The EU enacted open banking rules in 2018, inspiring regulators worldwide to reconsider how they were transacting funds or transmitting data.
The two years since have led governments around the world to launch initiatives exploring innovative digital connection strategies for financial institutions (FIs) and merchants as well as their customers. The COVID-19 pandemic’s impact on daily business has generated new questions surrounding these initiatives that regulators are now scrambling to answer.
Frustrations over online payment transaction limits, security and data privacy have begun to crop up now that consumers and merchants are settling into the new normal, showcasing just how rapidly the banking world is changing. Customers are relying less on cash than ever: 69 percent of adults in the U.K. are using contactless payments, a touch-free payment method, for example. Mobile and online payments are also on the rise for this same reason.
This growth in digital payment volume is testing the open banking networks proposed by regulators in multiple regions, including the U.K. and the EU. Whether the contactless payment limits proposed under Strong Customer Authentication (SCA) — requiring merchants to authenticate any payment over 50 euros ($54) — are truly scalable has become an essential question for merchants operating during the pandemic and for those considering money movement in its aftermath.
Data privacy and security standards are critical for regulators to address in regions such as the U.S., Australia and Canada. The pandemic has essentially stalled the advancement of open banking in Canada as lawmakers grapple to finalize data protection rules there. Businesses in California, meanwhile, are reporting numerous struggles with the California Consumer Privacy Act (CCPA) as the pandemic continues, sparking debates about how the act’s data privacy standards are working for merchants within the state.
The following Deep Dive explores just how much the COVID-19 pandemic has impacted open banking and online privacy regulations worldwide and details potential effects on the regulations’ future development.
COVID-19 Exposes Online Payment Concerns
The COVID-19 pandemic had two instant implications for merchants and consumers worldwide that relate to open banking. The first — and more immediate — effect of the virus for FIs and their regulators was how quickly it advanced digital transaction volumes. The second, more complicated effect concerned data privacy and whether the open banking networks put in place to share information could really help facilitate transactions and safeguard information in the ways that customers and merchants require. It is important to examine both of these impacts to understand how open banking will continue to progress and what it will mean for merchants globally.
Looking at how growing volumes of online payments interacted with existing open banking rules was the first priority for regulators in the EU and the U.K., for example, because frustrations occurred almost overnight for the regions’ businesses as they struggled to fulfill more online transactions. The majority of merchants were prioritizing seamless and secure services as online orders flooded in.
Fifty-seven percent of European shoppers reported purchasing goods online more often than before, according to one recent study, and another study found that 32 percent of global consumers anticipate they will be shopping online more frequently as well. This represents a massive bump in online orders that need to be processed swiftly by FIs and quickly shipped by merchants, leaving little time to change payment processes to comply with new regulations such as upgraded SCA limits or changes to data privacy rules under GDPR.
The pandemic is acting as a quick litmus test on whether SCA — and open banking by proxy — is truly scalable. The problem has a simple fix, however, and regulators are able to respond with some ease. The U.K. Financial Conduct Authority (FCA) postponed the SCA deadline by six months, while the European Banking Authority (EBA) increased contactless payment limits from 45 euros to 50 euros ($49 to $54) to help merchants process transactions at scale — although these measures may be temporary. The more crucial effect of the pandemic on open banking concerns data privacy, and it is in this second area that FIs and regulators everywhere are facing the most scrutiny from merchants and consumers.
Data Privacy's Starring Role in Open Banking
COVID-19’s effect on data privacy was as rapid as its effect on payments, but its data privacy influence was demonstrably wider. This is because it impacted not just countries with existing privacy and open banking standards but those where such regulations are just emerging. Securing shared information online — whether financial and payment information or more personal consumer data such as names and addresses — has always been essential to open banking regulations. The COVID-19 pandemic is placing lawmakers in multiple regions under extreme scrutiny.
Regions that already have data privacy standards in place, such as the EU and the U.K., are struggling to pass the first major test for GDPR in the two years since the rule was implemented. The European Data Protection Board (EDPB) has issued guidance to help companies better understand what data can be collected during the pandemic while remaining compliant with GDPR. There are still some points of confusion left to clarify, however, such as whether new biometric data like employees’ body temperatures or geolocations can be collected under GDPR to help minimize COVID-19 exposure risks. The regulators that are seeing the strongest reverberations in how they can treat data privacy are in countries like Australia and the U.S., where nationwide data security standards are still being debated.
The Australian Competition and Consumer Commission (ACCC) has extended the deadline for its Consumer Data Right (CDR) rule for another three months to Oct. 1, for instance. This gives the financial service providers covered under the rule more time to examine their data sharing operations, but the ACCC has also drafted a set of amendments to its rule in this three-month period, and the pandemic could widely impact what these amendments cover.
U.S. lawmakers in California, meanwhile, are seeing a rush of inquiries surrounding CCPA, which defines what data merchants in the state can collect and how it can be collected. It only recently came into effect on Jan. 1. California merchants are currently dealing with compliance challenges that affect how they can collect medical data. They are also asking how this rule could potentially impact how they are allowed to operate in the pandemic’s aftermath, including questions concerning the legality of screening employees for health risks on-premises.
These are among the more difficult considerations both merchants and their regulators are facing, and their answers are crucial for how privacy and open banking will take place in the future. Maintaining the balance between the convenience of the connections open banking enables for merchants and the privacy many consumers are expecting has always been the challenge in open banking’s development. The COVID-19 pandemic has shaken up the rulebook’s presumptions, however, and regulators will need to work quickly to catch up.