The enormous amount of private financial data that will be made available to third parties will be an equally large target for those seeking to obtain it illegally and they will have more avenues available by which to gain access to it.
Since the beginning of this year, PSD2 (Europe) and the Open Banking Standard (UK) have mandated collaboration between banks and third-party providers. Banks are required to share — with client approval, via Application Programming Interfaces (APIs) — access to client accounts and account information with third parties, mainly fintech providers, opening a door to a significantly transformed future payments landscape.
These third-party providers will be of two types: Account Information Services Providers (AISPs) and Payment Initiation Services Providers (PISPs). AISPs will be allowed to access and extract client information — balances, history, transaction data — and PISPs will be allowed to initiate and make online payments, drawing directly from a client’s account, without bank intermediation.
The ways this access can be used are myriad. For example, an AISP might be able to compare offerings from numerous banks and provide them to clients. This could include information on car loans, mortgages, business loans, savings account returns, and checking account charges. For businesses or banks themselves, a client’s creditworthiness could be readily and directly ascertained, potentially without the intermediation of a ratings company.
AISPs might serve as financial advisers to both corporates and individuals, with the ability to manipulate and analyze massive amounts of data virtually and provide investment information in real time. This would enable them, as one example, to advise that monthly bills are coming due. PISPs could pay those bills, oversee spending and provide budget advice. Competition will drive ideas and shape the market, all ostensibly to the consumers’ benefit.
To appreciate the magnitude of this change, consider that since the advent of banking, banks have held a monopoly on the information they retain on their clients. That such information would be privileged and unshared has been core to the very idea of banking. Maintaining the security of such proprietary information has been strictly regulated by law and typically enforced with various firewalls within individual banks, with access allowed on a need-to-know-only basis in order to thwart inappropriate pooling, leaking or misuse. Such protections are largely within the domain of Operations Management.
The role of Operations Management within banks is to ensure that processes and transactions are executed properly in a controlled way while providing a superior level of service to clients. With non-bank providers gaining access to what has been historically private data, operations functions within banks will face significant shifts in order to maintain the integrity of their transaction processing. The enormous amount of private financial data that will be made available to third parties will be an equally large target for those seeking to obtain it illegally and they will have more avenues available by which to try to gain access to it. Operations management regularly addresses the risks associated with data loss, identity theft, data protection, money laundering and financing terrorism. Open banking allows for all these issues to be exacerbated in the absence of appropriate protocols, and the complexity of dealing with that may put significant pressure on Operations departments.
The creators of the initiatives have taken steps to address this, codified within the legislation. AISPs and PISPs, in order to be licensed, must convince regulators of the soundness of their data security and will be required to submit to annual inspections. They will also be required to acquire fraud insurance, adding another layer of prevention, in that insurers have a clear stake in seeing that security procedures are optimal. Also, regulations requiring more robust authentication and two-step verification will help enhance the security of online payments.
Still, the management of these risks is crucial. Regulations on paper and regulations put into practice can be very different matters. This will be a rapidly changing and unpredictable market and the regulatory environment must be fluid, not static. Replacing a single bank portal with numerous lines of access will provide many more opportunities and points of attack for criminal activity.
For UK and Euro Zone banks, these are issues of great concern, but they must be addressed to meet the regulation. Open banking has been mandated and banks have no choice but to respond. Below I outline three approaches that might be taken in Operations Management.
One way to address these concerns might be for Operations to function as essentially two departments. One would serve the needs of an open banking model and could be accessed by third-party providers on a back-office or private label basis, with the bank functioning primarily as a utility provider. The second department would be dedicated to traditional banking, servicing a bank’s own client base directly. At issue and of maximum importance in this approach is that the bank not allow its own reputation for transactional excellence to be tarnished by any mismanagement by a third-party provider. This is, however, a defensive and potentially short-sighted way to proceed.
Although its intent is to safeguard a bank’s reputation, the drawback to the above approach is that, in pursuit of operational integrity, it could cut the bank off from taking advantage of an array of opportunities of which they might otherwise avail themselves. By being more open to the ideas of third-party users, banks may participate in and benefit from the inflow of new ideas and talent and the new revenue streams they could provide. High standards of risk management would still need to be maintained and solutions for doing so would need to be created. But, if possible, it would provide a far less draconian framework.
An even more aggressive and proactive approach would be for banks to develop APIs, either in-house or in collaboration with developers, for third-party providers to implement; that is, not merely being open and accommodating to new providers, but actively courting them and their businesses. In the US, BNY Mellon took such an approach with its Real-Time Payments offering, becoming an early adopter and seeking out potential clients even during the development process, thereby both gaining access to their ideas and needs, and positioning them as providers to their clients immediately after the go-live date.
Since the open banking initiatives are still in their infancy, most banks are still struggling with the implications and few, if any, banks have developed clear strategies as to how best to proceed. This is no less true of the third-party providers coming into this redefined world. The potential for change and upheaval is huge and many of the ideas and technologies that will shape open banking are likely still to be invented.
So one can imagine banks taking a three-step approach that incorporates in varying degrees each of the models described above. But, in any case, the open banking initiatives are certain to transform traditional means of Operations Management – soon and forever.
The views expressed herein are those of the authors only and may not reflect the views of BNY Mellon. This does not constitute Treasury Services advice, or any other business or legal advice, and it should not be relied upon as such.
©2018 The Bank of New York Mellon Corporation.
Managing Director of Global Payments & Treasury Services Delivery
Matt Wells is Managing Director, Head of Global Payments and Treasury Services Delivery. He is responsible for the enterprise-wide services that support our clients’ payments, trade finance and treasury services needs. Strategically located across the globe, Matt’s nearly 3,000-strong team leverages industry-leading solutions to deliver seamless, around-the-clock coverage for our clients.