On 19 November 2019, the Basel Committee on Banking Supervision (Basel Committee) published a report on open banking and application programming interfaces (APIs).
In the report, the Basel Committee focuses on aspects of open banking related to customer-permissioned data sharing where the customer initially grants permission to a third party to access their data, either directly, or through the customer’s bank.
The Basel Committee has observed that traditional banking is evolving into open banking and open banking frameworks are being adopted across numerous jurisdictions, with variations present in terms of stage of development, approach and scope. Section 3 of the report provides a global legal and regulatory overview of developments in open banking, highlighting how some jurisdictions require banks to share customer-permissioned data and require third parties to register with a particular regulatory or supervisory authority. Other jurisdictions have taken a facilitative approach by issuing guidance and recommending standards, whereas remaining jurisdictions follow a market-driven approach and currently have no explicit rules or guidance on the sharing of customer-permissioned data by banks with third parties.
While open banking has the potential to transform the banking industry, the Basel Committee has identified several challenges for banks and supervisors to consider. Open banking encompasses a high volume of data resulting in a larger surface area for cyber-attacks, requiring effective data management to limit data breach risks. In addition, oversight of third parties can be limited, especially in cases where banks have no contractual relationship with the third party, or where the third party itself has no regulatory authorisation. Therefore, in the event of financial loss, or erroneous sharing or loss of sensitive data, which becomes increasingly complex with open banking, it may become more difficult to assign liability and the amount of damages to the affected customer.
In light of this, the Basel Committee urges banks and bank supervisors to pay greater attention to the risks that arise from an increased sharing of customer-permissioned data and the growing connectivity of third parties involved in the provision of financial services.