Data sharing and open banking

Buzzwords like “big data” typically bring to mind quantitative exercises like the application of algorithms and analytics. While these are certainly critical steps to gaining insight, a more fundamental building block of the data market is access. Easier access to data has become a hot topic in all industries, none more so than financial services. For instance, the G20’s Anti-Corruption Working Group has identified open data as a priority to advance public sector transparency and integrity. From a commercial standpoint, data can serve as a catalyst for new products and business models. The European Union has been proactive on this front, setting the rules of engagement through the updated version of the Payment Services Directive (PSD2).

Data sharing is often accomplished through an application programming interface (API), an intelligent conduit that allows for the flow of data between systems in a controlled yet seamless fashion (Exhibit 1). APIs have been leveraged in banking settings for years (see sidebar “How open banking brings new relevance to APIs”). Given breakthroughs in advanced analytics and the market traction of numerous nonbank fintech companies, however, APIs are receiving renewed attention as a means to enhance the delivery of financial services to both retail consumers and business customers.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

While open banking stands to benefit end users as well as to foster innovations and new areas of competition between banks and nonbanks, it is also likely to usher in an entirely new financial services ecosystem, in which banks’ roles may shift markedly. It also raises issues around regulation and data privacy, which helps to explain why global markets have taken varying approaches to governance, contributing to disparate levels of progress. Regardless of region, the momentum toward open banking models seems clear, requiring banks and fintechs alike to position themselves for success in a new environment and to anticipate the likely customer impacts.

Open banking reaching a fever pitch

Open banking can be defined as a collaborative model in which banking data is shared through APIs between two or more unaffiliated parties to deliver enhanced capabilities to the marketplace. APIs have been used for decades, particularly in the United States, to enable personal financial management software, to present billing detail at bank websites, and to connect developers to payments networks like Visa and Mastercard. To date, however, these connections have been used primarily to share information rather than to transfer monetary balances.

The potential benefits of open banking are substantial: improved customer experience, new revenue streams, and a sustainable service model for traditionally underserved markets. In addition to well-known players like Mint, examples include alternative underwriters ranging from Lending Club in the United States to M-Shwari in Africa to Lenddo in the Philippines, and payments disruptors like Stripe and Braintree (Exhibit 2).

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Naturally, such advances are not quite as straightforward as our capsule description implies. Recent years have brought the development of digital ecosystems, Tencent (WeChat) and Alibaba in China being prime examples. As these ecosystems mature they begin to collide, and the inability to share data threatens to curtail innovation in business and operating models. Moreover, most advancements to date have come from firms outside the financial services realm. While incumbents still hold the keys to the vault in terms of rich transaction data as well as trusted client relationships, banks often view the opening of these data flows as more threat than opportunity. After all, it is the nonbank insurgents who have demonstrated market traction thus far, and gained valuable new customer relationships—by presenting data in new forms.

There are inherent risks in sharing data, however, which is why it is critical to develop processes and governance underpinning the technical connections. Although the core API value proposition lies in streamlining the systems integration required for data access, the need for guardrails to support protections for the privacy and security of personal data create a formidable infrastructure challenge.

The data consent/protection elephant in the room

Notably, banks have traditionally viewed the custody and protection of their clients’ data as a responsibility, more of a stewardship role than an asset to be commercialized. Data sharing in financial services tends to be risk- and permission-based, with required audit trails, and subject to regulation and risk management. If done well, however, it can deliver increased security through enhanced know-your-customer capabilities, identity validation, and fraud detection. For instance, the current version of PSD2’s technical standards may put an end to the practice of screen-scraping, long a point of contention for banks.

At the same time, customer transparency and control must remain at the center of product design decisions. This is a more vexing rule to follow than it appears on the surface. Even as PSD2 is advanced by regulators, it could be argued that through adoption consumers have already set the agenda for services they want opened to third parties. On the other hand, different data categories warrant different levels of security, and informed consent requires understanding the implications of sharing before approving—no small feat when the reflexive clicking of “I Agree” on an unread set of terms and conditions is standard. There is a fine line to walk: educating and empowering consumers without confusing, scaring, or boring them.

Perhaps the most complex of these is educating end users on data permission and privacy. PSD2 explicitly empowers account holders with the authority to share data, removing the financial institution’s role as gatekeeper. Further complicating matters, real-world evidence suggests consumers may not attach the same value and sensitivity to certain data elements that banks and their regulators do. Although the move to open banking need not be a zero-sum game, there are several areas where banks harbor legitimate concerns regarding loss of brand recognition and reputational risk, especially given their own required investments to effect such change.

Further questions persist regarding the duty to redact “sensitive data” in certain circumstances as well as third-party providers’ obligations to delete/destroy data after a period. Many of these details remain a work in progress and will be refined as the market impacts of open banking play out. Banks are understandably concerned about such details, as any perceived disclosure missteps will almost certainly radiate back to their brand.

Another interesting twist revolves around the right to privacy. GDPR (General Data Protection Regulation), slated to take effect in the European Union in May 2018, imposes a substantial penalty for noncompliance— 4 percent of the offending institution’s global revenues (not profits). This “right to be forgotten” significantly raises the stakes of data sharing. Explicit consent is required from the account holder. However, there exists a silent counterparty to every financial transaction conducted by that holder; does a right to privacy exist for the corresponding payor/payee? If so, the consent process becomes infinitely more complex—particularly when parties to the transaction bank with different institutions and there is no central repository of permissions granted.

Market evolution varies by regulatory approach

Ecosystem development has varied markedly by region, due in no small part to regulatory divergence. The most programmatic approach has been taken in the European Union, through both PSD2 and a broader effort to foster competition in retail banking through the United Kingdom’s Open Banking Standard. A key provision of PSD2 aims to foster competition and innovation for payments service provision in the European Economic Area by opening account access to nonbanks.

The United Kingdom’s pending separation from the European Union is not expected to alter these data-sharing protocols, as many of PSD2’s customer protection provisions are already enshrined in UK law and both the government and financial community have signaled a desire to preserve banking services compatibility— another strong indication of data sharing’s momentum. Dating back further, Italy, Belgium, and Germany each instituted common protocols as early as the 1990s to provide access to account information to smaller banks and third parties.

By contrast, the absence of a centralized US approach to data governance has given rise to a series of fintech innovators as well as a patchwork of one-off bank agreements (such as partnerships struck in the United States by Chase and Wells Fargo with Xero and Finicity)—a model that is not scalable in a market with roughly 12,000 financial institutions. Recently, the US Office of the Comptroller of the Currency solicited public comments regarding potential issuance of a new special purpose charter enabling fintechs to engage in limited banking functions. While the charter’s intent focuses more on lending and cost of capital, it also represents a step toward making it easier for nonbanks to compete in financial services and conceivably paves the road for data-sharing protocols similar to PSD2.

India experienced remarkable fintech growth in late 2016 in the wake of the government’s controversial decision to reissue fully 86 percent of its legal tender. The resulting cash shortage gave a jolt to an already growing mobile wallet segment, which is now beginning to enter a consolidation phase. Singapore has developed a large fintech market built largely around APIs, for instance, for risk-decisioning in the absence of formal credit-scoring agencies. The Monetary Authority of Singapore has now established a fintech division in order to provide structure and oversight to the process. Open banking is also gaining traction in Iran (through the newly established Finnotech portal), while Australia is considering steps mirroring those being taken by the United Kingdom and European Union.

Implications for banks and new models in financial services

An open banking model can facilitate a series of services of value to both consumers and providers. Many of these exist today in some form: AliPay and WeChat enable enhanced e-commerce through their platforms, offering a smoother personalized experience and a full suite of payments options including peer-to-peer. This model can evolve to all-in-one commerce-centered apps. Services like Trustly foster the simplified extension of credit, enabling inquiries specifically at “the moment of truth,” such as at checkout or elsewhere within the shopping value chain when intent has been established and a purchase decision can be influenced.

Sharing of limited data on “thin file” consumers can help to advance financial inclusion goals, pooling limited information to arrive at more precise risk-scoring and credit-underwriting decisions (Angaza in Africa is an example). By introducing more consumers to the formal financial system, open banking increases the market opportunity and the potential to deliver profitable services in the future. Incubators and venture capitalists have shown particular interest in newcomers looking to incorporate nonfinancial data with transaction records to glean new insights—witness automated advisory service Wealthfront recently adding a lending product to its portfolio. Banks can pursue this avenue as well, from the opposite starting point.

While it seems unavoidable that open banking will result in the sacrifice of some degree of control by incumbent banks, banks will gain the offsetting benefit of participating in larger profit pools, ones in which they should be well positioned to play a leading role: for example, creating new service propositions combining predictive analytics, artificial intelligence, and financing to enhance consumer and business offerings. Among incumbents, a first-mover advantage is open to organizations proactive and nimble enough to be first to deliver innovative, appealing products that customers want and need (for example, intuitive interfaces and value-add services such as budgeting, expense categorization such as that offered by digital entrants like Monzo). The “trusted agent” status that incumbents currently enjoy will remain a competitive advantage for some time, but it must be exploited now to halt the loss of business to new entrants.

Much attention has been focused on the need for banks to open their legacy systems to APIs. However, it is equally true that Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will need to develop interfaces to the banking market. Given that PSD2 has not defined a precise technical standard, a new category of “gateway service providers” could emerge. Google’s acquisition of API management platform Apigee is an indicator of this potential, raising the stakes in a field that also includes players like Xignite and Plaid. Throughout this process, a key success factor for all parties (banks, third-party providers, and the gateways envisioned above) will be the ability to build processes that ensure security and reliability without sacrificing speed.

Banks have several strategic responses at their disposal. Although a pure go-it-alone approach may be viable for institutions with ample resources and an agile culture, varying gradations of partnership may be a more plausible strategy. Barclays and Santander have each built open API infrastructures to deliver a virtually limitless suite of services via third-party providers (for example, EverLedger).

Fidor and N26 are two intriguing examples of efforts to reinvent banking from the inside. Both start-ups are branchless institutions chartered in Germany with a fintech focus, best of breed approach, and embrace of unconventional (for banking) tactics like crowdsourcing. Their geography is likely not a coincidence, given that Germany has been called “the world’s most open banking environment” by some. Fidor was acquired in 2016 by France’s Groupe BPCE, but continues to operate as an independent brand.

There are ample opportunities for open banking to remake small business banking as well. A UK study found that the country’s five million SMBs believe existing models offer a substandard financial service proposition. A similar sentiment would likely be found in many other countries. The UK innovation foundation Nesta has engaged to tackle this challenge, and Barclays’ Pingit and Buyit solutions offer positive in-market examples.

Specific challenges will vary by geography, determined largely by the evolution of regulatory regimes—particularly on the private information front—and progress made to date in ecosystem development. Banks with global footprints will face particular challenges in reconciling various regions’ regulations and standards (for example, PSD2 in the European Union, open banking standard in the United Kingdom, Dodd- Frank in the United States) while delivering a unified service to their global customers.

Regardless of location, over the next 18 to 24 months banks should capitalize on their incumbent advantages by taking the following actions:

• Explore data-sharing agreements with fintech and nonfinancial services firms to stay ahead of the curve.
• Develop a perspective on APIs and their benefit to the bank’s service model, both in leveraging mandated third-party access and potentially extending access beyond statutory requirements.
• Fully understand both existing data privacy mandates and likely changes, and determine their institution’s appetite for a less conventional approach. And examine how customer messaging would best facilitate any such change.

Banks will need to address the potential loss of revenue from existing payments revenue streams resulting from the lowered barriers to competition. Change is rarely comfortable, but as market evolution in the United States and other countries illustrates, the forces of change are inevitable. Banks are better served getting ahead of and defining the trend rather than waging a futile battle to repel it.