Interview with Imran Gulamhuseinwala, Trustee of the Open Banking Implementation Entity (OBIE)

Key milestones

The revolution began in January 2018, sparked by the release of version 1.0 of the UK Open Banking Standard intended to stimulate innovation and competition.

Version 3 of the Open Banking Standards was published in September 2018 – which builds significantly on Version 2 of the Open Banking Standards that was launched in March 2018, giving account providers, a solution that complies with the EU’s Second Payment Services Directive (PSD2). Whilst previous versions of the Standards covered business and personal current accounts, Version 3 covers all products with payment capabilities (for example, credit cards, pre-paid, and e-wallets) in any currency.

What is the status on the progress of Open Banking in the UK, as well as Open Banking Implementation Entity’s highlights and key milestones in 2019?

Although the Open Banking regulatory directives in the UK only went into effect in early 2018, the stars are aligning for Open Banking and the industry is moving forward ambitiously.

A huge amount of work throughout 2018 and 2019 resulted in the Standards being all created, and they were implemented by the mandated banks under my supervision by September 2019 – which accounts for over 90% of the market.

The Open Banking Implementation Entity currently has over 135 regulated entities in the Open Banking ecosystem made up of 85 third-party providers (TPPs) and 52 account providers, with 32 regulated entities that have at least one proposition live with customers. Alongside this, in addition to the nine mandated banks required to build to the Open Banking standards (the CMA9), there are now more than 30 banks using the Open Banking Standard.

A major milestone in 2019 was broadening the technical standards to also include user experience standards, which are already implemented by 50% of the banks and are in final stages for the other 50%, thus almost doubling the completion rates.

We have come a long way since the development of Version 1 of the Standards (live in 2018), and we’re seeing real progress and production volume go through; whilst we cannot quantify and anticipate the size of this growth, it is happening consistently, month on month.

In a nutshell, more and more third-parties are entering the ecosystem, drawn by real APIs that they can use in their live production environment. The UX standards are being implemented, and the banks should have finished completing all the implementation to be fully PSD2 ready by September 2019.

However, there’s still more to do and, for us, September was an important milestone, but most definitely was not the end of the journey. Having PSD2 covered does not necessarily mean you can make Open Banking work, as there are details not touched upon by the regulation. Looking forward, we will be seeking to design and implement solutions for those details through Q4 of 2019 and also going into 2020.

What are banks’ latest propositions and offerings on the back of Open Banking?

Since banks haven’t finished implementing everything yet, it’s still a little early to tell. Of our large number of production-ready TPPs, many of their propositions are still in design and testing, and only a small number are live in the market.

However, we do notice quite a lot of engagement from customers in the area of marketplace propositions as well as overdraft unbundling, a way in which fintechs can provide overdrafts directly so that customers don’t have to take them from their bank.

We’re also noticing credit enhancement for customers (both with or without credit files), as third-parties can build a credit file for them, and do affordability and suitability checks on their behalf. Finally, another area where we see a good degree of traction and innovation is in SME lending.

To sum up, some parties in our ecosystem are able to deliver decisions to customers in under an hour, instead of a couple of weeks.

How does UK deal with GDPR and consent management?

In the UK, Open Banking – and probably across all of Europe – the consent piece sits with the TPP; and because of that, everything around that has to start with the third-party. And obviously, the consent absolutely needs to be both PSD2-compliant and GDPR-compliant.

However, GDPR talks about high-level principles. What we need, in order to make it clearer for third-parties to meet those GDPR requirements, are guidelines, which we have already set up for ASPSPs, and we are currently working on the ones for TPPs.

Mainly, these guidelines break down what consent means under GDPR, and what is the purpose of it, referring to what the TPP is looking to do with the data. Moving forward, we break down and codify consent, so that both the customers and the ecosystem can have a deep understanding as to what information is going to be used and how. This has future benefits for the onward sharing of the information from the financial services sector to the other sectors.

Enforcement by supervisory authorities is central to GDPR, so we are now working very closely with the Information Commissioner’s Office (ICO), the UK’s data protection watchdog that enforces the rules of the GDPR and makes sure that businesses within the UKare compliant with its data protection rules. The organisation is also investigating companies that have suffered data breaches, imposing fines where appropriate and generally auditing companies for their data collection and storage practices. It also publishes regular reports on the state of data protection in the UK, emerging threats and updates to how it operates.

In that scenario, PSD2 is clear: from the customers’ perspective, their first port of call is always their ASPSP (bank) with respect to any unauthorised transactions

Where there is an unauthorised transaction (eg a fraudster faked the customer’s authorisation) and the payment was initiated through a PISP, it is the ASPSP where the customer holds his account that is responsible for refunding the customer and for sorting out the allocation of liabilities with the PISP as between themselves.

If the PISP is found to be actually liable for the unauthorised or deficiently executed transaction, then the PISP must compensate the ASPSP upon the latter’s request. So the customer is protected from a liability point of view and it is for the PISP and the ASPSP to figure it out.

However, all of this doesn’t happen by magic and you actually need to have a process so that all participants in the ecosystem can make this operate – no individual entity can do it on its own, it requires some coordination. To this extent, one of the assets that we built here in the UKis the Dispute Management System (DMS), a communication process that helps organisations manage enquiries, complaints, and disputes among themselves. The DMS was set up by OBIE, in consultation with stakeholders from the UKGovernment, regulators, the financial services sector and consumer groups.

Its purpose is to help any organisation manage enquiries, complaints, and disputes related to Open Banking, such as requests for information or exchange of information, requests for a redress repayment, complaints forwarding etc.

All participants in the UKcan use it – the system will allow for the customer to make a complaint which will then be triaged, looked after, inquired against by the different participants within the ecosystem, allowing for a much more efficient journey for the customer as well as for the other participants – banks and third-parties.

Also on the matter of customer education, how are banks taking steps in demonstrating and teaching how Open Banking works and on how their data is secure?

 As we’re still very early in the process, most customers’ knowledge about Open Banking is limited, but that’s fine and to be expected, not least because so are the propositions.

That will change very quickly particularly going into 2020, now that the banks have to get involved and contact their UK customers to explain how Open Banking works. They’re also required to make that information available to them through online, branch, and telephone.

Open Banking UK also has a website and customers can reach us to understand more about what Open Banking is and how it works. We also host pages where customers can see and verify which third-parties are authorised and what their propositions are.

When it comes to trust towards Open Banking, it helps to know that some of the UK banks themselves have begun acting like third-parties, with almost all the large banks now offering aggregation services. For example, if you’re a customer of NatWest, you can now see your Barclays accounts through your NatWest app. And this helps with education because it has enabled millions of customers around the UK to see how Open Banking can work, being provided to them by a bank that they know, work with and trust. It adds another layer of trust to the consumer. The fact that the largest banks in the UK are invested in researching Open Banking and building on this initiative. They’re basically endorsing Open Banking to their customers by building on the relationship that they have with their customers and the relationships that they have with them.

The deadline to comply with PSD2’s Regulatory Technical Standard (RTS) was 14 September 2019. One of the concerns raised with Open Banking is that fintechs need to be able to connect to different banks’ APIs. Is RTS driving a greater degree of API standardisation?

RTS on its own does not require standardisation, there’s nothing in the legal framework that requires banks to use a standard. However, local regulators are very much encouraging banks to use a standard, considering that if the banks are using a single standard, it enables a simpler customer experience, as well as an easier connection for the TPPs, because there’s less variation amongst the banks. And it’s also easier to regulate, since banks are all doing pretty much the same thing and using the same standard.

There are many good reasons behind why standards should be used by the banks, but it’s not technically within the regulatory technical standards. It’s much more that the local regulators are encouraging the banks to use it. And one of the mechanisms that they’re encouraging the banks to use it is by offering exemptions – it’s easier for a regulator to grant an exemption if a bank is actually using a standard.

We have helped in the UK by providing all our standards with a checklist, and if the bank meets all the checklists, then it will receive a certificate from Open Banking. Obviously, we tried to align our checklists as much as possible with the regulators’ criteria for an exemption, which means that the banks can actually take that checklist, and take that certificate and use it as part of their exemption process.

Do you see Open Banking widening its scope of services beyond payment initiation, account & transaction data, and product data?

The vision in the UK was always that Open Banking would be bigger than just current and payment accounts. This is a starting point.  

In the UK now, we’re talking actively about open finance and smart data. Open finance enables customers to access their data in a whole suite of finance products (including mortgages, savings, insurance, pensions, and more).

Nevertheless, smart data is also about customers accessing their data in non-financial services sectors such as energy, water, mobile, broadband, including big tech sectors that the government is investigating at the moment. Although all of these things are going to take time to play out, it does very much feel that we’re at the starting point, not the end point.

What is the future roadmap and where do you see the major initiatives going forward in Open Banking? For banks that have got over the compliance hurdle, where do you see the most interest and opportunity in terms of future developments?

We certainly have come a long way over the last two years, a lot of work being done to build and implement the standards, as well as to create the ecosystem and the propositions against those implementations. We thus have a great foundation for Open Banking.

In order to make Open Banking a success, we need to look beyond PSD2, which, despite being an amazing piece of legislation, it did not have a background of understanding of Open Banking potential when it was created, and there are some areas not addressed in PSD2, which we need to build. Once we’ve done that, we can look beyond Open Banking as it relates to AIS and PIS, towards the opportunity to harmonise across other sectors and other products – from open finance and smart data to digital identity – to really empower consumers.

About Imran Gulamhuseinwala

Mr. Gulamhuseinwala was appointed Implementation Trustee for the Open Banking Implementation Entity on 13 April 2017. He has oversight and responsibility for Open Banking’s development and delivery of the common technical standards underpinning the Competition and Market Authority’s Open Banking initiative. He is a former Partner of Ernst & Young where he was also Global Head of FinTech. 

About Open Banking Implementation Entity (OBIE)

 Open Banking was created to enable innovation and competition for financial services. It is tasked with delivering the APIs, data structures and security architectures that will make it easy and safe for customers to share their financial records. Open Banking is a private body; its governance, composition and budget were determined by the CMA. It is funded by the UK’s nine largest current account providers and overseen by the CMA, the FCA and HMT.