Too much of the narrative on Open Banking today is centered on the promise to delight customers with personalized financial services without a balanced view of the risks being taken. Are organizations doing enough to identify all potential risks inherent in Open Banking? And are they implementing the right mitigation measures? Pretty challenging thing to do in these early stages of the Open Banking evolution. And since customers are expected to exercise increased control over the use of their data, their participation will also be required as critical ingredients in the success of Open Banking.
“Consumers deserve clear and direct control over how their financial data is shared."
Wells Fargo - Financial Data Exchange 2020
“An open bank carries strategic, operational, model, conduct, financial crime and reputational risks”
American Banker – 2020
New risks emerge as a consequence of increased volumes of data and the speed at which it is consumed by Open Banking. Ecosystems partners from non-banking industries will not always share the same level of sensitivity towards customer data as regulated banks do. They will not readily recognize the hidden cost associated with the compliance, risk, and security protocols required to protect data or more broadly the integrity of Open Banking transactions. So how can an organization proactively take steps to anticipate risks that don’t even exist today? One must see Open Banking as a “system” whose primary components: players, technology, processes, and data are constantly evolving and inherently introducing risk.
Starting with player risk.
The Open Banking playing field expands beyond traditional financial institutions to include fintech firms, digital banks, data aggregators, credit bureaus, payment networks and third-party providers (TPPs). Firms from telco, healthcare and retail have also joined the game. Risk begins the moment data is shared. Not adhering to standard privacy protocols, industry-specific regulations governing healthcare data or using of customer data for unintended purposes are all risky activities. If a data breach occurs within an ecosystem, which partner is held accountable for losses and impact? Partner additions or exits disrupt ecosystem services temporarily or longer – causing one to really think about ecosystems as an extension of a traditional organization. Finally, there are legal and reputational risks – risks of not establishing sound legal agreements regarding data sharing between partners and reputational risk exposure originating from poor partner selection.
Moving on to Process Risk. Process risk increases with complexity of services. In the simplest transaction involving a customer, a bank and a third party (shown below), there are several risks, including mis-use of customer data by TPP, lack of process execution controls, fraudulent TPP access, lack of traceability of customer data use, risk of accountability by all parties and data security across devices. For complex lifestyle events, such as a customer business trip that involves services from many providers, transactions may remain “open status” for several days and require hundreds of data transmittals and dozens of analytic models to support.
The platform business model championed by Amazon, Google and Alibaba is what Open Banking is to financial services. For technology, the “risk of risks” is execution risk – the failure of a platform and all ecosystem components to deliver on the high-performance required for customer interactions. The SLA of a mobile app is only as good as how well it interfaces with underlying analytics engines or a payments processor closing a transaction. What happens when volumes of new customers are onboarded, and the primary bank’s platform APIs configuration can’t keep up? What redundancy features are included in your ecosystem? Platforms of the future must operate at high-performance to support frictionless customer experiences. Failure in technology adversely impacts all ecosystem in a world of where customer loyalty is fleeting.
Aside from security issues, there must be consideration for what happens when data is shared across industries – for example, retail, healthcare and others – come together. Will HIPAA, ECOA and the remaining alphabet of industry-specific regulations apply? And when during a customer interaction? Will the document retention policies of a primary bank apply across all ecosystem players? Which partner should bear credit losses stemming from incorrect credit data used in an offering? These are unprecedented new challenges stemming from data, ironically the same data that gives life to Open Banking.
How to tackle these risks.
The highest level of risk management is one guided by an absolute commitment to excellent customer experience. At this level, organizations strive to not only prevent bad experiences, but deliver excellent ones. At the lower end of the scale, organizations must adopt a minimum level of risk management that ensures compliance with regulatory mandates.
Open Banking Risk Management Guiding Principles:
- Aspirational – Customer First: Customer transactions generate revenues for ecosystem players and the same customer regulators seek to protect. An aspirational state of customer risk management implements mechanisms preventing loss of customers and promoting loyalty.
- Competent – Integrated Player Accountability: Ecosystems needs every player to align accountability to the customer, closing any inter-player gaps that hinder transaction processes. Every player must be responsible for successful execution of workflows.
- Basic – Regulatory Compliance: A de minimis level of risk management is achieved by simply adhering to regulations. Compliance and supervisory oversight mandates will center on consumer protection, data security and privacy, financial crime, financial disclosures, third parties or technology standards.
The reality is that net new risks will be created in proportion to the new types of in-moment services created by Open Banking. Organizations need not wait for regulatory oversight and form-fitting risk frameworks that are yet to arrive. The adoption of sound risk management practices as an integral part of Open Banking services will help ensure delivery of frictionless customer experiences.
In the final discussion in this series, the dialog of Smart Ecosystems is expanded.
Frank is a financial services professional with extensive global experience as an executive and consultant serving the largest financial institutions in North America, Asia, Eastern Europe, South Africa, and Australia. He specializes in the design, planning, and implementation of risk operating models and supporting infrastructure inclusive of: data analytics and predictive modeling, process redesign, and risk applications development. Frank enjoys a track record as a risk technology innovator credited for conceptualizing and developing patented risk technology solutions for Fortune 100 firms. He has served as an executive panelist at the GARP annual risk management convention, was appointed Risk SME for PRMIA, and is the author of a 2018 Risk Management of the Future Study - a collaboration with the MIT Golub Center For Finance and Policy.
View all posts by Frank Saavedra-Lim