Open banking, or the sharing of banks’ data with third-party service providers via a platform, could give Malaysians access to more innovative financial products and change the way they manage wealth.
Such platforms allow service providers — usually financial technology (fintech) start-ups — to access the banks’ data so that they can come up with new products and services in addition to providing their own comparative tools. This data could be product information related to the banks’ credit cards, personal loans and housing loans or even customer information such as credit histories and transaction records, which banks say can only be shared with third parties with the consent of customers.
In the UK, for instance, HSBC recently launched an app that would allow its customers to view their accounts at other banks. The HSBC Beta app will initially be available to 10,000 customers, who will be able to add up to 21 accounts on the app. From the data the app collects, it will be able to provide features such as spending analysis and alert users if they spend too much.
While there are currently no open banking platforms in this country, the Financial Technology Enabler Group (FTEG) — formed by Bank Negara Malaysia last year to spur innovation in the financial industry — is studying the open banking concept. RHB Banking Group is also looking into this area. Rohan Krishnalingam, the group’s chief operating officer, tells Personal Wealth in an email that the bank is “working closely with industry players and Bank Negara” in this regard.
Igor Pesin, partner and investment director at Life.SREDA, says local mid-sized banks are keen to explore the idea of open banking. “Second-tier banks in Malaysia are showing strong interest in open banking, partly due to the support of regulators and government bodies,” he adds.
“[Digital infrastructure start-up] BAASIS is working with one of them on a pilot project. For now, we cannot disclose the party with which we are working. We hope to reveal the details soon.”
Life.SREDA is a fintech-focused venture capital firm based in Singapore. In September, it entered into a strategic partnership with another venture capital firm — Leonie Hill Capital — to set up BAASIS. The new entity aims to unify and transfer financial and payment data from banks to fintech start-ups in a secure manner. Its main goal is to help banks and fintech start-ups work together to implement open banking.
Banks already sharing data
Even without an open banking platform, local banks are already sharing some of their product information with online aggregators on an individual basis. iMoney.my and Gobear.com are some of the online aggregators operating in the Malaysian market.
“Theoretically, these online aggregators have to approach each bank separately to acquire its consent to obtain this information. This requires a lot of work and is time-consuming,” says Clarence Chan, associate director at PwC Risk Services Sdn Bhd.
The sharing of product information with these start-ups, albeit in a less efficient way, has clearly benefited the consumer, he adds. “First, it allows you to make comparisons and discover products that suit you better. Banks would not do this as they cannot go to another bank, ask for information and make comparisons for the man in the street.
“Second, you don’t need to go to the bank branches to ask for information from bank tellers, who will share with you whatever they know about their products. The tellers could also push the bank’s products, which can be quite annoying.
“Or no one picks up the phone when you call the bank branch. You can probably get this information processed, summarised and tailored automatically to meet your needs via a mobile app or website before signing up for a product.”
Chan says if the open banking concept is implemented, the sharing of data will become easier and the financial industry will become more robust as a result. By being able to tap more data, fintech start-ups can provide better services to consumers.
For instance, if a fintech firm could efficiently tap the data pool of various banks (with the consent of account holders) to know what individuals have invested in with each bank, it would be able to consolidate the investments into a single investment portfolio. Then, the firm, with the help of artificial intelligence, could analyse the risks and returns of the portfolio and recommend the amount of funds to be invested and the types of products that could optimise their returns.
“Banks typically only assign dedicated relationship managers to its high-net-worth clients while the lower-net-worth clients may not be offered the same service. With open banking, fintech companies will be encouraged to develop channels that will enable banking services to be brought closer to consumers, improving the way they transact, save, borrow, lend and invest their money. Automated financial advice platforms are one example of this,” says Chan.
“This [robo-advisory platforms], however, requires consideration of other issues such as data privacy and security. Regulators have to find a way to balance innovation with these concerns if they were to enable such services.”
To a certain extent, the open banking concept represents the democratisation of personal banking information. It means personal information stored by banks could be used by third-party service providers in exchange for better services with the consent of the bank account holders, says Chan.
“Banks can limit the access to their information to only approved parties. With open banking, fintech firms would need to get the consent of the bank account holders. This means the decision on how the personal banking information can be shared remains in the hands of the individual consumer,” he adds.
The younger generation may not mind sharing their personal information if it means gaining access to more and better options. “At the end of the day, yes, we all need banks as they are very well regulated and have our trust. But do we need them to serve the masses [on the front end]? Or we would prefer to provide our information to a third party to have better service and experience? The younger generation tend to choose the latter. Open banking provides them a choice,” says Chan.
Pesin says banking data, including personal information, has remained within the banking system of many countries and is not shared. This has led to a lack of competition within the banking industry, he points out. When that happens, there is not much innovation in the products and services offered by banks. But fees and charges continue to rise.
“When the data remains with the bank, it is harder for businesses and individuals to move from one bank to another [as they do not have available information to assess their financial status and conduct the Know Your Customer verification]. Meanwhile, people and businesses also find it troublesome to go through the whole customer onboarding process of other banks to gain access to their products and services. So, they tend to stay with the same bank for many years. As a result, banks tend to operate relatively independently without much competition,” says Pesin.
With an open banking environment, data will be readily available to all banks and third-party service providers as long as they acquire the consent of the consumers. This will enable banks to assess new clients more easily. It will also allow consumers to switch banks more conveniently as they will be able to skip the lengthy onboarding process of filling in forms and providing documents.
“This would create stronger competition within the industry and banks will beef up their efficiency and improve the quality of their products and services. This is another aspect of how consumers can benefit from open banking,” says Pesin.
Challenges on a few fronts
With open banking, there are genuine concerns on the part of the banks and regulators in terms of giving third parties access to their data pool. Traditional banks are worried about the security of their customers’ information because when fintech firms extract data from the banks, it will be stored on the third parties’ servers. There will be a higher chance of the data being compromised.
“The safety and security of the customers’ data would not just be with the banks, which have high standards in terms of IT security and customer confidentiality,” says Krishnalingam.
A recent case that made the headlines
involved the loss of customer data. CIMB Group Holdings Bhd recently announced that it had lost some magnetic tapes that contained backup customer data. However, the bank reiterated that the leak did not occur online or involve any authentication data such as PINs, passwords or credit card security numbers.
Another worrying incident occurred last month. Local online forum Lowyat.net that 46.2 million Malaysian mobile phone numbers and other details had been hacked in a data breach that occurred in 2014.
Krishnalingam says one of the things being discussed is if a third party’s server is hacked and the customer data is leaked, which party actually owns the data and who should be held responsible for the leak. “Who really owns the customer data is still being debated. This will be an ongoing challenge as we move towards on open banking model.”
Pesin says this is partly why traditional banks with strong brand names are less willing to participate in the open banking space. They are worried that if anything happens, their brands and reputations will be affected.
He adds that these banks also prefer to serve their clients directly instead of through third parties, which will reduce their control of their clients. “These banks also want to make sure that their clients remain with them and them only.”
Meanwhile, there are concerns on the regulatory front about whether fintech companies have the capability to ensure that the money flowing into the financial system is clean. If not, it could lead to money laundering, says Brian Lim, senior analyst at Rainmaking Innovation Asia, a global cooperative of entrepreneurs that provides consultation services to corporates and co-invests in start-ups with them.
An industry player says the regulators could face a challenge in maintaining the fine balance between protecting the public and regulating fintech firms. Fintech start-ups, especially local ones, would not be able to survive if the regulations are too tight.
“Fintech start-ups will have to put in place good processes to filter money flowing into the system. At the end of the day, the money still flows through the banking system and poses a risk if it is not properly managed,” he says.
“Foreign fintech players that are backed by huge funders and already have a more mature business model should be capable of implementing such processes. But local fintech players could face problems.”
Banks and regulators will need a road map to address all the key issues in open banking, says Krishnalingam. “While application programming interfaces (APIs) are not a new thing, the readiness to adopt open banking requires an assessment of the readiness of the various parties. We also need to develop a proper, thoughtful road map to contemplate issues such as cybersecurity, customer confidentiality and banking secrecy regulations,” he adds.
“An open and market-driven approach has to be adopted. The regulations of open API banking has to be thoughtfully considered in these aspects.”
The trend is coming and it would be wiser for us to be forward looking and embrace it, rather than avoiding it, says Krishnalingam. “Competition drives innovation. It is imperative that Malaysia moves forward and solidifies its future and prepare for open banking — but in a safe and thoughtful way, where it is driven by market forces. Enabling open banking will allow the country to move forward in terms of digital adoption.”
What is open API and how is it related to open banking?
To understand how open banking works, it is important to know what an application programming interface (API) is. Put simply, it is a conduit for mobile applications (which could be built by third parties such as fintech start-ups) to communicate with banks’ servers, explains Clarence Chan, associate director at PwC Risk Services Sdn Bhd. “Its main purpose is to allow the server and app to grab data from each other in a standardised format.”
A YouTube video titled “What is API”, posted by MuleSoft Videos, offers a clear picture of how it works. Essentially, an API is like a waiter who links the diners with the kitchen.
The same thing happens between an online aggregator and the banks’ servers. A user looking to sign up for a credit card keys in information on the website. Then, the website pulls out relevant information from the bank’s server and suggests to the user several credit cards they can choose from.
Chan says APIs are not a new technology and have been used by banks internally for many years to retrieve data. This is known as an internal API.
An external APIs are used by banks to share information with approved third parties. From the perspective of the banks, it is considered an act of opening and allowing the access of banking data to business partners and third-party developers for them to build their apps.
The sharing of a bank’s data via an external API requires the third party to get the consent of the bank. And if the third party intends to extract data from several banks, it has to approach them separately for their approval.
The third party then develops different tools to engage with the APIs of the various banks as each API could be constructed differently. In such situations, the third party would require a lot of time and effort to retrieve the data. This could hinder other fintech start-ups from entering the financial market and innovating the industry, says Chan.
He says this is where an open API, which could be used to build an open banking environment, comes into play. “With open API and open banking, all banks will have a standardised API that allows third parties to tap their data. Of course, these third parties will need the consent of the bank account holders to use the data. But they are less likely to approach banks individually.”
In other words, an open API functions like a common platform for third parties to tap the banks’ data pool more easily and efficiently. An open API can be used across industries, government agencies and ministries, not just banks, says Chan.
“Government agencies, such as the National Registration Department, can have an open API that allows banks to conduct their Know Your Customer and anti-money laundering checks more easily. Meanwhile, the players in other industries could open up their data pool to more new players and start-ups so that they can create an ecosystem that will benefit the public,” he adds.
How the financial system can be more robust with an open banking structure
While the term “open banking” is fairly new in this part of the world, it is already a huge trend in developed markets such as the European Union and the UK.
Brian Lim, senior analyst at Rainmaking Innovation Asia, a global cooperative of entrepreneurs that provides consultation services to corporates and co-invests in start-ups with them, says the EU and the UK are currently establishing an open banking structure. “The emergence of the likes of online aggregators show that a country is in the first stage of establishing an open banking structure. Developed countries and regions such as the US, the UK and the EU have had them for many years and are now at the next stage. Today, there is the emergence of challenger banks in the EU and the UK that share their data more freely with fintech start-ups and work closely with them,” he adds.
Challenger banks, also known as neo-banks or digital-only banks, operate with a banking licence and are governed by the same regulations as traditional banks. Thus, the banks are able to take deposits from retail customers and provide them with loans and other financial products, just as the traditional banks are doing.
What sets the challenger banks apart from their traditional counterparts is that they offer their services to retail customers via the internet and mobile applications. They do not have a physical presence like the traditional banks.
Lim says challenger banks are sharing their information more openly with fintech start-ups than traditional banks. Thus, banks’ data is more openly shared today because of the efforts of this new breed of banks.
Clarence Chan, associate director at PwC Risk Services Sdn Bhd, says traditional banks could be willing to share their data with fintech firms and pass their front-end services to them. By doing this, the banks could reduce their distribution costs and focus on creating better products and systems.
Take a bank that partners an online aggregator. Instead of selling its products via its own distribution channel, the bank can focus on creating credit cards with attractive features for its targeted customers. Then, the people who visit the online aggregator can sign up for the credit cards as their features could be more appealing than others.
“Yes, the same pool of data is not only accessible by fintech start-ups but by the banks themselves. Banks can also invest in their own front-end system to acquire customers instead of via a third party. It depends on the strategies of each bank,” says Chan.
Ultimately, the emergence of challenger banks and the open banking trend is the result of technological advancements and the rise of millennials, he says. “The millennials and the younger generation are comfortable sharing personal data in exchange for better banking services and customer experience. They are also used to getting things done online via mobile apps,” he adds.
“Consumer behaviour has changed rapidly in the past few years, especially in the developed countries. And the banks and regulators are aware of this.”
These are the reasons why the Council of the EU passed the Revised Directive on Payment Services (PSD2) in November last year. In a nutshell, the PSD2-enforced open banking is to be implemented in the region by next year. This is done by regulators requiring banks to share their data with different parties. In fact, other industry players will also be obliged to share their data with third parties under the directive.
“The main aim of the directive is to create more competition for a better customer experience as well as giving consumers more choices when it comes to choosing a bank and financial institution that they would like to associate with,” says RHB Banking Group’s chief operating officer Rohan Krishnalingam.
In line with this, the UK’s Competition and Markets Authority (CMA) has issued a ruling ordering the nine biggest banks in the country to allow licensed start-ups to have direct access to their data. With the approval of account holders, third parties could extract readily available personal data such as current account transactions as well as electricity bill payments and mortgage histories.