The Consumer Data Right, which was announced by the Australian Government in May 2018, gives Australians greater control over their data. It empowers customers to choose which trusted parties they share their data with and for what purpose. It will initially be implemented in the banking, energy, and telecommunications sectors and then rolled out economy-wide on a sector-by-sector basis.
The big four banks of Australia were required to start complying with the open banking standards set forth in the Consumer Data Right by February 1, 2020, while the remaining authorised deposit-taking institutions have to start complying by July 1, 2020. Given the fast-approaching deadline and the need to achieve agile compliance, this is a cause for concern for many CIOs in the financial sector.
From confusion on how to comply to risk of losing customers within the new ecosystem, open banking seems to be a daunting task. In this white paper we help Australian banks answer and resolve the most pressing questions on their minds.
2. Can I learn the requirements AND comply on time?
This isn’t the first time open banking has been implemented in the world. In fact, the Australian Data Standards Body is currently taking the United Kingdom’s Open Banking implementation specifications and localizing them. An astute way of approaching the problem would be to understand the UK Open Banking requirements and watch out for the localization changes that are discussed in the Open Forum.
While understanding the regulation and its requirements, a good practice would be to get acquainted with open banking technology. Getting your hands dirty with an open banking setup that was designed for the UK will enable you to understand what services need to be exposed from your core banking system — which is half the battle towards compliance.
You also need to keep in mind that the open banking regulation, unlike most other banking regulations, is more a journey than a destination. Banks should not expect to complete all compliance requirements by the conformance deadline and stop there. The regulation will evolve up to and beyond the deadline, as Europe and the UK have already seen. Therefore, preparing the people, processes and technology that can take you on this journey is recommended.
3. Will my technology systems need a complete overhaul?
Open banking involves securely opening up data via APIs. The two key components you’ll need are an API management platform and a robust identity and access management (IAM) platform.
The major features that your API management platform should enable are:
- Data Recipient (the CDR term for what the UK calls a Third Party Provider, TPP) onboarding
- Data Recipient accreditation validation
- Sandbox environments and production access
- Tooling for Data Recipients
- API lifecycle management, creation, versioning and security
The major features that your IAM platform should enable are:
- Strong customer authentication: Secures access by way of multi-factor authentication (including SMS codes, one-time passwords, FIDO devices, etc.). Not all factors are equal: SMS codes are the weakest, since they can be intercepted or redirected by SIM swap, while FIDO authenticators are bound to the origin and resist phishing.
- Comprehensive consent management: Allows users to provide data sharing consent based on data sets, for a specific period, to a specific set of recipients. Users can also revoke or update consents as and when they need to.
- Integration with the API platform: issuing and validating the access tokens that API calls carry, so that every token is bound to the customer authentication and consent that produced it.
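The consent checks listed above are easy to state and easy to get subtly wrong (an expired consent still honoured, a scope implied rather than granted, a token presented by a different recipient). The following is an added example, not code from this paper or from any vendor product, of a deny-by-default consent store and the authorization check a data holder runs on every data API call. The scope strings, recipient identifiers and the in-memory store are assumptions chosen for illustration; a real deployment would persist consents and log every decision.

```python
"""Consent-gated API authorization for an open banking data holder.

Added example (not part of the white paper). Models the consent
properties above: a customer grants a set of data clusters (scopes) to a
named data recipient for a limited period and may revoke it at any time.
A data API request is served only when a live consent covers the
requesting recipient, the exact scope requested and the current time.
Scope names, recipient ids and the in-memory store are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional, Tuple
import secrets

MAX_CONSENT_DAYS = 365  # the CDR Rules allow an ongoing consent to last at most 12 months


@dataclass
class Consent:
    consent_id: str
    customer_id: str
    recipient_id: str        # the accredited data recipient the customer chose
    scopes: FrozenSet[str]   # data clusters granted, e.g. "bank:accounts.basic:read"
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None


class ConsentStore:
    """Data holder's record of customer consents (in-memory, for illustration)."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Consent] = {}

    def grant(self, customer_id: str, recipient_id: str, scopes: Iterable[str],
              duration_days: int, now: datetime) -> Consent:
        if not 0 < duration_days <= MAX_CONSENT_DAYS:
            raise ValueError("sharing period must be between 1 and %d days" % MAX_CONSENT_DAYS)
        scope_set = frozenset(scopes)
        if not scope_set:
            raise ValueError("a consent must name at least one data cluster")
        consent = Consent(
            consent_id=secrets.token_urlsafe(16),  # unguessable handle, never a sequential id
            customer_id=customer_id,
            recipient_id=recipient_id,
            scopes=scope_set,
            granted_at=now,
            expires_at=now + timedelta(days=duration_days),
        )
        self._by_id[consent.consent_id] = consent
        return consent

    def revoke(self, consent_id: str, now: datetime) -> None:
        """Customer withdraws consent; the record is kept for audit, not deleted."""
        consent = self._by_id[consent_id]
        if consent.revoked_at is None:
            consent.revoked_at = now

    def authorize(self, consent_id: str, recipient_id: str, scope: str,
                  now: datetime) -> Tuple[bool, str]:
        """Deny-by-default check run on every data API call.

        Returns (allowed, reason). The reason is for the audit log; the API
        response to the caller should not leak why a request was refused."""
        consent = self._by_id.get(consent_id)
        if consent is None:
            return False, "unknown consent"
        if consent.recipient_id != recipient_id:
            # a token issued to, or stolen by, another recipient must not unlock this data
            return False, "recipient does not match consent"
        if consent.revoked_at is not None:
            return False, "consent revoked at %s" % consent.revoked_at.isoformat()
        if now >= consent.expires_at:
            return False, "consent expired at %s" % consent.expires_at.isoformat()
        if scope not in consent.scopes:
            # exact match only: "bank:accounts.detail:read" is not implied by "basic"
            return False, "scope not granted"
        return True, "ok"


def demo() -> Dict[str, bool]:
    """Walk through grant, use, expiry and revocation on constructed input."""
    store = ConsentStore()
    t0 = datetime(2020, 3, 1, tzinfo=timezone.utc)  # constructed reference time
    consent = store.grant("cust-42", "adr-budgetapp",
                          ["bank:accounts.basic:read", "bank:transactions:read"], 90, t0)
    day1, day90 = t0 + timedelta(days=1), t0 + timedelta(days=90)
    results = {
        "balance_ok": store.authorize(consent.consent_id, "adr-budgetapp", "bank:accounts.basic:read", day1)[0],
        "detail_denied": store.authorize(consent.consent_id, "adr-budgetapp", "bank:accounts.detail:read", day1)[0],
        "other_adr_denied": store.authorize(consent.consent_id, "adr-other", "bank:accounts.basic:read", day1)[0],
        "expired_denied": store.authorize(consent.consent_id, "adr-budgetapp", "bank:accounts.basic:read", day90)[0],
    }
    store.revoke(consent.consent_id, t0 + timedelta(days=10))
    results["revoked_denied"] = store.authorize(consent.consent_id, "adr-budgetapp",
                                                "bank:accounts.basic:read", t0 + timedelta(days=11))[0]
    try:
        store.grant("cust-42", "adr-budgetapp", ["bank:accounts.basic:read"], 400, t0)
        results["too_long_rejected"] = False
    except ValueError:
        results["too_long_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs on the data holder's side on every request, after the API gateway has validated the bearer token; the token only tells you who is calling, the consent record tells you what they may read, for whom, and until when.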
While these form the basis of a regulatory compliant open banking system, there are several other aspects that are required. In particular, an effective open banking approach comes with pre-defined APIs and schemas. For example, in the UK the Open Banking sector has defined the Open Banking Read/Write API Standard which fully complies with the PSD2 regulation. In addition, the API management system will need to be connected to your core banking system via some integration technology such as a message broker or Enterprise Service Bus (ESB).
The above capabilities are the bare minimum required to securely open up core banking via APIs. The next step is to ensure that you create great customer experiences. This could be by:
- Providing strong authentication exemptions by way of adaptive authentication for low risk data accesses.
- Fixing customer pain points through detection and analysis of delays within the customer journey.
- Identifying fraudulent attempts at accessing data without permission, and DDoS attacks that can bring down the system.
In order to meet these requirements, you need a real-time data analytics platform which can easily collect, correlate, and analyze the data, and provide notifications and outputs in real time.
It will be ideal to choose a solution that has all the above components, pre-configured to work with each other, and is purpose built for the Australian Open Banking regulation, so that there is no requirement for additional configurations. Because the regulation is ever-evolving, the compliance technology will also have to support the regulatory changes that take place within each technology area.
"You need to choose a solution that has all compliance requirements pre-configured and is purpose built for the Australian Open Banking regulation."
4. What will it cost me?
While Open Banking in the UK has cost banks as much as GBP 150-200 million [Source: Commonwealth Bank of Australia’s Submission to the Treasury’s Review into Open Banking], Australian banks do not need to face the same fate. Open banking in Australia happens through a phased implementation. This gives banks time to plan, prepare and set budgets accordingly. Additionally, Australian banks have the luxury of learning from their UK and EU counterparts in terms of how to become compliant without breaking the bank.
Following are a few strategies that banks can employ to reduce the cost to a fraction of that:
- Once the regulatory requirements are well understood, the first step is to analyze your current technology stack and identify which components can be reused to meet the requirements. This will save a significant portion of your budget since it eliminates the need to duplicate technology as well as the cost of maintaining two different technologies that essentially do the same functions for different projects.
- Invest in a good integration layer (if one doesn’t exist at present). This will allow you to easily introduce new technology components while leveraging the capabilities of your existing technology.
- Fill the gaps that cannot be serviced by existing technology by investing in purpose built components that are pre-configured for Australian Open Banking compliance. This ensures that you save money on lengthy configurations and modifications and eliminates maintenance costs for those custom modifications.
- When looking for the right technology, try to get all the components from one vendor to reduce the number of expensive evaluation rounds you need to do for each requirement. This also eliminates the need for multiple procurement processes that are usually lengthy and cumbersome.
- Work with a technology provider that is well acquainted with the regulation. They should ideally undertake the task of keeping the technology up-to-date with the evolving regulation requirements. This eliminates the cost of hiring and maintaining specialized staff to follow the regulatory changes and implement them.
5. Will Data Recipients become my competitor?
Data Recipients will now directly interact with the consumer, introducing a middle man to the mix. Because of this there seems to be a common misconception that banks will lose their customers to the Data Recipients. Many banks are also afraid of losing their identity as an exclusive financial service provider and becoming a mere utility to Data Recipients.
This is not true. Contrary to popular belief, the future is not bleak for banks that open up their data. Banks can use Data Recipients to augment the customer experiences and focus more on their core competency - creating great financial products and services.
To ensure that you retain your existing customers and use this opportunity to grow your customer base, you need to empower the Data Recipients to promote your products and services through their applications. This can be done through a user-friendly API portal that enables Data Recipients to easily onboard, test and use your APIs. The more attention you give to your Data Recipients in terms of tooling, version control, alerts, and analytics, the more they will promote your products and services and contribute to your customer base.
"If you can aggregate customer financial information across multiple banks, then you have the unique power of understanding your customer beyond the limits of your bank."
6. How do I provide compelling services so that my customers stick with me?
The new open banking ecosystem shifts the balance of power from the banks to the customers. It thins brand loyalty and makes switching between products from different banks much easier. This makes it critical to have the right strategies in place to maintain brand loyalty. Creating stellar experiences for customers is more important than ever before. Here are a few ways to achieve this.
Ensure security is not compromised
The biggest concern customers have is that their data will fall into the hands of unauthorized users. Your IAM technology should ensure that at each stage of the open banking cycle, customer data is protected and that they can take back their consent anytime. You should do this without compromising on the overall customer experience.
Customer trust through education
Even though open banking is tipped to put the customer in control, the majority of customers are still unsure of how secure the new open banking regime is and what benefits it can provide. While implementing all the processes internally to make open banking as secure as possible, you need to take this message to your customers. A secure open banking experience will make customers happy, but a bank that goes the extra mile to educate customers about how it is guaranteeing this secure experience will create trust.
The great thing about the Consumer Data Right framework is that a data holder is not limited to sharing data: it can also seek accreditation as a data recipient and consume other holders’ APIs. Accreditation is a separate process and does not follow automatically from exposing your own APIs, but the banks that thrive within this new world will be those who pursue it and capitalize on this capability.
If you want to not only keep your existing customers but also expand your business, you need to start consuming APIs of other banks and financial service providers. If you can aggregate customer financial information across multiple banks, then you have the unique power of understanding your customer beyond the limits of your bank. This will enable you to cross-sell, up-sell, and acquire new customers.
7. WSO2 Open Banking for Australia
WSO2 Open Banking for Australia is the only purpose-built solution for meeting all the technology requirements driven by the Australian regulation. This includes API management, third-party onboarding, strong customer authentication, consent management, regulatory reporting and anomaly detection. These requirements are preconfigured in WSO2 Open Banking for complete compliance.
We also ensure that regulatory obligations are fulfilled without having to dedicate large teams to follow the regulation and implement the compliance strategy. The solution’s componentized architecture helps reduce costs by allowing banks to mix and match technology requirements as necessary. Additionally, WSO2’s Open Banking training programs can get bank staff up-and-running with the technology in record time.
Furthermore, our experiences in UK and Europe revealed some key concerns consumers had with open banking globally. We’ll use these as examples to address perceptions for Australian banking customers.
As open banking takes off, your customers will demand more services and products that make their lives easier. Your IT infrastructure needs to scale to meet these new demands. Our platform and domain expertise make us the ideal technology partner to help you become a market leader in digital banking.
Contact us for more information on your specific needs on open banking and CDR compliance.