Open Banking: Data-Related Risks and Governance Mechanisms

April 15, 2021

The advent of Open Banking in Canada has sparked significant debate in the financial services sector. While some believe that banks that have invested in customer relationships have earned the right to be the custodian of their data, others view it as a strategic opportunity that will enable new channels and promote innovation in an otherwise stagnating industry. For newer age fintech companies, Open Banking poses an unprecedented opportunity to compete with established financial services players, leveraging a pre-existing pool of customer data.

Keeping divided opinions on data ownership aside, however, nearly all stakeholders agree that Open Banking has the potential to transform the financial services industry. It will essentially create a new playing field for both old and new players, and access to additional customer insights will help drive revenue from existing products/services, allowing financial services companies to tap into new markets and better meet their customers’ emerging needs. From a customer perspective, Open Banking will bring a wider array of more competitive products and services and open the doors to greater personalization and customization.

However, it is of some solace to existing banks and Financial Institutions (FIs) that Open Banking cannot completely level the playing field. Banks will still have a significant advantage over new entrants, owing to the strength of their existing relationships with customers and because they have vastly more data than fintech players can imagine, or consumers will ever consent to share.

All in all, a trusted Open Banking ecosystem will benefit all the stakeholders involved to some degree. However, it also comes with potential risks, and its roll-out needs to be carefully governed and managed to ensure successful widespread implementation.

Data-Related Risks in the Open Banking World

The customer is at the center of the Open Banking ecosystem. As Open Banking gives consumers the ability to use their financial data to their own benefit, it will also create opportunities for FIs, data aggregators, and data platforms to help consumers access, store, and use their financial information for the duration of the consent period. However, without industry standardization and some form of governance, there is a risk of proliferation and mass fragmentation of customer data.

The absence of regulations or standards to govern the use, transport, and maintenance of data, introduces multiple forms of risks, including:

Data quality risks: With multiple FIs and third-party providers (TPPs) using the same data, it will be easy for information to get out-of-sync with the book of record. Moreover, information for the same data attributes, with different content from different providers, might get overwritten without a trace, rendering individual records inaccurate, incomplete, or unreliable. In turn, this poor quality data could end up being used for analytics by different FIs, resulting in incorrect or potentially conflicting insights for decision-making. A robust data governance and data quality policy/standard could mitigate such risks and ensure a single source of truth of clean, trusted customer data.

Security risks: As the custodian of customer data, banks presently store data within their environments. However, Open Banking will introduce new mechanisms for sharing data among banks and TPPs. This expansion of the ecosystem could expose data to breaches and cyberattacks. In many cases, data classification challenges arising due to mass data proliferation may make it impossible to trace breached data back to its source. To address these risks, standards will need to be put in place to ensure appropriate data use, storage, retention, and disposal. Authentication and verification protocols will be needed to lower these risks and to protect both customers and FIs against data breaches.

Privacy risks: Under Open Banking, consumers will be able to authorize sharing of their data amongst FIs for a specific purpose. However, this may also pose the risk of accidental or malicious unauthorized use or misuse of customer data or may inadvertently expose customers’ personal information, resulting in privacy-related concerns. Data privacy policies and regulations will likely need to be strengthened to accommodate Open Banking.

Regulatory Oversight and Standards for Risk Mitigation

Interestingly enough, despite their potential implications, data-related risks are yet to be included in most Open Banking standards and deliberations worldwide. The UK Open Banking Standard makes no mention of these risks, and the EU Directive 95/46/EC merely stipulates that “personal data must be… where necessary, kept up to date” without proposing a realization mechanism for the same. In the US, Open banking is essentially an industry-driven initiative with some CFPB guidance. The US’ NIST Cybersecurity Framework touches upon these issues with its CIA triad – Confidentiality, Integrity, and Availability – but there is a lot of work to be done to make it implementable.

Australia, on the other hand, has taken data integrity and security into account and published the Australia Consumer Data Right (CDR) Rules for Open Banking, which includes a mechanism for TPPs to request corrected data from data providers, data security practices TPPs need to implement, and rules for handling duplicate data.

While the Canadian Government’s consultative papers have acknowledged the risks associated with the proliferation of sensitive consumer data across multiple platforms, at this point, they focus mainly on security and privacy concerns.

However, with the ball already rolling on Open Banking in Canada, it is clear that the industry will need to take the lead in drafting standards, at least until regulatory measures can be put in place. Since there are no controls to prevent TPPs from storing and re-using data, and no regulatory mechanisms exist to ensure data currency and prevent data drift, there is no way to stop data proliferation. The only possible solution in the current context is to combine industry standardization with a data governance ecosystem to enable TPPs to maintain and trace data.

An industry-driven standardization and governance ecosystem will entail the following:

• Neutral technical standards: First, the industry will need technical standards that are neutral, interoperable, and royalty-free. Organizations like Financial Data Exchange, LLC (FDX) are already working closely with financial institutions, fintechs, payment networks, and data aggregators to develop technical standards. The FDX API, for instance, offers secure authentication with a restful API for data access and aims to strengthen consumer control and data permissions in the Open Banking ecosystem. FDX Working Groups are also looking at several aspects of Open Banking, including API and Data Recipient Certification, Request for Comment, and Data Quality.
• Governance policymaking: Second, an organization will have to be set up to establish and maintain data governance policies, processes, and tools. These governance policies will have to enable, rather than hinder, ecosystem collaboration to further the development and roll-out of technical standards. This organization will also need to have or build resources (trained people, tools selection, etc.) to enable the governance ecosystem for Open Banking and get buy-in from TPPs for the use of the established technical standards.
• Governance execution: Lastly, such an organization, in concert with all TPPs, should be able to execute data governance processes and use the tools.

While work on the technical standards is already underway, what remains unclear is who will fulfill the role of data governance. So far, regulators have not demonstrated an interest in addressing this problem. Moreover, given that significant regional and national differences exist in regulatory approaches and the data governance challenges need to be addressed holistically to ensure interoperability, regulators will likely not be best placed to take on this responsibility.

The best bet, in this case, would likely be to establish a governance ecosystem through the confluence of an industry association, NPO, or SRO, with commercial market participants. The industry has a vested interest in ensuring the success of Open Banking and mitigating risks, and industry associations/NPOs/SROs have pre-existing relationships with market participants that can be leveraged to get buy-in and enable roll-out swiftly. Such a combination of forces can pave the way for a flexible yet robust self-governing model, which will ensure the integrity of data regardless of its ownership.

Governing Data Proliferation in Open Banking

The target operating model for Open Banking data governance would encompass three key pillars:

Organization: To govern data proliferation in Open Banking, the organization will require a supervisory body, a standard-setting body, and implementers. The supervisory body will play an Executive Steering role to establish a governance strategy, prioritize objectives, and oversee resourcing. The standards body or working group should bring together members of Open Banking-focused organizations like FDX, commercial market participants/TPPs, and regulatory stakeholders from various departments including privacy, consumer protection, USDT, NIST, etc. Finally, the implementers will have to be a certified community of TPPs adhering to standards set by the standards body/working group.

Enablement: Technological solutions will be needed to enable governance and manage data proliferation. Some of this technology already exists, such as distributed ledgers to ensure all certified TPPs have the latest version of customer data. An automated, possibly blockchain-based, system may have to be deployed to track metadata for all data transmitted between participants and improve traceability. Work is already underway at FDX to create a solution to track consent parameters. In addition to the technology itself, technical know-how of data quality validation, data/API specifications, consent management, TPP information security and data handling requirements, and data disposal will need to be built to enable development of standards.

Execution: Setting up of business processes and governance standards will be a key part of execution. Clear business processes will be needed for TPP customer data currency validation, data quality monitoring, requesting and delivering corrected data, metadata management, and data classification. Similarly, standards for customer data currency, acceptable customer data use, data disclosure and security, and data retention will have to be drafted.

Although some work is already in progress, standing up such a governance organization and establishing policies and processes will likely take time. Still, looking at the progress made on the technical standards, it is clear that with a collaborative ecosystem in place, the risks associated with Open Banking can be mitigated, and the implementation can be made smooth and efficient.