To kick off this piece let’s look at some of the progress that Open Banking has made since it was launched just a few years ago. It’s safe to say that it is definitely going in the right direction. The number of API calls for Open Banking services in the UK has increased from 66.8 million in 2018 to almost 6 billion in 2020, which is a pretty significant uptick in usage. However, the vast majority of those calls were related to account information requests, which is effectively the read only part of Open Banking, being able to give permission to share historical account information. Perhaps the more interesting volume is for actual payment initiation, where a third party can, with your explicit permission of course, make a payment from your bank account, and that stats a bit lower, at 4M in 2020. It is up from 360k in 2018 though, so a significant jump. In our view at CGI, 2021 is going to be the year of payments initiation through Open Banking, with overlay services such as request to pay driving the volume here.
That increase in usage is matched by the increase in the number of organisations registered with the Open Banking Implementation Entity (OBIE) in the UK. There are now almost 1,000 organisations registered with OBIE in some form or another, which may be just using the OBIE sandbox, but there are over 300 organisations providing live services right now. Obviously these include banks in the UK who are acting as account providers, but who are also acting as third parties in their own right, using Open Banking to provide their customers with access to account information and payment services that may be held in other accounts belonging to their customers.
But it’s not all positive, research from WHICH? found that 7 in 10 people were unlikely to consider sharing their financial data, and that was regardless of whether those services would be better tailored to their needs as a result. Interestingly the top 2 reasons for this were that, firstly, they were happy with what their current provider offered and so didn’t see the need for the extra services, but then secondly, and perhaps more significantly for the growth of Open Banking, they were concerned with sharing their banking data with a 3rd party.
I think the first point here says more about the underlying banking industry than it does about Open Banking itself. If all the banks’ products are pretty similar then why would I need to have multiple accounts with multiple providers that I might need to aggregate and why would I need to allow some 3rd party to initiate payments when my bank can do it well already?
It’s the 2nd point we need to focus on, and not perhaps for the reasons you might think. When we talk about Open Banking we talk about fraud, because we have always been told by our banks to keep our account data private and not to let any 3rd parties access it, so on the face of it, Open Banking breaks this rule. But that’s not quite what we’ve been seeing in the market.
Open Banking, and particularly payment initiation through Open Banking is in it’s infancy, and unsurprisingly it’s attracting some fraudsters, but, from what we’ve seen so far not through compromising the APIs or consent models, but by exploiting poor Know Your Client (KYC) processes at the organisations that hold the actual payment accounts. We have seen a number of instances where fraudsters have been able to use Open Banking to get customers to initiate fraudulent payments. This is because the organisation that is responsible for the fraudsters’ account holder had not properly checked that they were who they said they were, and this is at the customer on-boarding point in the journey, way before an Open Banking transaction is initiated.
For Open Banking to be a commercial success we absolutely believe that solving these KYC issues is an area of key focus. Ironically, some of these challenges can be addressed by using Open Banking itself, in conjunction with things like Machine Learning and AI. This can be improved by utilising better models for KYC when on-boarding customers such as better biometric identification and doing things like using account information requests through Open Banking to verify that the person opening the account is who they say they are.
KYC and fraud prevention are both complex areas to address in financial services, but with the growth in new participants in the industry and the desire to foster more innovation in the sector it is incumbent on us all to find ways to make things as safe for consumers as possible.
I find this such an interesting area, and if you would like to continue the discussion, I would love to hear from you.