Consumer Directed Finance — the advisory committee for open banking in Canada has called on the federal government and the finance sector to create a framework for enabling what the committee calls “consumer-directed finance.”
Current examples of “Open Banking” and one-off partnerships include Mint, Lending Club, Stripe & Braintree.
- Nearly four million Canadians currently use “screen-scraping” apps to access financial data, increasing their risk of identity theft and fraud. Screen-scraping can require the sharing of log-in credentials with applications, which in itself exponentially increases the risk of your data being breached and compromised. Open banking, built on API-driven token models, proposes a more secure way to share/aggregate data.
What is Open Banking
- The concept of open banking is to put consumers at the heart of controlling their personal financial information, which will be standardized and interoperable across financial institutions. Consumer-directed finance is consumer controlled, secure and protects privacy.
- Open Banking allows a consumer to give instructions to a financial institution to share their financial transaction information with an accredited third party of their choosing.
- Consumers can choose and control what type of data they share with accredited third parties, with whom they share it, for how long and for what purpose (under what context).
- Third parties could use this data to design products and services for consumers. Open banking could encourage more account-switching and increase competition in the financial sector.
- Examples include switching banks, comparing accounts at different banks on one screen, securing an online loan to refinance credit card debt, receiving personalized recommendations for products that would provide better mortgage rates, getting access to alternative sources of financing or faster adjudication of small business loans, and using spend/expense data to enable customized loans.
- Open banking exists in the U.K., which has created an Open Banking Standard. The European Union, through its Second Payment Services Directive (PSD2), and Australia are well on their way.
- Digital identity and APIs are the technologies that can be used for open banking.
- APIs (Application Programming Interfaces) will be used to secure the transfer of customer data between companies. Such APIs eliminate the need for screen scraping.
- Digital identity can be used for secure online authentication, identification and access management.
Opportunities for Canadian Banks
- Data can serve as a catalyst for new products and business models. Open Banking can be critical to advance public sector transparency and integrity.
- Spur Innovation — Banks have trusted customer relationships built over a long period of time and rich financial transaction data. The opportunity for Canadian banks is to innovate rapidly to provide alternate choices to customers within their own ecosystem — a wider range of options (maybe with wider price points, lower fees, faster processes and transaction times, more options on refinancing, loans, alternative financing etc.)
- Platform economy, dis-intermediation — At their very core, banks act as intermediaries, connecting consumers with purveyors of goods and services, or with other consumers: A bank may help someone pay for an airline ticket, or it may help them send money to a friend. Disintermediation strips banks of their pivotal role as the main conduit for these transactions. It changes the direct relationship that a bank has with its customers, where instead the bank connects customers to various third party products and financial services in addition to their own. This kind of Platform service would enable banks to keep their customers’ interests in mind, rather than just their own.
Risks for Canadian Banks
- Especially for the more incumbent players, the risk is that there will be more competition in the market place and more choice for customers, and hence a potential loss of revenue or market share (if the banks don’t keep up with innovation as fast as the new fin-techs).
- The more information is shared in a standardized format, the greater the risk to data if there is a data compromise/breach. Open banking approaches have to minimize those risks.
- The fin-techs and other third party service providers would need to be held to the same regulatory, privacy and compliance standards that federally-regulated banks have to meet. Otherwise bigger, more established banks are at risk of competing in an unfair environment.
- Rules have not been defined over the necessity to redact “sensitive data” in certain circumstances as well as third-party providers’ obligations to delete/destroy data after a period. Any mis-step will directly radiate back to their brand. Hence reputational & brand recognition risk is something that Canadian Banks can be worried about.
- Central repository of permissions — with open banking, there won’t be any central repository of permissions, because now there are multiple players accessing the same data. So if the customer has withdrawn their consent at one party, does a right to privacy exist for the corresponding payor/payee? Hence the consent process becomes infinitely more complex.
Roles and Responsibilities of Government, Banks, and Fintech Community
- One question is whether open banking will be driven by government regulations (as in Europe) or be self-regulated by the financial sector.
- Government should set the standards/framework or the regulation for Open Banking across the country, by bringing together the private, public sector as well as representation from citizens onto one common forum.
- An economy and Government-wide lens is needed to understand how existing regulatory and policy frameworks apply and to ensure these frameworks are well adapted for the digital economy. Any framework must ensure that the data transferred to, and stored by, the new participants meets the same standard federally-regulated banks have to meet.
- Third parties accessing and collecting customer financial transaction data “must be held to appropriate standards, including with respect to privacy and security.” Third parties must also be accountable under Canadian privacy laws for the security and appropriate use and disclosure of customer information.
- Regulations need to be in place to keep customers’ interests in mind, whereby consumers are properly informed so they can give meaningful consent to third parties accessing their financial data.
- Banks would be the initiators and need to play a pro-active role in Open Banking, partly because the top 5 Canadian banks have the majority coverage of citizen data, and also because banks are sources of rich personal financial information of their clients.
- Among incumbents, a first-mover advantage would be beneficial by being proactive and nimble enough to be first to deliver innovative, appealing products that customers want and need (for example, intuitive interfaces and value-add services such as budgeting, expense categorization such as that offered by digital entrants like Monzo).
- For large banks that provide a full spectrum of financial services to Canadians, open banking may provide a new means to leverage their brands and extensive customer base to develop partnerships with firms that bring together other services with banking.
- It may also increase their global competitiveness with other banks and technology companies that are forging ahead with new platforms for customers.
- Platform Banking — In a diverse ecosystem of fintechs, banks can create value by connecting providers of financial services to their customers who are looking for new products. They could become platforms like Amazon, but for financial services.
- While open banking could one day bring Canadians outside their banks and to the marketplace for financial goods and services, customers will still need to distinguish the signal from the noise, and banks could keep customers from leaving by bringing a curated marketplace to them.
- Fintech community should leverage this new data source opened up through Open banking by creating better products and services to provide more choice for customers/consumers.
- For small and mid-sized financial banks, open banking may also increase their ability to attract new customers, through easier account-switching processes or reduced friction in having accounts across different providers.
- For new financial service providers, such as FinTechs, open banking may increase their ability to grow and scale their business more quickly and independently by providing them access to data.
- With consumer consent, FinTechs could access the financial transaction data needed to bring tailored consumer and business centric products and services to market irrespective of whether they have an existing contractual relationship with a bank or which bank provides services to a given consumer.
Key areas of consideration in a Data Sharing environment
- Federally-regulated banks, fintechs, and other accredited third party service providers should be held to the same regulatory, compliance and privacy standards to ensure fairness to all parties in the ecosystem. Third parties must be accountable under Canadian privacy laws for the security and appropriate use and disclosure of customer information.
- With Open Banking, a key success factor for all parties (banks, third-party providers, and the gateways envisioned above) will be the ability to build processes that ensure security and reliability without sacrificing speed.
- The customer has to be at the center of the ecosystem, which means the customer must have the control to decide who they want to share their own personal financial data with and what kind of data they want to share.
- The more information is shared in a standardized inter-operable format, the greater the risk of data being compromised and hacked. Data sharing should not create more risks with data breaches, compromises and privacy hacks. Open banking has to minimize these risks from the current levels.
- Open Banking should eliminate the need to share log-in credentials, which is how screen-scraping services work.
- Consumers should be properly informed so that they can provide their consent to third parties accessing their financial data. Additionally, consumers and small businesses can opt in and opt out at any time.
- In jurisdictions that have adopted open banking systems, participating service providers must meet standards with respect to privacy, security and operational stability.
- A clear system should exist to manage inquiries and address complaints.
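The considerations above (the customer decides who gets which data, no log-in credentials are shared, and consent can be withdrawn at any time) can be made concrete with a scoped consent token. The following is an added example, not part of the original article and not any bank's or standard's actual API: the function names, scope strings, grant ids and demo key are all hypothetical, and the HMAC-signed token is a simplified stand-in for the OAuth-style tokens that production open banking APIs use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real data holder would keep signing keys in an HSM or KMS.
BANK_KEY = b"constructed-demo-key"
REVOKED = set()  # ids of grants the customer has withdrawn


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(body: str) -> str:
    return _b64(hmac.new(BANK_KEY, body.encode(), hashlib.sha256).digest())


def issue_grant(grant_id, customer, third_party, scopes, purpose, ttl_s, now=None):
    """Bank side: record what the customer agreed to share, with whom, why, and until when."""
    now = int(time.time()) if now is None else now
    claims = {"gid": grant_id, "sub": customer, "aud": third_party,
              "scopes": sorted(scopes), "purpose": purpose, "exp": now + ttl_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)


def revoke(grant_id):
    """Customer opts out: the grant stops working before its expiry."""
    REVOKED.add(grant_id)


def authorize(token, caller, scope, purpose, now=None):
    """Bank side: check one API call against the grant. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        # Verify integrity before trusting any claim inside the token.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:
        return False, "malformed token"
    if claims["gid"] in REVOKED:
        return False, "consent withdrawn"
    if now >= claims["exp"]:
        return False, "grant expired"
    if caller != claims["aud"]:
        return False, "wrong third party"
    if scope not in claims["scopes"]:
        return False, "scope not granted"
    if purpose != claims["purpose"]:
        return False, "purpose mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: customer-42 lets "budget-app" read transactions for one hour.
    t = issue_grant("g-1", "customer-42", "budget-app", {"transactions:read"},
                    "budgeting", ttl_s=3600, now=1000)
    print(authorize(t, "budget-app", "transactions:read", "budgeting", now=1500))
    print(authorize(t, "budget-app", "payments:initiate", "budgeting", now=1500))
    revoke("g-1")
    print(authorize(t, "budget-app", "transactions:read", "budgeting", now=1500))
```

Unlike a shared password, the token never lets the third party act as the customer: every call is checked against the recipient, data type, purpose and time limit the customer agreed to, and revocation takes effect on the next request.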
Greatest disruptive forces in the Digital world
Open banking could let customers give Amazon access to their banking data, but it wouldn’t let users give banks and fintechs access to their Amazon data. One of the banks may become the Amazon of financial services, but it’s more likely that Amazon will become the Amazon of financial services.
- One of the greatest disruptive forces in the digital economy is Tech companies such as Amazon, Facebook and Google providing banking services and competing with traditional banks. Tech companies have the advantage of having tons of customer psychometric and demographic social data and the ability to use that data to their advantage.
- Banks, although more than open to removing inefficiencies and improving processes, are very siloed and fragmented in how they create a single source of data (a 360-degree view) of their customers, and hence are not able to use this data to their advantage.
- Hence tech companies might directly compete with banks, by providing better user experience (faster, more efficient, removing redundancies, reducing costs) and removing inefficient processes from the mix.
- This might result in faster transaction times, faster identification and verification, lower or no banking fees, and a friendlier, more approachable environment for clients.
- To disrupt retail banking, the tech giants are now zeroing in on what’s called disintermediation. At their very core, banks act as intermediaries, connecting consumers with purveyors of goods and services, or with other consumers: A bank may help someone pay for an airline ticket, or it may help them send money to a friend.
- Disintermediation strips banks of their pivotal role as the main conduit for these transactions, inserting a tech company in the middle of the equation. It “changes the direct relationship that a bank has with its customers,
Rise of Crypto-currencies in a social setting — With Facebook launching their Libra currency, banks are at a disadvantage in leveraging this new type of currency for their banking services, or even if they can, they might not be fast enough in adopting this new way of storing, lending and moving money. FinTech crypto banks and crypto exchanges are affecting the core business of banks in a number of areas with tokenization and digital assets.
What can banks do?
- Start acting more like digital giants (offensive play)
- Actively partner or M&A up with fintechs to improve capabilities and scale
- Attract and retain digital talent
- Simplify technology and data infrastructure
- Ensure cybersecurity resilience
- Reinvent banking through new channels, capabilities and processes
- Change mindset from “bank to customer” to “customer to the bank”
- Flatten the organization, co-locate, build product management practices
What does it help solve? Potential use cases in Canada?
- Lengthy in-person interactions and physical documents — Traditionally, an individual had to have in-person interactions and provide physical documents to receive a service from a business, which is cumbersome and time consuming.
- Governments, public and private sector organizations frequently collect the same information as part of their thorough identification processes, hence there is room for significant cost savings for other service providers who would want to identify and verify an individual for their own interactions.
- Digital Identity leverages the identity/identities you’ve already created with trusted parties to identify/verify you with other service providers from whom you want a service. It cuts down the lengthy processes of having to verify a customer’s identity through in-person interactions and documentation, thereby saving time, effort and energy for everyone involved in the equation.
- It allows a customer to have greater control and autonomy of their own data, in terms of what they want to share vs. partially share with a service provider who is requesting this data. The end user is at the center of this universe with service providers acting either as consumers (relying parties) of this data or as trusted identification parties (identity providers).
- On the other side of the equation, we have service providers such as banks, insurance companies, financial institutions, telecoms, government agencies and other businesses who would be able to save resources and time by creating this circle of trust with other trusted parties by leveraging the sharing of digital identity among themselves.
- It is an efficiency play, but also a client engagement /client value driven play, whereby service providers can lift the friction out of client experiences and provide more intuitive value driven experiences /solutions.
- Customer loyalty, engagement, retention are a few of the benefits for service providers with digital identity.
- The use of blockchain for digital identity creates a more secure infrastructure, with the potential of reducing fraud while giving users more control over misinformation.
- The ultimate goal should be a “federated digital identification framework”. A federated framework would store information on a person’s attributes and electronic identity across linked but distinct systems. This way there is no central repository with all of an individual’s information, and individuals can authenticate using different linked pieces of information.
Other benefits —
- reduced administrative costs for managing users and their access by increased automation
- reduced integration cost for new applications through centralised IAM capability based on repeatable processes
- reduced operational risk through streamlined and effective processes that ensure people only have access they require to do their job
- improved staff productivity by providing a single identity based on role and seamless user experience
- reduced security exposure by effectively managing external users and ensuring access is removed when no longer required
- improved compliance with security policy and regulations
Use cases of Digital Identity
- Speedier transactions or processes — bank account opening, new application processing, renting out a unit (demonstrating credibility to the landlord), creating a new service contract such as for home internet or mobile services, payments (donations etc.)
- Condo/apartment/house owner can verify the identity of a potential tenant — tenants won’t have to dig up their credit report scores, income statements, tax statements etc. when applying for rental units
- Citizens can verify their legal drinking age at bars using digital identity — they won’t have to carry their passports and driving licenses around
- Telecom providers can verify the identity of potential customers — customers won’t need to fill in their extensive paperwork etc.
- Working citizens will be relieved of the burden of taking days off in order to complete bureaucratic procedures; they will have to manage a considerably lower amount of paper personal documentation.
- Opening of bank account, getting a mobile connection or getting social security benefits.
Role of Banks, Government, and Industry in Digital Identity
- Government needs to take an active role in helping develop the infrastructure and bring the digital identity system to market before providing a role for private sector.
- In many countries, digital identity strategy was outlined in government legislation, creating certainty for business and government decision makers.
- Banks can act as identity providers (IdPs). IdPs are entities that hold user attributes, attest to their veracity and complete identity transactions on behalf of users.
- Banks need to actively participate in creating this secure infrastructure and work together/collaborate together keeping the client’s needs in mind, rather than our own business objectives.
- FIs already act as stores of customer attributes for their own commercial purposes, and therefore are positioned to act as identity providers without extensive incremental effort.
- FIs are one of very few types of institutions that can verify user information; they already perform this function for commercial and regulatory purposes.
- FIs are incentivized to collect accurate user information for their own commercial purposes.
- The financial services industry has near-complete coverage of users (people, legal entities, and assets) in developed economies.
- Global FIs have interconnected operations across multiple jurisdictions, giving them a structural advantage in enabling cross jurisdictional identity transactions and systems.
- FIs act as established intermediaries in many transactions and are therefore well positioned to act as identity intermediaries.
- FIs are typically trusted by consumers beyond other institutions to be safe repositories of information and assets. FI operations and use of customer data are rigorously regulated.
- The industry needs to trust, be open to change and have the ability to work with different partners in the ecosystem. Relying parties (RPs) are entities that accept attestations from identity providers about user identity to allow users to access their services.
- Public sector could also assume a major role, working with providers, for example, in the development of federated identity for government services — whereby a single sign-on is used across multiple organizations.
Elements of an effective Digital Identity solution
- Key to this vision are social networks and mobile phones, which will enable the creation of an identity infrastructure that can enhance both privacy and security.
- Incumbent banks have very important assets — trust from their banking clients, as well as critical verified data about their customers — the data that is needed to create digital identities. The data attributes or datapoints of an individual include birth-related information (name, place of birth, date of birth, etc.), descriptive information (height, weight, physical traits, etc.), personal identifiers (e.g. social security number), biometric data (fingerprint, DNA, iris, etc.), etc.
- Ideally there should not be a single point of failure; there should not be a single database or “honeypot” of data.
- Privacy should be upheld so that an Identity Provider cannot tell where an identity claim is being used
- No data should be visible to the operator of the network
- There should be no way to track an individual across relying parties
- There should be a common understanding that the data is provided “as-is” and is not warranted to be error-free, and that requestors have no recourse back to the providers of the data.
- The user provides explicit consent each time data is requested e.g., Are you willing to share these attributes with this party for this purpose? Each action is recorded in the ledger and the user receives a secure notification
- Governments, telecoms, banks and other large scale service provider partners should be willing to share citizens’ data with each other, as well as other service providers, keeping the end customer/citizen in mind (simplicity to consumers, security for businesses)
- The data need not be concentrated in one single system, e.g. a person’s financial data can be held in a bank, while their citizenship records can be stored in government infrastructure
- The solution must access the right identifying information at the right time — ensure access to the right data at the right time.
- Leverage a flexible data infrastructure (one that brings together different types of structured and unstructured data) — biometrics (such as fingerprint patterns and face and retina scans), IP addresses, device IDs, geolocation data, and even behavioral analytics (recognizing, for example, the typing style of a user). Providers will also need a flexible infrastructure, one that uses APIs to integrate — with plug-and-play ease — external sources of data, as well as new sources that may become valuable in the future. Working with many data types and determining identity with a high degree of precision requires the right mix of technology and processes.
- Digital identity should be built around actual consumer behavior, since consumers have made it clear that they don’t want to jump through hoops to verify their identity.
- Sharpen the focus via use cases — Industry- and country-specific requirements make a one-size-fits-all identity solution unlikely. Banks, for instance, must satisfy regulatory standards that don’t apply to retailers.
- First, empower customer privacy. Keeping customer data secure is critical to protecting customer loyalty. It is important to give those same customers granular controls over who can access their data, for how long and under what conditions.
- Consideration for contextual security. It is imperative to provide continuous security verifying user authenticity and securing interactions to combat fraud and cyber attacks.
- Finally, companies should implement identity enabled ‘DevOps’. As the need for digital identity grows, it is important that the development team is supported with a suite of digital identity tools that integrate seamlessly into continuous delivery environments for agility and faster time to market.
Are there any risks?
- Customer adoption. We’re asking consumers to change their way of working, asking them to trust and understand this new technology and play an active role in protecting and verifying their identity. 41% of Canadian citizens declined to use two-factor authentication when offered the option for their social media accounts.
- Liability risks — Who will own the digital identity? The bank? Or the customer? Who will be liable if a digital identity is wrongly authenticated with damaging results?
- Data breaches and cyber attacks
- The use of mobile phones can also create risks. First of all, it is important to note that, even in countries with widespread access to mobile telephony, there are still many people who lack access to a mobile phone. These are often people who are already in marginalised situations, who would further have difficulty getting or using ID.
- Concepts like decentralized identity and self-sovereign identity, which put control of personally identifiable information back in the hands of individuals, are emerging.
- Recent developments include the European Union’s General Data Protection Regulation (GDPR); India’s Aadhaar program, which assigns every citizen a digital identifier; the California Privacy Act; and China’s cybersecurity law, which puts stringent requirements on the transfer and use of personal data outside that country.