The Competition and Markets Authority (CMA) published its final report on its two-year review into the UK banking market this week. It contains a number of ‘remedies’ for the lack of competition, switching, customer value and innovation in the UK. You can read all 766 pages if you are so inclined, or the slightly more consumable 55-page summary report, or the 15-page high level summary. Take your pick.
While I have an interest in the research, and the wider findings and remedies, the area I’m most interested in is the push for open banking (i.e., via application programming interfaces, or APIs). The following sections of the 55-page summary report (though you really should read the whole thing) contain the most interesting mentions of APIs: 157, 161, 162, 166-171, 174 and 200 (b). This is the best paragraph in the report, in my opinion:
“Of all the measures we have considered as part of this investigation, the timely development and implementation of an open API banking standard has the greatest potential to transform competition in retail banking markets.”
I think we can all agree on that. The remedies around providing APIs for financial data only apply to the biggest banks in the UK, which, according to the report, are RBS, LBG, Barclays, HSBC, Santander, Nationwide, Danske, BoI and AIB. This feels like a somewhat strange grouping, and does it mean Yorkshire and Clydesdale Bank isn’t included? Is that because the parent group is Australian, or am I missing something?
The basic timeline set out is that these APIs and access methods for read and write access to transaction data will be provided by Q1 2018. This all sounds good to me (if a little slow). Yet, as the banks rightly point out in their 67 responses to the interim report back in May, which featured tighter timescales, the challenge of implementing these changes while we still have no technical standards for the formats and types of data (let alone the authorisation and access methods) from either the Open Banking Working Group or, more importantly, the Regulatory Technical Standards from PSD2, means that 2018 is the earliest it could be realistically delivered.
Key to this delivery is a new group – the Open Banking Development Group, launched by the Open Data Institute to “drive open innovation around an open banking standard on a UK and international basis”. It will work in conjunction with a number of organisations, including Payments UK and the nine largest banks. I urge startups and challenger banks to join as soon as possible, so that we don’t just have bankers designing today’s APIs for the financial services we want tomorrow.
I’m very happy that the CMA has stepped up on this issue and is putting in place measures to ensure open banking does happen in the UK. Everyone was pinning their hopes on PSD2 delivering this, but post-Brexit, and with no mention in the last budget, I suspect some UK banks were ready to move it down/off their agendas. That being said, there are still a great many hurdles to overcome.
Designing for loss of control
To ensure the swift implementation of the open banking standard, the CMA will create an independent body:
“We will ensure that the programme of work to introduce open APIs is effectively managed and does not get bogged down in debates between market participants by creating a new entity, funded by the banks but led by an independent trustee, to ensure the timely delivery of this core remedy.”
This is a good thing. How this body will operate and what its remit will be is of great interest. However, an initial draft of the proposed structure for this body does give me a few concerns with regard to having the fintech companies and challenger banks on the outside of the core group.
The responses from the banks feel like this body will give them an element of control over who can have access to this data. It feels to me like the banks want to keep control under the guise of security. Clearly there are security risks, and for aggregators there has to be a code of conduct similar to PCI DSS for the storage and use of that data. But how independent will this new control body be, and what measures will individual banks build over the top of any process?
HSBC’s API proposal in response to the interim report from July makes for interesting reading. It’s not a final design, but it still shows a desire to retain as much control as possible for security measures. I do wonder how much effort went into building infrastructure, governing bodies and other security measures for the manual downloading of data? I don’t remember there being any changes following the Midata rollout in March 2015 that allowed people to take 13 months (of slightly redacted) transaction data and do with it as they pleased. Clearly an automated/real-time data feed is a different beast, but the measures don’t seem commensurate to the manual methods. Strange.
Another large challenge I see for the banks building these APIs is not just building to get data out; building the infrastructure to consume them from other banks is much more difficult. Will two years be enough to alter their apps and services to take in this data and make the most of it for the customer/CRM systems? Definitely not for all banks. We may see some early advantages for the more technically adept banks, and especially for those challenger banks who will have been building for data in as well as out (if they’re smart), as they build their achingly hip core banking platforms.
Lack of clarity
As good as the report is, there are a number of key points I don’t believe it answers well enough. I really would like the CMA/OBDG to quickly clarify a few things.
What APIs will be built?
I would like to see a much clearer definition/list/table of all the proposed APIs and the data items that will be included. The CMA should be able to provide this at a high level today. I suspect the detailed aspect of this will be a key piece of work of the OBDG.
Which segments will the APIs cover?
With the heavy use of acronyms PCA (personal current account) and BBA (business bank account) throughout the report, it’s difficult to get a clear picture of which accounts will be covered. Is this up to the banks to provide a list of their accounts and say whether or not an API will arrive for it, and when? Will basic bank account holders get the same APIs premium account holders do?
For businesses, it’s not clear up to what level/size of business will be covered (i.e., which size business accounts will be exempt? A turnover of x million?). Also, private banking seems exempt. I assume rich people don’t like having good digital interfaces. Credit cards and savings/investment accounts are also not included. There are only 60 million credit cards in the UK, so it’s not like that much spending is done on them. Again, a clear list/table showing what’s in and what’s out would be fantastic.
The downside to this is that, even by the second quarter of 2018, building apps and services that provide people with a holistic view of their finances will still be impossible without manual methods or the dreaded scraping. The hopeful/naive side of me hopes that the credit card companies will not want to be left out of this wave of innovation and will put pressure on the issuers. The same applies to commercial banking when businesses put pressure on them for better links to online accountancy services, for example. Lots of work still to be done.
When will these APIs be available?
The CMA report states that the development and adoption of an open API standard will have a commencement date “by or between Q1 2017 and Q1 2018”. I think this means less sensitive data (though including the Midata redacted transaction data) by Q1 2017, and the full, non-redacted transaction data by Q1 2018. It’s not so clear, though.
PSD2 regulation timelines will also have an impact. The deadline for European Banking Authority draft Regulatory Technical Standards on authentication and communication is 13 January 2017. The draft version is available today. Account Information Service Providers (AISP) registration isn’t open until 13 July. The FCA has said from February 2017, though, for UK companies.
The banks aren’t that happy with proposed timescales, particularly with the burden of other regulatory changes. Ring-fencing is one of the most complex changes in banking systems history, and the failure of RBS’s Williams & Glyn spin-out shows those changes will not go smoothly.
The alignment with PSD2 is welcome from a consistency point of view, but I suspect not so welcome in that it’s a long, slow process to get the RTS guidelines ratified as stated above. Throw in all the other mandatory pieces of work and it’s clear this will not be easy for banks to accommodate. That being said, as the majority of banks are all about “digital transformation” being their number one priority, APIs are a very good sign that you are really on that journey and not just using the phrase emptily.
A lot of moving parts, and quite a bit of resistance, undoubtedly means the deadlines set yesterday will not be final.
Can I build my own app?
Can I access my own API for my own use? Do I have to register to be an AISP or something similar to handle my own data? Even though I can access it manually? Could I feed my data into a Google Spreadsheet, or does Google have to be licensed to hold the data? Is it OK for Google to hold the data if I’ve manually downloaded, then re-uploaded it? What if someone creates a Google sheet template that I then use? Do they need to be an AISP/approved developer? Thankfully, I’m not involved in defining the governance for this.
There has been quite a bit of negativity around the CMA report, including some of the above. However, I’m very happy it has been published and that the CMA is taking control in ensuring APIs get delivered in the UK. I would just like a little more clarity on the what and when, because as the CMA says, “An open API banking standard has the greatest potential to transform competition in retail banking markets”, and that’s what we really need.