Will GDPR Inhibit Or Improve The Adoption Of Open Banking?

Jonathan Charley

GDPR is a set of EU created rules designed to give citizens more control over their data. It comes into effect on May 25, 2018, and aims to simplify the regulatory environment for business so both citizens and businesses can fully benefit from the digital economy. It not only applies to EU-headquartered entities but to all organizations that have European operations.

In the wake of the Facebook/Cambridge Analytica scandal, there is an even greater focus on the way that customer data is used by businesses and what control customers have over that.

Open banking is intended to create more competition in the banking industry and to encourage better services and more innovation to improve the customer banking experience. A cornerstone of this is encouraging customers to give third parties access to their data to enable them to offer new services in ways that their current banks are not offering. GDPR can, at first glance, appear to be something that will work against the adoption of open banking.

GDPR is not the biggest threat to open banking; customer apathy is a far greater one. Banks and fintechs have been pouring money into getting ready for open banking, creating open APIs and new services and offerings for customers. However if there is one lesson that the UK’s Current Account Switching Service (CASS, designed to make switching current accounts effortless and completed in under seven business days) has taught us it is that the majority of customers are simply not interested in banking and see all banks as the same.

Most customers would like to spend the absolute minimum amount of time thinking about their finances and see banking as a means to an end – not the end itself. The volumes for the CASS have been disappointing, with an average of 75,228 per month in 2017. The expectation that there would be a mass move away from existing primary account providers has not happened.

Even when customers have switched, it hasn’t been to either the neobanks (Monzo, Atom, Starling) or the challengers (Metro Bank, Clydesdale Bank, Yorkshire Bank, etc). With the exception of Nationwide Building Society, the net beneficiaries have been the large, global banks – First Direct (HSBC), Santander, TSB (Sabadell), and Halifax (Lloyds Banking Group). The neobanks are becoming secondary banks for the majority of their customers, not the customer’s primary bank.

If being able to switch current accounts in seven days hasn’t gotten customers excited about banking, will the offer of open banking be enough to get customers spending more with their existing banks or switching their primary banking relationship away from their current provider?

One way of improving the experience is to provide a single place where a customer can see all their bank accounts regardless of which bank provides them. This is not a new idea. Yodlee, the best known player in the aggregator market, has been around for over 17 years, providing services to over 1,000 financial institutions and fintech providers. Account aggregation, which sounds like a good idea, has not taken off in the mass market. Apart from the customer apathy described above, the screen-scraping technique deployed by many aggregator tools involves the customer breaking their agreed terms and conditions with their banks. This is where GDPR, open banking, and the EU’s second Payment Services Directive (PSD) jointly provide a regulatory framework to give consumers the knowledge, should they wish to take up such services, that they are legally protected.

GDPR is about putting consumers back in control of how their data is used. From a customer’s perspective, it is a prerequisite for open banking, as it will give them the confidence that their personal data will be used only for the specific purposes that they explicitly agreed to when signing up for the service.

Account aggregation is not the only new service that banks, fintechs, and non-banks are beginning to offer to customers. Real-time spending analysis, the ability to split restaurant bills, and lower-cost foreign transactions are among the services that both existing and neobanks are offering.

A question that the banks must answer is whether the current open banking offerings are providing an experience that is sufficiently differentiated from the competition that it will make customers actively switch to them.

Neobanks being built using cloud first, modern technologies have advantages in both complying with GDPR and offering new services as a result of open banking. They have been able to build from the start a single view of the customer in real time using open APIs and microservices. However, they lack scale in terms of both the number of customers and the depth of resources.

The existing big five banks have all the advantages of the size of their customer base and IT budgets. They are, however, hampered by the complexity of the legacy infrastructures and the fact that customer data is spread across multiple legacy systems that were designed for batch-processing. This makes building a real-time view of a customer’s relationship with the bank a significant challenge. It is for these reasons that a number of the major banks either have elected to work with fintech firms to help them address this or have designed new digital banks using modern technology.

For banks and non-banks (since the legislation was drawn up to encourage challengers from other sectors such as telcos, retailers, and fintechs), GDPR increases the potential financial and reputational risks of entering the open banking market. While most people know little about the details of GDPR, almost everyone seems to know about the fines of up to 4% of global revenues for a breach of the regulation. No organization knows how strictly it will be enforced and certainly none want to be the test case for the first fines. The fall in the share price of Facebook following the investigation into the activities of Cambridge Analytica is evidence of the potential reputational and financial risk of a breach.

Given the risk of fines and the cost of meeting regulation, the revenue upside of open banking needs to be significant. Providing an aggregator service or a breakdown of expenditures in real time are good customer experiences, but they don’t directly bring in additional revenue, as the neobanks are finding. open banking is of course about more than just providing aggregation and personal financial management, and the revenue growth is forecast to come from the provision of additional financial and non-financial services.

All the neobanks have realized that offering current accounts alone is not a profitable business. To be successful they need to be able to offer other services and are positioning themselves as marketplaces. One of the most successful organizations operating as a marketplace has been Moneysupermarket, but even it is finding that competition is driving down margins, and the barriers to entry (helped by the intervention of regulators) have significantly impacted their profitability.

A key criterion to be a successful marketplace is to have scale – Amazon, eBay, and Ariba (in the B2B world) demonstrate this. As open banking becomes a reality, the winners will be the ones that have the scale. For the moment, that advantage lies with the incumbent banks.

The success of open banking will neither be enabled or inhibited by GDPR. The success of open banking in the retail segment will be measured by the level of switching activity. This will only happen by providing an offering that so engages the customer that it overcomes the disinterest that most customers have about banking.

Find out more about how you can turn GDPR compliance into a growth opportunity with our GDPR resources.


Jonathan Charley

About Jonathan Charley

Jonathan Charley is the EMEA North General Manager of Financial Services at SAP. He is responsible for EMEA North Financial Services sharing thought leadership and leading customers through their digital transformation