Open banking is meant to increase competition in retail and small business banking, but the banking data it relies on can be used to infer consumer information, raising questions of consumer consent and data management. Edgar Whitley and Roser Pujadas identified significant gaps in the regulation of open banking and customer consent for the use of their data, resulting in better consumer protection.
Impact Case Series — Research Excellence Framework (REF)
What was the problem?
Open banking and the second European Payment Services Directive (PSD2) allow consumers to share access to their bank accounts with third-party providers in new and more secure ways, using application programming interfaces (APIs). These allow people to make payments directly from their bank accounts without using a card; they also allow third parties to use transaction data, with the aim of improving financial products and services for the consumer.
Open banking aims to increase competition in banking services for individuals and small businesses by stimulating innovation. However, the banking data it relies on can be used to infer a lot of consumer information, raising questions of consumer consent and robust data management.
The open banking system is presented as an example of how consumer data can work for them. However, the innovation in this area comes at a time of growing concern about the misuse of data following the Cambridge Analytica scandal and ongoing instances of data leaks.
This raises important questions about the concept of data ownership, the nature and forms of consent for data sharing, and the cost – both implicit and explicit – of the service to consumers.
What have we done?
Our research has made important contributions to the open banking and consent agenda. At its core is the principle of dynamic consent, whereby individuals can review and control the consents they have given and modify them in response to new information. This concept was born from the Ensuring Consent and Revocation (EnCoRe) project, which was a collaboration between one of us (Whitley), HP Laboratories, QinetiQ, HW Communications and the universities of Warwick and Oxford.
It explored the technical, regulatory and organizational issues associated with making consent – and its revocation – as simple and reliable as turning on and off a tap. The goal of dynamic consent is to provide a transparent, flexible, and user-friendly model for consumers to engage with consent, which is particularly relevant when the data is sensitive, such as health data or financial records. In a world where data protection laws are evolving, dynamic consent aims to allow individuals to have real control over their privacy preferences and how their data is used.
Health is a key case for dynamic consent. Together with our EnCoRe colleagues from HW Communications and Oxford, and a new team from the University of Manchester, we conducted further research on dynamic consent in the context of electronic medical records. We found that participants appreciated the ability to review consent decisions over time and to have access to a record of their prior consent decisions. These groundbreaking studies have influenced ethical discussions about health data consent.
Dynamic consent has been less widely adopted for financial data. In August 2017, we were commissioned to lead a research project for the Financial Conduct Authority (FCA) Financial Services Consumer Panel, exploring data governance and security in the context of open banking. This included qualitative research with 50 people who already allowed a third-party provider to access their bank account and quantitative research with over 190 people who were not using these products.
We have found that even when sharing financial data with third-party providers, consent is often neither freely given nor fully informed in the manner required by the General Data Protection Regulation (GDPR) 2018. More than half of the participants said they had not read the terms and conditions of these products, and those who did often did not find them useful. A key idea, therefore, is that terms and conditions are not helpful for informed consent and are not in line with advances in technology.
While valuing privacy, participants valued it less than speed of access to goods and services, in part because they assumed data and finance regulators would ensure their fair treatment. Finally, participants showed a poor understanding of the value of their data and how it can be used to earn money for third-party vendors.
Based on these results, the research identified significant gaps in the FCA’s regulation of open banking. Specifically, it demonstrated that all parts of the open banking ecosystem failed to meet the requirements of the FCA’s business principles, including the principle of fair treatment of customers.
Our research has been instrumental in ensuring the fair treatment of open banking customers. In presenting our research to the FCA’s Financial Services Consumer Panel, we highlighted how customers expect existing regulations to cover the services they subscribe to. However, FCA members noted that these assumptions did not apply to all parts of open banking at the time, since third-party providers were only regulated under weaker regulations for payment services.
In 2019, the FCA amended its rules in line with the research findings, strengthening the customer experience for open banking more broadly. As a result, the more than five million customers currently using open banking in the UK now enjoy stronger protections and more effective, consent-based controls over the use of their financial data.
Since May 2014, Whitley has also served as co-chair of the UK’s Privacy and Consumer Advisory Group (PCAG), which advises the government on data security and trust. In early 2017, several consumer groups raised concerns with PCAG about how the industry was driving the development of open banking, with little regard for privacy issues and limited consumer awareness. Whitley has discussed these issues with open banking representatives, suggesting that his work on managing digital consent and dynamic consent would be particularly useful to the Open Banking Implementation Entity (OBIE) in the UK. Whitley also contributed to OBIE’s guidance for open banking dashboards. Dashboards allow users to see what consents they have given to third-party providers and, optionally, revoke them. This is a response to research evidence that people appreciate being able to revisit consent decisions over time and access an electronic record of their previous consent decisions.
LSE research has also shed light on some aspects of the codification of open banking customer data agreement, which sets out guidelines covering data usage statements (“how we will and won’t use your data”) and business monetization statements (“this is how we make money”).
Together, the impact of research on consent understanding, guidance, and best practices has led to significant reforms in customer protection and consumer control over the use of their financial data. These improvements are essential to enable more people to access the potential benefits of open banking in a safe and secure way.
- This blog post originally appeared as an LSE Research Excellence Framework impact case study.
- The post represents the point of view of its author(s), and not the position of LSE Business Review or the London School of Economics.