German Regulator Finds Banks’ Data Rules “impede non-bank competitors”

The re-posting of this article is part of a cross-posting agreement with CyberLex.

“Open Banking” is an emerging term in financial services / financial technology that refers, among other things, to the use of open application programming interfaces (“APIs”) to enable third party developers to build applications and services around a financial institution. This requires a financial institution to throw open the doors to its customer data and allow it to be used by developers and other third party providers. Think of it as an app store for banks, where the apps allow consumers to compare rates, manage their accounts, obtain credit and make payments – all without having to actually engage a bank.

In Europe, this is set to become the norm in early 2018, thanks to the revised Payment Services Directive (“PSD2”) which was passed in January. PSD2 is designed to create a more level playing field for third party payment processors by making banks in Europe offer APIs that provide access to account information to third parties.

Some banks are embracing this, and see it as an opportunity to drive value in innovative new ways. Other banks are not as keen, and are taking steps to cut out the interlopers to preserve existing value and protect the customer relationship.

Long before there was a concept of “open banking”, there were similar products available, products that don’t rely on the openness of banking but rather the willingness of an account holder to share his or her login information. Users provide their user IDs and passwords for the financial accounts they want to consolidate, so that the aggregation service can access these accounts to gather their financial information (a process known as “screen scraping”). A single third party web portal then displays the information, dashboard-style.

 

Concern in Canada and the US

In March of 2011, the Financial Consumer Agency of Canada (“FCAC”) issued a statement, warning Canadians to be aware of the possible risks of disclosing their online banking and credit card information to financial aggregation services. Aside from the obvious data security and privacy risks, the FCAC cautioned that using such a service could also violate the terms and conditions of the account:

Consumers should be aware that if they disclose their online banking information to any other party, including financial aggregators, they may risk losing their protection against unauthorized transactions. Some financial institutions’ user agreements clearly state that users will be responsible for unauthorized transactions if they provide other parties, including financial aggregators, with their passwords and account information.

The FCAC reminded consumers it was their responsibility to manage their online banking and credit card credentials in accordance with the terms of their user agreements, as well as to review their user agreements and to understand their responsibilities thereunder.

In 2015, media reported that a number of US banks had cut off data to these financial aggregators, citing concern that the rising use of such sites will overload bank servers, on top of worries that customer data could potentially be vulnerable to hackers. The aggregators charged that the banks, facing increasing competition from these companies, were becoming too protective of their customer information.

 

Germany Finds Banks’ Data Rules Violate Competition Law

The German competition regulator has now weighed in, finding that rules set by the German Banking Industry Committee violate both German and European competition law by imposing “special conditions for online banking” that mean customers cannot use their PINs (personal identification numbers) and TANs (transaction authentication numbers) in non-bank payment systems.

This, said the German regulator, has “significantly impeded” the use of non-bank providers for online purchases, preventing people from using lower-priced alternatives.

The German Banking Industry Committee had cited security concerns as the basis of the rules but the German competition regulator (the Bundeskartellamt) dismissed this, saying that “the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors”.

Andreas Mundt, president of the Bundeskartellamt, said:

The online banking conditions of the German Banking Industry Committee hinder the offer of new and innovative services in the growing market for payment services in the e-commerce sector. In essence, it is about whether non-bank payment services can also use PINs and TANs. We have taken careful consideration of the justified interest of the banking industry that security in online banking has to be safeguarded. However, the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors.

The Bundeskartellamt has only declared certain specified clauses of the banks’ terms and conditions illegal, not the entire agreement. It also suspended the enforcement of its decision, meaning the parties are not under tight deadlines to change their course of action, although they must make the necessary changes. The Bundeskartellamt also noted that rules governing the activity of non-bank payment solution providers are currently undergoing a European legislative process.

 

© McCarthy Tétrault LLP

Kirsten Thompson is Counsel in McCarthy Tétrault’s National Technology Group.