Open Banking as an accelerating structural trend by the year 2020 [27]. A move away from the traditional omnichannel banking to an open sharing banking model now seems inevitable. Banking has been an international activity since the medieval ages. Future trends in banking appear more akin to the 17th-century Dutch economy, which supported globalisation (risk-sharing idea of a joint-stock company), rather than the closed economy model of 17th-century Japan, which focussed only on trades within a country’s borders [28]. Regulators must keep pace with the development of the digital economy where the value chain is becoming more fragmented and the competitive environment more intense on a global scale. Regulating the inbound and outbound flow of information is the first step towards a platform economy (‘banking platform as a service’) to enable businesses and banks alike to create and integrate new services (in digital currencies, payments and value-added analytics) under their own brand.

The answer to the question ‘who is the beneficiary of your data?’ is the consumer themselves. Open Banking promises substantial benefits to consumers and to both the existing and future digital economy, where smaller businesses can leverage the strength of banks to provide new offerings, and banks can co-exist in a digital economy with the rise of FinTech companies.

__________________________________________________________________________

[1] Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2018.

[2] Xavier Freixas and Anthony Santomero, ‘An Overall Perspective on Banking Regulations’ (UPF Economics and Business Working Paper No. 664. 21 May 2003).

[3] Vilfredo Pareto Edited by Aldo Montesano, Alberto Zanni, Luigino Bruni, John S. Chipman, and Michael McLure, Manual of Political Economy  (Oxford University Press, 2014). Pareto Efficiency (1906).

[4] Brigitte Burgemeestre, Joris Hulstijn and Yao-Hua Tan, ‘Rule-based versus Principle-based Regulatory Compliance’, JURIX 2009.

[5] Ronald Dworkin, Taking Rights Seriously (Oxford University Press, 1978).

[6] Explanatory Memorandum, Payment Services Regulations 2017 No 52 (UK).

[7] The European payment services regulation mandates all banks by September 2019 to comply with national laws and regulations pertaining to 2015/2366 (PSD2).

[8] European Commission. Payment services (PSD 1) - Directive 2007/64/EC (13 February 2017).

[9] ‘Singapore’s DBS Bank Launches ‘World’s Largest API Platform’, Royal Media, 3 November 2017.

[10] BNP Paribas, API Sandbox powered by the Open Bank Project.

[11] ‘Open Bank Project’, TESOBE.

[12] ‘Explanatory Materials on Consumer Data Right’, Australian Treasury.

[13] ‘A more accountable and competitive banking system’ Budget 2017, Banking and Financial Services.

[14] See Treasury Laws Amendments (Consumer Data Right) Bill 2018 (Cth), Part IVB Div 2A.

[15] ‘Review into Australian Open Banking’, Australian Treasury.

[16] ‘Consumer Data Rules Outline’, Australian Competition & Consumer Commission, 21 December 2018.

[17] Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2018.

[18] Accenture, Open Banking Pulse Survey (2017), a global quantitative online pulse survey of 100 payment executives within the Banking industry in North America, Europe and Asia Pacific who are familiar with Open Banking and/or the Revised Payment Services Directive (PSD2). The study focused on organizations with revenue higher than $3bn for organizations in Asia Pacific, Belgium, Denmark, Netherlands and Sweden and higher than $5bn for organizations in the US, Canada, the UK, Spain, Italy, France and Germany. Fieldwork was carried out between August 8th and 28th 2017.

[19] James Eyers, ‘Open banking: a far bigger threat to banks than the Hayne royal commission’, Financial Review (Online).

[20] SBS, ‘Banking royal commission comes to a close’, SBS News (Online) 30 November 2018.

[21] Commonwealth of Australia, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry 2018.

[22] Australian Competition & Consumer Commission, Consumer Data Consultation on Rules Framework 21 December 2018.

[23] Australian Government Treasury, Review into Open Banking in Australia Submissions.

[24] Asha McLean, ‘Westpac predicts Open Banking to cost AU$200m to implement’, ZDNet News (online).

[25] Annelise Riles, ‘Managing Regulatory Arbitrage: A Conflict of Laws Approach’ (2014) 47 Cornell International Law Journal 63.

[26] USA Patriot Act (H.R. 3162).

[27] The Australian, ‘Open Banking Delayed to 2020’, The Australian News (Online).

[28] Accenture, The Brave New World of Open Banking (2018).














Aadil Khalil

Client Account Lead

5 years ago

Very insightful
