Fireside chat with Dave Birch and Tim Richards on the asymmetry of open banking

Still, many of the businesses who stand most to gain from this have their own siloed data which they have no intention of sharing with the banks. In this asymmetric world banks, upon which the world relies for financial stability, are relegated to being highly regulated sources of capital and customer identity verification, with little customer reach.

Dave:   Hi Tim, OK ... So what is this issue with asymmetric data under PSD2?

Tim:     Hi Dave, basically... PSD2 forces banks to open up access to any third-party that has consent to access account data. But that’s a one sided transaction which significantly disadvantages banks.

Dave:   What kind of data are we talking about – what’s accessible to third-parties?

Tim:     Roughly, anything you could screen-scrape. That’s not quite true though, because you’ve got issues around GDPR consent; with the right permissions anything a customer can see when they login to their account online.

Dave:   And these third-parties are the Account Information Service Providers, right?

Tim:     Yeah – they’re AISPs who are regulated and authorised entities.

Dave:   But that authorisation isn’t exactly difficult is it? We’re not talking about anything like bank regulation are we?

Tim:     Right. It’s a relatively light process – at least here in the UK. The idea of PSD2 is to allow competition, so that’s understandable – but it does mean that these companies are getting bank level sensitive data if the consumers let them.

Dave:   Right, so I know you think there are some issues around that?

Tim:     In theory there ought not to be: a customer has to give their consent to allow the AISP access, so it’s the end user who makes the decision. In practice there could be some.

Dave:   Call me old-fashioned – but do I really want some lightly regulated third-party I’ve never heard of handling my banking data?

Tim:     Exactly. What happens if the third-party gets breached – was it the bank or was it the third-party? And who can the third-party give the data to – well, anyone that the end-user has consented to, presumably.

Dave:   So I reckon this is bad news for the banks. I did some work on this earlier this year – you can roughly split a bank into manufacturing and distribution functions. Manufacturing – the core business of running accounts and payments – provides about a half of revenue, a third of profits and only 4% ROE. Distribution on the other hand is two thirds of profits at an ROE of 20%.

Tim:    Yep. That’s where the money is, and that’s where the AISPs, and their customers will be targeting. So banks get turned into highly capitalized, low margin utilities.

Dave:  So what do you reckon banks do about that?

Tim:    Well, they can re-invent themselves – nothing stops a bank distributing data from other banks. HSBC in the UK already have an account amalgamation service, and you can expand that dramatically into other types of application like budgeting or account switching.

Dave:  Or there’s the Danske Bank model in Denmark where they created their MobilePay brand and sat that in front of all of the banks and captured their details. Same thing isn’t it?

Tim:   Yep, they were really smart. But essentially that’s an aggregation process, and clearly there will be less aggregators than banks, so overall some banks, probably a majority, will lose out on the higher value distribution function.

Dave:  OK, so what I’m wondering – given that you’ve got all these insane fintech companies potentially trying to get hold of my data – is are accountholders actually going to do this?

Tim:     I think so. Certainly there are a ton of AISPs setting up out there. As you know we at Consult Hyperion are a bit more sceptical about the payment side of PSD2 and Open Banking – we don’t think it’s logical to expect accountholders to open up their bank accounts to merchants online, especially when they’re then confronted by a banking login screen. That seems bizarre to me – it looks and feels like a phishing attack.

Dave:   And you just know there’ll be fraudsters setting up fake authentication journeys to try and capture the customers about 1 minute after this all goes live ....

Tim:     Yep. On top of that you’ve a lack of interoperability, and no real resolution of how clearing, disputes and settlement will occur. But we do think trusted brands can persuade customers to open up their accounts – think of John Lewis in the UK, who have a fantastically loyal customer base. If JL promise to fix any problems and offer instant credit for large ticket items, that might work. We’re running some research on this at the moment and the early results look really interesting ... But generally, as it stands, no as a widescale interoperable payments scheme.

Dave:   What about the account access stuff – will accountholders do that?

Tim:     We think so – it’s a different use case with a different interaction, and lots of potential benefits if it’s presented correctly. Screen-scrapers have a successful business today and this is screen-scraping ++. Amalgamate this with other data sources and all sorts of new business models are possible.

Dave:  So who do we see entering this market? As if I can’t guess ...

Tim:    Well, we both know that the Internet Giants are eyeing this up – Google, Amazon and Facebook would love to get their hands on our banking data, merge that with the social data they’ve got and come out with a far more accurate picture of customers. We did a project a couple of years ago looking at what you could figure out from social media data alone and frankly it’s astonishing – it’s very hard to create a fake social media account, and with many people it gives a very accurate picture of what a person is like and their preferences. Now add account information and possibly direct payments and you’ve got a very interesting, and slightly scary, proposition.

Dave:  Right, so Google and Facebook can see our bank data, but the banks can’t see our social media data. Do you reckon the European Commission wanted to see the Euro banking sector undermined by a handful of giant US corporations?

Tim:     Precisely. Mark Zuckerberg said in his recent Congressional hearing that the data they hold isn’t Facebook’s but the customers’. But in practice when Admiral Insurance in the UK tried to offer discounted insurance to customers if they’d open up their Facebook data to them for risk scoring purposes FB blocked access. That doesn’t sound like I’d really have control of who uses my social data.

Dave:  And that’s the asymmetry, yeah? And do we think that’s a problem?

Tim:    Hell yes. It’s potentially a threat to the stability of banking in the EEA. If the internet giants are mopping up the majority of banking distribution revenues then the banks are left as high cost, low margin manufacturers. That’s not really the competitive and innovative environment that the Commission was hoping for.

Dave:  Ana Botin of Santander made exactly that point in the FT the other day.

Tim:     Exactly. Let’s be honest, most of the banks wouldn’t be much good at this anyway, but they do have brand and trust advantages that Amazon, et al don’t have. But if they simply can’t offer those services because they can’t get access to the data then they can’t.

Dave:   OK, but to play devil’s advocate for a moment, presumably we might see new companies emerging that can offer new services using the new APIs?

Tim:    Yes, do we think they can scale to compete with the entrenched Internet Giants?

Dave:  Probably not. I reckon there’s a case for regulating for open, reciprocal access to social media data. Instead of trying to get the internet giants to change their behaviour via stupid and complex regulations they should regulate to open up access to all personal data held.

Tim:     Absolutely. If the banks can do it on top of their 60 year old banking systems we can be sure Google, Facebook and Amazon can do it. If it’s properly consented then it’s hard to see where the downside is, other than in those company’s HQ’s.

Dave:   Which is an opportunity for banks?

Tim:     Yes, but perhaps in a different way. The key to PSD2 – which most people seem to be missing – is digital identity.

Dave:   Because identity is the new money ....

Tim:     Of course! They have to “Know Your Customer” and be able to properly authenticate them. The banks are trying to build APIs in a way that allows them to control that, even though PSD2 actually doesn’t mandate that and it’s probably in breach of the directive. But the point is they are the best place to manage these identities, regardless of where the data is held. It’s not hard to conceive of an expanded approach that has banks offering a federated identity service to allow third-parties to authenticate customers for access to other data sources such as social media.

Dave:  So our final thoughts – regulation has unintended consequences and the regulators in Europe need to act?

Tim:    All regulation has unintended consequences: PSD2 may well see many smaller banks disappear and see a concentration of power in the hands of non-banking internet giants. The regulators need to act now to open up all key sources of data. But as it stands many banks will see up to two-thirds of their profits vanish in the next decade. I don’t even want to think about what that does for banking stability in the EU.

Dave:   But it’s great for payment and identity consultants!

Tim:     It is! Thanks, Dave.

Dave:  Thanks, Tim.

About Dave Birch

David G.W Birch is an author, advisor and commentator on digital financial services. He is a Global Ambassador at Consult Hyperion (the secure electronic transactions consultancy that he helped to found), Technology Fellow at the Centre for the Study of Financial Innovation (the London-based think tank), a Visiting Professor at the University of Surrey Business School and holds a number of board-level advisory roles. Before helping to found Consult Hyperion (one of the very first companies on the Surrey University Business Park) in 1986, he spent several years working as a consultant in Europe, the Far East and North America.

About Tim Richards

Tim manages Consult Hyperion’s digital payments practice where he has specific responsibility for digital payments, open banking and tokenisation projects. He has worked on PSD2 and open banking projects for issuers, acquirers, international payments schemes, fraud solution providers and fintech companies and was specified tokenisation solutions for major industry players. Tim has 30 years’ experience in secure processing systems having worked in the payments, transit and digital identity sectors on solutions as diverse as transit ticketing key management, HCE and mobile payments, ICAO e-passports and travel cards, remote management of multi-application smart cards and, of course, EMV.

About Consult Hyperion

Consult Hyperion is an independent strategic and technical consultancy, based in the UK and US, specialising in secure electronic transactions. We help organisations around the world exploit new technologies to secure electronic payments and identity transaction services. From mobile payments and chip & PIN, to contactless ticketing and smart identity cards, we deliver value to our clients by supporting them in delivering their strategy. We define, develop, design and deliver.