ING Viewpoint September 2022
Open Finance: a blueprint for more customer control over financial data
We envisage a future in which people are in complete control of their personal data, financial and otherwise, determining who has access and for which purposes.
In such a world, businesses will focus on offering differentiating services based on data the user chooses to make available. At the same time, certain internally generated data, beyond those directly provided or generated by the user, should remain the intellectual property of businesses.
The free flow of data provided and generated by the user, under their control, will help to build better services, promote European innovation, empower users and result in more efficient digital markets.
Ron van Kemenade
Chief Technology Officer ING Group
Few European citizens feel they have complete control over their personal data, despite the General Data Protection Regulation (GDPR) providing a framework for the processing and porting of these data across the EU. This lack of data control limits citizens’ freedom of choice, reduces competition, and prevents innovative services from flourishing. This is also true for the financial sector.
Granting customers better control over the data they provide and generate by interacting with financial service providers is beneficial for all parties. It would provide customers with a more comprehensive overview of their financial situation, based on data from banks and other financial services entities. It would also allow the financial sector to become more competitive, and support the development of innovative data-driven businesses. As a result, customers can be offered a wide range of products, compare them with ease, and receive timely, competitively priced and bespoke advice based on their personal situation.
ING has consistently advocated for a cross-sectoral EU framework for real-time, near-instant personal data management. Beyond data portability requirements for Big Tech companies under the Digital Markets Act (DMA), the EU regulatory agenda is now focusing on Open Finance: a data sharing model for financial data. While we welcome data portability spanning the entire financial sector, we continue to believe in the merits of an economy-wide Open Data framework. This paper sets out the conditions for an effective digital finance market, and outlines key principles for developing an innovative and customer-centric “Open Finance” framework.
The limitations of data portability under GDPR and PSD2
GDPR gives people the right to port their data. This user control, however, is hindered by practical limitations. Requested data may be delayed, are limited to a snapshot of past history, and lack interoperability with other platforms. The lack of real-time user data control leads to vendor lock-in and limited usability when intending to change or combine service providers. Open Banking under the Payment Services Directive (PSD2) provides an alternative approach, under which customers may grant standardised real-time data access to regulated third parties. PSD2, however, is limited to payment account data whereas GDPR has a broad scope (all personal data).
PSD2: a prelude for Open Finance
As PSD2 enabled the first experiences with user-controlled real-time data portability, its implementation contains helpful lessons that should be addressed when considering next steps in data portability.
Lessons from PSD2 for real-time data portability
- Ensure real technical standards. The ecosystem should converge on market-led, standardised APIs and parameter sets as this allows third parties (TPPs) to access data in a uniform way (through plug and play). Having clear, binding standards will help TPPs to create scalable solutions, and bolsters security and efficiency for customers.
- Supervisory harmonisation. Account Information and Payment Initiation Services under PSD2 are licensed and monitored by national supervisors, and governed by a nationally transposed Directive. Combined with passporting, this leads to a fragmented landscape in which providers in the same market may be subject to different home supervisors, each applying their own interpretation and prioritisation. Supervisory harmonisation is key to promote a single digital market, increasing choice for customers.
- Consumer trust. For Open Finance to really take off, customers need to trust that third parties accessing their data will use only what is needed to provide a given service, and will ensure data privacy and security. Revocation of access should be made easy and the availability of dashboards for data access management would help users.
Key principles for consumer-centric Open Finance
We believe people should be in control of their own data. Customers should be able to freely choose which party to port their data to in a real-time, continuous and standardised way. To establish such a framework for the financial sector, there are five important principles for regulators to keep in mind:
Open Finance must be secure
PSD2 introduced additional safeguards on top of GDPR. Firms must be licensed, customers’ explicit consent is required, and there are further rules, for example on (re-)authorisation. PSD2 also pushed against less secure methods to collect data such as screen-scraping. Open Finance should have sufficient built-in safeguards from the outset, as more businesses join the European data sharing economy. European digital identity wallets are one example of a tool that could help users stay safe and secure.
Embedding Open Finance in the wider rulebook
Open Finance is one component of a wider digital finance regulatory framework. It should collaborate with other components, such as the European framework for digital identities, which provides users with trusted and easy access to different services, while respecting data minimisation principles. The EU DMA recognises the importance of data as a competitive factor and takes vital steps in strengthening data portability obligations for gatekeeping digital platforms.
Small business users in scope of Open Finance
Many of the benefits of Open Finance for citizens would also apply to SMEs. They could, for example, benefit from porting their data to access better financial services, to switch providers, or for accounting purposes. Large corporates have more bespoke characteristics and needs, and should remain out of scope.
All financial data in scope
Customers do not distinguish their data based on which entity holds it. Hence, an entity-based regulatory approach lacks clarity for end-users and risks creating competitive distortions. Moreover, benefits of Open Finance can only be fully reaped if all observed and user-provided financial data are in scope. A case-by-case regulatory approach, prioritising certain use cases, should be avoided. This also means that any future financial services, e.g. those related to crypto, stablecoin and the digital euro, should be in scope from the outset.
Compensation for infrastructure costs
Building the infrastructure to enable data portability requires innovation and significant long-term investment. A key incentive for firms to do so will be reasonable returns on their investment. This should be done under FRAND conditions. In line with Data Act Art.9, the compensation that data holders charge for making the data available should be paid by third parties receiving data, not by the end-user or consumer. To ensure that the user is in full control of their data, data themselves should not be paid for.
Compensation for telecom local loop access
The idea that institutions should receive fair compensation for providing a sharing infrastructure has been applied before. In 2000, Regulation 2887/2000 established the right of access to copper telecom networks for competitors without their own infrastructure. Importantly, this regulation also established that network providers should receive fair compensation, to ensure continued investment in infrastructure. Pricing by providers should be “transparent, non-discriminatory and objective, to ensure fairness”.
A financial sector-spanning Open Finance framework will put consumers at the centre, allowing them to control their own data and to choose the most suitable products and providers. We recommend the following:
- Seek consistency between Open Finance and related frameworks: GDPR, Data (Governance) Act, EU digital identity, PSD2, DMA, Regulation on Crypto assets and a possible digital euro.
- Ensure institutions receive fair compensation for their investment in data portability infrastructure.
- Implement Open Finance sector-wide, rather than focusing on restricted use cases.
- Implement real-time and continuous data portability using standardised technical specifications.
- Expand the scope of Open Finance to include small business users as well as individuals.
- Make Open Finance a Regulation and ensure harmonised supervision at the European level.