Open banking is the sharing and leveraging of customer-permissioned data by banks with third-party developers and firms to build applications and services.
Open banking may potentially pose significant risks and concerns around financial privacy and data security, customer liability, cybersecurity and operational risks, among others, cautioned Reserve Bank of India (RBI) Deputy Governor M Rajeshwar Rao.
In open banking, there can be wide-ranging third-party arrangements such as fintech firms, intermediary firms engaged in data aggregation and other service providers which may not have a contractual agreement with the bank over which regulators can exercise jurisdiction, Rao said in a webinar on Open Banking organised by Tata Consultancy Services (TCS) in association with the Embassy of India in Brazil.
Further, it may be possible that several of these firms may not fall under the regulatory purview of any financial sector regulator. In such situations, it may become difficult for regulators to set requirements, specifications, and exercise regulatory jurisprudence, he added.
Loss/theft of personal data
“In open banking frameworks, risks associated with the loss or theft of personal data on account of poor security, data protection violations, money laundering, and terrorist financing concerns cannot be ruled out.
“Therefore, large scale adoption of open banking frameworks should ideally be preceded by strong data protection and privacy laws,” the Deputy Governor said.
Rao emphasised that such laws should anchor the ownership rights and ensure control and consent-based use of the data. They should also establish the boundaries of rights and obligations of third-party use, down-streaming data to fourth parties and reselling it.
“India has already embarked upon the same and The Personal Data Protection Bill, 2019 has already been introduced. The Bill seeks to provide for the protection of personal data of individuals and establishes a Data Protection Authority for the same,” the Deputy Governor said.
Redressal of grievances
Rao noted that in the absence of explicit arrangements for redressal of customer grievances and limiting their liability in case of erroneous or fraudulent activity, the acceptability of open banking frameworks may remain limited.
Therefore, the jurisdictions should address customer liability for third party access of data through customer protection or indemnity laws.
In this regard, Rao underscored that RBI had issued Charter of Customer Rights in December 2014, which lists ‘right to privacy’ along with ‘right to grievance redress and compensation’ among others.
Increase in surface area for cyber frauds
Rao cautioned that open banking architectures, which are premised on the enhanced sharing of data, increase the surface area for cyber frauds.
As the open API (Application Programming Interface) provides uncluttered access to customer banking data such as transactions and balance stored within the infrastructure, it may also pose a severe cybersecurity risk, he added.
“Losses caused to customers on account of cyber events would require financial institutions to compensate customers for such losses.
“Institutions may also face a variety of potential operational and cyber security issues related to the use of APIs, including data breaches, misuse, falsification, denial of service attacks and infrastructure malfunction,” the Deputy Governor said.
Difficult to assign liability
Rao remarked that with more parties and intermediaries involved in providing financial services in an open banking model, it is more difficult to assign liability. If the regulations governing customer grievance redressals are not updated to consider available banking business models, the national authorities may find it challenging to provide the customers with adequate levels of protection.
In India, RBI implemented a separate Ombudsman Scheme for Digital Transactions in January 2019. The number of complaints received under the Ombudsman Scheme for Digital Transactions (OSDT) has been consistently increasing, reflecting increased digital modes of banking, he said.
“Open banking is a potential disruptor in the financial system and may change the way of doing banking for both customers and banks.
“New pure tech-play entities have the potential to snatch market share from established but traditional financial institutions because they are technologically more advanced, digitally agile to cater to customer needs with higher efficiency, have better user interface, and are more competitive in pricing,” the Deputy Governor said.
At the same time, all stakeholders need to appreciate that while technological innovation is of paramount importance, customer privacy and data protection are non-negotiable, he added.