The accreditation bar for third parties to gain access to banking data needs to be handled carefully.
The Government will need to be careful in the requirements it sets for accreditation for third parties to access banking data through the consumer data right or it could result in a low take-up of users, a key player has warned.
Last week Commerce Minister David Clark announced open banking would be the first cab off the rank to use the consumer data right (CDR), under which banks will be required to share a customer’s data with a competing bank or other business, should the customer request it.
It’s expected to take up to two years to put in place the systems needed to enable the data sharing to happen seamlessly and safely. Part of it is deciding what criteria companies will have to meet to be accredited to access the data.
Josh Daniell, co-founder of Akahu, a fintech start-up which already enables customers of the big banks to use their financial account data in third-party apps, said the accreditation needed to be designed carefully to get it right.
“In some countries, like Australia in particular, there have been complaints that the accreditation process is too heavy-handed and that means there hasn’t been a great uptake of the CDR regime. More people are instead just using the traditional methods of connectivity. It is one of the things I think MBIE is alive to and they are trying to make sure it is designed in a balanced way rather than being overly heavy-handed.”
Daniell said Akahu had its own accreditation process for the app customers that use its service.
Daniell said the first question the app companies had to answer was how they would deliver value to consumers.
“We want to be comfortable that the product is actually using the consumer data to drive value for the consumer. Rather than just harvest it for some business purpose.
“The second thing is feeling comfortable that the people that are managing the product are equipped with the skills to handle the responsibilities of that access well.”
Daniell said it had a tiered approach which depended on the type of data being requested, whether it was one-off or ongoing access, and whether the third party was asking the consumer for the ability to initiate payments and, if so, whether they wanted the ability to pay anyone or just to pay a single destination account.
“We try to tailor our accreditation requirements based on the risks that are presented from the access that the consumer is being asked to give. We do a review of the app which is similar to how Apple and Android would review an app before it is approved to go into the app store. And if any enduring access is being requested of the consumer rather than one-off we require that that app also gets an external penetration test.
“If you connect your bank account to some other app we want to make sure that app doesn’t have lighter authentication requirements than if you just logged directly into the bank account. So we are just making sure we are at least at the same or higher level of authentication requirements than your bank has so there is no back door entry to initiate payments from some other app.”
Banks already experience high levels of cyber attacks and third-party providers would need to be able to stand up to that as well.
Daniell said rising frauds and scams would make it harder to gain the trust of the public to hand over their data.
“And I think for good reason. We should have a high bar to convince consumers to connect their data or share account access with someone else. We should have to have a compelling reason for them to do that.”
The public’s understanding of open banking and how it works is still low.
Last week the New Zealand Bankers Association urged the Government to invest in a public awareness campaign about consumer data rights.
“Our research shows that around two-thirds of New Zealanders think sharing your banking information with third parties to access other financial services is either a bad idea or they don’t understand it,” CEO Roger Beaumont said.
Daniell said consumers shouldn’t have to understand exactly how open banking worked and it was the usefulness of the products that was likely to convince them to give access to their data.
“For consumers, the value gets unlocked through great products. I don’t think they should ever have to care how it works. For the people that want to know they should be able to understand it and make an informed decision but for most people they will look at a product and understand the value proposition from connecting their accounts and then make a decision as to whether that is for them and most consumers shouldn’t ever have to dig into the real technical detail around how this all works.”
One common use case for open banking in New Zealand is applying for a home loan: the broker invites you to connect your bank accounts, which avoids going through a year’s worth of transaction data and populating a form.
The loan applicant grants access to their bank account for a one-time connection to get the transaction data required for that application.
“So there’s a real convenience there for the consumer and it also makes it faster for the lender to process that application because they can fetch the data and put it into the form so they can process it quickly.
“As a consumer you look at that and make a decision as to whether you are comfortable with it, whether you see enough value in connecting your accounts for that purpose.”
He said an example that resonated was an app like Pocketsmith where you could connect your bank accounts, KiwiSaver, Sharesies and any other accounts which made up your financial life and see it all in one place.
“You can unify the transaction data and categorise it and it will automate budgets for you. I think our finances have become more and more fragmented as we engage different financial service providers rather than having everything with one bank. So here is a way to connect everything back again and make it simpler to manage.”
For Akahu itself, it should make life a lot easier.
“The current way we connect with banks is via the APIs [application programming interfaces] that power their mobile apps. And with most banks we do that without their collaboration.
“What this new regulation will do is provide standardised access to bank APIs. So the banks will have to deliver APIs to a certain spec and once we are accredited into that regime we can plug into those APIs without seeking the permission of the banks.”
If it is done well, he is also hoping it will give a boost to consumer take-up.
“What we think the CDR regulation will do, if it is designed well, is give a tailwind to adoption from consumers.”