Open Banking
The ongoing global transformation from analog to digital began, arguably, with the invention of the first computer. For the purposes of this article, digital transformation refers to the integration of traditional business processes and digital technology.
The internet’s journey from relatively obscure technology to, as it were, a ubiquitous household service, along with always-on access since the advent of smartphones, has powered rapid digital transformation; now big business is paying attention.
From the early implementation of online banking to today’s complete online financial services platforms, the financial services sector has always been a pioneering force in digital transformation. Until recently, a bank’s digital financial products could be accessed online only via the bank’s digital platform, seriously inconveniencing consumers utilising the products of several banks simultaneously. Now, however, technology developed by fintech providers allows consumers to access all their financial products and perform all transactions on a centralised digital platform in accordance with financial services regulations.
The Open Banking Concept
Conceptually, open banking implements a secure channel through which an individual’s bank-held financial information can be accessed by certain third parties to facilitate financial transactions – with the individual’s consent, and primarily through application programming interfaces (APIs) and similar means. Thus, for the benefit of consumers, open banking breaks the longstanding institutional monopoly of banks over consumer data and encourages competition within the sector.
Within the financial services sector, potential benefits of widespread implementation of open banking APIs include:
- allowing consumers to aggregate their accounts and conveniently conduct all transactions using an efficient single platform;
- helping lenders to evaluate an individual’s credit risk and offer appropriate loan products;
- encouraging development of new analytical products;
- allowing auditors to more easily access an individual’s financial data;
- providing a convenient, single platform for managing recurring consumer payments;
- reducing EFT and wire fees;
- providing an avenue for user-specific, user-targeted budget guidance; and
- making it easier to open and close accounts.
Potential benefits of open banking extend beyond financial services, including facilitating the generation and presentation of tailored products – eg, housing, shopping, education, and transportation.
Open Banking in the Fintech Market
Fintech, or the Financial Technology Industry, uses the combined resources and know-how of the financial services and technology sectors to provide enhanced, improved, convenient, fast, and user-friendly digital financial solutions.
According to Allied Market Research, overall, open banking generated revenue of USD7.29 billion in 2018; by 2026, revenue is projected to reach USD43.15 billion, representing year-on-year growth of 24.4% for the period. Within the marketplace, banking and capital markets produced the lion’s share of open banking revenue in 2018, due to a surge in new services. The payments segment is projected to see year-on-year growth of 27.3% through 2026, due to the increase in consumer use of digital banking platforms for initiating debt payments. Accordingly, open banking is poised to power rapid growth in fintech.
Recent Developments Due to COVID-19
Lockdowns, quarantines, social distancing, and similar COVID-19 pandemic restrictions have resulted in a dramatic increase in consumer demand for online services of all kinds; and specific to fintech, increased demand for online financial services and contactless payment platforms. According to a survey by Ipsos MORI and the Open Banking Implementation Entity, 50% of small and medium-sized businesses in the UK use open banking services; 60% of them due to the pandemic. Furthermore, according to the Open Banking Implementation Entity, during the pandemic the number of open banking users in the UK increased from one to two million.
The extent of open banking penetration in Turkey cannot be meaningfully estimated at present. What is certain, however, is that digital banking in Turkey continues to expand at a remarkable rate. According to the Banks Association of Turkey, active digital banking customers totalled approximately 50 million in the period July–September 2019, and 63 million in the period July–September 2020; a dramatic increase attributable primarily to the pandemic.
Regulation of Open Banking in the EU
The Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (“PSD2”), amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, is the primary EU legislation on open banking. The initial EU directive on payment services was introduced in 2007. Thereafter, to address insufficient competition in the financial services sector and to improve consumer transactional security, a comprehensive set of amendments comprising PSD2 was enacted into law on 13 January 2016. EU member states were given a two-year window for internal implementation.
Notable PSD2 provisions open parts of the financial services market to third-party payment providers by allowing them access to bank-held consumer financial data. PSD2 provides that banks and other financial institutions holding consumer deposit accounts, accessible online and set up for online payments, are permitted to give third-party financial services providers access to data associated with those accounts.
PSD2 contemplates two primary third-party services, namely:
- Payment Initiation Services (PIS); and
- Account Information Services (AIS).
PSD2 defines PIS as “a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider”. PIS simply facilitates interparty online payments and EFTs.
PSD2 defines AIS as “an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider”. With AIS, consumers can manage their aggregate financial affairs on a single platform and without institutional limitations. Thus, AIS facilitates effective financial affairs management by presenting consumers with a complete financial picture.
The key concept enabling third parties to participate in financial services, and thus to compete with banks and other financial institutions, is, as explained above, the obligation of banks to open their financial services and data to third-party applications. However, under PSD2, the use of these services depends on the explicit consent of the user. PSD2 and the General Data Protection Regulation (GDPR) contemplate different aspects of explicit consent: the GDPR deals with it within the context of secure processing of personal data, whereas PSD2 does so within the context of open banking processes. PSD2 does address the secure transfer of personal data, eg, Article 66 provides that PIS/AIS user data obtained during provision of payment services may be provided to the payee only with the payer’s explicit consent.
Aiming to promote open banking through user trust in applications, PSD2 increases online fraud protection by requiring strong electronic payment security measures to safeguard consumer data.
Notwithstanding PSD2, EU fintech companies must register with and obtain a licence from competent member state authorities regulating capital and other requirements for market participation.
Regulation of Open Banking in Turkey
Banking regulations
The Regulation on Information Systems of Banks and Electronic Banking Services (“Regulation”), published in Official Gazette No 31069, dated 15 March 2020, and effective as of 1 July 2020, defines open banking as “[a]n electronic distribution channel where customers or parties acting on behalf of customers can perform banking transactions by remotely accessing financial services offered by the bank through API, web service [or] file transfer protocol, or give instructions to the bank to perform these transactions”.
The Regulation applies only to bank-offered services, and open banking is addressed only in an article which provides, in the relevant part, that one-factor authentication may be used for open banking, provided that communication between the bank and the consumer or consumer’s agent is secured by, among other data protections, end-to-end encryption; and that the Banking Regulation and Supervision Board (“BRS Board”) in its discretion may determine the universe of open banking services and regulate same.
Since open banking services are included in the Regulation’s definition of electronic banking services, its provisions on electronic banking services are also applicable to open banking services.
Payment regulations
In Turkey, AIS and PIS, considered basic services under PSD2, are regulated by the Law on Payment and Securities Settlement Systems, Payment Systems and Electronic Money Institutions No 6493 (“Law No 6493”), which, though originally intended to align with the initial EU Payment Services Directive, as amended (amendments effective as of 1 January 2020), includes AIS and PIS in its definition of payment services (see Law No 6493, Article 14), thus placing them under the rubric of open banking.
Article 14 of Law No 6493 makes licensing mandatory for open banking service providers wishing to participate in the marketplace. Licences are issued by the Central Bank of the Republic of Turkey (CBRT) which, under Article 14/A of Law No 6493, regulates AIS/PIS data-sharing among open banking service providers. Although secondary legislation has yet to be enacted, the CBRT has prepared draft AIS/PIS regulatory guidelines.
The Communiqué on the Management and Audit of Information Technology Systems of Payment Institutions and Electronic Money Institutions (“IT Communiqué”) governs management and auditing of IT systems maintained by open banking market participants, and imposes certain obligations on payment institutions, including open banking companies, eg, preparing policies, conducting risk assessments, assigning duties, and authenticating identities. In addition, payment institutions are required to store transaction logs for three years before disposing of them. Furthermore, the IT systems of payment institutions are subject to biennial independent audits.
Of note, particularly for foreign players seeking entry into the Turkish open banking sector, primary and secondary payment institution systems must be housed in Turkey.
Outsourcing is also regulated by the IT Communiqué.
Personal data protection
Data protection is the foundation of consumer trust in systems that process personal data. Personal data is protected by strict laws permitting processing only if necessary to carry out an intended and agreed upon consumer service. If the data is special category personal data, then explicit consent to process it is required. Otherwise, provided processing is narrowly tailored, explicit consent is not required.
Notification of data subjects is crucial in open banking. Data subjects have the unequivocal right to full disclosure regarding processing of personal and financial data. In particular, where provider performance requires data processing beyond mere monitoring of accounts or initiation of payments, the data subject must be given prior notice with adequate detail in clear, easily understood language.
In cases of data breach, open banks are liable as data controllers. Currently, it is unclear whether, in the absence of a services agreement between bank and consumer, a bank must provide data to an open banking services provider. This is a material divergence from PSD2, which prescribes such access. Accordingly, under Turkish law banks may, in the interest of data privacy, refuse to allow service providers to access consumer data. Furthermore, unlike PSD2 which mandates certain third-party access to bank-held consumer data, under Turkish law it is not clear whether, even with explicit consent, a bank is obliged to share consumer data.
What is missing/awaited?
Open banking is developing in Turkey. Full implementation is not expected before the enactment of secondary legislation, in which the BRS Board is expected both to specify permitted open banking services and present a regulatory scheme; while the CBRT is expected to promulgate a regulatory scheme for open banking data transfer.
Furthermore, since a functioning open banking system requires mandatory data-sharing with service providers – according to PSD2 – and since Turkish law does not provide for this, amendments to Law No 6493 are expected. It is noteworthy, and perhaps indicative of future developments, that CBRT’s most recent draft regulations conform to PSD2.
Moreover, in due course, amendments to the Law on Personal Data Protection No 6698 are expected to align it with the GDPR and – in the context of open banking – address, among other things, consumer data portability and joint data controllers.
*This content was originally published in Chambers and Partners’ Fintech 2021 Guide.