Buzzwords like “big data” typically bring to mind quantitative exercises
like the application of algorithms and analytics. While these are certainly
critical steps to gaining insight, a more fundamental building block of the
data market is access. Easier access to data has become a hot topic in all
industries, none more so than financial services. For instance, the G20’s
Anti-Corruption Working Group has identified open data as a priority to
advance public sector transparency and integrity. From a commercial
standpoint, data can serve as a catalyst for new products and business
models. The European Union has been proactive on this front, setting the rules of
engagement through the updated version of the Payment Services
Directive (PSD2).
Data sharing is often accomplished
through an application programming interface
(API), an intelligent conduit that
allows for the flow of data between systems
in a controlled yet seamless fashion (Exhibit
1). APIs have been leveraged in banking
settings for years (see sidebar “How
open banking brings new relevance to
APIs”). Given breakthroughs in
advanced analytics and the market traction
of numerous nonbank fintech companies,
however, APIs are receiving renewed attention
as a means to enhance the delivery of
financial services to both retail consumers
and business customers.
Exhibit 1
While open banking stands to benefit end
users as well as to foster innovations and new
areas of competition between banks and nonbanks,
it is also likely to usher in an entirely
new financial services ecosystem, in which
banks’ roles may shift markedly. It also raises
issues around regulation and data privacy,
which helps to explain why global markets
have taken varying approaches to governance,
contributing to disparate levels of progress.
Regardless of region, the momentum toward
open banking models seems clear, requiring
banks and fintechs alike to position themselves
for success in a new environment and
to anticipate the likely customer impacts.

Open banking reaching a fever pitch

Open banking can be defined as a collaborative
model in which banking data is shared
through APIs between two or more unaffiliated
parties to deliver enhanced capabilities
to the marketplace. APIs have been used for
decades, particularly in the United States, to
enable personal financial management software,
to present billing detail at bank websites, and to connect developers to payments
networks like Visa and Mastercard. To date,
however, these connections have been used
primarily to share information rather than
to transfer monetary balances.
The potential benefits of open banking are
substantial: improved customer experience,
new revenue streams, and a sustainable
service model for traditionally underserved
markets. In addition to well-known players
like Mint, examples include alternative underwriters
ranging from Lending Club in the
United States to M-Shwari in Africa to
Lenddo in the Philippines, and payments
disruptors like Stripe and Braintree (Exhibit
2).
Exhibit 2
Naturally, such advances are not quite as
straightforward as our capsule description
implies. Recent years have brought the development
of digital ecosystems, Tencent
(WeChat) and Alibaba in China being prime
examples. As these ecosystems mature they
begin to collide, and the inability to share
data threatens to curtail innovation in business
and operating models. Moreover, most
advancements to date have come from firms
outside the financial services realm. While
incumbents still hold the keys to the vault in
terms of rich transaction data as well as
trusted client relationships, banks often view
the opening of these data flows as more
threat than opportunity. After all, it is the
nonbank insurgents who have demonstrated
market traction thus far, and gained
valuable new customer relationships, by
presenting data in new forms.
There are inherent risks in sharing data,
however, which is why it is critical to develop
processes and governance underpinning
the technical connections. Although
the core API value proposition lies in
streamlining the systems integration required
for data access, the need for
guardrails to support protections for the privacy
and security of personal data creates a
formidable infrastructure challenge.

The data consent/protection elephant in the room

Notably, banks have traditionally viewed the
custody and protection of their clients’ data
as a responsibility, more of a stewardship
role than an asset to be commercialized.
Data sharing in financial services tends to
be risk- and permission-based, with required
audit trails, and subject to regulation
and risk management. If done well, however,
it can deliver increased security
through enhanced know-your-customer capabilities,
identity validation, and fraud detection.
For instance, the current version of
PSD2’s technical standards may put an end
to the practice of screen-scraping, long a
point of contention for banks.
At the same time, customer transparency
and control must remain at the center of
product design decisions. This is a more vexing
rule to follow than it appears on the surface.
Even as PSD2 is advanced by
regulators, it could be argued that through
adoption consumers have already set the
agenda for services they want opened to
third parties. On the other hand, different
data categories warrant different levels of security,
and informed consent requires understanding
the implications of sharing
before approving—no small feat when the
reflexive clicking of “I Agree” on an unread
set of terms and conditions is standard.
There is a fine line to walk: educating and
empowering consumers without confusing,
scaring, or boring them.
Perhaps the most complex of these is educating
end users on data permission and privacy.
PSD2 explicitly empowers account
holders with the authority to share data, removing
the financial institution’s role as
gatekeeper. Further complicating matters,
real-world evidence suggests consumers may
not attach the same value and sensitivity to
certain data elements that banks and their
regulators do. Although the move to open
banking need not be a zero-sum game, there
are several areas where banks harbor legitimate
concerns regarding loss of brand
recognition and reputational risk, especially
given their own required investments to effect
such change.
Further questions persist regarding the duty
to redact “sensitive data” in certain circumstances
as well as third-party providers’ obligations
to delete/destroy data after a period.
Many of these details remain a work in
progress and will be refined as the market
impacts of open banking play out. Banks are
understandably concerned about such details,
as any perceived disclosure missteps will almost
certainly radiate back to their brand.
Another interesting twist revolves around
the right to privacy. GDPR (General Data
Protection Regulation), slated to take effect
in the European Union in May 2018, imposes a substantial
penalty for noncompliance—
4 percent of the offending institution’s
global revenues (not profits). This “right to
be forgotten” significantly raises the stakes
of data sharing. Explicit consent is required
from the account holder. However,
there exists a silent counterparty to every
financial transaction conducted by that
holder; does a right to privacy exist for the
corresponding payor/payee? If so, the consent
process becomes infinitely more complex—particularly when parties to the
transaction bank with different institutions
and there is no central repository of
permissions granted.

Market evolution varies by regulatory approach

Ecosystem development has varied markedly
by region, due in no small part to regulatory
divergence. The most programmatic approach
has been taken in the European Union, through
both PSD2 and a broader effort to foster
competition in retail banking through the
United Kingdom’s Open Banking Standard. A key provision
of PSD2 aims to foster competition and
innovation for payments service provision in
the European Economic Area by opening account
access to nonbanks.
The United Kingdom’s pending separation from the European Union is not expected to alter these data-sharing
protocols, as many of PSD2’s customer protection
provisions are already enshrined in
UK law and both the government and financial
community have signaled a desire
to preserve banking services compatibility—
another strong indication of data sharing’s
momentum. Dating back further, Italy,
Belgium, and Germany each instituted common protocols as early as the 1990s to provide
access to account information to
smaller banks and third parties.
By contrast, the absence of a centralized US
approach to data governance has given rise to
a series of fintech innovators as well as a
patchwork of one-off bank agreements (such
as partnerships struck in the United States by Chase and
Wells Fargo with Xero and Finicity)—a model that
is not scalable in a market with roughly
12,000 financial institutions. Recently, the US
Office of the Comptroller of the Currency solicited
public comments regarding potential
issuance of a new special purpose charter enabling
fintechs to engage in limited banking
functions. While the charter’s intent focuses
more on lending and cost of capital, it also
represents a step toward making it easier for
nonbanks to compete in financial services and
conceivably paves the road for data-sharing
protocols similar to PSD2.
India experienced remarkable fintech growth
in late 2016 in the wake of the government’s
controversial decision to reissue
fully 86 percent of its legal tender. The resulting
cash shortage gave a jolt to an already
growing mobile wallet segment,
which is now beginning to enter a consolidation
phase. Singapore has developed a
large fintech market built largely around
APIs, for instance, for risk-decisioning in
the absence of formal credit-scoring agencies.
The Monetary Authority of Singapore
has now established a fintech division in
order to provide structure and oversight to
the process. Open banking is also gaining
traction in Iran (through the newly established
Finnotech portal), while Australia is considering steps mirroring those being
taken by the United Kingdom and European Union.

Implications for banks and new models in financial services

An open banking model can facilitate a series
of services of value to both consumers
and providers. Many of these exist today in
some form: AliPay and WeChat enable enhanced
e-commerce through their platforms,
offering a smoother personalized
experience and a full suite of payments options
including peer-to-peer. This model
can evolve to all-in-one commerce-centered
apps. Services like Trustly foster the
simplified extension of credit, enabling inquiries
specifically at “the moment of
truth,” such as at checkout or elsewhere
within the shopping value chain when intent
has been established and a purchase
decision can be influenced.
Sharing of limited data on “thin file” consumers
can help to advance financial inclusion
goals, pooling limited information to
arrive at more precise risk-scoring and
credit-underwriting decisions (Angaza in
Africa is an example). By introducing more
consumers to the formal financial system,
open banking increases the market opportunity
and the potential to deliver profitable
services in the future. Incubators and venture
capitalists have shown particular interest
in newcomers looking to incorporate
nonfinancial data with transaction records
to glean new insights—witness automated
advisory service Wealthfront recently adding
a lending product to its portfolio. Banks can
pursue this avenue as well, from the opposite
starting point.
While it seems unavoidable that open banking
will result in the sacrifice of some degree
of control by incumbent banks, banks will
gain the offsetting benefit of participating in
larger profit pools, ones in which they
should be well positioned to play a leading
role: for example, creating new service
propositions combining predictive analytics,
artificial intelligence, and financing to enhance
consumer and business offerings.
Among incumbents, a first-mover advantage
is open to organizations proactive and nimble
enough to be first to deliver innovative,
appealing products that customers want and
need (for example, intuitive interfaces and value-add
services such as budgeting and expense categorization,
like those offered by digital entrants
such as Monzo). The “trusted agent”
status that incumbents currently enjoy will
remain a competitive advantage for some
time, but it must be exploited now to halt
the loss of business to new entrants.
Much attention has been focused on the
need for banks to open their legacy systems
to APIs. However, it is equally true that Payment
Initiation Service Providers (PISPs)
and Account Information Service Providers
(AISPs) will need to develop interfaces to
the banking market. Given that PSD2 has
not defined a precise technical standard, a
new category of “gateway service providers”
could emerge. Google’s acquisition of API
management platform Apigee is an indicator
of this potential, raising the stakes in a
field that also includes players like Xignite
and Plaid. Throughout this process, a key
success factor for all parties (banks, third-party
providers, and the gateways envisioned
above) will be the ability to build
processes that ensure security and reliability
without sacrificing speed.
Banks have several strategic responses at
their disposal. Although a pure go-it-alone approach may be viable for institutions with
ample resources and an agile culture, varying
gradations of partnership may be a more
plausible strategy. Barclays and Santander
have each built open API infrastructures to
deliver a virtually limitless suite of services
via third-party providers (for example, EverLedger).
Fidor and N26 are two intriguing examples
of efforts to reinvent banking from the inside.
Both start-ups are branchless institutions
chartered in Germany with a fintech
focus, best-of-breed approach, and embrace
of unconventional (for banking) tactics like
crowdsourcing. Their geography is likely not
a coincidence, given that Germany has been
called “the world’s most open banking environment”
by some. Fidor was acquired in
2016 by France’s Groupe BPCE, but continues
to operate as an independent brand.
There are ample opportunities for open
banking to remake small business banking
as well. A UK study found that the country’s
five million SMBs believe existing
models offer a substandard financial service
proposition. A similar sentiment would
likely be found in many other countries.
The UK innovation foundation Nesta has
engaged to tackle this challenge, and Barclays’
Pingit and Buyit solutions offer positive
in-market examples.
Specific challenges will vary by geography,
determined largely by the evolution of regulatory regimes—particularly on the private
information front—and progress made to
date in ecosystem development. Banks with
global footprints will face particular challenges
in reconciling various regions’ regulations
and standards (for example, PSD2 in the European Union,
the Open Banking Standard in the United Kingdom,
Dodd-Frank in the United States) while delivering a unified
service to their global customers.
Regardless of location, over the next 18 to 24
months banks should capitalize on their incumbent
advantages by taking the following
actions:
- Explore data-sharing agreements with
  fintech and nonfinancial services firms to
  stay ahead of the curve.
- Develop a perspective on APIs and their
  benefit to the bank’s service model, both
  in leveraging mandated third-party access
  and potentially extending access beyond
  statutory requirements.
- Fully understand both existing data privacy
  mandates and likely changes, and determine
  their institution’s appetite for a
  less conventional approach. And examine
  how customer messaging would best facilitate
  any such change.
Banks will need to address the potential loss
of revenue from existing payments revenue
streams resulting from the lowered barriers
to competition. Change is rarely comfortable,
but as market evolution in the United
States and other countries illustrates, the
forces of change are inevitable. Banks are
better served getting ahead of and defining
the trend rather than waging a futile battle
to repel it.