UK fintech firms caught a break on Monday when the Financial Conduct Authority (FCA) published changes to its Open Banking rules that remove the requirement for customers to reauthenticate with their bank every 90 days in order for fintechs to keep accessing their account data.
Under the current rules, customers must reauthenticate every 90 days with every app and provider they share their financial data with, a process that has consistently caused confusion for customers and higher drop-out rates.
According to the FCA's release, one trade association reported that Third-Party Providers (TPPs) see customer attrition rates of around 20–40% at the 90-day mark, when Strong Customer Authentication (SCA) is required. With the 90-day rule abolished, TPPs are likely to see higher retention rates, although they will still need to obtain reconfirmation of customer consent every three months so that continued data sharing rests on the customer's explicit consent.
“We consider that these measures are proportionate, taking into account the level of risk. They balance the need to protect consumers from TPP access without explicit consent, and unwittingly sharing data, with reducing friction for customers,” the FCA said.
Alongside the removal of the 90-day rule, the FCA also acknowledged the barriers that existing customer interfaces create in the open banking ecosystem. Because customer-facing online banking platforms were not designed for third-party access to account data, the FCA proposed mandating dedicated interfaces for that access.
“We wouldn’t consider an interface that requires a TPP to access the information through a screen (known as ‘screen scraping’) to be a dedicated interface. In setting the scope of this requirement, we have taken into account where we believe there is a reasonable prospect of TPP demand,” the FCA said.
Open banking has drawn global headlines as a competitor to the Banking-as-a-Service arrangements struck between megabanks and fintechs.
Over the course of the pandemic, increased consumer adoption and use of third parties siphoned $250B of payments volume (and $25B of payments revenue) away from incumbent financial institutions. The UK's open banking rollout dates back to 2015, when the European Union adopted the second Payment Services Directive, or "PSD2."
However, as third parties gain access to user data, security concerns and regulation follow.
At the start of November, the CA released an analysis of data from 2017 to 2022 which found that reports of suspicious activity filed by staff rose from 887,500 in the 2017-18 fiscal year to 1,028,260 in 2019-20, a 16% increase, with the number expected to grow further as digital transaction volume increases.
Retail banking made up the largest segment of Suspicious Activity Report (SAR) submissions, with 804,105, almost four times the 204,374 submitted by the retail lending sector.
In the US, fintech juggernaut Plaid, alongside a coalition of fintechs and security compliance companies, released a framework known as the Open Finance Data Security Standard (OFDSS), a working document that sets out 63 individual security requirements across 12 control domains, covering the security risks the consortium considers most likely to be encountered by early-stage digital finance companies.
Farther north, the Canadian Advisory Committee on Open Banking delivered in August the report from its three-year investigation into the country's potential for open banking, setting a tentative date of January 2023 for an initial phase. The committee stated that the country's open banking must be broad enough to provide useful, competitive and consumer-friendly financial services to citizens, and that government and industry must collaborate on a roadmap for the country.