22-06-2016 | POINT OF VIEW
Payment Services Directive 2 and Open Banking – A Risk Perspective

The sharing of big data has been with us for some time now, largely to help firms identify trends in customer behaviours and categorise them with ever-increasing sophistication. Emerging analytics providers and major consulting firms have been promoting the opportunities of big data across many retail industry sectors, but its uses within financial services firms have to date been primarily limited to customer trends. Credit reference agencies have made more extensive use of data such as the turnover of credit balances in current accounts, but this data is typically aggregated and, by their own admission, the insights about customer income are limited to predictive estimates.

The requirement for financial services firms to comply with the EU’s Payment Services Directive 2 (PSD2) by January 2018 is now opening up opportunities for precise data sharing that will revolutionise the way both banks and their customers operate, so 2018 is going to come quicker than we think.

The UK’s interpretation of PSD2 has been defined as the ‘Open Banking Initiative’, which takes PSD2 one step further. It will define common data dictionaries, and stipulates the sharing of Personal Current Account (PCA) data. Whilst the HM Treasury-led Open Banking Working Group published its Technical Standard at the start of 2016, there is more to do to define how the banks will work with each other to share data, which is likely to be consent-led, for the lifetime of the product and only for the use of the product – this framework will require explicit agreement between the banks.

For now, it’s understood that only the UK’s largest banks and building societies will need to comply with PSD2 and Open Banking, although it is likely that the challenger banks will be compelled to implement them in order to remain competitive.

PSD2 has potentially major implications for the various roles a bank or building society would like to play. It also raises some key considerations for the risk function, and we have listed a number of these below.

Cyber Vulnerability

PSD2 and Open Banking will rely extensively on Application Programming Interfaces (APIs). This affects a bank’s cyber resilience, as vulnerabilities elsewhere in the new and extensive PSD2 infrastructure can persist across this boundary and compromise overall cyber resilience. These APIs will need to be sufficiently robust to enable banks and building societies to share data, and to validate that it is encrypted, on behalf of consenting customers and their customers’ authorised third parties. We also see the need for banks and building societies to maintain real-time monitoring of themselves and authorised third parties, to check for new vulnerabilities and confirm adherence to encryption standards so that there are no data breaches. The impact of a data breach involving customer transaction data could be catastrophic, so it’s vital that this risk is mitigated in the design of the infrastructure and risk controls that support PSD2 and Open Banking.

Secured Credit Risk and Product Management

Whilst lenders and retailers will provide an unsecured loan (e.g. a credit card) on the basis of a credit reference agency report, this is not always the case for mortgages, where data needs to be more precise; the latest MMR thematic review published by the FCA in May proposed that current use of credit reference agency data for automation should be restricted to customers with simple income types. If banks and building societies share transaction-level PCA data, and consume this data in automated risk processes, it will enable straight-through processing for customers when coupled with Automated Valuation Modelling (AVM) during origination. We know through our experience with large UK lenders that 9 out of 10 retail customers would have been lent to on the basis of their PCA transactions alone. Alongside initial origination is the opportunity for banks and building societies to pre-approve a re-mortgage for customers by using up-to-date transactions to verify income, and an AVM to assess any LTV requirements, so that an appropriate product can be offered ahead of term completion of an existing mortgage. In short, the automated use of PCA transaction data in this way will be transformational, particularly for early adopters.

Capital and Risk Models

When PCA data is available for the length of a mortgage product, lenders who use customer income as an input into their capital and risk models will be able to consume this data in real time and re-calibrate their models in a way that is not currently available to them. This has the potential to reduce impairment provisions: when customer incomes rise during the term of their mortgage, capital risk models can re-calibrate automatically on the basis of the increased income.

Exploitation of FinTech

Whilst technology firms like Amazon update their systems with multiple daily releases, this is simply not the case for most financial services firms. In the brave new world of PSD2 and Open Banking, where large technology consultancies are racing to define the “look and feel” of potential apps, the reality is that no one really knows the full suite of opportunities that will result from data sharing. With that in mind, the banks and building societies that are most able to innovate and deliver technology quickly are likely to differentiate themselves and take market share. The exploration of new ways to deliver technology quickly into firms is paramount, including the use of encrypted, cloud-based microservices which can be designed and launched by FinTech firms in a matter of weeks.

Whatever the opportunities for banks and building societies, the biggest winners from PSD2 and Open Banking will be their customers. Customers increasingly require that all areas of their lives are digitally enabled and provide the instant outcomes they now demand. With January 2018 fast approaching, banks and building societies must act now to define their strategy for using this data in order to stay ahead of their peers.

