Luke Scanlon of Pinsent Masons, the law firm behind Out-Law, was commenting after the Basel Committee on Banking Supervision at the Bank of International Settlements (BIS) published a new report on open banking and application programming interfaces.
Scanlon said: "It is helpful that a number of challenges around developing and implementing effective banking API strategies are being given attention at an international level. Raising awareness about key challenges around the need for coherent customer redress mechanisms, including those required for complaints handling and dispute resolution, is a positive step forward. However, it must be said that the report is high level – the issues highlighted in this report are just the tip of the iceberg when it comes to evaluating the different approaches that regulatory authorities have taken to open banking in different jurisdictions."
"What is really needed is for a body like the BIS to review in more detail the lessons that can be learned from the UK, Australia and Japan in particular and other places where initial approaches have shifted as a result of both positive and negative experiences that have been had when attempting to implement each jurisdiction’s respective framework," he said.
Open banking is a term used to describe the push to liberate data held by major financial institutions so as to enable those institutions as well as third parties such as fintech start-ups, technology companies and retailers to use the data to deliver innovative new services for customers.
The Basel Committee's study highlighted that many countries around the world have yet to develop open banking frameworks and that the jurisdictions in which open banking has been implemented each have followed different approaches.
One of the challenges of the move to open banking is developing the application programming interfaces (APIs) needed to facilitate the sharing of data between institutions and third parties, according to the report.
The Basel Committee said: "In jurisdictions where screen scraping or reverse engineering is still prevalent, banks are challenged with balancing security against ease of access. Banks generally prefer, or in some jurisdictions are required, to use more secure methods for sharing data for certain types of accounts, such as tokenised authentication through APIs, as opposed to screen scraping or reverse engineering. These secure methods enable banks to exercise greater control over the type and extent of data shared, and enable more secure access management and monitoring."
"Furthermore, APIs provide advantages for third parties and customers, including potential improvements to efficiency, data standardisation, customer privacy, and data protections. However, some challenges associated with the universal use of APIs remain. The time and cost to build and maintain APIs (particularly when done on a bilateral basis with multiple organisations), the lack of commonly accepted API standards in some jurisdictions, and the economic cost for smaller banks to develop and adopt APIs have been cited as challenges," it said.
Financial services regulation expert Rory Copeland of Pinsent Masons said, though, that the systems and requirements of open banking need to be designed with fraud in mind.
He said: "The report presents the range of open banking approaches being taken across jurisdictions. The EU provides a high degree of protection to consumers. From a financial institution’s perspective, however, the mandatory sharing of customer-permissioned third parties through open banking places a lot of weight on the integrity of tokenised authentication methods. We haven’t yet tested the result where an institution gives customer data to an unauthorised third party which presents fraudulent credentials."
According to Copeland, the new report also highlighted the increasing interdependence in financial services which is arising from customer-permissioned data sharing through open banking frameworks and firm-driven outsourcing arrangements.
"In the former instance the service provider is regulated but not necessarily contracting with the financial institution," Copeland said. "In the latter there is no regulation, but service providers must have a contract with the financial institution."
"As outsourcing and open banking gradually fragment the provision of financial services, regulators must ensure the risks to customer data and financial stability are correctly measured and mitigated. Financial institutions will need to understand the line between outsourcing and open banking and ensure they don’t expose themselves to activity that crosses it," he said.