Open banking in the UK has been one of the big winners of Brexit. The UK has quickly become a posterchild for open banking success, and that has a lot to do with how the UK government, the tech sector and the financial markets worked all together like grownups to go beyond Europe’s Second Payment Services Directive (PSD2) in the aftermath of Brexit.
However, open banking still has a long way to go to help advance financial literacy, expand trust, and increase engagement between consumers and financial institutions, writes Roxana Mohammadian-Molina, chief strategy officer at Blend, fintech investor and entrepreneur. A belated overhaul of UK data protection laws could propel our open banking industry to new highs.
The General Data Protection Regulation (GDPR) was adopted by the UK on the precipice of Brexit in April 2016 and came into force in May 2018. Since then, its impact has been clear – from high-profile fines against some of the largest companies in the world, to heightened consumer awareness of the importance of protecting data and the responsibilities of data processing companies.
But its critics, led by several Prime Ministers over the past five years, have consistently argued that the GDPR requirements are overly stringent and force excessive amounts of documentation on organisations, shackling businesses by unnecessary red tape.
Under Boris Johnson’s premiership, the government looked to introduce the Data Reform Bill, a new set of data protection requirements to replace GDPR and give organisations more flexibility around how they manage data risks.
But the proposed legislation was paused during the market turmoil that followed the ‘Mini Budget’. Now Rishi Sunak has an opportunity to breath new life into open banking by creating a business and consumer-friendly data rights regime that will help us create a new pro-growth and trusted UK data protection framework based on common sense. A long opponent of retaining GDPR, Mr Sunak has frequently voiced his commitment to growing the UK tech sector, slashing red tape, and supporting investment.
On the same page
On the surface, it might look as though open banking and privacy are on a collision course since the former’s definition is to provide third-party access to our financial data through APIs. But take a deeper look and it quickly becomes clear that open banking and data protection legislation have similar objectives – giving users and businesses greater control over their data.
The key word is consent. While GDPR aims to minimise all data sharing and protect consumers’ privacy at all costs, open banking is built upon the idea that financial institutions can enable third parties, generally fintechs, to instantly access consumers’ account information and offer new financial services as long as prior customer consent has been given.
It is easy to see the potential benefits of open banking: improved experiences for customers, new income streams for companies and a sustainable service model for underserved markets. It is also easy to see how this triple-win sits at the heart of what Brexit stands for, the pro-growth British society it is rooted in, and the agile and dynamic tech ecosystem it represents.
Taking back control of regulation
The business of regulating is a challenging job and achieving regulatory excellence even more so. But given the present crossroad we find ourselves in, the stakes of getting it right are very high. We need to work out what we need from a data regime framework over the next 10 or 20 years, if the UK and London are to remain leading centres of finance and open banking. It means our regulators will need be more forward-thinking, and really get to grips with data and the technology side of financial services more broadly, as well as being more pragmatic.
But let’s be clear, I am not suggesting, God forgive, that we go for a lawless data regime. Instead, what I am saying is that we have an opportunity to move away from a ‘tick-box approach’ to data protection, and instead focus on substance by simplifying certain provisions to enable innovation, particularly in open banking. That will help us remove the burdens of GDPR to create the most dynamic and agile data protection regime in the world.
Does that mean we need a basic framework to ensure consumers’ and businesses’ data are protected? It absolutely does. From obtaining consent to transfer personal data, to ensuring that the API through which financial institutions share that personal data with third parties meets security requirements, to ensuring that financial institutions implement the ‘right to be forgotten’ – consumers’ and businesses’ right to have their personal data erased.
As I’ve said before, the key word is consent. Of course, the risk is if the EU and other countries do not recognise any future data protection regime installed by the UK as offering similar protections, the flow of data between them and the UK could become severely restricted. This would have serious implications for businesses operating across markets. However, this risk can be mitigated by building a world-class data protection regime that fully supports our leading digital economy.
To conclude, Mr Sunak’s government has a real opportunity to create a business and consumer-friendly data rights regime that work better for everyone, and by doing so, to breathe new life into the UK’s Open Banking success story. To do that, the yin of regulation and the yang of competition need to achieve a harmonising balance that highlights our advantages over the rest of the world.
