Open banking can be a privacy nightmare


The way we pay for things, manage our money, apply for loans, and prepare taxes – almost everything that touches our financial lives – could be transformed by open banking.

But from a privacy and security standpoint, are we ready? This is the crucial question facing a technology movement that’s gathering steam and is on the verge of reshaping the banking industry.

Open banking is designed to give consumers more choice and to make their lives easier by giving third-party financial services providers electronic access to data from banks and other financial institutions through the use of application programming interfaces (APIs). Then the outside partners develop new apps and services on top.

If you’ve used an app that taps into your bank account information, you’ve engaged in open banking. In the coming years, open banking is expected to spur a wave of additional new services, including frictionless borrowing where lenders get information about applicants instantly rather than having to gather it manually from multiple sources, automated tax preparation, easier financial management for small businesses, and new payment systems yet to be imagined.

The European Union and the UK have passed laws that explicitly require banks to create APIs and open them to third-party developers, energizing a new generation of fintechs.

Open banking in the UK, which became the standard in 2018, recently surpassed the 1 million customer mark. Several other countries, including Australia, Argentina, Brazil, Canada, Hong Kong, Japan, Mexico, Nigeria, Taiwan, and New Zealand are creating open banking norms as well, according to a list compiled by

Banks in the U.S. are not obligated to cooperate with third parties, but open banking functionality is spreading nonetheless. Fintechs such as Venmo typically rely on aggregation companies like Plaid that specialize in connecting bank accounts to apps via APIs provided to them by financial institutions or via screen-scraping technology.

By now, you’re probably wondering: What about privacy?

Open banking initiatives typically have specific rules governing how, when, and why financial institutions can share customers’ confidential data. For example, UK consumers must give explicit consent before their information can be given, and they decide which apps and websites can get it and for how long.

Such safeguards aside, however, open banking raises a host of serious questions about the privacy and security of consumers’ most sensitive data.

For example: How vigorous are the security measures used by banks and third parties to monitor APIs and data everywhere they go? What controls are in place to enforce consumer decisions on how, when and by whom their data is being accessed? How are financial institutions validating third parties to make sure rules are being followed? What are the penalties for violations?

A recent survey by marketing consulting firm Simon-Kucher showed a wide disparity between open banking’s appeal to consumers and their suspicions of it. Forty-four percent of bank customers surveyed said they would like the convenience and personalization that open banking brings. Yet 75% said they are unlikely or very unlikely to allow their banks to share their information with third parties.

This shows how high the bar is for open banking to instill confidence in consumers. At a time when cybercrime and identity theft have become huge fears, consumers won’t engage with it unless that bar is met.

I believe this level of trust will only come with regulation – comprehensive, sharp-toothed government regulation that specifically addresses open banking.

As data privacy scandals like Facebook's have taught us, companies can’t always be counted on to protect our personal data. To be sure, financial institutions aren’t Facebook – they’re not babes in the woods when it comes to guarding customers’ information. But open banking brings in a raft of startups and other new players that may not share their commitment. It can’t become a data-privacy Wild West.

Open banking regulations should amalgamate the best features of existing measures such as the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Payment Card Industry Data Security Standard (PCI).

For example, the regulation should take the strongest features of GDPR – transparency to consumers on how their data is being used, a prohibition on using data outside the agreed-upon purpose, consent requests in plain language rather than legalese, and prompt notification about breaches – and apply them specifically to open banking.
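The consent rules described above (explicit consent per app and for a chosen duration), the question of what controls enforce those decisions at the API, and the GDPR purpose-limitation principle can all be reduced to one deny-by-default check at the bank's API boundary. The following is an added illustration, not code from any bank, regulator or vendor; the app identifiers, consent records and the validated-third-party registry are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:
    consumer: str
    app_id: str
    scopes: frozenset          # data categories the consumer agreed to share
    expires_at: datetime       # end of the duration the consumer chose
    revoked: bool = False      # consumer withdrew consent before expiry

@dataclass
class AccessRequest:
    consumer: str
    app_id: str
    scope: str                 # category the third party is asking for
    at: datetime

# Third parties that have validated they follow the hub's rules
# (the self-policing element the text describes). Constructed sample.
VALIDATED_APPS = {"budget-app-example"}

def authorize(req: AccessRequest, consents: list[Consent]) -> tuple[bool, str]:
    """Deny by default; return (allowed, reason) so every decision is auditable."""
    if req.app_id not in VALIDATED_APPS:
        return False, "third party not validated"
    for c in consents:
        if c.consumer != req.consumer or c.app_id != req.app_id:
            continue
        if c.revoked:
            return False, "consent revoked"
        if req.at >= c.expires_at:
            return False, "consent expired"
        if req.scope not in c.scopes:
            return False, f"scope {req.scope!r} outside agreed purpose"
        return True, "consent valid"
    return False, "no consent on record"

# Constructed sample: one consumer granted one app 90 days of balance access.
SAMPLE_NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)
SAMPLE_CONSENTS = [Consent("consumer-a", "budget-app-example",
                           frozenset({"balance"}), SAMPLE_NOW + timedelta(days=90))]

def run_sample() -> dict[str, tuple[bool, str]]:
    """Exercise each branch of authorize() against the sample consent."""
    app, other = "budget-app-example", "unlisted-app-example"
    return {
        "in_scope":   authorize(AccessRequest("consumer-a", app, "balance", SAMPLE_NOW), SAMPLE_CONSENTS),
        "off_purpose": authorize(AccessRequest("consumer-a", app, "transactions", SAMPLE_NOW), SAMPLE_CONSENTS),
        "expired":    authorize(AccessRequest("consumer-a", app, "balance", SAMPLE_NOW + timedelta(days=91)), SAMPLE_CONSENTS),
        "unvalidated": authorize(AccessRequest("consumer-a", other, "balance", SAMPLE_NOW), SAMPLE_CONSENTS),
        "no_consent": authorize(AccessRequest("consumer-b", app, "balance", SAMPLE_NOW), SAMPLE_CONSENTS),
    }
```

In a real deployment the returned reason would be written to an access log alongside the app identity and timestamp, which is what makes the "how, when and by whom" questions answerable after the fact.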

While open banking to a large extent is covered by GDPR and other codes already in force, it has some unique attributes that require a specific set of rules. Unlike GDPR, the focus of open banking regulation can’t be solely on data itself but must take into account APIs, data repositories, and other infrastructure elements.

It also would help if open banking had a self-policing element like the payment card industry’s PCI. Imagine the power of leading fintechs saying, in effect: We, as a hub of open banking, have strict rules, and third parties can’t connect to us unless they validate that they are following them.

In the end, open banking is such a game changer that both approaches may be needed.

While open banking is a fascinating movement poised to benefit consumers and spark significant innovation in financial services, the world must weigh convenience vs. risk and approach the inherent privacy and security concerns with caution.
