Targeting Trust in Open Banking

Building on a recent presentation at the Open Banking World Congress, OBIE’s Miles Cheetham discusses the options available to maximise consumer trust in open banking – a key consideration in any conversation around increasing end-user adoption.

Targeting Trust in open banking

In May 2020, OBIE’s Miles Cheetham and Nathan Kinch of Greater Than Experience presented at the Open Banking World Congress, on the topic of “Informed Consent; Meaningful Ethics; Achieving Trust.”

Here Miles Cheetham expands on that presentation, providing an insight into key considerations around consumer Trust in open banking, and a vision for the future.

Trust: the key to adoption

Consumer Trust is a critical factor in the success of open banking. Key to this is the way in which the consumer grants and manages consent to use their personal data. The potential of open banking – and by extension open finance and Smart Data Initiatives generally – relies on this crucial point.

Here at the Open Banking Implementation Entity, we have looked hard at the whole customer journey, breaking much new ground with the widely referenced Customer Experience Guidelines, particularly how Third Party Providers request consumer consent, and then enable that consent to be managed or revoked.

In mid-May, Nathan Kinch and I presented a case study at the Open Banking World Congress on the progress that has been made to date. Now, I’d like to share some of the insight we’ve gained, as well as our vision for the next stage of enabling consumers to place their Trust in open banking.

Solving for X-perience

Great things can happen when you set out to solve a genuine consumer problem. You know how it goes.

Set up a new app, click and move on…oh… a set of T&Cs…scroll to the bottom…click “I Agree”. And there you have it. Did you stop and read them? Probably not! Most of us never read the T&Cs.

We are all agreeing to things that we might question if we had the time, energy and (occasionally) the law degree required to read them. What is worse is that the ‘small print’ can obscure things that maybe we wouldn’t be so keen on. At worst, companies can shield themselves and a business model that customers simply have to accept if they want to get what’s on offer. To me, that’s not acceptable.

So back to Trust. A thriving, successful open banking-enabled ecosystem demands it – not least as empowered consumers are starting to understand the value of their personal data, question the status quo, and demand far greater transparency and control.

Comply, Compete, Innovate

Trust is a complex thing to achieve however and raises many questions. We have seen at first-hand how TPPs actually create and provide their services – and noted in particular the onward sharing of data: the ‘provisioning chains’ between parties that combine to create the end product. So, how should TPPs ensure that they meet their regulatory obligations, while delivering a great customer experience? How confident should TPPs be that they are, indeed, compliant?

If a consumer has numerous active consents – likely impacting multiple parties in the provisioning chain – can a TPP really be confident that where data is shared, their regulatory obligations are met? What if the lawful basis for data processing in a fourth party may need to change?

Some of the parties in a provisioning chain will be regulated under PSD2, some may be outside the regulatory perimeter. Some may fall within the scope of more than one regulator. Not all parties will be visible to each other, particularly where they fall outside the regulatory perimeter. All parties would need to consider GDPR obligations which apply to them.

As Nathan and I explained at the Open banking World Congress, there are still questions to answer – and there is work to do to highlight key points to the consumer. This is already underway, as detailed in the latest version of the OBIE Customer Experience Guidelines.

So, as open banking and data sharing generally grows exponentially, the ecosystem evolves, and data volumes increase, how do we protect the consumer and keep their Trust?

A vision for the future

A critical component to any discussion about the future-state of open banking is the recently published Open Banking Roadmap – which includes TPP-side Customer Protection. Ensuring that TPPs maintain the highest standards in this area is crucial: customer consent sits at the very heart of open banking and, let me stress again, is one of the foundation stones of customer trust.

We know from both our own as well as published consumer research, That consumers have limited appreciation of the data ecosystem. They are unaware of the extent of data sharing, and some believe, incorrectly, that data transactions are bounded.

The time has come to push forward on this new frontier and build on the strong foundation we have established to date.

In response, the future of open banking will build on the existing TPP Guidelines in addressing all aspects of consent and permissions, paying particular attention to the codification and purpose of data sharing.

Codification of consent

A codified approach to consent could, if done well, bring data protection laws to life in a more meaningful way to the benefit of consumers and TPPs alike. We will be working with the Information Commissioner’s Office (ICO) to explore relevant best practice, which interestingly already makes a series of recommendations about what information should be included within a data sharing agreement. These recommendations include:

• The purpose of data sharing
• Other organisations involved in the data sharing
• What data items will be shared
• The lawful basis for sharing (for GDPR)
• Inclusion of special category or sensitive data
• Access and individual rights of the consumer
• Information governance arrangements (such as accuracy of data, the deletion of data, termination of data sharing and complaints management)
• Review periods for the agreement

We’ll be exploring the feasibility and design of consent capture as well as the feasibility of enabling traceability and auditability. This, of course has far-reaching consequences as it will reveal the potential for a consent standard – possibly with the associated API specifications and metadata.

Put simply, this is a very exciting time for shaping the future of consent for services, alongside the use of data. These components could result in really effective consent management dashboards, by establishing a foundation for the transparency, tools and controls, that consumers will require to feel confident about how their data is being used.

This work will go deeper than Customer Experience as we’ll be building on the best practice Operational Guidelines already published. There are process and procedural implications when considering data that is onward shared across the provisioning chain, and we want to ensure that all parties have access to information on applicable regulatory considerations and best practice.

Progressing together as an industry

Today, we are standing on the frontier I mentioned earlier. We are charting a way forward into exciting new opportunities and looking for the right way for consumers to stay protected and informed, with greater control of their personal data. We’re looking for strong benefits and above all, Trust.

This activity must work for the ecosystem, whether TPP, ASPSP or non-regulated parties that combine to enable open banking to thrive and succeed. After all, if it doesn’t work for the market, it won’t deliver to the consumer. Therefore, I’ll leave you by urging you to be part of this discussion and help to shape what the OBIE does in this space.

The consultation on this work will start in July and run for two months. Let’s be bold in our ambition, because if this is done well consumer trust will be high and propensity to use OBIE enabled services will therefore continue to climb – key ingredients of a successful data-sharing economy and setting the bar for data sharing across other sectors and markets.

Miles Cheetham

May 2020