The FCA has called for suggestions by 17 March 2020 as to how it can support more open access to customers’ financial data. This revives the debate about whether regulation can catalyse markets. The major stumbling blocks, as ever, are genuine customer problems and demand for solutions, as well as supplier appetite, and who gets access to the data and for what purpose. To date, the open finance focus has been quite narrow, enabling access to payment account data for use in digitising the preparation of accounts and filing of tax returns, for example. The question is whether longer-term financing challenges will produce a wider spectrum of open finance services. It appears that existing regulatory models could be adapted to cover the risks (except in relation to artificial intelligence where there is plenty of work to do). Whether and how quickly regulation evolves remains to be seen. Ironically, it may happen in the EU first, as with payments regulation: a British person’s red tape is a French person’s business plan.
What is open finance?
The FCA’s approach to open finance policy is rightly based on the principle that the data supplied by and created on behalf of financial services customers are “owned” and controlled by those customers, so re-use of that data by third-party financial service providers (TPPs) must take place safely, securely, ethically and with the customer’s fully informed consent.
We’ll come to the challenge with the notion of ‘ownership’ shortly. But what this means in practice is that a financial services customer could consent to a TPP accessing their financial data held by existing financial service providers, with a view to the TPP analysing that data to offer tailored products and services (or passing it to another service provider for that purpose). This type of data access already operates in relation to payment accounts, which the FCA refers to as “open banking” but is really just ‘open payments’.
In theory, open finance has the potential to improve the way consumers and businesses use financial services; make it easier to compare and switch; broaden access to advice; support decision making; increase access to finance; boost productivity; and spur competition, innovation and demand.
Yet the very nature of the main questions posed by the FCA in chapters 2 to 6 of its paper tells you there is little by way of demand or supply at this stage:
- Is open banking (i.e. open payments) on track to achieve its potential?
- What are the potential benefits of open finance in the markets we regulate and to our operational objectives, and will those benefits materialise without intervention?
- Could open finance pose any risks to our operational objectives, and would our current rules be sufficient to mitigate them?
- Under what conditions would open finance develop in a way that delivers the best outcomes?
- Given the above, what role should we play, do we need to intervene, and if so, in what way?
Open finance can’t just be about financial services
We’ve seen official initiatives like this before, such as the UK Government’s ‘midata’ programme from 2011. But this focused on the mechanics of data sharing and ran into challenges around customer identity and authentication, and looked at types of industry data rather than specific customer activities. In July 2019 the Government Digital Service and the Department for Digital, Culture, Media & Sport were still calling for evidence of how the Government can support improvements in identity verification and the development (and secure use) of digital identities generally. And the Department for Business, Energy and Industrial Strategy wants to establish a Smart Data Function to oversee the delivery of initiatives to allow consumers to instantly, safely and securely share their energy data with third parties, rather than considering what problems outside the energy consumption scenario this might solve.
Yet the expansion in scope of the second payment services directive (PSD2) and related standards designed to open up the payments accounts to third-party service providers (“open payments”) actually related to customer activities, rather than features or products. There were already unregulated services providing lenders with access to loan applicants’ current account statements via screen-scraping, and enabling the remote initiation of bank transfers via e-commerce checkouts. Regulation arose as a solution to new competitors encountering a distinct lack of co-operation from banks who were not already participating in such services (ironically, the two payment initiation services in the Netherlands and Germany cited by the European Commission as the basis for regulation were led by banks). Specific regulation was forthcoming to resolve banks’ resistance on the grounds of security, fraud and who would be liable if things went wrong. Resolving those issues has certainly helped new account information and payment initiation services proliferate and scale, but the regulation did not itself catalyse either the demand or the services themselves.
Even with regulatory support for open payments, however, the customer and supplier focus has been on quite narrow day-to-day customer activities: automating the inclusion of payments data in the preparation of business accounts and digitising the filing of tax returns (although reconciling receipts with payment transaction data still seems bizarrely difficult – why can’t the till send the receipt directly to an app in your phone, instead of needing to be scanned or emailed?).
I’ve also advised on arrangements to incorporate payment ‘account information services’ in wider financial service data portals, which may be an early sign of ‘open finance’ services, but …
What customer problems could open finance actually solve?
Perhaps understandably, the FCA has not explored the scenarios in which customers might either mix financial and non-financial data, or consent to TPPs sharing their financial and non-financial data with non-financial, unregulated third parties – just as payment ‘account information service providers’ help automate the preparation of accounts and tax filings via accounting software-as-a-service providers and accountants.
People face real challenges in achieving long-term goals, like financing the growth of their own business (there are 5.5 million micro-businesses in the UK), their children’s education, buying their home or investing in property or other assets. Changes in the nature of work and employment are making these things much more complicated to achieve (without some kind of windfall). Such long-term challenges involve not only evaluating the cost of the relevant item to be financed but also being organised in terms of saving and investing spare cash, exploring and taking advantage of pensions and other tax breaks, maintaining critical illness and life cover, as well as efficiently managing the basic accounting and tax filings. Data related to savings, investment, pension and insurance products is only part of the problem or any solution.
At any rate, it will be interesting to see whether the FCA receives evidence of such wider ‘open finance’ problems and related services whose growth is genuinely stymied by issues that can be resolved by regulation.
The risks of open finance
Among the risks of open finance, the FCA mentions the potential for non-participating customers to be excluded from the benefits to be derived from open finance, while those opting in could have their data abused or suffer fraud or other harm from, say, system failures, errors in the data being shared or automatically being switched to the wrong product.
Until we know what open finance actually means in practice, it’s too early to say whether non-participants are at risk. Maybe they just don’t have the problems that open finance services might solve …
The operational risks – hacking, systems failures etc. – are better understood and existing regulatory solutions could be adapted, as discussed below.
Of course, the elephant in the room is who will get access to customers’ data and for what purpose.
A particular concern is that customers may not even be aware of the ways they already rely on artificial intelligence technologies, such as big data analytics. The risks of AI include a lack of good-quality data, the fact that AI does not “understand” what it’s being asked, the fact that no AI is 100% accurate or free from bias, and the fact that the algorithms are not explainable. As such, AI should not be used in situations where a false negative/positive means a person loses their life, compensation that is actually due to them, their freedom or some other fundamental right.
In this respect, it would be particularly interesting to know when the FCA and PRA will begin to actually audit the use of AI technologies by financial services providers, rather than merely survey the industry on a self-disclosure basis.
Perhaps the FCA’s research project with the Alan Turing Institute (for data science) will be helpful, but if the financial authorities are true to form, we’ll see a few major train wrecks before they really address the issues, and any solution will require co-operation between the FCA, the Information Commissioner and other bodies developing standards, guidelines and so on, which will take time …
The regulatory model for open finance
The AI-related risks in open finance are not unique to that sector and probably need to be addressed in horizontal fashion across the field, possibly by extension of data protection regulation.
Aside from the risk of abuse via AI, the various issues with open finance could be addressed through a similar regulatory model to open payments under PSD2. The TPP registration requirement could be applied to any third party who directly accesses a person’s online financial services account to obtain data, while authorisation could be required where the TPP is able to actually submit transactions on the financial services account. Both the TPP and the provider of the customer’s financial services account would need to comply with regulatory technical standards for secure communication between their systems; and the TPP could use the customer’s financial services account credentials to obtain access. The liability frameworks under PSD2 could also be co-opted for this purpose, as could the requirements for complaints handling and redress.
While the contractual and information requirements under PSD2 and the Data Protection Act 2018 (incorporating GDPR) would also be part of the open finance framework, it is important to note that information services that draw on personal accounts are not really (just) financial services at all.
There are numerous issues relating to copyright and database rights to consider regardless of whether the data being shared comes from a payment or other regulated financial services account or some type of unregulated data account. Indeed, the data being contributed and shared could come from the customer herself (user-generated information or ‘UGC’) and the customer’s own behaviour effectively generates the financial services transactions anyway. Yet, service providers will also be concerned to protect their investment in databases and data quality.
These licensing issues must be considered in terms of what licences are required ‘upstream’ from the customer, the service provider and any sources of data, as well as downstream licences and usage restrictions from the standpoint of the service provider, the customer and third parties receiving the data.
These licences are likely to be reflected in an array of different contracts, including customer terms and commercial agreements. Appropriate disclaimers, exclusions and limits on liability must also be considered, particularly in terms of whether the service provider takes responsibility for data quality, accuracy, timeliness and so on. Some of the typical commercial requirements may conflict with the liability and information requirements relating to a financial account service, which would need to be ‘carved out’.
The FCA is undoubtedly right to consider the risks and opportunities associated with opening up financial data beyond just payment transactions. But regulation will not catalyse a market.
Open finance data services are more likely to develop around longer-term financing challenges such as financing the growth of small businesses, private education or buying the family home in a world without traditional jobs. In those scenarios, customers will need to merge and analyse numerous types of financial and non-financial data, and consent to TPPs sharing that data with both financial and non-financial, unregulated third parties.
To the extent that open financial services do develop across the wider spectrum, AI poses a significantly greater regulatory challenge than the other types of associated risks, which can be covered by adapting the open payments model. There will be extensive upstream and downstream data ownership and licensing issues to consider.
Ironically, given Brexit and the differing attitude between common-law and civil-law countries, the evolution of an appropriately regulated market for open finance might actually take longer in the UK (where the law follows commerce) than on the continent (where governments are expected to decree what services are lawful and how they may be offered). In effect, a British person’s red tape is a French person’s business plan.
If you need assistance with any aspects outlined in this Keynote, please get in touch with Simon Deane-Johns using the contact details below.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.