US officials are fighting over who should have jurisdiction to regulate financial technology firms, while Europe and Asia are driving ahead with the formulation of detailed technical standards for open banking apps.
The idea behind open banking is to allow innovative new players take on established banks, offering online services to suit customers’ needs in the digital age.
The European Union is leading the charge. Under its revised Payment Services Directive, known as PSD2, banks must now allow any approved third-party firm access to customer information or to request payments on a customer’s behalf.
Uniform standards for application protocol interfaces (APIs) between banks and third-party apps are designed to keep customers’ money safe as well as to ensure banks do not use technical barriers to keep more nimble competitors away from their customers.
Piecemeal Development
With no national licenses yet granted to fintech firms, and no national API regulatory standards in place, development in the US is piecemeal.
Last month, the Office of the Comptroller of the Currency (OCC) vowed to fightOpens a new window a legal challenge to its plans to issue special national bank charters.
As the OCC has not yet issued any license, or even decided to grant one, the outcome of the case is uncertain. But it is likely to delay the emergence of the likes of Google or Amazon as giants in the US financial sector that could replicate the success of Alipay and WeChat Pay in China.
At stake is whether America’s many federal agencies should be able to oversee the innovative firms seeking to aggregate consumers’ financial data, develop national in-app purchase platforms and operate digital and mobile banks throughout the US.
Legacy Bank Concerns
The emergence of a bank from Silicon Valley with national reach, with the financial firepower and reputation to attract millions of savers, borrowers and checking account users, has the established national, regional and community banks deeply worried.
The Federal Reserve has concerns, too. In the UK, certain fintech companies can already plug directly into the Bank of England’s infrastructure that moves trillions of pounds around the country at low cost every day.
So-called challenger banks like Monzo that are taking on established institutions such as Barclays, Lloyds, HSBC and Royal Bank of Scotland can now manage full checking accounts at less than one third of the costOpens a new window of providing a credit card. But the Fed and US banks argue that fintech firms should face the same rigorous standards as the legacy banks if they want to get into the payment settlement business.
Like the US, Canada suffers from overlapping regulators and tensions among the federal government and the provinces, but banks have been quicker to cooperate on technology development to bypass the barriers.
Established E-Payment System
The national Interac e-Transfer service has offered payments to email address for more than 15 years. Including online and payment-to-mobile transfers, Canadians shifted CAN$92 billion (US$69 billion) between accounts in 2017.
The Canadian government is now consideringOpens a new window fully embracing open banking, although drafting new regulations and agreeing technical standards is no quick process; it could be 2022 before open banking goes live.
But as Canada already has a system for digital payments, the banking industry is gearing up. Royal Bank of Canada opened its API portalOpens a new window to developers in March 2018, allowing limited access to information such as branch locations and credit card rates.
Asian banks are not waiting for legislation either. Singapore’s DBS Bank already offers more than 200 APIsOpens a new window that enable customers to apply for credit cards or mortgage loans and make instant payments or settle utility bills via third-party apps. Thirteen banks in Hong Kong have placed their APIs on a shared platformOpens a new window , making it easier for developers to create new services for all mobile users, no matter whom they bank with.
Enhanced Security Standards
In Europe, fintech developers are already working on their next challengeÂ: How to ensure clients are who they say they are when they log on to online banking, payment apps or aggregator services.
Under enhanced standards dubbed Strong Customer AuthenticationOpens a new window (SCA) that apply from September this year, banks and fintech firms may no longer rely on a single method of verification, such as a password or fingerprint. Instead, they will have to use at least two and alternate between ‘knowledge’ (PIN or password, for example), ‘possession’ (like a card or a phone) or ‘inherent’ (biometrics).
The increased security is not about being over-cautious. The UK’s Metro Bank recently acknowledged that its mobile text messages to customers had been hackedOpens a new window , using weaknesses in the Signal System 7 protocol used by telecommunications providers to route texts and calls.
SCA should render text messaging redundant, according to Hakkan ErogluOpens a new window , senior manager for payments and open banking in Europe at consultancy Accenture. But he admits that stricter verification methods could annoy consumers: ‘The strict PSD2 [technical standard] requirements may lead to friction in the payment process in online and [point-of-sale] checkout.â€
In the meantime, American developers will keep waiting to see whether federal API standards ever make it into law.