[Kishan Gupta is a B.A. LL.B. (Hons.) student at Dr. RML National Law University, Lucknow and Managing Editor of the RMLNLU Arbitration Law Blog]
Understanding Open Banking Standard
Until now, the names of large banks like SBI, ICICI and PNB were considered synonymous with the custodians of customers’ financial data. Generally, these traditional banks store customers’ financial information for their own use and cite various reasons for not sharing it with competing banks or other service providers, with “privacy concerns” being the most dominant one. However, the rationale behind taking such a stance is simple: why should the banks share all these invaluable insights when they have had to invest a huge amount of resources to obtain them?
The answer to the above question lies in two initiatives. The first is the UK’s Open Banking Working Group (OBWG), launched in 2015 to explore the ways in which customer-controlled access to financial data can be used to benefit not only the customers but also the banks which, until then, had acted merely as depositories of financial information. Around the same time, the European Union’s (EU) Revised Payment Services Directive (PSD2) entered into force in January 2016 (with most of its provisions applying from January 2018). PSD2 requires banks in the EU to be transparent about fees and conditions, so that customers can compare their services, and, more significantly, to permit their customers to share payment-account data with, and initiate payments through, licensed third-party providers, hence leading to an “open banking” era.
As the term itself suggests, open banking is a co-operation model in which the banking information of customers, for instance account and transaction details, borrowing or lending frequency, borrower’s health vitals, etc., is shared with third-party companies providing financial services. The bank financial data of customers is made ‘open’ to unaffiliated financial companies like fintech firms and aggregators, only with the prior consent of such customers. This is done with the wider objective of enhancing the capability of the finance and banking sector by devising innovative, customer-friendly products, software and services.
The sharing of the data takes place through open application programming interfaces (APIs) established by banks, which can be understood to mean the communication protocols and tools for building brand new products or software. These APIs ensure interoperability of software of different companies: they grant the software or applications of fintech firms or financial service providers access to the financial data stored in the core banking software of banks, thereby helping such providers in carrying out specific functions related to the banking data and creating customised products and services. Further, banks do not have anything to lose by exposing a controlled API layer over their core systems (rather than the core systems themselves) for others’ use, as partnering with fintech firms offers them access to new and untapped customer segments (like students, migrants and small shop-owners) as well as improvement of their own banking operations, hence resulting in cost reduction. Such collaborations also save these traditional banks from the trouble of mobile app development, maintenance, support and customer service, as they work in the background as a facilitator while the front-end is held by fintech firms with their customer-friendly services focusing on customer engagement and interaction.
Open Banking: The Indian way
India stands out from the rest of the world when it comes to the implementation of an open banking framework. While PSD2 is only about payment accounts, the concept of open banking was endorsed and adopted by Indian regulators and market participants in two separate stages: one in relation to payments and the other with respect to the sharing of financial data. The former is implemented through the Indian Government’s unified payments interface (UPI), which has largely been successful so far, and the latter is managed by non-banking financial company – account aggregators (NBFC-AA), as notified by a 2016 master direction issued by the Reserve Bank of India’s (RBI) Department of Non-Banking Regulation, and is yet to be implemented by major banks.
UPI is an instant real-time payment system which allows users to perform inter-bank money transfers and pay retail merchants directly from their bank account through innovative mobile applications like Google Pay, PhonePe, Paytm and BHIM. These applications operate through an API for banking services (the UPI API) exposed by around 150 banks in the country (also called “UPI Enabled Banks”), thereby changing the conventional way of retail banking. By contrast, an NBFC-AA acts as a facilitating or interoperability link between a bank, i.e., a financial-information provider (FIP), and a fintech firm, i.e., a financial-information user (FIU). It is an RBI-licensed entity which provides the service of retrieving or collecting the financial information of an individual from FIPs and consolidating, organising and presenting such information to FIUs. Generally, the FIU will use the data received from NBFC-AAs to offer unconventional financial services and products dealing with online lending, robo-banking, etc. However, despite such clear RBI directions, most of the banks (except a few like Yes Bank and Ratnakar Bank Ltd.) are reluctant to open up to the idea of NBFC-AA. Be that as it may, the full adoption of the NBFC-AA infrastructure presents an exceptional opportunity to fintech firms, banks and other financial entities to innovate and transform core services.
But What about Data Privacy?
With such a smooth flow of financial data between different enterprises, one is bound to question the measures that the banks are adopting to ensure data privacy and security. Therefore, ‘customer consent’ has been made the bedrock principle of an open banking framework. To simplify, since data ownership is the reason that led to the advent of an open banking standard, strict privacy laws requiring prior customer consent have been made a pre-condition before sharing a customer’s data with external parties. For example, the European regulators under PSD2 require strong customer authentication (at least two independent factors) for electronic payments, subject to limited exemptions. Similarly, in India, the Ministry of Electronics and IT (MeitY) is conscious of the necessity ‘to protect the autonomy of individuals in relation with their personal data’. Like the EU General Data Protection Regulation (GDPR), the Personal Data Protection Bill, 2018 proposed by MeitY qualifies ‘financial data’ as one of the categories of ‘sensitive personal data’ which requires the ‘explicit consent’ of the data subject before the data is processed by any entity. On similar lines, the 2016 RBI master direction also mandates an NBFC-AA to obtain the ‘explicit consent’ of its customers before transferring their data to any FIU. One cannot over-emphasise the fact that banks are only the custodians of customers’ data, not the owners.
Furthermore, it should be noted that the financial data shared through these APIs is not anonymised: a lender or aggregator can only act on account-level data that identifies the customer, so anonymisation would defeat the purpose. Instead, the safeguards are that the data is transmitted only over encrypted channels, that the release is bound to the scope of the customer’s consent (which recipient, which data, for what purpose and for how long), and that banks monitor the requests and responses of the API, which also provides them with useful analytics on how the API is being used by each applicant and lets them spot misuse.
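The consent-bound release and request logging described above, as an added example that is not part of the original post, the RBI directions or any real account-aggregator implementation. The shape of the consent artefact, the identifiers (customer, FIU and consent ids) and the account records are all constructed for illustration; the point is that every release is gated on a scoped, time-bounded, revocable consent and that every request, granted or denied, leaves an audit record:

```python
"""Consent-bound release of account data through an open-banking style API.

Added example, not code from the article, the RBI directions or any real
NBFC-AA implementation. The consent-artefact fields, the identifiers and
the account records below are constructed for illustration only.
"""
import time
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Consent:
    """The customer's explicit consent as a bounded, scoped artefact (assumed shape)."""
    consent_id: str
    customer_id: str
    fiu_id: str                 # the one recipient the customer approved
    data_types: FrozenSet[str]  # account types the customer agreed to share
    purpose: str                # why the FIU wants the data (recorded for audit)
    expires_at: int             # Unix seconds; consent must have a bounded life
    status: str = "ACTIVE"      # the customer may revoke at any time


# Constructed FIP-side records. The data is identifiable (masked account
# number, real balance): it has to be, or a lender could not use it. The
# protection comes from the consent check and the audit trail below.
ACCOUNTS: Dict[str, List[dict]] = {
    "cust-001": [
        {"type": "DEPOSIT", "masked_number": "XXXX1234", "balance": 52000.0},
        {"type": "TERM_DEPOSIT", "masked_number": "XXXX9876", "balance": 300000.0},
    ],
}

# Every request, granted or denied, leaves a structured record the bank can
# monitor for misuse (the request/response monitoring the text describes).
AUDIT_LOG: List[dict] = []


def _log(outcome: str, consent: Consent, requesting_fiu: str, reason: str = "") -> None:
    AUDIT_LOG.append({
        "ts": int(time.time()),
        "consent_id": consent.consent_id,
        "customer_id": consent.customer_id,
        "requesting_fiu": requesting_fiu,
        "outcome": outcome,
        "reason": reason,
    })


def release_data(consent: Consent, requesting_fiu: str, customer_id: str,
                 now: Optional[int] = None) -> dict:
    """Return the in-scope accounts if, and only if, the consent still covers
    this FIU, this customer and this moment. Denials are logged, never silent."""
    now = int(time.time()) if now is None else now
    if consent.status != "ACTIVE":
        reason = "consent_revoked"
    elif now >= consent.expires_at:
        reason = "consent_expired"
    elif requesting_fiu != consent.fiu_id:
        reason = "fiu_mismatch"
    elif customer_id != consent.customer_id:
        reason = "customer_mismatch"
    else:
        reason = ""
    if reason:
        _log("denied", consent, requesting_fiu, reason)
        return {"status": "denied", "reason": reason}
    # Scope enforcement: only the account types the customer approved leave the bank.
    accounts = [a for a in ACCOUNTS.get(customer_id, [])
                if a["type"] in consent.data_types]
    _log("released", consent, requesting_fiu)
    return {"status": "ok", "consent_id": consent.consent_id,
            "purpose": consent.purpose, "accounts": accounts}


def revoke(consent: Consent) -> Consent:
    """The customer withdraws consent; later requests under it must be denied."""
    return replace(consent, status="REVOKED")


if __name__ == "__main__":
    t0 = 1_600_000_000  # fixed "now" so the run is reproducible
    c = Consent("consent-42", "cust-001", "fiu-lender", frozenset({"DEPOSIT"}),
                "loan underwriting", expires_at=t0 + 30 * 86400)
    print(release_data(c, "fiu-lender", "cust-001", now=t0))               # one DEPOSIT account
    print(release_data(c, "fiu-other", "cust-001", now=t0))                # fiu_mismatch
    print(release_data(c, "fiu-lender", "cust-001", now=t0 + 31 * 86400))  # consent_expired
    print(release_data(revoke(c), "fiu-lender", "cust-001", now=t0))       # consent_revoked
    print(len(AUDIT_LOG), "audit records")
```

Note that the term deposit never leaves the bank even for an approved FIU, because the customer consented only to "DEPOSIT" data; a real deployment would additionally sign the consent artefact and encrypt the response for the named FIU so that the aggregator in the middle cannot read it.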
Taken together, all such measures, if properly adopted and implemented by the banking companies, will substantially reduce the risk that financial data exposed through APIs is abused by criminals for purposes like identity theft and fraud. At the same time, by giving control of financial data back to the customers, the open banking standard will ensure that traditional banks do not lag behind in this new age of technology, where fintech firms are offering revolutionary digital services.
– Kishan Gupta
Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, Paragraph 3(1)(iv).
Clause 2(35)(ii), Personal Data Protection Bill, 2018.
Clause 18, Personal Data Protection Bill, 2018.
Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, Paragraph 5(a).