Will privacy concerns undermine Open Banking?
Open Banking launched in January 2018, with a whimper more than a bang. Why this was the case is not totally clear.
One possible explanation is that there was a reluctance to cause a panic among consumers. Research by Ipsos MORI in November 2017 found that, while 63% of UK consumers see the services enabled by Open Banking as ‘unique’, just 13% of them would be comfortable allowing third parties to access their bank data.
Clearly there is a still a way to go before adoption really takes off, but these kinds of slow adoption patterns are not uncommon, particularly when there is fear that consumers could become victims of criminals or exploitation. If these concerns are addressed appropriately, they should help to limit any detrimental effects of Open Banking take up.
For years consumers have been told to be careful with their financial information, to be astute and aware of who has access to it, and to guard it at all costs. The message of Open Banking seems to go against this mentality, which can be confusing for consumers.
While Open Banking does allow third parties to access consumers’ bank account and transactional information, there are many checks and balances in place to protect consumers and prevent fraud.
Firstly, consumers’ data will not be shared without their express permission, and the PSD2 legislation on which Open Banking is built makes it clear that this permission must be explicit – meaning that consent must be requested clearly, and in plain language, so that consumers are clear what they are agreeing to.
Secondly, any processes or transactions must be authorised using Strong Customer Authentication (SCA). SCA is based on two-factor authentication processes, by which a consumer’s identity is confirmed using two separate and different types of identifier: something they know (e.g. a password, secret answers), and/or something they are (e.g. fingerprint, voice recognition), and/or something they have (e.g. registered mobile device, digital token).
Thirdly, third party service providers, whether they are Payment Initiation Service Providers (PISPs) or Account Information Services Providers (AISPs), must be registered by the Financial Conduct Authority in the UK.
Registration will help to prevent fraudulent companies requesting data from banks and ensure legitimate service providers are held to high data protection standards.