Open banking is all about sharing data, but what data are banks legally bound to share, and what data do third-party providers (TPPs) have the right to request?
The answer depends on the legislation. The question only arises in regulatory-driven open banking economies, where the mandate to share data is established by law. In market-led countries like the U.S., access to data rests on bilateral agreements between banks and TPPs, and the scope of the data shared varies from one agreement to the next.
Whatever the legal mandate, the user sets the limits on data sharing. Even if the legal instrument allows TPPs to access the data in current accounts, savings accounts, credit cards, or any other information held on a user's bank account, the customer can simply refuse access or restrict it to a single account. In this article, we describe the legal frameworks of the two earliest adopters of open banking, Europe and the U.K.
Europe
Open banking in Europe is regulated by the revised Payment Services Directive (PSD2). This directive establishes that authorized TPPs can access “payment account information” on behalf of their customers. Thus, the question is, what is a payment account?
According to PSD2, a payment account "is an account held in the name of one or more payment service users which is used for the execution of payment transactions." While the definition seems straightforward, the exact scope also depends on how each of the 27 member states has transposed the directive into national law.
In any event, an account in which the user can deposit and withdraw money, as well as execute payment transactions, should be regarded as a PSD2 payment account; any other account holds non-PSD2 data. Regular current accounts fit this definition, but most savings accounts don't, because the user can't execute payment transactions from them; again, it depends on the features of the particular savings account. This doesn't mean that a bank won't provide access to this data if the user consents to it. Such access may not be covered by the directive, but it is not forbidden either.
What about mortgages or credit cards? For the former, the answer is a straightforward no: mortgages are out of scope of PSD2. For the latter, the answer is less clear. Most credit cards don't fit the definition of a payment account because the user cannot deposit funds, yet the cardholder can withdraw cash and make payments, so the answer depends on the specific features of the card and on the banking legislation of each EU member state.
PSD2 is limited to payment accounts and to the providers that access them: payment initiation service providers and account information service providers. This means that other financial products offered by financial institutions (FIs), such as wealth management services or loans, are not covered by the directive. However, a future transition from open banking to open finance could bring more than payment account data into scope. The European Commission is planning to review PSD2 in 2022, and the review could include a wider legal mandate to share data.
Yet access to payment accounts is not perpetual. In addition to the limits imposed by the user, a TPP can only access the information it needs for the purpose it has declared, such as initiating a payment or comparing banking services. It can't store data for other purposes, nor can it access sensitive payment data linked to the payment account. The user's consent adds another layer of limitation on what can be gathered and stored. In many cases a TPP can keep retrieving account data for only 90 days (roughly three months) before the user must re-authenticate; if the user doesn't use the TPP often, the data it collects will have gaps.
UK
In the U.K., open banking is mandatory only for the nine largest banks (the CMA9), as a result of a market investigation conducted by the U.K.'s Competition and Markets Authority (CMA). Yet many other banks have joined the open banking wave. Unlike many other countries, the U.K. relies on open, standardised application programming interfaces (APIs), which helps adoption and reduces the need for risky screen scraping, where a TPP holds the customer's banking credentials and logs in on their behalf.
In terms of data accessibility, the scope of the U.K. open banking mandate is broader than PSD2's: TPPs can access payment accounts including current accounts, credit cards, prepaid cards and some savings accounts. Additionally, the U.K. is trying to remove limits on the accessibility of data, as shown by the U.K. Financial Conduct Authority's (FCA) recent decision to remove the 90-day re-authentication rule in order to foster open banking.
The data consumers may choose to share is very granular. For instance, on current accounts it includes whether the customer pays a fee, has direct debits (and their amounts), the balance and the transactions. For credit cards, it includes charges and fees due, limits and interest-free offers.
In 2022, the U.K. is expected to continue expanding its open banking capabilities through the Open Banking Implementation Entity and the New Payments Architecture. While these initiatives will facilitate the adoption of open APIs and the sharing of data, it is not yet clear whether there will be a mandate to share more data, or whether market expectations alone will encourage banks and TPPs to share additional data.