Data Sharing and Open Banking

16 McKinsey on Payments July 2017

McKinsey on Payments July 2017 Data sharing and open banking

Buzzwords like “big data” typically bring to mind quantitative exercises like the application of algorithms and analytics. While these are certainly critical steps to gaining insight, a more fundamental building block of the data market is access. Easier access to data has become a hot topic in all industries, none more so than financial services. For instance, the G20’s Anti-Corruption Working Group has identified open data as a priority to advance public sector transparency and integrity. From a commercial standpoint, data can serve as a catalyst for new products and business models. The EU has been proactive on this front, setting the rules of engagement through the updated version of the Payment Services Directive (PSD2).

Laura Brodsky Data-sharing is often accomplished While open banking stands to benefit end through an application programming in- users as well as to foster innovations and new Liz Oakes terface (API), an intelligent conduit that areas of competition between banks and non- allows for the flow of data between systems banks, it is also likely to usher in an entirely in a controlled yet seamless fashion (Ex- new financial services ecosystem, in which hibit 1). APIs have been leveraged in bank- banks’ roles may shift markedly. It also raises ing settings for years (see sidebar “How issues around regulation and data privacy, open banking brings new relevance to which helps to explain why global markets APIs,” page 20). Given breakthroughs in have taken varying approaches to governance, advanced analytics and the market traction contributing to disparate levels of progress. of numerous non-bank fintech companies, Regardless of region, the momentum toward however, APIs are receiving renewed atten- open banking models seems clear, requiring tion as a means to enhance the delivery of banks and fintechs alike to position them- financial services to both retail consumers selves for success in a new environment and and business customers. to anticipate the likely customer impacts. Data sharing and open banking 17

Data sharing and open banking

Open banking reaching a fever like Mint, examples include alternative un- pitch derwriters ranging from Lending Club in the Open banking can be defined as a collabora- United States to M-Shwari in Africa to tive model in which banking data is shared Lenddo in the Philippines, and payments through APIs between two or more unaffili- disruptors like Stripe and Braintree (Exhibit ated parties to deliver enhanced capabilities 2, page 18). to the marketplace. APIs have been used for Naturally, such advances are not quite as decades, particularly in the United States, to straightforward as our capsule description enable personal financial management soft- implies. Recent years have brought the de- ware, to present billing detail at bank web- velopment of digital ecosystems, Tencent sites and to connect developers to payments (WeChat) and Alibaba in China being prime networks like Visa and Mastercard. To date, examples. As these ecosystems mature they however, these connections have been used begin to collide, and the inability to share primarily to share information rather than data threatens to curtail innovation in busi- to transfer monetary balances. ness and operating models. Moreover, most The potential benefits of open banking are advancements to date have come from firms substantial: improved customer experience, outside the financial services realm. While new revenue streams, and a sustainable incumbents still hold the keys to the vault in service model for traditionally underserved terms of rich transaction data as well as markets. In addition to well-known players trusted client relationships, banks often view

Exhibit 1

Three types of APIs API models Model type Attributes

Public/open Innovation through engaging developer APIs used by external community Public partners and developers who build innovative apps Extended market reach and products Partner

Partner/B2B Reduced partner costs Internal APIs used by business API monetization partners, including Enhanced security suppliers, providers, resellers and others for tighter partner integration

Internal Cost reduction APIs are used by Operational efﬁciency developers within Enhanced security enterprise

Source: McKinsey Payments Practice

2 18 McKinsey on Payments July 2017

Data sharing and open banking

the opening of these data flows as more custody and protection of their clients’ data threat than opportunity. After all, it is the as a responsibility, more of a stewardship non-bank insurgents who have demon- role than an asset to be commercialized. strated market traction thus far, and gained Data-sharing in financial services tends to valuable new customer relationships—by be risk- and permission-based, with re- presenting data in new forms. quired audit trails, and subject to regulation and risk management. If done well, how- There are inherent risks in sharing data, ever, it can deliver increased security however, which is why it is critical to de- through enhanced know-your-customer ca- velop processes and governance underpin- pabilities, identity validation and fraud de- ning the technical connections. Although tection. For instance, the current version of the core API value proposition lies in PSD2’s technical standards may put an end streamlining the systems integration re- to the practice of screen-scraping, long a quired for data access, the need for point of contention for banks. guardrails to support protections for the privacy and security of personal data create a At the same time, customer transparency formidable infrastructure challenge. and control must remain at the center of product design decisions. This is a more vex- The data consent/protection ing rule to follow than it appears on the sur- elephant in the room face. Even as PSD2 is advanced by Notably, banks have traditionally viewed the regulators, it could be argued that through

Exhibit 2 In the EU and UK, PSD2 and the Open Banking Initiative are giving more control to the customer over personal account Global open-banking data. Digital banks such as N26 and Fidor, and digital lenders (e.g., Klarna), are seeking to reinvent banking. developments

New digital ﬁnance ecosystems (e.g., WeChat, AliPay) are emerging in China, based on data-sharing capabilities.

In South and Southeast In the U.S., large banks In East Africa, Asia, ﬁntechs are are striking data-sharing new under- experiencing strong deals with individual writing models growth around APIs and partners in a departure are emerging from data-sharing. Examples from the aggregator access to alternative include mobile wallet model. Examples include sources of data, like growth in India after Chase’s partnership with mobile phone usage. demonetization, and Intuit and Wells Fargo’s Examples include formal ﬁntech governance partnerships with Xero MShwari, Tala and at the Monetary Authority Source: McKinsey Payments Practice and Finicity. Branch. of Singapore.

3 Data sharing and open banking 19

Data sharing and open banking

adoption consumers have already set the Protection Regulation), slated to take ef- agenda for services they want opened to fect in the EU in May 2018, imposes a sub- third parties. On the other hand, different stantial penalty for noncompliance— data categories warrant different levels of se- 4 percent of the offending institution’s curity, and informed consent requires un- global revenues (not profits). This “right to derstanding the implications of sharing be forgotten” significantly raises the stakes before approving—no small feat when the of data-sharing. Explicit consent is re- reflexive clicking of “I Agree” on an unread quired from the account holder. However, set of terms and conditions is standard. there exists a silent counterparty to every There is a fine line to walk: educating and financial transaction conducted by that empowering consumers without confusing, holder; does a right to privacy exist for the scaring or boring them. corresponding payor/payee? If so, the consent process becomes infinitely more com- Perhaps the most complex of these is educat- plex—particularly when parties to the ing end users on data permission and pri- transaction bank with different institu- vacy. PSD2 explicitly empowers account tions and there is no central repository of holders with the authority to share data, re- permissions granted. moving the financial institution’s role as gatekeeper. Further complicating matters, Market evolution varies by real-world evidence suggests consumers may regulatory approach not attach the same value and sensitivity to Ecosystem development has varied markedly certain data elements that banks and their by region, due in no small part to regulatory regulators do. Although the move to open divergence. The most programmatic ap- banking need not be a zero-sum game, there proach has been taken in the EU, through are several areas where banks harbor legiti- both PSD2 and a broader effort to foster mate concerns regarding loss of brand competition in retail banking through the recognition and reputational risk, especially UK’s Open Banking Standard. A key provi- given their own required investments to ef- sion of PSD2 aims to foster competition and fect such change. innovation for payments service provision in Further questions persist regarding the duty the European Economic Area by opening ac- to redact “sensitive data” in certain circum- count access to nonbanks. stances as well as third-party providers’ obli- The UK’s pending separation from the EU gations to delete/destroy data after a period. is not expected to alter these data-sharing Many of these details remain a work in protocols, as many of PSD2’s customer pro- progress and will be refined as the market tection provisions are already enshrined in impacts of open banking play out. Banks are UK law and both the government and fi- understandably concerned about such details, nancial community have signaled a desire as any perceived disclosure missteps will al- to preserve banking services compatibil- most certainly radiate back to their brand. ity—another strong indication of data-shar- Another interesting twist revolves around ing’s momentum. Dating back further, Italy, the right to privacy. GDPR (General Data Belgium and Germany each instituted com-

4 20 McKinsey on Payments July 2017

Data sharing and open banking

mon protocols as early as the 1990s to pro- conceivably paves the road for data-sharing vide access to account information to protocols similar to PSD2. smaller banks and third parties. India experienced remarkable fintech growth By contrast, the absence of a centralized US in late 2016 in the wake of the govern- approach to data governance has given rise to ment’s controversial decision to reissue a series of fintech innovators as well as a fully 86 percent of its legal tender. The re- patchwork of one-off bank agreements (such sulting cash shortage gave a jolt to an al- as partnerships struck in the US by Chase and ready growing mobile wallet segment, Wells with Xero and Finicity)—a model that which is now beginning to enter a consoli- is not scalable in a market with roughly dation phase. Singapore has developed a 12,000 financial institutions. Recently, the US large fintech market built largely around Office of the Comptroller of the Currency so- APIs, for instance, for risk-decisioning in licited public comments regarding potential the absence of formal credit scoring agen- issuance of a new special purpose charter en- cies. The Monetary Authority of Singapore abling fintechs to engage in limited banking has now established a fintech division in functions. While the charter’s intent focuses order to provide structure and oversight to more on lending and cost of capital, it also the process. Open banking is also gaining represents a step toward making it easier for traction in Iran (through the newly estab- nonbanks to compete in financial services and lished Finnotech portal), while Australia is

How open banking brings new relevance to APIs

At its core, an API is a documented set of connecting points that ners will elect to comply. Firms with less leverage, however, may allow an application to interact with another system. The concept face the prospect of separate, administratively onerous negotiations dates back to the days of mainframe computing. Investment man- with a long list of potential partners. agement firms were among the early power users, importing data This is why open banking has brought renewed attention to the API on rates, fund performance, trade clearing and more from third par- model. While the innovation potential of unleashing countless fin- ties onto desktop programs in a seamless fashion. tech teams to address longstanding financial services pain points is The advent of the consumer-centric internet in the early 2000s cre- formidable, the need in a regulated industry for governance and ated valuable new use cases for APIs. Notably, eBay was a pioneer safeguards in areas like data privacy and fiduciary responsibility is in sharing its APIs with approved partners who could then build out equally clear. With the aid of an oversight body—whether public or an eBay-centric ecosystem. At roughly the same time, industry-led—open APIs stand to reduce the friction in bringing Salesforce.com published its APIs as part of a comprehensive inter- such solutions to market. net-as-a-service cloud strategy. Later in the decade, Facebook and API software/management firms such as Plaid, Apigee, Yodlee and Google Maps leveraged APIs to greatly expand the reach of their Xignite stand to play an integral role in open banking ecosystems. services by enlisting developers motivated to find innovative uses. Meanwhile screen scraping—which despite material improve- A key factor to bear in mind is that APIs can be open or proprietary. ments remains a source of frustration for many banks—is being A company with the scale of Apple or Google can likely issue a set phased out, either by regulation or market forces delivering a more of APIs with a standard set of terms and conditions to which part- efficient solution.

5 Data sharing and open banking 21

Data sharing and open banking

considering steps mirroring those being of control by incumbent banks, banks will taken by the UK and EU. gain the offsetting benefit of participating in larger profit pools, ones in which they Implications for banks and new should be well positioned to play a leading models in financial services role: for example, creating new service An open banking model can facilitate a se- propositions combining predictive analytics, ries of services of value to both consumers artificial intelligence and financing to en- and providers. Many of these exist today in hance consumer and business offerings. some form: AliPay and WeChat enable en- Among incumbents, a first-mover advantage hanced e-commerce through their plat- is open to organizations proactive and nim- forms, offering a smoother personalized ble enough to be first to deliver innovative, experience and a full suite of payments op- appealing products that customers want and tions including peer-to-peer. This model need (e.g., intuitive interfaces and value-add can evolve to all-in-one commerce-cen- services such as budgeting, expense catego- tered apps. Services like Trustly foster the rization such as that offered by digital en- simplified extension of credit, enabling in- trants like Monzo). The “trusted agent” quiries specifically at “the moment of status that incumbents currently enjoy will truth,” such as at checkout or elsewhere remain a competitive advantage for some within the shopping value chain when in- time, but it must be exploited now to halt tent has been established and a purchase the loss of business to new entrants. decision can be influenced. Much attention has been focused on the Sharing of limited data on “thin file” con- need for banks to open their legacy systems sumers can help to advance financial inclu- to APIs. However, it is equally true that Pay- sion goals, pooling limited information to ment Initiation Service Providers (PISPs) arrive at more precise risk-scoring and and Account Information Service Providers credit underwriting decisions (Angaza in (AISPs) will need to develop interfaces to Africa is an example). By introducing more the banking market. Given that PSD2 has consumers to the formal financial system, not defined a precise technical standard, a open banking increases the market opportu- new category of “gateway service providers” nity and the potential to deliver profitable could emerge. Google’s acquisition of API services in the future. Incubators and ven- management platform Apigee is an indica- ture capitalists have shown particular inter- tor of this potential, raising the stakes in a est in newcomers looking to incorporate field that also includes players like Xignite non-financial data with transaction records and Plaid. Throughout this process, a key to glean new insights—witness automated success factor for all parties (banks, third- advisory service Wealthfront recently adding party providers, and the gateways envi- a lending product to its portfolio. Banks can sioned above) will be the ability to build pursue this avenue as well, from the oppo- processes that ensure security and reliability site starting point. without sacrificing speed.

While it seems unavoidable that open bank- Banks have several strategic responses at ing will result in the sacrifice of some degree their disposal. Although a pure go-it-alone

6 22 McKinsey on Payments July 2017

Data sharing and open banking

PSD2, GDPR and the alphabet soup of open banking

The Payment Services Directive (PSD2) is administered by the Euro- opens the field to actual money movement. Although Klarna and Alipay pean Commission in an effort to harmonize payments regulation and are examples of thriving PISPs, the full effect of PSD2 mandates in consumer protections across the EU. Of particular interest in the this area will not become apparent until their 2018 effective date (note PSD2’s 2015 release (updating 2009’s original directive) is an empha- that at the time of finalizing this article, Klarna has secured a banking sis on online protections and attempts to foster marketplace innova- license). tion through open banking principles. Notwithstanding the effects of The UK’s Open Banking Standard applies specificity to many of the Brexit, it is believed the UK will elect to adhere to the provisions of principles set forth by PSD2, creating a framework for implementa- PSD2, given the market opportunity and the fact that many of its con- tion including a security protocol. Effective in early 2017, the UK’s cepts have been championed by London’s financial services industry. nine largest retail banks were required to standardize current ac- A key principle of the PSD2 stipulates that upon the account holder’s count and retail banking product data to permit access by regis- consent, a third-party provider (TPP) must be granted access to exe- tered third parties. cute instructions on the account holder’s behalf. TPPs can take several The General Data Protection Regulation (GDPR) is a related EU initia- forms. Account Information Service Providers (AISPs), which include tive aimed at unifying personal data protections across member coun- offerings such as Mint in the US, are already empowered by the UK's tries. Its provisions are relevant to payments data—for both payor and open banking standard to deliver less sensitive information such as payee—pursuant to “access to account” regulation. The regulation branch and ATM locations. mandates data portability between processing systems; however, It is widely believed that enabling Payment Initiation Service Providers much-publicized “right to be forgotten” language has been softened to (PISPs) will drive significantly more innovation—and disruption—as it the “right to erasure” under many circumstances.

approach may be viable for institutions with 2016 by France’s Groupe BPCE, but contin- ample resources and an agile culture, vary- ues to operate as an independent brand. ing gradations of partnership may be a more There are ample opportunities for open plausible strategy. Barclays and Santander banking to remake small business banking have each built open API infrastructures to as well. A UK study found that the coun- deliver a virtually limitless suite of services try’s five million SMBs believe existing via third-party providers (e.g., EverLedger). models offer a substandard financial serv- Fidor and N26 are two intriguing examples ice proposition. A similar sentiment would of efforts to reinvent banking from the in- likely be found in many other countries. side. Both startups are branchless institu- The UK innovation foundation Nesta has tions chartered in Germany with a fintech engaged to tackle this challenge, and Bar- focus, best of breed approach, and embrace clays’ Pingit and Buyit solutions offer posi- of unconventional (for banking) tactics like tive in-market examples. crowdsourcing. Their geography is likely not * * * a coincidence, given that Germany has been called “the world’s most open banking envi- Specific challenges will vary by geography, ronment” by some. Fidor was acquired in determined largely by the evolution of regu-

7 Data sharing and open banking 23

Data sharing and open banking

latory regimes—particularly on the private • Fully understand both existing data pri- information front—and progress made to vacy mandates and likely changes, and de- date in ecosystem development. Banks with termine their institution’s appetite for a global footprints will face particular chal- less conventional approach. And examine lenges in reconciling various regions’ regula- how customer messaging would best facil- tions and standards (e.g., PSD2 in the EU, itate any such change. open banking standard in the UK, Dodd- Banks will need to address the potential loss Frank in the US) while delivering a unified of revenue from existing payments revenue service to their global customers. streams resulting from the lowered barriers Regardless of location, over the next 18 to 24 to competition. Change is rarely comfort- months banks should capitalize on their in- able, but as market evolution in the United cumbent advantages by taking the following States and other countries illustrates, the actions: forces of change are inevitable. Banks are better served getting ahead of and defining • Explore data-sharing agreements with the trend rather than waging a futile battle fintech and non-financial services firms to to repel it. stay ahead of the curve.

• Develop a perspective on APIs and their Laura Brodsky is a consultant in McKinsey’s benefit to the bank’s service model, both San Francisco office, and Liz Oakes is an associate in leveraging mandated third-party access partner in London. and potentially extending access beyond statutory requirements.