Policy Aspects of Open Banking Schemes - Fredes Montes, Senior Financial Sector Specialist The World Bank
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Policy Aspects of
Open Banking
Schemes
Fredes Montes, Senior Financial Sector Specialist
The World Bank
Open Banking gives customers a right to direct that the
information they already share with their bank be safely
shared with others they trust.
Customer Data
Trust in TPPs
held by banks
Greater Access Greater Control
Context
Term Explanation
Open Banking The provision to enable access to customer’s data in a
readable manner (that facilitated its transfer and use) to
TPPs.
Implementation of the Consumer Data Right (Australia) or
the Data Portability Right (EU)
Open Data
Open Finance The provision to enable access to customer’s data in a
readable manner to TPPs when the scope of participants
opening customer’s data is beyond banks.
APIs Automated programming interfaces
TPP Third Party Providers (PISPs and AISPs)
Methods to access data
Web Scrapping Reverse Engineering APIs
Flexible Secure and stable
Easy to implement More control to banks
Requires that Consumer control
customers share through consent
username and mechanisms
password High costs
Stability Less flexible to Fintechs
No revoking rights
Accuracy of data
Policy Motivations of Open Banking
Motivations Examples & Elements
• Structure and Secure access (read) and
• PSD2 regulatory framework
Third party usage (right) by TPP
• New Zealand
access • Enable services to Scale beyond individual
institutions
• Enable new players to contest the market
and build services reliant on incumbent • UK Open Banking regime;
Competition &
infra. • Australian Consumer Data Rights
Contestability • Brazil Communique
• Strengthen consumer choice & data rights
• Provide a market environment that reduces • Singapore sector strategy
Foster barriers of entry for innovation, fintechs and • Mexico Fintech Law
INNOVATION other new players • API guidelines for product
• Invites experimentation, sets guidelines, development, security
standards • Publication of CB’s own APIs
Challenges and Opportunities
Supervisors Banks Fintechs Consumers
▪ Support their sup ▪ New business ▪ Enables ▪ Access to a
tech efforts models ecosystem wider range of
▪ ▪ New revenue development products and
streams ▪ New business services
▪ Deep customers models ▪ Improved user
insight ▪ Collaborative experience
▪ More user-centric business ▪ Lower prices
solutions models with ▪ Financial
banks inclusion limited
▪ Scale faster to underserved
but not to
unserved.
▪ Lack of APIs ▪ Need to develop ▪ Cybersecurity ▪ Privacy
Standards APIs infrastructure ▪ Compliance ▪ Data Security
▪ Oversight might be (cost and time) ▪ Consumer’s
limited and requires ▪ Competition and Consent
cooordination with revenue loss
other authorities ▪ Customer
▪ Acreditation disintermediation
criterio and process ▪ Cybersecurity risks
Open Banking Development
2009 2011 2015 2016 2017 2018 2019 2020 2021
• UIDAI • Midata • Open • PSD2 (EU) • RBI WG • First Open • Communi • Secondary • Philippines
(India) Initiative Banking • API report API que Regulation • Indonesia
(UK) WG (UK) Protocol (India) Launched (Brazil) (Mexico) • Colombia
(Singapore • Farrel • GDPR (EU) • EBA WG • Peru
) Report • PSD2 on APIs
• UPI (India) (Australia) applies (EU)
• NACHA (EU) • PSD2 RTS
API (US) • Open deadline
• Payments Banking extended
(NZ) Review (EU)
• AFIN (Canada)
(ASEAN) • Open
• Amendme Banking
nt to Review
Banking (Australia)
Act • Fintech
(Japan) Law
(Mexico)
Open Banking Ecosystem
Financial Sector Competition Consumer and Data Protection
Market data Transaction Data
(Maps, location of access points, ( payments flows, credit
fees, commissions) accounts , investment)
Banks
TPPs
Financial Institutions
PISPs
Insurance
AISPs
Others API
Governance
Technical Regulatory
Standards authorities
Self-regulatory body
Design Features Technical Requirements Read/ Write or both Security Measures Customer Authorization Scope of Data Scope of Participants Governance scheme *directory of TPPs Type of Participation
Regulatory Approaches
European Union United Kingdom (Open India (Universal Payments Other countries
(PSD2) Banking UK) Interface)
Second Payment Enforcement action by the Regulatory action Australia has issued Open
Legal basis
Services Directive competition authority (CMA) Banking regulations
earlier in 2019,
(PSD2)
following the
Institutions affected All banks Nine largest banks All banks completion of public
consultations. Japan,
Scope of API access Read and write: Read and write: accounts, Read and write: access to balances, Singapore and Hong
“account information” balances, account statements, payment initiation, payment Kong are considering
similar measures.
and payment initiation beneficiaries, standing orders, request initiation. Account address Elsewhere, banks (e.g.
direct debits, scheduled resolution service (routing the API BBVA) provide API
payments, payment initiation call to an appropriate institution access to selected
based on an e-mail-like account partners.
address)
Mexico started the
Institutional setup The directive does not “Open Banking Implementation API service provided by a payment open banking journey
prescribe any Entity”: a utility (Open Banking system operator (National with APIs to access 3
institutional setup. UK Ltd.) created by the CMA to Payments Corporation of India) levels of data
Banks are free to set up steward the standard and
their own consortia if oversee its implementation.
they wish so (e.g. “The Funded by the participating
Berlin Group”) banks
Technical standards No precise technical Prescribed API based on A custom messaging standard
standards prescribed, RESTful principles; where based on XML/Web Services.
but “strong consumer practicable, ISO 20022 field
authentication” (2FA+) names and definitions are used
required
ImplementersData Portability Right
Ability of consumers to decide whether service providers can access their existing
information stored by other service providers. In the EU the PSD2 aimed at enhanced
competition and security and is consistent with the GDPR.
The Hong Kong Monetary Authority issued an Open API Framework in July 2018,
setting out a four-phase approach for banks to implement Open APIs, starting with
information sharing on products and services, and ending with sharing of transactional
information and payments initiation services. The HKMA will also defined a detailed set
of standards in 2020 for Phase III and IV Open APIs
In Australia, the Consumer Data Right Act enables consumers to share their data with
whichever authorized parties they choose. standards and guidance on data security
issued by the Australian Prudential Regulation Authority (APRA) and Privacy Act’s
requirement to secure personal information
In Singapore, MAS and The Association of Banks have published an API playbook to
support data exchange and communication between banks and FinTechs. the API
Playbook contains detailed guidelines on information security standards in domains
such authentication, encryption, authorization, hosting security, secure coding,
vulnerability assessment.
Mexico introduced the concept of data portability through the adoption of the Fintech
Law under its article 76 on Application Programing Interfaces (APIs) which envisions 3
11
different levels of data sharing . It also introduced very detailed security measures.Approaches to Consent Mechanisms
the consent
consent from the data
customers architecture
subject and mandates
able to give established in the RBI
to inform on
specific Master Directions
mandatory or
Explicit instructions determines that no
consent which voluntary data supply
consumer on type of financial information of
can be the purpose of using
consent and data shared, the customer shall be
withdrawn at data and the
withdraw of users, retrieved, shared or
any time categories of person to
consent purpose, transferred by the
whom their data may
duration the Account Aggregator
be transferred. There is
sharing without the explicit
the right to withdraw
arrangement consent of the
consent.
customer.
Customers should be able to grant persistent authorization , revoke the authorization
and manage this authorization transparently.Payment Initiation Service Providers (PISPs)
Issuer bank Customer’s bank
TPP
Card network Acquirer bank PISP
Merchant
MerchantAccount Information Service Providers (AISPs)
Financial
Services
TPP
AISP
Bank A Bank B Bank C
Bank A Bank B E-money service
providerGovernance Arrangements
Berlin Group Central Bank Industry driven
Open Banking Financial Sector Collaborative
Europe Authority approach
Konsentus LAC Competition
NPCI Data Protection
Consumer
ProtectionAdoption of Technical Standards
Approach to Adoption Country examples
Standards adopted through regulation UK, India, Australia, Mexico
Industry US and to a certain extent EU
Collaborative approach Singapore
Self-regulation (institution) Brazil
➢ Protocols (JSON,REST, SOAP, YAML or XML) .
➢ (Swagger, Mashery, blueprint, Google discovery service WADL (W3C)
➢ Scalable by design
➢ Secured (encryption for default storage and in transit, reduce the possibility
of data breach, minimize damage when data breach occur)
➢ User Authentication (API key, credentials, Oauth)
➢ Developer enablement (portal, source code, integration tools)
➢ Hosting flexibility (decoupling frontend channels from other systems)
➢ Data availability for analytics and data miningUse Cases
New products Implement
Improve Increase and services fast payments
Customer client
onboarding acquisition (e.g. credit, (e.g. FPS in
bill payment ) the UKAPIs
Open architecture/ Collaborative approach/ Proprietary
Example flow in banking
▪ ▪
▪
▪
▪
▪
▪ ▪
▪
▪
▪
▪Data Dimensions
Open Banking Policy and Regulatory Journey: Brazil
Developing Faster Payments: EU, India, Brazil
Customer-facing services: Acting as the customer’s interface to the payments system, especially for corporate
treasury.
Payment services provider (PSP): Enabling customers to use their online banking credentials to make instant
payments and engage in e-commerce.
Technology provider for corporates and merchants: Helping corporates like large merchants and airlines manage
access to accounts, identity services and process payments.
“Request to Pay” (RtP) for Europe: RtP—highly successful in the UK—is an overlay on Instant Payments that creates
a more convenient user experience. Retaining control of overlays like RtP will help banks maintain their direct
customer relationships.
2015 European regulators want to 2020
Pan European Card
Brazil PIX
Scheme EU
UPI india
Rely on phone numbers, break the international card users to select a phone
account numbers and schemes in Europe—and the number, e-mail address or
domain-based aliases at the ERPB SEPA API Access other alphanumeric as their
choice of the customer Working Group is alias.
considering ways to enable
Customers can use the app Europe’s national schemes to
of any bank or non-bank to link up.
initiate a UPI-based paymentSetting up API Framework: Singapore
API PLAYBOOK
• MAS Developed advice and used soft regulatory power
• to encourage banks to publish APIs and promote usage.
• Guidelines are quite detailed
• API publication fair – usage not yet matching expectations
A classification and lexicon of APIs Guidelines on setting robust APIs Examples of use casesConsent Mechanism: India Source: DEPA, https://niti.gov.in/sites/default/files/2020-09/DEPA-Book_0.pdf
Consent Mechanism: Experian EU
For any further questions on Open Banking you
can always reach out
fmontes@worldbank.org
25Policy Aspects of Innovation in Payments
•
Dorothee Delort
Payment Systems Developement Group
World BankInnovation in payments
large-scale disruption at an unprecedented speed
27Innovation in payments
products, access modes & technologies
28innovation in payments
The 3 pillars
29changes to the way payment services are linked to an account
the rise of e-money
- The e-money revolution:
- leveraging third-party agent networks
- regulatory simplification of know-your-customer (KYC) requirements
- alternative pricing models
- From MNOs offering basic person-to-person money transfers using feature phones, to the
generalized offering of electronic wallets, to “super apps” that have adopted a platform business
model
- Crypto-assets and stablecoins, a more radical disruption, but actual usage of crypto-assets for
payments (i.e. cryptocurrencies) is very limited
- Central bank digital currencies (CBDC) are another innovation that have the potential to disrupt the
prevailing tiered structure in which banks and other authorized PSPs provide access to transaction
accounts
30changes to the way payment services are linked to an account
e-money, cryptocurrencies & stablecoins
31changes in payments processing
the fast payments surge
32changes in payments processing
the fast payments surge
33changes in user engagement & market structure
QR code or merchants' payments made easy
34changes in user engagement & market structure
QR code or merchants' payments made easy
35changes in user engagement & market structure (2/2)
the big upset: Fintech and Bigtech
36A challenge for central banks
SUPPORTING FAST PAYMENTS
OVERSIGHT AND SUPERVISION OF NON-BANK PSP
CYBER RESLIENCE
CBDC, CRYPTOCURRENCIES & STABLECOINS
ENABLING INNOVATION
COMPETITION IN PAYMENTS MARKET
CONSUMER PROTECTION AND DATA PROTECTION
37A challenge for central banks
38Considerations to inform a strategy on innovation in payments
39QUESTIONS?
40You can also read
