Open data on bank IT security spurs competition, investment in U.K.

Register now

A more open approach to banking will bring major changes, with quality data on banking services and IT security now becoming a significant factor for consumers in selecting a provider.

The U.K.’s Financial Conduct Authority implemented a new set of rules last week affecting all U.K. banks, requiring them to publish detailed information on the services they offer, how they can be accessed and how often they have been affected by outages, security breaches and other incidents.

The new requirements are part of the Open Banking initiative being driven by the Competition and Markets Authority as part of its response to the openness components of the EU’s PSD2 legislation, ratified in 2015 and with some features already in force.

The CMA issued a detailed report on the U.K.’s retail banking sector in August 2016. Among many other things in its 700-plus pages, this report included recommendations for greater openness from banks and more standardized access to service-quality information.

The Financial Conduct Authority new rules are the first of several steps in response to the CMA’s recommendations, aimed at encouraging bank customers to take more interest in who they choose to bank with, breaking the monopoly of the established players, and allowing new and innovative service providers better access to the market.

All banks must now provide a page listing various data and metrics about the services they offer, including a breakdown of their account types, how various activities can be carried out (in branch, online, by phone or using a mobile app), contact information, and details of complaints received from customers. The FCA maintains a list of links to the data served up by each bank.

There is also a requirement to display numbers of security incidents and other outages that banks have needed to report. This data has already been reviewed by some market watchers, who note that larger banks and banking groups report higher numbers of incidents but add that comparison remains less than ideal thanks to a lack of clarity over exactly what constitutes an “incident.”

There’s also the problem of those larger banking groups, most of which have provided aggregated figures for all group members. As many of these may operate their own IT systems, this makes it difficult to accurately judge just how secure an individual brand may be.

It’s not clear either how global events such as the recent European Visa outage should be recorded.

Larger banks are now required to provide API access to this data, so third parties (such as price-comparison websites) can automate polling of the latest data and create simple comparison charts. They also have to publish survey data on what their customers think of them, and of their online and mobile banking provisions.

Engaged customers looking to ensure they select the most secure bank may also want to consult the stats provided by, a project created by a Swansea University student which rates banks based on the security features on their websites and online banking pages.

Various technical elements are measured to provide a weighted score out of 100 — the highest performer in the U.K. is Virgin Money with 52 points, while the bulk of the larger brands are in the 40- to 50-point range and several well-known names, including Barclays, Co-operative Bank, HSBC and First Direct, score 35 or less.

Worldwide, the best banks (three in the Netherlands, one in Germany and one in Spain) are currently scoring 64 points, while at the bottom of the table is Israel’s Bank Massad with just eight. The system includes a history feature to track improvements, or downgrades, in security features.

Again the data is not perfect; little information is provided on how the scoring process weighs individual features and configurations, which can be based only on a fairly subjective estimate of the value of a given setting, and it’s not clear how important a homepage is compared to the actual online banking system.

As this data expands, matures and becomes more standardized, and sees more analysis from both market watchers and consumer advocates, it looks likely to prove a major driver of competition between banking service providers. While IT costs are likely to increase further, the benefits of better security should be felt by all.

For reprint and licensing requests for this article, click here.
Open source APIs Compliance Data security U.K.