Open banking has reshaped the way we manage and interact with our finances. As banks unlock their vaults to digital innovation, and financial transactions take on new dimensions, open banking’s regulatory intricacies become increasingly vital.
Here Akshata Namjoshi, associate partner, and Ratul Roshan, senior associate, at legal consulting firm KARM Legal Consultants, explore the regulatory intricacies of open banking, focusing on the contrasting approaches of data-centric regulation and payment services-oriented oversight across global jurisdictions.
Ask ChatGPT why you need open banking and they/it says: ‘Open banking: because even your Grandma’s secret cookie recipe deserves a digital vault!’. Probe further and they/it will tell you that ‘Open banking is like a love story between your finances and innovation, where every transaction is a sweet, harmonious dance’.
But isn’t it true though?
The cookie recipe is the wealth of data that sits with banks and financial institutions. The romance between finances and innovation is the power that payment services generate. The two main components of open banking are: data sharing and bridging financial services.
The open banking ecosystem enables financial institutions that hold a customer’s data to share such data with third parties, with customer consent. The data shared may include account information, transaction history, direct debit history, credit history, savings and investment data and so on.
When it comes to regulating open banking, the fundamental question is – what is being regulated: the financial data which is processed as part of these services or the payment service providers facilitating this sharing/processing? These are the two regulatory approaches most jurisdictions have followed in regulating open banking. While overlaps exist, there are also significant differences. KARM Legal has had an opportunity to discuss these differences in detail with various regulators.
The data-led approach (Data Led Approach) demands stringent data protection and privacy measures, including clear guidelines for customer consent and compliance with data protection regulations, whereas the payment services-focused approach (PSP Approach) calls for appropriate licensing, robust security standards, and fraud prevention, among other things.
Regulators taking the PSP Approach regulate players in the open banking ecosystem as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). The EU, UK, UAE and Saudi Arabia are prime examples of jurisdictions that have followed this approach and accordingly released robust regulations. Even within this bucket, some regulators have issued standalone regulations for open banking, while others have included open banking within their payment services regimes. The latter approach is more common.
AISPs and PISPs access, process and transmit data related to their financial services without handling customer funds. Examples of primary use cases include financial information aggregation, personal finance management, credit/loan comparison, initiating instant fund transfers and the like. Due to this, multi-beneficiary transactions become more seamless.
By contrast, in a Data Led Approach, the laws which govern open banking are data-focused. Due to this, they are broader and enable a larger suite of financial (sometimes even non-financial) services. Here, instead of regulating payment services, regulators regulate the relationship between service providers and financial data recipients across sectors like payments, insurance, investments, utilities and so on.
For instance, in India, Account Aggregators (AA) are defined as entities licensed by the RBI that provide the service of retrieving or collecting information of its customer pertaining to financial assets and consolidating, organising and presenting such information to the customer or any other person as per the instructions of the customer.
Further, the government-initiated Unified Payments Interface, a payment system, has created a strong base for merging several banking features, including instant payment transfers, merchant payments and bill payments. Mobile applications like BHIM under this regime have given users the ability to pay bills and manage cashback and promotions, in addition to accessing a simplified payment interface.
The most path-breaking jurisdiction in this regard has been Australia. The Consumer Data Right legislation (CDR), which includes open banking, was introduced to empower consumers by giving them greater control over their financial data. The CDR is not limited to banking; it extends to sectors like energy and telecommunications as well. Australia and India have developed distinct frameworks for the data sharing requirement. Following suit, the US and Canada have signed onto the Financial Data Exchange platform to enable open access to financial data between financial institutions.
Thus, from a regulatory perspective, a crucial question is – whose territory is it to regulate? Central banks in many jurisdictions, like the UAE and Saudi Arabia, have taken the lead and issued regulations. Being the primary regulators overseeing financial stability, monetary policies and payment systems, central banks have seamlessly expanded their territories into open banking. In the EU, UK, and ‘UAE-Free zones’ (DFSA & FSRA), open banking is regulated by the respective financial regulators.
The implementation of open banking in Australia is overseen primarily by the Australian Competition and Consumer Commission and the Office of the Australian Information Commissioner.
While there is no right answer as to which regulator should retain the power, there is one as to which approach fares better from a market perspective. The use-cases of the Data Led Approach are diverse compared to those offered by the PSP Approach. Data sharing enables services like personal financial management apps, budgeting tools, and credit scoring services to provide users with a 360-degree view of their financial health.
While there’s some conversation to be had on the challenges of rolling out massive data sharing initiatives, the products greatly enhance user experience. More importantly, they give consumers a sense of control over their money. Needless to say, the individual financial health of consumers collectively contributes to the health of the broader economy.