Mastercard's strategy for open banking addresses risk, trust
Mastercard wants to build confidence in open banking by addressing regulatory compliance, liability, and technology integration issues on behalf of its issuers and fintechs.
Mastercard’s focus on open banking reflects a change of strategy linked to the trend toward account-to-account payments, which led it to acquire non-card payments businesses operating on bank rails such as the U.K.’s Vocalink, Transfast, and Nets’ account-to-account payments operation.
“These acquisitions demonstrate that we are not a card technology company but a payments technology provider,” said Jim Wadsworth, open banking lead at Mastercard. “We’re agnostic about the underlying rails. Our role is moving data, so participating in open banking is a logical extension of that.”
The European Union has mandated open banking through its PSD2 regulation, which facilitates bank account-based consumer payments to merchants as alternatives to credit cards. PSD2 and its Open Banking regulatory counterpart in the U.K. create new payments and account information service providers known as trusted third parties, and require banks to allow customers to share their data with these companies, typically via APIs. Service providers are regulated by national competent supervisory authorities.
“Open banking will drive a migration to bank account payments in direct billing, particularly for direct debits and other recurring bill payments,” said Todd Clyde, CEO of Token.io, Mastercard’s European open banking software partner. “It will also replace cards with bank accounts for card-on-file transactions; and, for installment loan repayments, banks will be able to replace Klarna with bank account payments.”
However, it’s still early days for open banking in Europe, as the level of open banking activity is low, and payments are a small fraction of that.
“In the U.K., which has an 18-month lead on open banking implementation compared to the EU, 99% of open banking transactions are data-related,” Clyde said.
According to Mastercard’s January 2020 Open Banking Tracker, 268 third-party providers have registered with European national competent authorities under PSD2 rules. The U.K. leads Europe with 48% of total third-party registrations, and 42% of total European third parties are registered to provide both account information and payment initiation services.
As of January 2020, there were 1 million open banking users in the U.K. One of the U.K.’s key open banking use cases is loan applications.
“Open banking is quietly transforming lending,” said Wadsworth. “Instead of lenders asking borrowers for three months’ bank statements, they can ask for access to their checking account. This gives them the data they need, such as consistency of income, in real time, enabling them to make quicker and more accurate lending decisions with lower underwriting costs.”
Last June, Mastercard launched its Mastercard Open Banking Solutions platform, which enables European third-party providers of account information and payment initiation services to connect to multiple banks through a single API using Token’s technology. The platform offers connectivity, dispute resolution, and fraud prevention tools.
Mastercard’s partnership with Token mirrors Visa’s alliance with open banking software vendor TrueLayer to make it easier for FIs to connect via APIs to merchants and third-party providers.
“If fintechs want to benefit from open banking, particularly if they want to serve one of the bigger countries or create a regional offering, they have to connect to hundreds if not thousands of banks’ APIs,” Wadsworth said. “That’s not realistic. Fintechs want their techies to spend their time building their service, not dealing with the vagaries of bank plumbing.”
When talking to European banks about connecting to third-party providers, Mastercard found that banks were concerned about the risks.
“Banks told us that the challenge of PSD2 is that the underlying bank is the primary accountable party,” said Jason Lane, Mastercard’s executive vice president market development in Europe. “Banks are left with most of the risk from open banking, including data breaches and fraud losses. Using machine-learning technology to analyze transactions, Mastercard Open Banking Solutions’ Protect module helps banks mitigate risk and certifies third parties as good ecosystem players.”
Mastercard has partnered with U.K.-based regtech Konsentus to verify in real time that, when banks receive account information or transaction initiation requests from third parties, these entities are regulated and PSD2-compliant.
“The other service we’re providing to banks is building a fingerprint of normal behavior for a particular fintech,” said Wadsworth. “Does it normally request a balance inquiry or a £100 transaction request? If they do something abnormal, such as requesting £100,000, we flag that risk to the bank.”
Mastercard’s open banking platform is live in 11 European countries, following pilots last year in Poland and the U.K., and is expected to achieve Pan-European coverage by mid-2020.
According to Mastercard’s Open Banking Tracker, as of Dec. 31 of last year, 1,800 European banks’ APIs were “production ready” and available for third-party providers via Mastercard Open Banking Connect.
Token, which also operates its own open banking platform, has connected via API to a total of 2,400 banks in 18 European countries, covering 90% of the checking accounts in those countries.
Currently, PSD2 doesn’t provide dispute resolution mechanisms for open banking transactions to enable consumers to be refunded if there are problems.
So far, because of the very low volume of open banking-based payments transactions, there haven’t been any material transaction disputes. “We’re designing our dispute resolution mechanism for the long haul and are getting a very positive response from stakeholders,” Wadsworth said.