How risk management can enhance open banking innovation

Authored by: Jessica Hansen | Executive Director, Privacy Lead Financial Services Risk Management, Sam Nazari | EY Canada Banking Innovation Leader
Co-authors: Preethi Raghunathan and Riyanka Jain

Open banking: how incorporating risk management and privacy principles can enhance innovation

A global view

Implementation of open banking in a number of jurisdictions — for example, Australia (the Customer Data Right), the UK (Open Banking Implementation Entity, 2018), Europe (Payments Services Directive II(PSD2)), Brazil (Regulation on Open Banking) and India (Unified Payments Interface, 2016) — has shown promises of immense value delivered to all kinds of clients.

As more and more consumers continue to shift their expectation to access flexible, alternative, and personalized products and services, businesses are being forced to think more innovatively to meet these expectations. Customers’ demand to take ownership of their data has led to a move where they will provide consent around the sharing of their data, with an expectation of then receiving improved products and services, while the organization still ensures the security of the personal information.

Maturity levels of open banking regulations across globe

How does open banking work?

From a technology standpoint,  third parties will use application programming interfaces, or APIs, to allow banks to share customer data with other banks and/or non-bank financial institutions.  This creates an “open” environment where information such as personal information, transactional information and other custom data can be shared between various financial services providers.  If this is supported by adequate architecture, customers can ask for their data to be shared safely to take advantage of new services and product offerings.

Due to the sensitive nature of the data, the terms and conditions for open data sharing have been specified in the geographies where open banking is regulated. These terms and conditions encompass data-sharing technical standards, security standards and privacy standards.

In many jurisdictions, regulators play an active role in authorizing and managing the third parties entering the data-sharing ecosystems. In jurisdictions where the regulations were behind and had to catch up, many third parties and startups had already started to roll out their services using costly and insecure methods of accessing customer data, exposing consumers, data stewards (primary financial institution) and ecosystem players to a range of cyber, privacy and operational risks.

Open banking and privacy laws in Canada

Privacy laws are developing rapidly around the world, whether amendments to current requirements or brand new regulations. Canada is no different, with the federal government still considering updates to the current PIPEDA (Bill C-11) and various provincial regulators reviewing their current requirements.

Québec was the first to move towards a baseline similar to the EU’s General Data Protection Regulation (GDPR) with the passage of Bill 64 (An Act to modernize legislative provisions as regards to the protection of personal information), in September 2021. This legislation introduced a phased approach, effectively giving organizations subject to the regulations a period of between one and three years to comply.

In August 2021, the Advisory Committee on Open Banking published its final report recommending that Phase 1, including design and implementation, of open banking in Canada be established by January 2023. In March 2022, the Government of Canada officially announced the open banking lead with a mandate to develop a "made-in-Canada" regime based on the final report's recommendations. The need for organizations to develop their strategy is being driven not only by the recommendations, but also by the global move towards banking transparency and accessibility as well as consumers’ ever-growing expectations.

Although it looks like the passing of these new requirements will not wholly align, it’s imperative that as organizations develop their consumer-directed finance strategy, they keep risk management and privacy principles at the heart of their strategies and initiatives. This will enable them to establish a direction that will likely need minimal review at a later stage should privacy requirements become a regulatory requirement after organizations have initiated their future state strategy.

Risk management and privacy considerations

Consent management and the right to be forgotten: Any sharing of information across entities via APIs will require explicit consent from the data subject. For example, Québec’s Protection of Personal Information in the Private Sector states that consent must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language and separately from any other information provided to the person concerned. We expect the federal regulations to follow suit, which means that any open banking strategy needs to include consent as a central item to allow an organization to use APIs.

Consent and its management are often underestimated in practice. Many organizations are looking toward fintechs to help them manage consent. Under new privacy laws, data subjects have an additional “right to be forgotten,” meaning that organizations should ensure they have the mechanisms in place to meet this request from a data subject and ensure all third parties do the same. It remains the responsibility of the data controller to maintain the consent, withdrawal of consent and sharing of all personal information.  The data controller is an individual or organization that manages how data is processed and is responsible for complying with data protection regulations.

Data management: Operationally, the flow of data should be mapped end to end to ensure that the data controller can demonstrate they understand how data flows across different business functions and enabling technology components, and who has access to it.

Identification, classification, protection, retention and destruction of client records should be agreed between the data controller and data processor in the organization and/or any third party engaged in any capacity through the data’s lifecycle.  A data processor is a person or organization who deals with personal data as instructed by a controller for specific purposes and services offered to the controller.

The need to align with regulatory requirements should be kept front and centre when developing policies governing the classification, level of protection, retention and destruction of client records. Further, with many organizations adopting advanced analytics engines, AI and machine learning capabilities gain insights from their data, organizations should also consider the risks associated with data ethics and quality.

Another key aspect for organizations to consider is data portability. How capable would your organization be to actually move the data at the data subject’s request? How quickly could you do it? And have you considered all these checks and balances in your open banking strategy?

Security risk: Process to deal with data breaches or incidents will also be a factor. In a world where the protection of IT systems has become mandatory and fundamental for every kind of business, it is important to be prepared to face cyberattacks in the most cost-effective way.

According to EY’s Global Information Security Survey Results 2019-20, 59% of organizations have faced a material or significant incident in the past 12 months. The EY Global Board Risk survey reveals 48% of boards believe that cyberattacks and data breaches will more than moderately impact their business in the next 12 months. A cyber event such as a successful attack can have a major impact on an organization both reputationally and financially, including potential fines, if they don’t appropriately manage their cybersecurity mechanisms.

In addition to adapting to cybersecurity threats, it’s important for organizations to consider the impact of the API architecture on their security strategy. Additionally, regulators are playing close attention to the development of cyberthreats. For example, the Office of the Superintendent of Financial Institutions (OSFI) published Draft Guideline B‑13, Technology and Cyber Risk Management, with primary focus on cybersecurity and risk management.

The evolving business and regulatory landscape with increasing cyber threats makes it necessary for organizations to take a proactive approach to reduce risk. Organizations should develop security resilience programs using industry leading practices related to specific threats potentially impacting their businesses.

Business risk: As the post-pandemic industry takes shape, consumer expectations are changing. Increased use of technology and the ready availability of information means that consumers’ knowledge around their rights, privacy and data use is growing. Banks can no longer afford not to meet their customers’ expectations and needs with regards to the speed at which they want information, flexibility of product offerings, transparency around how their data is being used and with whom their data is shared.

Retail banks continue to fall out of favour with their consumers in the post-pandemic world. Banks’ ability to meet consumers’ expectations could impact their ability to continue to operate.

Digital adoption is pushing up self-service, empowering client decision-making and reducing the cost to serve. But the shift to digital can also have negative consequences if outdated legacy technologies prevent banks from delivering their full offering to their customers. Organizations should consider investing in technology or partnering with suitable third-party vendors to strengthen their resilience while remaining scalable.

Over and above increasing investments in technology, organizations need to establish practices to govern their data stewardship, ethics, transparency, privacy and protection to demonstrate their commitment to their customers. Adoption of hybrid consumer engagement models, employee training and use of AI and deep learning technology are other considerations organizations should thoroughly evaluate when considering an open banking environment.

Third-party risk: Traditionally, organizations use third parties to enhance scalability and availability, and to support an optimal distribution of additional functions. With open banking, we anticipate organizations will increasingly partner with third parties and fintechs to offer new products and services. Organizations will face unprecedented demand around the speed at which they need to develop relationships, some of which are only API consumers and never envision in third party risk management processes and tech.

The interconnected landscape of today’s business environment and the inevitable increase in third-party interaction in the open banking environment pose a serious risk of disruption to current processes and risk appetite that could result in significant loss of revenue. Organizations need to evaluate the ability of their critical offshore presence and third parties to continuously support critical functions such as IT, human resources, payroll, financial reporting, cybersecurity and others.

The Office of the Comptroller of Currency (OCC) in the US issued its semi-annual risk perspective in the fall of 2018 in which “third party” was referenced across all five key issues. It noted that banks continue to increase their reliance on third parties to deliver key services, support compliance operations and enable efficiency through innovation. An automated robust third-party risk management process that supports the timely completion of assessments will go a long way to make the overall process of onboarding third parties in the open banking scenario more efficient and effective.

While applicable regulations to third party risk management and governance vary from organization to organization, and regulatory interest in third-party risk management continues to rise, it is up to the organization to manage its third-party risk. From third-party identification to contract management, and third-party risk assessments to vendor audits, organizations must build out a combination of policies, processes, tools and enablers to help identify and mitigate third-party risk. Due to the rapid scaling required to operate in the open banking environment, it’s important for organizations to incorporate an agile third-party risk management framework in their open banking strategy.

At this stage, we do not know what dates will be imposed on us to comply with either the open banking or privacy regulations, or what additional regulations may come into play for security or business risk management. What we do know is that operationally, they are closely tied.

Linking your open banking strategy with a comprehensive risk management framework that incorporates privacy and consent management, data risk, security risk, business risk and third-party risk will allow you to develop a scalable and sustainable roadmap. If you don’t have to  take another look at your organizational processes at a later stage when you’ve made substantial investments towards technology and resources to enable your open banking strategy you can save time, effort and money.