A 20/20 View Into the Current State of Open Banking

Just a few years ago, financial institutions and fintechs seemed to be squarely positioned on a collision course, with institutions working to protect their customer and member bases and fintechs laser-focused on disintermediating those very institutions by marketing directly to consumers. More recently, the two have realized that they need each other in order to succeed in the marketplace. For financial institutions, fintechs provide a level of innovation and rapid go-to-market capabilities that would be difficult to replicate in-house or through their core banking providers. For fintechs, banks and credit unions provide a more viable channel to get their wares into the hands of consumers through business-to-business (B2B) relationships versus the slower process of going direct to consumers. The financial institutions are also necessary partners in navigating the complex regulatory environment that governs financial services.

With consumers having top-notch digital experiences outside of banking, banks and credit unions need to ensure that they can choose the right products to meet the consumer's ever-growing needs and be nimble in changing course as technology continues to shift and customer expectations change.

Initially, fintechs and other third parties relied on screen scraping technology to acquire customer data from banks' and credit unions' digital banking environments, but over time, as consumers' use of digital banking and PFM solutions became more sophisticated, that use required direct access to the data, which caused concern for FIs. In recent months, fintechs have started to see some pushback from large institutions that have banned financial technology applications from using customer passwords to screen scrape the customer's information. JPMorgan has gone so far as to indicate it will now issue tokens to allow third-party fintechs to access customer data. PNC customers recently found themselves without access to Venmo when the bank conducted a security upgrade that blocked access to customer account and routing number information. This begs the question: who owns the personal financial data, the FI or the customer?

In Europe, regulators have gone so far as to mandate the Second Payment Services Directive (PSD2), requiring banks to create or expose their application programming interfaces (APIs) to third-party fintechs and other banks authorized by the customer to access data. The UK has taken it a step further with its "Open Banking" initiative, which requires that data be available in a secure, standardized form that is more easily shareable between authorized third-party providers and fintechs. The idea is that doing so will foster innovation that will make banking services more equitable and readily available to the public and encourage better personal financial management behavior by giving consumers greater access to (and control over) their own data.

Here in the U.S., there is as yet no single, comprehensive PSD2-like regulation to force financial institutions and their core providers into sharing customer and member data. After initially constructing a series of roadblocks for fintechs to overcome, the industry has seen a host of FI-fintech partnerships and/or large institutions' acquisitions of fintechs in response to consumer demand. Today's consumers are beginning to demand the integration of their banking and finances into a unified experience.

As the fintechs and the FIs begin to partner, banks and credit unions must thoroughly vet all third-party fintechs to ensure that each meets the same level of information security, cyber resilience, and business continuity requirements as the institutions themselves, per the requirements of the Federal Financial Institutions Examination Council (FFIEC). This has proven problematic for some fintechs, which simply do not have an understanding of financial institutions' perspective on risk management. Fintechs (particularly early-stage companies) tend to focus most of their attention on designing a product, raising capital, going to market and quickly building a user base, but rarely direct an appropriate amount of attention towards creating a due diligence package that adequately outlines the stability of the fintech's business structure, its business continuity and its security.

Increasingly, the industry is seeing financial institutions begin to develop their own APIs and partner with providers like Plaid (which was recently acquired by VISA for $5.3 billion) to make customer and transaction data available through a secure environment. The acquisition by VISA is significant in that it essentially allows thousands of fintechs to connect directly with more than 10,000 financial institutions.

There is now an initiative underway in the U.S. that is more analogous to PSD2 in terms of setting an industry standard. The Financial Data Exchange (FDX) is a non-profit consortium of financial institutions, fintechs and industry providers whose mission is to develop a standardized API for the industry to utilize. It is worth noting that JPMorgan....