Trust is essential for open banking to realize its full potential.
This is especially important as we quickly move toward an open-data economy where our financial information is increasingly shared between multiple, external parties.
And ultimately, this is the true promise of open banking. A technology-driven solution that enables the sharing of data not only between a bank and its customers but between any number of third-party services, other banks, retailers, and much more.
For the customer (whether retail, corporate, or an individual) this can result in an easier, faster, and more user-friendly experience. They’ll have more choice, more options, and more tailored offerings, which gives them greater control over their financial information.
Banks will be able to provide more services, expand their offerings, even monetize their customers’ data. It can also impact their bottom line. A 2017 Accenture report noted that banks that adopt an open banking model could increase revenue by 20 percent, while those that don’t, could lose 30 percent.
For financial service start-ups with immediate access to consumer financial data, they’ll be in a stronger initial position, be better able to innovate and create new revenue models. And for app developers, who use an application programming interface (API), the potential is limitless as APIs enable them to collect and utilize data to develop new services without customers having to access their underlying accounts.
For all institutions, simply having access to so much data can be extremely beneficial.
As with all disruptive models, open banking has its fair share of challenges and opportunities. But in the end, it all comes down to trust. Can customers trust all involved to keep their financial data secure? And yes, there’s also the generational divide to consider.
With younger customers more open to data sharing, they find open banking is more valuable to them. But the level of acceptance in older generations isn’t as strong. And as with online banking, it will take time and effort to have everyone fully accept open banking.
As new, game-changing opportunities are explored and the next important thing is being developed, it’s trust that will lead the way.
So, what exactly is open banking?
It’s the digital sharing of financial information with third parties via an API (secured according to PSD2 regulations). For banks and other financial institutions, specifically in the EU, this is mandatory. If a customer gives ‘explicit consent’ for the data to be shared, they must share it. For licensed third-party service providers, this means they can (using the API) develop financial services and applications utilizing the financial data of a bank’s customer.
A question of security
To build that trust, security is essential. It’s not surprising that many customers aren’t confident with sharing their account details, payments, and more, with a third-party provider. Even when the benefits include a faster, more convenient experience.
Within the European Union, these concerns prompted a relook at existing regulations. This led to the development of the second Payment Services Directive (PSD2), which impacts the entire European Economic Area – and its 31 countries/regions. While the first PSD was largely about instigating uniform payment services across the European Union (to help drive innovation, competition, and increase transparency), the PSD2 (as noted by the European Central Bank) “supports innovation and competition in retail payments and enhances the security of payment transactions and the protection of consumer data”.
This protection comes through the use of open (or public) APIs – and that banks must leverage Strong Customer Authentication (SCA) – which is basically ‘two-factor authentication’ to prove a customer is who they say they are. Also, based on PSD2 regulations, only licensed third-party providers can build financial apps and services.
Keep in mind!
These regulations are only for the European Union. Most countries, the United States in particular, are yet to develop such strong nation- or region-wide regulations.
Providers are also regulated and can only provide one of two services: Account Information Service (AIS) and Payment Initiation Service (PIS). Both services handle the customer consent that is required to access open banking data but do so in diverse ways. Becoming a regulated provider is also a tough process. In the United Kingdom, for example, you must undergo a rigorous application process with the Financial Conduct Authority.
AIS brings together a customer’s accounts across multiple providers and delivers the information from within a single interface. PIS commences payments from a single access point, using any account of the customers for payment. Payments are confirmed using Strong Customer Authentication.
The directive also specifies that third parties must capture and store consent from the account holder. Having that consent is essential.
But how to gain it when there is still a clear need to change the public’s perception when it comes to their data and open banking?
A recent Simon and Kucher Partners’ report highlighted the difficulties in building trust. With a focus on data sharing the report noted “an overwhelming majority or 75 percent of bank customers said they are unlikely or very unlikely to allow their banks to share their account information, transaction history, funds overview and other data with third parties.”
Working on your assets
Anyone that wants to develop an open banking solution is under immense pressure to ensure their solutions can earn the trust of consumers.
One key step is placing a strong focus on authentication.
As open banking steadily grows in popularity, there’s little doubt that hackers, cybercriminals, and all colors of fraudsters, will be targeting users through the APIs to gain access to their data. For banks, in particular, mitigating fraud is important, especially as third-party access to accounts increases.
Such authentication must apply (as per the PSD2) every time a customer accesses their payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of payment fraud or other abuses.
Developing this can be a complex, arduous process. Not only is two-factor authorization required, so is a user-friendly interface. Then there’s the need to develop methods that are flexible enough to comply with existing requirements, deal with cross-border differences, and change with ever-changing regulations. Appropriate quality assurance, user experience, and usability testing can remove a lot of stress at this stage.
Quick tip!
One method of compliance is through Fast Identity Online (FIDO) authentication, which leverages a range of on-device verification methods, including biometric capabilities, combined with strong cryptographic authentication.
The challenge is made even more complex when enabling secure, easy, and transparent access to different banks and markets through a single interface. Especially as all have different systems, processes, and standards. If one institution’s nomenclature is radically different from another, can the unified system cope?
Securely linking data via AIS and enabling transactions with PIS for multiple bank accounts within one interface has clear benefits for banking customers. As it does for developers of such a service, where their application becomes the ‘go-to’ hub for customers wanting to manage and control their linked accounts.
In addition to simply viewing data, one of the biggest benefits to open banking is the ease of making a transaction. Today, many retailers already allow small transactions by letting shoppers simply swipe their card – with no need to input a PIN. However, with the range of different payment types available, and whether they’re high or low transactions, recurring, domestic, or international, card on file, require SCA, etc., priority must be given to providing an adequate test coverage; particularly when using an open API that may be used across multiple devices.
Validating that the API can be accessed via an appropriate physical device and that data is securely sent and received is vital: whether it’s web to mobile (and mobile to web), mobile to mobile redirection, or going through an AIS or a PIS.
This is where a robust testing approach is essential.
If you test it, they will come
Open banking and the technologies that are driving it are highly disruptive.
This is resulting in a range of operational changes and new systems being quickly incorporated alongside legacy solutions. Banks are having to shift from a siloed approach to one that is far more open – and all while trying to develop open banking solutions that keep them ahead of the competition.
And this means testing is vital to ensure any open banking solution works as intended. Is it secure? Does it perform correctly/quickly enough? Is end-to-end testing carried out with third parties? Are consent and AIS, PIS, and fund confirmation validated? Does everything conform to regional guidelines and regulations – do you know if the UK’s Open Banking Implementation Entity’s regulations differ from the EU’s PSD2? Can a traveler from the US connect to their bank(s) while in the UK?
But most importantly, are you confident your solution will work once it’s released into the real world? All involved need to know, for example, that your payment process will work across devices and that all authentications are correctly triggered. This alone requires substantial testing before any solution is released.
When a single error can erode customer trust, you need to get it right the first time.
At Testbirds, we’ve been working with many banks and merchants as they’ve prepared for PSD2 and understand the difficulties involved in getting their solutions right – and released on time.
Through our range of crowdsourced testing services, utilizing over 500,000 testers on more than 1,500,000 devices, we can perform multiple transactions to validate your PIS, AIS, and SCA, across an extensive range of payment types. If you’re entering a new market, we can also use one of our test cases to run through a range of scenarios.
Such testing usually takes place on a monthly (recurring) basis to cover new devices, changes to the product, regulations, and more. This is especially important when new features are to be released. You need to know they work across payment types and exactly where you need them to.
Grow your trust fund
When one negative experience can stop someone from visiting a store, looking at a website, or reusing an app, ensuring your solution meets their needs is important. Especially when it comes to their highly personal financial data.
It may take years to build trust, but it could take one rejected payment for a customer to walk away.
As open banking becomes more widespread and adopted throughout the world, the greater the need to constantly, and thoroughly, test each product. Not just to identify and fix bugs before release but to be assured that it works with your existing legacy systems.
It’s also an excellent way to smooth out any user experience issues. By testing a range of scenarios on multiple devices you can best prepare for any situation your customer may face. You should work out any problems first, not let an annoyed customer do it for you. And, of course, to ensure your solution is PSD2 compliant, security and reliability testing is necessary.
Open banking presents many challenges. Building trust is just one of them. But to fully realize open banking’s potential, it’s an essential challenge you must solve. And with adequate testing, you can.
