07 Apr 2021

Who owns your bank data?

For years, the answer to this question was straightforward: your bank. But then digitisation happened, and with it came many new services: Spotify suggested music you might like, Uber plotted your best route home. Slowly, people started to see the power of data to deliver more convenient and personal services.

Tellingly, so did EU lawmakers, through the updated Payment Services Directive (PSD2), which requires all banks in the bloc to create APIs that are shared with officially approved third parties. Customers can then give their bank credentials to these brands to access new services or simplify payments.

For example, UK start-up Funding Options matches businesses with lenders. By using bank APIs to scrutinise accounts, Funding Options helps customers avoid filling out forms and sharing sensitive identity documents, thereby reducing a lengthy process to a few minutes.

However, PSD2 promotes not just open banking but also security, through strong customer authentication, and it will continue to apply in the post-Brexit UK.

Opportunities and threats

It's easy to see why banks might be nervous. There's the liability issue: in the event of a data breach, most consumers will direct their complaints to banks, even if it was the fault of a third party.

They also worry that disruptive newcomers – whether small start-ups or established brands such as Amazon and Facebook – could steal their customers.

A recent Payments and Open Banking survey suggests customers’ reluctance to share personal data remains a problem. According to the survey, payment service providers are trusted by 9% of respondents and internet giants by 7%, while online banks and FinTechs would only receive data from to 3% of consumers. Traditional banks still have an advantage over newcomers, as 17% of European respondents say they trust traditional banks and card providers to exchange their personal information. This would suggest that banks themselves may be best placed to explore the new opportunities.

Banks as data aggregators

France's Crédit Agricole opened its APIs as early as 2012 and launched its own CAStore to showcase applications and services created on top of them. Spain's BBVA opened its APIs in 2013. Banks can commandeer developers to build innovative new services on top of their own customers' account information.

Another option is for the bank to be the aggregator itself. In Germany, challenger bank Fidor has already done this. It offers customers access to a range of products from multiple providers inside its portal. Analysts argue that more transformative innovations are yet to come with APIs set to move banking services into everyday life.

But for this to materialise, users will have to overcome their trust issues.

Strong authentication 

To reassure them, EU regulators are insisting on strong two-factor authentication for all PSD2-related transactions. But the legislation hasn't yet precisely defined what strong consumer authentication is. The good news is that security specialists are already developing secure digital banking solutions that go way beyond two factors.

Risk management services, for example, analyse thousands of attributes from the user and the device, such as geo-location, device profiling, IP address, device assessment, and behavioral biometrics.

Crucially, this analysis provides the trust to make the authentication process not just strong, but also fast and friction-free.


Guest blog by Howard Berg, Senior Vice President North Central Europe, Thales DIS. Howard Berg is responsible for all business activities up to and including responsibility for region P&L, customer engagement and ongoing strategic development and growth. You can also follow him on LinkedIn.