It's no surprise that the financial services industry's move toward open banking may not be the most welcome trend among banks. With data considered to be owned by customers and not the bank, financial institutions are exposing themselves to market competition, security risks and other threats in the name of enhanced customer service and choice.
In Europe and the U.K., PSD2 and open banking are making data sharing a requirement. In the U.S., however, the regulatory future of an open banking ecosystem is less certain – and according to George Anderson, founder of software firm Ninth Wave, it probably won't look like PSD2.
"It's an apples-to-oranges comparison," he told PYMNTS about the regulatory approach toward open banking in Europe versus the U.S. One of the biggest challenges is the number of U.S. financial regulators that would have to coordinate on open banking rules; in the U.K., only two regulatory authorities had to collaborate to implement open banking, while Australia had only one, according to a recent American Banker report.
But market forces dictate that open banking is coming, whether banks like it or not – and whether or not regulators will be able to guide FIs along the way. Sixty percent of consumers surveyed last year by Bain & Co. said they are willing to try a financial product from a technology conglomerate they're already using, like Amazon, Google or Facebook. Another report from TD Ameritrade found more than one-fifth of consumers agree the biggest impact of technology has been on how they manage their money.
Without regulation, this shift is leaving traditional financial institutions to take the reins on developing best practices when it comes to standardization, data security and more, Anderson said.
His firm, Ninth Wave, launched only weeks ago from its parent company Enterprise Engineering, which provides software to FIs. Ninth Wave was established to facilitate data flows between FIs and third-party data aggregators, like FinTechs. Anderson described Ninth Wave's role as acting as the connection between banks and the "outside world" of data aggregators while maintaining security and compliance.
Privacy and data security are undoubtedly core aspects of existing open banking regulations around the world. But in the U.S., a lack of regulation has the financial services industry working to understand the best way to enable the free flow of data between a FinTech app and a traditional bank without exposure to bad actors. It's critical to customer security and satisfaction, but Anderson noted that banks are struggling with what can appear to be a free-for-all in data aggregation.
"They're going out there and getting data without me asking," he said of third-party FinTech platforms that a user authorizes to log into their existing accounts and collect the information the app needs to run. The issue, he continued, is that sometimes these data aggregators collect more data than needed.
"Depending on what financial institution they're going to, they may very well be screen-scraping that data," he said. "Maybe all [that app] needs is my checking account balance, and my transactions for that checking account. But they can go out and gather other information, anonymize it and resell it."
Banks can struggle with making sure these third parties are collecting only the data their customers have authorized them to collect, or only the data their customers want them to collect, even if they unknowingly gave that app free rein of their financial accounts.
This process introduces a far less discussed problem for financial institutions: traffic overload. One Ninth Wave client will sometimes see 65 percent of system traffic coming solely from these data aggregators, Anderson said. Another client, on one particularly "volatile" day earlier this year, was charged $250,000 in mainframe capacity-on-demand over charges, a direct result of aggregator and screen scraper traffic.
"These FIs obviously are spending a lot of money to support things that clients aren't asking for," he said, also pointing to the risks of bad actors who hide behind these data aggregators and API companies to breach data systems, and the discussion over which entity holds responsibility in the event of a data breach.
"There is a lot of animosity between aggregators and FIs – and, in my position, with good reason," Anderson said. "There are a lot of problems with the system right now, and many more that nobody wants to talk about."
The financial services industry in the U.S. will have to work through many of these challenges without direction from regulators – for now, at least. According to Anderson, while there are signs that U.S. regulators are exploring potential open banking regulations, they are likely far off. Until then, financial institutions should find guidance in trusted partners.
"It's a matter of timing, and I do think initial efforts will fail," he said. "I do think it will be regulated, but not for a while. There will be best practices put out there, and banks will lead the efforts. Yes, I do believe there will be some degree of regulation at some point in time, though I'm skeptical as to what the initial efforts will be, and what the time frame will look like."