If you are interested in registering a FinTech company in Europe, this article introduces the main aspects of data protection.
Recently, the Basel Committee on Banking Supervision made public a protocol on open banking and its implications for banks and banking supervision in general.
Who will win in the new realities? Obviously, the end-user of the services. Fintech companies will also benefit from open APIs by accessing data they don't have right now. Small high-tech banks will be able to take advantage of the innovation as well, thanks to the emergence of new channels for monetizing their competencies. But big players can also gain additional benefits by choosing the right partners and the right strategy. For example, partnering with fintech companies, rather than absorbing them, solves the problem of integrating a new team, technology and services into an existing business, which will facilitate the influx of customers.
In the United States, the market has come to realize on its own that without the bilateral exchange of experience and information, the development of innovative products is difficult. As a result, it is now business that is putting pressure on regulators to legitimize and standardize the interaction between old and new market participants. Thus, we see that the big players themselves are interested in implementing these standards.
Open APIs and banking can greatly change the landscape of the banking industry, lead to the emergence of mobile aggregator banks, breathe new life into fintech companies and make traditional banking products easier, more convenient, and cheaper. But how fast can this happen? The first changes are possible within two years from the implementation of the approaches described above and the transfer of rights to dispose of information to the user. Such changes will be expressed primarily in the emergence of new players in the market, as world experience confirms. The pioneer in the implementation of the principles of open banking is the UK; the EU joined the initiative a little later.
- The open banking system requires banks to exchange data with the consent of their customers, and third parties accessing such data to register with local regulators;
- Regulators with an "incentive" approach intend to issue guidelines instead of rules, as well as open API standards and technical specifications, while the "market" approach will not have any clear guidelines governing the exchange of data between banks and third parties with the permission of their customers;
- Although the protocol recognizes that the legal framework is different in all jurisdictions, the client's consent remains the basis both when banks request the client's consent to provide their data to third parties and when the bank accepts the client's consent through confirmation provided by third parties. Almost all jurisdictions restrict the use/resale of data by third parties for purposes beyond the original consent and arrangements. In addition, they require third parties to obtain additional consent from customers before using/reselling their personal data. The exchange of data with third parties is possible only if it is explicitly stated in the contracts and under the terms of the revised directive on payment services;
- Supervision and monitoring of third parties in the absence of a contractual relationship, or in cases where third parties are not registered with the regulatory body, is a rather difficult process. Regulations differ from one jurisdiction to another, with some holding banks accountable for third-party compliance, while in others the responsibility lies with supervisors. However, there are precedents where a third party has no contractual obligations to the bank and does not have permission from any regulator, which makes it difficult to establish risk control requirements for the third party.
A growing trend
FinTech business owners in Europe note that the use of APIs is growing steadily, as is the need to develop open API standards in all jurisdictions for open banking. For this reason, banks should commit to reviewing and preventing possible operational and cybersecurity risks associated with APIs, such as cyberattacks, infrastructure failures, and IP tampering, and to implementing systems to respond to such threats.
Please note that IQ Decision UK legal experts are ready to provide comprehensive advice on fintech business in Europe, as well as legal support at all stages of registration of a fintech company in the UK, Switzerland, and other EU jurisdictions. To clarify the details, please contact us using one of the contacts below.