From Open Banking to Open Finance: OECD's Analysis of Global Data Sharing Frameworks
Introduction
Organization for Economic Co-operation and Development (“OECD”) has published its paper[i] presenting an outline of the diverse frameworks implemented for open banking and other data sharing arrangements in different jurisdictions, discussing expansion of open banking related data arrangements, which is referred to as open finance (“OECD Report”). Even though this expansion is happening at varying speeds, there are similarities in the approaches and experiences of different OECD and non-OECD countries, and challenges such as security, privacy, consent management, liability, reciprocity, incentivizing account servicing payment service providers, still need to be resolved.
Legal Framework
OECD Report discusses how different countries have established frameworks for open banking. In European Union (“EU”), as Directive 2015/2366 on payment services (“PSD2”) has been adopted by national law of EU member countries, third party providers who are authorized to have access to payment accounts can collect data from an account in order to provide services to that account owner. Payment initiation service providers have even greater access as they can initiate payments on behalf of the customer. The banking law in Japan underwent an amendment in 2018 to encourage open banking initiatives. This involved a non-binding obligation for banks to open their application programming interfaces (“APIs”), allowing financial technology (“fintech”) companies such as electronic settlement agents to access their system. Following the amendment, over 90% of banks have signed API agreements with one or more electronic payment service providers. In some countries, such as Mexico and Israel, the framework has been introduced into law, but implementing regulations have not yet been issued. The US and Switzerland have primarily market-led approaches. Colombia has recently issued regulations for the open financial architecture, while Australia has extended its framework to other sectors beyond banking, for example a framework for data sharing in energy and telecommunications sector has been covered and Brazil has included insurance, open pension funds, investment and foreign exchange. In Korea, an open banking platform has been established to support the exchange of various financial information data between fintech and financial companies.
A Definition for Open Finance and Open Banking
As OECD Report analyzes different types of data sharing frameworks that have been established in OECD and non-OECD countries, it states that open banking, which allows for the secure sharing of a customer’s financial information with third-party service providers with customer consent, is generally “well understood”. In the UK, open banking is defined as the secure sharing of a customer's financial information with third-party service providers, with customer consent. In the EU, open banking primarily refers to payment account-related data in accordance with the rules set down in the PSD2. Several countries including Australia, Brazil, Colombia, Israel, Korea and Türkiye have an explicitly defined open banking framework.
OECD Report defines the concept of open finance as an extension of open banking, which refers to the practice of sharing banking data via standardized and secure interfaces with third party service providers. OECD Report highlights the objectives of open finance, such as fostering innovation, encouraging competition and customer experience quality, and the positive impacts data sharing frameworks have had on customers and financial services. According to OECD Report, open banking frameworks implemented in Japan, the Netherlands, and Lithuania have led to the creation of new financial services and innovative ways of offering existing services. This has resulted in increased competition in various countries, including Estonia, Germany, Lithuania and the Netherlands. In the UK alone, more than 6 million consumers and 660,000 small and medium enterprises have benefited from open banking-enabled products and services, with an estimated potential benefit of £12 billion for consumers and £6 billion for small businesses. Open finance is expected to further encourage competition, provide better access to information, and generate more affordable and superior financial products and services for consumers. It is important to examine the rules and conditions of data sharing arrangements in open banking and open finance especially around data access and sharing, consumer safeguards, operational and technical specifications.
Data Sharing Arrangements
Financial Data Intermediaries:
OECD Report discusses financial data intermediaries and their regulation in different countries, with a focus on PSD2 and the new EU Data Governance Act. It explains that companies offering services based on payment account data can choose to work with API aggregators, which save them time and cost on applying for PSD2 licenses and developing APIs. The report also discusses privacy and data protection requirements that intermediaries must comply with, such as the Privacy Act in Australia and the consumer data right (“CDR”) framework for receiving data under the consumer data right.
Data Portability:
OECD Report discusses data portability provisions in different countries around the world. The situation is straightforward in EU member states, where data portability is regulated by the requirements of the General Data Protection Regulation (“GDPR”). GDPR provides individuals with the right to receive personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller. Reforms promoting data portability are underway in Switzerland, Canada, and other OECD countries. However, in the US, there are no specific federal regulations regarding data portability. The Dodd-Frank Act and state-level regulations such as CCPA and VCDPA contain provisions related to data portability but are not comprehensive. Data portability is stipulated in laws other than open banking in Korea, while in some countries like Japan and Hong Kong China, financial services authorities have no jurisdiction over data portability.
Liability:
OECD Report discusses the importance of including liability provisions in data sharing arrangements to clarify who is accountable for issues such as data access, quality, privacy, confidentiality, processing, sharing, storage, and cyber security breaches. In EU, these provisions should align with GDPR guidelines and cover details about redress, dispute resolution, and consent mechanisms. OECD Report further states that in some jurisdiction settlement of liability and associated compensation can be sought and voluntary arrangements for settlement of liabilities and complaint handling mechanisms might be in place.
Understanding Best Practices from Implemented Frameworks
Open banking and other data sharing frameworks have led to the development of various services in the financial industry, according to OECD Report, including payment services, credit scoring applications, debt management tools, wealth management applications, alternative payment services, product comparison, and account verification by third parties. These frameworks are active in 25 out of 34 countries surveyed in OECD Report. Data sharing frameworks have led to the development of various services in the financial industry:
- Account Information Services:
OECD report states that account information services are widespread services within data sharing frameworks. As an example, payment account information services are offered by various banks in the Netherlands to give their customers an overview of their payment accounts held at other banks.
- Payment Aggregation Services:
Payment aggregation services are also common in some countries, such as Italy and Estonia, allowing customers to see all their banking products from different providers in one interface.
- Payment Initiation Service Provision (PISP):
PISP offers diverse payment options. For example, in Lithuania, PISPs are being utilized as an alternative to card payments for e-commerce transactions, while in Spain, they are facilitating alternative payment options for in-store purchases through payment initiation services.
In addition to the above-mentioned services, OECD Report further states that credit scoring services, debt management services, financial management, and wealth management applications have also developed in different countries.
Based on the information provided, concerns around open finance are data misuse, data leaks, and cyber-attacks. According to OECD Report, only one country reported a case of data misuse, which was associated with a firm that collected data based on screen scraping in violation of data protection requirements. This case supports the view that screen scraping has increased security risks in open finance. It is important for regulators, policymakers, and industry participants to work together to ensure that appropriate safeguards and measures are in place to protect against these risks and to promote the responsible and secure use of data in financial services.
Data Sharing Arrangements in Türkiye
Türkiye is among the countries with an explicit definition and set of rules in terms of open banking. Regulation on Information Systems and Electronic Banking Services of Banks enforced by the Banking Regulation and Supervision Agency (“Regulation”) defines open banking as “an electronic distribution channel through which customers or parties acting for and on behalf of customers may execute banking transactions or may instruct the bank for execution of banking transactions through remote access to financial services offered by bank via such methods as API, web service, file transfer protocol, etc.” The Central Bank of the Republic of Türkiye (CBRT) has officially launched the open banking services in the payments area in December 2022 and participating banks start providing services through the 'Open Banking Gateway' (GEÇİT) infrastructure, developed by the Interbank Card Center, that allows third parties to provide open banking transactions.
OECD Report states that Türkiye is one of the countries considering granting access to supervisory data for the purposes of research and innovation, alongside Italy, Greece, and Colombia and Türkiye is also looking to establish a cyber-security intelligence framework that depends on data-sharing agreements across institutions. OECD Report further states that Türkiye, along with Germany and Brazil, allows for reciprocal data access between all parties involved in data sharing arrangements. According to Regulation, APIs are not mandatory means to providing open banking services from. The definition of open banking services proves that alternative methods like web services and file transfer protocols are also acceptable means to provide open banking services. The same regulation defines open banking services as an electronic distribution channel that allows customers or parties acting on their behalf to perform banking transactions by remotely accessing financial services through methods like API, web service, or file transfer protocol.
Additionally, OECD Report states that as many OECD countries are considering expanding their data sharing frameworks beyond transactions and payments, in Türkiye there are plans to add different payment types like batch and recurring payments in the second phase of implementation.
Conclusion
The OECD countries expect that open finance will promote competition by increasing information availability, improving customer choice, and offering cheaper and better financial products. However, as OECD Report concludes, there is a need to ensure access to financial customer data in a responsible and safe manner, attribute liability, and implement other consumer safeguards such as consent, and support the development of technical infrastructure that will promote data interoperability.
- OECD (2023), Shifting from Open Banking to Open Finance: Results from the 2022 OECD survey on data sharing frameworks, OECD Business and Finance Policy Papers, OECD Publishing, Paris
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.