The COVID-19 pandemic may have stalled open banking developments, but 2020 is still shaping up to be a crucial year for such sharing and privacy regulations. This is especially true in Asia Pacific (APAC) countries, many of which followed the EU’s lead in launching open banking platforms to more easily connect FIs, FinTechs and third parties over the past two years. They had set 2020 deadlines for these plans, and appear to be keeping them while also safeguarding businesses and consumers during the pandemic.
The APAC is a massive region, and its consumers and banks have varied expectations about what they want from open banking and data privacy. One third of the world’s 1.7 billion unbanked consumers currently live in China, India, Indonesia or Pakistan, and they have different needs than their banked counterparts. China also has one of the highest mobile banking and payment penetrations worldwide, with 57 percent of its consumers able to access personal mobile banking tools as of 2018.
Open banking implementation is quickly progressing despite these polarizing trends, with some countries focusing on privacy while their neighbors work to seamlessly send online transactions or information. Their open banking efforts have caught regulators’ attentions in the EU, U.K. and U.S. as developments move forward, too. Industry experts followed Hong Kong and Singapore last year as both announced plans to foster digital banking growth and connectivity among their FIs and consumers. Their regulators have been using GPDR and PSD2 as blueprints so their banks could connect to European entities on global open banking platforms in the future.
This goal of international interoperability has also impacted how APAC lawmakers approach data privacy, but there are challenges to achieving the level of connectivity many want. The following Deep Dive examines recent APAC open banking and privacy moves, how the COVID-19 pandemic may have impacted their execution or development and why the APAC’s approach to data privacy is important in a global context.
Detangling APAC banking, privacy moves
APAC regulators’ views on open banking and data privacy before COVID-19 help inform how the virus’s spread could alter development. Many have looked to the EU’s GDPR and PSD2 for guidance, for example. This has given lawmakers a map to follow when innovating their privacy standards as well as enabling them to more easily share information or transact with foreign banks and businesses operating under the same standards.
Open banking regulations in the APAC region also follow the EU’s example in the tools and technologies used to create that support. Most are relying on platforms that connect banks and third parties via APIs, which can help them more securely share data. Hong Kong, Japan, Singapore and South Korea are among the markets focusing on API development to push open banking forward. This type of connectivity is a staple in the space, with 53 percent of surveyed APAC industry experts viewing it as critical. Another 45 percent claimed that connectivity between banks in different countries is essential to open banking’s future, and local data regulation approaches appear to be keeping these principles in mind.
This concept is evident throughout the APAC region, including in Japan, Thailand and India. The former was granted an Adequacy Decision by the European Commission in 2019, for example, meaning its data protection rules followed those of GDPR closely enough that information can securely be passed between the two areas. Thailand used concepts borrowed from GDPR when it passed its Personal Data Protection Act in May 2019, with the rule applying specific standards for transferring personal or financial information from foreign entities. Indian regulators have been workshopping a Personal Data Protection Bill since 2018 — the year GDPR passed in the EU — which also details how data can be shared domestically and internationally.
APAC regulators appear to maintain the EU’s view that sharing and protecting such information must evolve with the digital world. South Korea’s advancement of open banking places particular focus on the security of the platforms handling such transactions, thereby ensuring they are also in line with GDPR concepts. Its Financial Services Commission (FSC) launched a regulatory sandbox in April 2019 following an announcement that it would be revising its Electronic Financial Transaction Act to create a secure open banking foundation. A pilot platform was opened several months later for 10 South Korean banks — 7 million consumer accounts were registered on the service as of Dec. 18, 2019.
A number of these data privacy rules came just one year after GDPR and PSD2 launched in the EU, meaning many are being put to the test for the first time during the COVID-19 pandemic. The outbreak has led to privacy standard debates in the APAC, EU and U.S. as the need to rapidly share financial and healthcare information has brought consumer data privacy firmly into the spotlight. This has always been an important part of open banking discussions, but COVID-19 is adding new fuel to the fire.
COVID-19 and data privacy
Regulators in the APAC, EU, U.K. and U.S. have their own opinions on privacy, and they could see their approaches to online privacy split further in the pandemic’s aftermath. The main difference is in how these markets view the concept: U.S. consumers are used to handing data to corporations, rather than the government, while those from the APAC and EU are used to the opposite.
U.S. businesses are currently asking California lawmakers to postpone CCPA implementation during COVID-19, for example, citing difficulties complying with its data sharing rules as the virus continues to spread. Eighty percent of U.S. consumers report being more concerned about privacy now than in past years, however, and 65 percent feel it is unsafe to provide their information to businesses. Rules like the CCPA could help restore user trust, particularly if firms can comply when outside factors like the pandemic have created additional insecurities for consumers.
APAC and EU regulators are seeing different responses. Forty percent of the latter’s consumers believe GPDR is impacting how well their data is protected, for example, and the EU is therefore focused on making sure data can continue to be sent seamlessly and securely by its own standards. The European Commission endorsed finding a “common” approach for using mobile data and personal information during the COVID-19 pandemic in a recent recommendation, for example. Several APAC countries have had similar responses, with governments in China, Singapore and South Korea asking citizens to share healthcare data through mobile apps.
Regulators’ main focus is slowly shifting from how they can respond to COVID-19 to what those responses mean for data privacy standards in its aftermath. Consumers in some countries may end up comfortable using mobile health apps in the long term, which could lead to privacy standards that are very different from those that emerge elsewhere. This would create additional discord on the global privacy stage, meaning financial and industry leaders in the APAC, EU and U.S. must carefully track current developments to better understand their potential trajectories.