Everything You Need to Know About Complying with Open Banking in Australia
By Seshika Fernando
- 11 Sep, 2018
Open Banking can seem a daunting task for any bank that is working towards a compliance deadline. It requires you to understand the regulation, map your internal systems to meet the needs of the regulation, keep your customers happy, and stay competitive all at the same time.
Our experiences with PSD2 compliance in the EU and Open Banking in the UK taught us that while compliance is a large task, it can easily be addressed by assigning priorities. Once your priorities are set, you can then build a team and strategy around each priority and reach your compliance goals much faster.
Here’s how you need to go about it.
1) Understanding the Regulation
What is the regulation?
The Consumer Data Right (CDR) is a regulation that gives customers the right to direct that their data be shared with others they trust. This improves their ability to compare and switch between products and services and encourages competition between service providers. This leads to better prices for customers as well as more innovative products and services.
It will initially be implemented in the banking (open banking), energy, and telecommunications sectors and then rolled out economy-wide on a sector-by-sector basis.
Who’s in charge?
The regulation is implemented under the dual-regulation model where the Australian Competition and Consumer Commission (ACCC) will act as the lead regulator, with strong support from the Office of the Australian Information Commissioner (OAIC).
The Treasury will manage amending the necessary laws to enable the implementation of the CDR in Australia. Data61 will act as the data standards body that will develop open standards on how to securely open up access to customer data.
How does the phased implementation work?
- The Big 4 Banks of Australia — National Australia Bank, Commonwealth Bank of Australia, ANZ and Westpac will make data available on credit and debit card, deposit and transaction accounts by July 1, 2019. Data on mortgages will be made available by February 1, 2020.
- Data on all products recommended by the Farrell Review will be made available by July 1, 2020.
- All other banks in Australia will be required to implement open banking 12 months after the timelines applicable to the Big 4 Banks.
How does the bank, customer and TPP relationship work?
Banks need to enable the opening of the above datasets via secure APIs. Third Party Providers (TPPs) will be given an accreditation by the ACCC based on their competence to receive and manage customer data in a secure manner. Banks will need to onboard accredited TPPs to access their data APIs. Once the APIs are connected to the TPP applications, consumers will provide the bank with their consent on which data should be shared with whom for what purpose and which period. Once the bank receives explicit consent to share the customer’s data, the bank will issue a unique access token to the TPP on behalf of the customer so that the relevant customer data can be consumed through the API.
2) The Technology Building Blocks You Need
Open banking involves securely opening up data via APIs. This makes it evident that the two most important technology components you’ll need are API management and governance technology and a robust identity and access management platform.
A few key features that your API management platform will have to facilitate include TPP onboarding and accreditation validation, sandbox environments and production access, tooling for TPPs, and API lifecycle management covering creation, versioning and security (OAuth2).
In order to ensure that data and its access is secure, your identity and access management technology will have to facilitate strong customer authentication, by way of multi-factor authentication, and consent management, which allows users to provide data sharing consent based on data sets, for a specific period, to a specific set of recipients. Users should also be able to revoke or update consents as and when they need to.
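The relationship described in the two passages above (an accredited TPP, a consent scoped to specific datasets, a recipient, a purpose and a period, a token issued on the back of that consent, and the customer's ability to revoke it) is easiest to see as code. The following is an added illustration, not code from the post or from any WSO2 product; the dataset names, TPP identifiers and the in-memory store are constructed placeholders, and it uses only the Python standard library. It shows the checks a data API should make on every request: the token must map to a live consent, the presenting TPP must be the consent's recipient, the requested dataset must be within scope, and expiry or revocation must close access immediately. Only a hash of each token is kept at rest, so a leaked store does not yield usable tokens.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import secrets

# Illustrative dataset names only; not identifiers from the CDR standards.
ALL_DATASETS = frozenset({"accounts", "transactions", "cards", "mortgages"})


@dataclass
class Consent:
    """One customer's authorisation: which data, to whom, for what purpose, for how long."""
    consent_id: str
    customer_id: str
    tpp_id: str
    datasets: frozenset
    purpose: str
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False


class ConsentStore:
    """Constructed in-memory stand-in for a bank's consent and token registry."""

    def __init__(self, accredited_tpps):
        self.accredited_tpps = set(accredited_tpps)   # populated from the regulator's register
        self.consents = {}                            # consent_id -> Consent
        self.token_hashes = {}                        # sha256(token) -> consent_id; raw tokens never stored

    def grant(self, customer_id, tpp_id, datasets, purpose, duration, now):
        """Record explicit customer consent; refuse recipients that are not accredited."""
        if tpp_id not in self.accredited_tpps:
            raise PermissionError(f"{tpp_id} is not an accredited recipient")
        datasets = frozenset(datasets)
        unknown = datasets - ALL_DATASETS
        if unknown:
            raise ValueError(f"unknown datasets: {sorted(unknown)}")
        consent = Consent(secrets.token_hex(8), customer_id, tpp_id, datasets,
                          purpose, now, now + duration)
        self.consents[consent.consent_id] = consent
        return consent

    def issue_token(self, consent_id, now):
        """Issue the per-consent access token the bank hands to the TPP."""
        consent = self.consents[consent_id]
        if not self._active(consent, now):
            raise PermissionError("consent is not active")
        token = secrets.token_urlsafe(32)
        self.token_hashes[self._digest(token)] = consent_id
        return token

    def revoke(self, consent_id):
        """Customer withdraws consent; every token tied to it stops working at once."""
        self.consents[consent_id].revoked = True

    def authorize(self, token, presenting_tpp, dataset, now):
        """Decision made by the data API on each request: all four conditions must hold."""
        consent_id = self.token_hashes.get(self._digest(token))
        if consent_id is None:
            return False
        consent = self.consents[consent_id]
        return (self._active(consent, now)
                and consent.tpp_id == presenting_tpp
                and dataset in consent.datasets)

    @staticmethod
    def _active(consent, now):
        return not consent.revoked and consent.granted_at <= now < consent.expires_at

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


def run_scenario():
    """Constructed walkthrough; returns each authorisation decision so it can be checked."""
    t0 = datetime(2019, 7, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    store = ConsentStore(accredited_tpps={"tpp-budget-app"})
    consent = store.grant("cust-42", "tpp-budget-app", {"accounts", "transactions"},
                          "budgeting", timedelta(days=90), now=t0)
    token = store.issue_token(consent.consent_id, now=t0)
    results = {
        "in_scope": store.authorize(token, "tpp-budget-app", "transactions", t0 + day),
        "out_of_scope": store.authorize(token, "tpp-budget-app", "mortgages", t0 + day),
        "wrong_tpp": store.authorize(token, "tpp-other", "accounts", t0 + day),
        "expired": store.authorize(token, "tpp-budget-app", "accounts", t0 + 91 * day),
        "bad_token": store.authorize("not-a-real-token", "tpp-budget-app", "accounts", t0),
    }
    store.revoke(consent.consent_id)
    results["after_revoke"] = store.authorize(token, "tpp-budget-app", "accounts", t0 + day)
    results["unaccredited_rejected"] = False
    try:
        store.grant("cust-42", "tpp-unknown", {"accounts"}, "x", day, now=t0)
    except PermissionError:
        results["unaccredited_rejected"] = True
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

In a real deployment the consent record and the OAuth2 token would live in the identity and access management platform and the check would run in the API gateway, but the shape of the decision is the same: a token is only as broad as the consent behind it, and revocation must be enforced at access time rather than only at token issuance.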
The above is the bare minimum required to securely open up data via APIs. The next step is to ensure that you create great customer experiences. You can do this by providing strong authentication exemptions by way of adaptive authentication for low-risk data accesses. You can also fix customer pain points through detection and analysis of delays within the customer journey. Additionally, you should identify fraudulent attempts at accessing data without permission and DDoS attacks that can bring down the system. In order to meet these requirements, you need a strong data analytics platform, which can easily collect, correlate and analyze the data, and provide notifications and outputs in real time.
To accomplish open banking compliance you first need to understand which of your existing technology components can be reused to achieve regulatory requirements. Then fill the missing gaps with new technology, preferably with purpose-built components that are pre-configured for Australian Open Banking compliance. A good integration layer will also allow you to easily introduce new technology components while leveraging the capabilities of your existing technology.
3) Agility for the Future
Staying agile is a critical part of open banking success. Implementing an open banking solution that caters to the current compliance needs is not the end of the road. New iterations of specifications and features will be introduced down the line and a bank should be able to adapt quickly with minimal disruption to the status quo. Furthermore, the number of TPPs will keep increasing and your systems need to ensure that the third party providers' access is monitored for any anomalies or misuse.
So, how does being agile help you? By becoming agile you can respond to market, regulatory, competitive or customer-driven changes faster. This means that you get these initiatives to your customers quickly, with the added bonus of gaining new customers through first mover advantages. The bottom line is, agility helps you become a market leader and not a follower.
All in all, open banking does not have to drive you up the wall. All you need to do is get a good understanding of what your priorities are, get the right people for the job and ramp up your technology to do the work. This will make compliance that much faster and simpler.
Find out more about WSO2 Open Banking for Australia.
- Seshika Fernando
- Head of Financial Solutions