Open Banking’s European success has kicked off interest in similar regulations worldwide, most notably in China, India and Singapore, where digital banking’s popularity among general consumers is rapidly rising. These markets’ proposed privacy and banking rules are largely modeled after GDPR and PSD2, so regulators must avoid the stumbling blocks that banks and businesses hit soon after implementation.
GDPR and PSD2 have significantly shifted how EU banks and businesses exchange online funds and consumer data. However, the pace of that change and its ensuing costs have meant that some financial entities and merchants have responded more quickly than others, with responses also varying by country of origin within Europe.
Further requirements, such as Strong Customer Authentication (SCA), widened this gap, as regulators in individual markets scrambled to identify exactly where and how regulations would affect them before the September 2019 deadline. Numerous regions then announced internal deadlines for compliance that often diverged from their neighbors’ deadlines. Growing concerns about online security, fraud and infrastructure costs intensified in the period after the rollout, and generated ongoing questions over the safety of the API-driven Open Banking platforms developed to comply with PSD2 and GDPR.
These questions and concerns caused certain European markets to temper their financial and privacy innovations, which could hamper Open Banking’s worldwide growth. Newly affected markets must be aware of these issues as their local regulators debate the scope of similar rules, because walking into the same obstacles could again halt Open Banking development.
SCA Questions Stall Innovation
The main strength of Europe’s Open Banking legislation is also its major weakness: It applies to the entire EU. The sweeping compliance requirements affect all members, but execution can differ country by country. This reality can cause friction, as some entities will respond faster to regulatory requirements than others.
The most recent and powerful example of this is SCA, which rolled out about a year after PSD2’s implementation. Its authentication requirements were robust, yet confusing. Knowledge and innovation gaps exacerbated by its deadline led several countries to declare grace periods of different lengths. Each country had its unique business and bank concerns to address, and each firm had disparate resources to make the required changes. This fractured SCA’s ability to innovate, and challenges persist months after its deadline.
Online security further widened the gulf between countries with businesses and financial institutions that could readily embrace SCA’s requirements (such as Norway or Sweden, where many consumers and businesses were already used to Open Banking) and those that could not or would not. France, the U.K. and other countries in the latter camp scrutinized the potential for fraud growth under Open Banking, and questioned SCA’s range, pointing out weaknesses that fraudsters could exploit via mandated API-connected platforms. The countries extending their compliance deadlines the farthest may bring additional fraud protection problems inside and outside the EU.
Security Concerns Mount
Some attribute Europe’s Open Banking growth rift to outstanding fraud protection issues that SCA aimed to solve, and fraud losses are likely to continue. One recent study projected that $48 billion will be lost annually through online payments fraud by 2023, and predicted that instant payment and online money transfer scams — which take advantage of online interconnectivity and digital transactions’ accelerating speeds — would increase in this time frame.
Such fraud will likely expand as long as gaps persist between countries with upgraded online banking authentication standards and those still debating which measures to implement. Fraudsters can attack protected platforms through one weak point in a system. Weak points will likely remain a reality until all affected countries fully adopt the regulations.
Many EU countries have decided upon Dec. 31, 2020 as the new SCA compliance deadline, but the U.K. will not require additional authentication from affected banks and businesses until March 2021. This affects those using the EU as a model for Open Banking. Australia has already pushed its own regulations back by six months, thanks to similar security concerns, and regulators in India are set to debate online data protection rules this spring. Both are likely considering SCA’s impacts in Europe while writing their own regulations. It is thus critical for EU stakeholders to iron out their remaining SCA and online security qualms, as Open Banking may become the global norm.