Jo Spencer 07 Jun. 2022
John Phillips 07 Jun. 2022
Digital Trust
Open banking is no longer something ‘out there’ in the future. It’s here. And it’s set to shake things up.
When the Customer Data Right (CDR) was introduced in Australia in July 2020, the banking sector was chosen as the first market for the rollout.
10 months after its introduction, there are only 14 accredited companies listed on the Government’s “find a provider” portal. However, there’s a backlog of industry interest. A report by two of the fintech industry players, Frollo and NextGen.Net, The State of Open Banking In Australia, found that 71% of financial industry representatives surveyed planned to use CDR, over half of these within the next 12 months. This mirrors the UK Finance Sector’s experience with Open Banking; not much changed for the first few years, then things got rolling.
Right now, with little to no uptake and limited industry activity in Australia, the CDR implementation model isn’t being stress-tested. There’s a risk increased participation and additional services will highlight unintended consequences and weaknesses in the current solution design. Whether you see CDR for open banking as reasonable or unreasonable, once CDR is rolled out across other sectors, things will get much more complex for industry participants and customers.
We believe there are better ways to implement CDR that could hold the key to resolving these issues.
But, before we get into that, let’s back up the bus.
The stated goal of the CDR is to give consumers choice and control over how their consumer data is shared, so they can compare and switch between different offerings. In doing so, it also aims to increase innovation and competition by opening up the data held about us by a few companies to many companies.
Consumers who choose to use the CDR can share their account and transaction information from a current data holder to an accredited data receiver of their choice using transfer mechanisms called Application Program Interfaces (APIs).
Some are using the terms ‘CDR’ and ‘open banking’ interchangeably, but open banking is just one way the CDR can be applied – in this case to the Financial Services sector. The Energy sector and Telecommunication sectors are next in line for the rollout.
Basically, open banking allows banks to share their product and services data and customers to securely share their banking details and transaction information with other accredited banks and fintech organisations on a once-off or on-going basis. The idea being that the receiver of the information can then use this to offer better services to the customer.
It would work like this:
A customer, let’s call him Joe, has had an account with TrustUs bank for some time.
Over time, TrustUs has collected CDR related data about Joe from two key sources:
NewCo, a Fintech company and an Accredited Data Recipient, offers a service to Joe that requires access to (some of) Joe’s CDR data currently being held by TrustUs.
Joe decides to see what NewCo can offer and wants to give them access to his CDR related data which they can access using a standard set of APIs. He gives consent, via a consent ‘dashboard’, provided by TrustUs, for TrustUs to release that data to NewCo. The consent given by Joe allows TrustUs to share the data with NewCo once or multiple times over an extended period.
Open banking would make it easier for customers to shop around for better deals on things like mortgage and deposit interest rates or even allow a comparison service or budgeting app temporary access to their data to match them up with products or services that benefit their combined personal financial situation.
With customers empowered with more choice and the ability to easily switch providers (not available yet but a future CDR capability recommended by a recent inquiry), a more free-flowing and competitive financial ecosystem is possible.
If you are working in, or with, the financial services sector, energy retail or telecommunications sectors you will be directly or indirectly affected by the CDR. But impacts go beyond mere compliance.
There can be real benefits to the CDR for businesses, especially in terms of attracting, onboarding and retaining customers. First movers who use the opportunity to improve their products and customer experience will gain a competitive edge. The extra level of transparency offered by CDR will also increase mutual trust between the customer and the product provider.
This isn’t just a retail customer opportunity. Businesses are also consumers of products from these sectors. Just like individuals, they can choose to use CDR to get better deals and increase profit margins.
The implementation approach adopted (consent management “dashboards” and special purpose APIs) will create a tangle of relationships and a consent management nightmare for both customers and participating organisations.
Ironically, a current data holder (e.g., a large bank) could gain more than they lose in terms of customer data. Not only do they learn which (potentially competitive) companies their customers are interested in, their customers could also find themselves locked into arrangements via an entanglement of consents. The risk is the benefits of a competitive environment won’t be realised and we’ll end up in a worse place than when we started.
Bottom line: the existing model is too complex, won’t achieve its objectives, and will create a consent management nightmare.
We’d recommend an approach based on customers sharing the bare minimum of their data when they want to that uses a global standard and solution based on W3Cs Verifiable Credentials.
In this scenario, consumers would hold a ‘digital wallet’ containing their personal data and product/service arrangements; verifiable credentials provided and authenticated by the relevant authority – things like drivers’ licenses, utility bills and bank account details. They become the data holder, managing consent and access themselves.
The current CDR approach to sharing data allows all the transaction data relating to accounts to be shared. The receiver can see deep into the soul (and purchase activities) of the customer. Ideally, only specific shared data sets (desensitised, either as a credential or using an API) should be shared, providing only enough information to support the proposed service by the accredited data recipient (NewCo in our example).
Also, once the data is shared, it’s impossible to “tag” it and track where it goes on from there. This allows technical intermediaries to make it “easier” to access and use these APIs. It also, however, introduces further risk into the process and hides who’s using the data and for what.
Putting consumers at the centre of data management would make open banking better and make the CDR rollout across other sectors easier, safer and more transparent. The original intention of the CDR can then be realised.
The CDR has its heart in the right place, but we need the right implementation model to make sure customers and businesses reap the potential benefits, while preserving the security and privacy of customer information.
So, let’s have the conversation. What are your thoughts on the existing model? What other options should be put on the table? Contact us on [email protected] to continue the conversation, or [email protected] to talk to one our CDR or verified credentials experts.
It’s timely to think about how you share, because the unintentional consequences could be dreadful and long-term, if you don’t take sensible precautions. I’m not talking about Covid-19, this time, but about sharing your personal information, like bank account details.
In this whitepaper, we’re showing how SSI can make a massive difference in solving current challenges in Financial Services across the globe.
