Below is FDATA Europe’s response to the consultation put forward by the CMA on UK Finance’s report on the proposed Open Banking Future Entity; we are grateful for the additional time provided in order to properly respond to the questions raised. We would like to highlight a few points before presenting our formal response and recommendations: Do not rush this decision: any future entity needs to be future proof.
Member Spotlight: Codat
Codat works with small businesses across the globe to help them harness their data in a way that allows firms to grow. Founded in the United Kingdom in 2017, Codat recently expanded its operations into North America.
How will businesses in the United States and Canada benefit from this move?
During the COVID-19 crisis, Codat’s products have been a lifeline for small firms. Tens of thousands of small businesses have used apps, services, and financial products powered by Codat to allow them to harness company data. With Codat, these businesses no longer have to spend hours collecting the data required to submit a loan application, for example.
Via its single API, Codat’s Core product enables real-time data access and visibility, offering deep insight into the business’s financial picture. This unlocks scores of opportunities for small businesses, and allows them to more quickly streamline application processes. Thanks to Codat, which integrates everything from accounting to commerce data, and paired with Open Banking, lenders can easily corroborate the actual financials of a business.
Combining and cross-referencing multiple data sources allows lenders to form a complete and verifiable understanding of a business customer, far beyond what is available from credit bureaus. Moreover, Codat can also use data to help identify and stop potential fraud, a key barrier to lending. According to a 2019 LexisNexis study, fraud losses as a percentage of revenues amount to 5.8 percent for digital lenders, 4.5 percent for small banks and credit unions, and 2.9 percent for larger banks.
PayPal and American Express recently announced they made strategic investments in Codat. Zettle, a PayPal payments company, uses Codat’s technology to transfer point of sale transaction data into their merchants’ accounting software. “The data connectivity Codat enables is a game changer for small-to-medium businesses who want the flexibility to use their preferred tools to run and grow their business,” said Peter Sanborn of PayPal Ventures.
Codat joined FDATA North America in March 2021. Gabriel MacSweeney, who is in charge of strategic partnerships and commercial strategy for the company, said, “At Codat, we are delighted to lend our voice to discussion on the future of open finance in North America. Joining FDATA North America aligns with our mission to enable all the systems and services that a small business uses to work together seamlessly, and underscores our strategic focus and growth plans in the region.”
Member Spotlight: Experian
While Experian is primarily recognized as one of the three nationwide credit bureaus, the company has a diverse business that provides an array of data and analytical tools. At its core, Experian is committed to helping people and businesses take control of their financial well-being and to seize new opportunities.
In many parts of the world, including the United States, a positive credit history can be the gatekeeper to many of the things we want in life. To this end, Experian has been at the forefront of developing products and services that help consumers gain access to fair and affordable credit and understand their financial health.
Experian’s commitment to creating greater financial opportunity for consumers is evident in some of the company’s most recent innovations, including Experian Boost. This free, first-of-its-kind service relies on consumer-permissioned data and open banking systems, allowing consumers to play an active role in building their credit profiles. Through Experian Boost, consumers can grant Experian permission to access the checking account, savings accounts, or other demand deposit accounts as well as credit cards to identify reoccurring bill payments, such as cell phone payments, internet payments, utility payments, video streaming service payments and more. Experian then adds the positive payments to the consumer’s credit report and an updated credit score is delivered to the consumer in real time. Consumers have complete control over the process and can add, keep or remove accounts at any time.
More than six million consumers have connected to the service since it launched in North America in March 2019. Two out of three users see credit score improvements by using Experian Boost with an average boost of more than 10 points.
Following the successful launch in North America, Experian Boost is now also helping consumers in the U.K. take control of their credit.
“With Experian Boost, we are inviting consumers to play an active role in building their credit profiles, while providing lenders with a more detailed picture of a consumer’s financial situation,” said Alex Lintner, group president Experian Consumer Information Services. “Our role is to help bring financial inclusion to every adult in the world and we are putting consumer needs at the heart of our innovative culture. Experian Boost is just an example of this effort in action.”
Experian has recently expanded its consumer products to help consumers with the management of their personal financial data. Experian’s Financial Health product leverages open banking technology to provide consumers with a holistic picture of their credit and finances, while offering the ability to monitor their transactions for fraud and spending thresholds. These insights provide consumers with the tools to manage their finances, monitor their financial health and security and meet their financial goals.
Experian also has developed its AccountView product suite, in partnership with Finicity, to enable consumers to more easily share their financial data to support lending and rental decisions in mortgage, personal lending and tenant screening. By leveraging these services, a consumer can provide permission to lenders and screeners to access their financial accounts, including checking, savings, 401K and brokerage accounts. This capability aggregates the transaction history and presents it back as a Verification of Income and Employment (VOIE), Verification of Income (VOI), Verification of Employment (VOE) or Verification of Assets (VOA) report. These reports reduce the number of documents that a consumer must physically present and make it easier and more efficient for consumers to apply for credit.
Consumer permissioned data and open banking systems leveraged by Experian have played a critical role in the company’s ability to create meaningful change in the lives of consumers, including those in underserved and marginalized communities. As part of its ongoing commitment to consumer financial health, Experian will continue to invest in consumer permissioned data and open banking technologies to help consumers gain access to fair and affordable credit.
Experian employs more than 16,000 and supports clients and consumers in more than 79 countries.
Experian joined FDATA North America and FDATA Europe last year. To learn more about Experian, please visit www.experian.com.
PSR Consultation on Consumer Protections for Interbank Payments
FDATA Response to Payment Systems Regulator Consumer Protection in Interbank Payments: Call for Views (CP21/4)
FDATA appreciates the opportunity to respond to the PSR’s Call for Views on Consumer Protection in Interbank Payments. We address the questions contained in the CfV, and have also provided an overview of our analysis of PSR CP21/4. Below the question responses, please find a table addressing section by section assumptions listed in the CfV for which FDATA members have a rebuttal.
FDATA North America Welcomes Three New Members
Contact: Kerrie Rushton, (202) 365-6338, [email protected]
April 6, 2021, Washington, DC – The Financial Data and Technology Association (FDATA) of North America today announced it has added three new members—BillGO, Codat, and ValidiFI—boosting the organization’s roster of member companies and organizations to 28.
“We’re excited to add BillGO, Codat, and ValidiFI to the growing list of companies united in their belief that consumers and small businesses should have full control over their own financial data,” said FDATA North America Executive Director Steve Boms. “Financial technology companies are well positioned to help individuals, families, and small businesses improve their financial well-being as they fight their way out of the global economic crisis caused by COVID. Open finance maximizes the potential of fintech to improve financial access and inclusion, and BillGO, Codat, and ValidiFI will be important allies in this effort.”
Boms outlined how consumer-directed finance will improve financial inclusion in a recent Morning Consult op-ed.
The following organizations recently joined FDATA North America:
- BillGO is an award-winning real-time bill management and payments platform that serves more than 30 million consumers and thousands of financial institutions, fintechs, and billers. Visit them at https://www.billgo.com.
- Codat empowers more small businesses around the globe by ensuring their systems and services are interconnected, allowing them to harness their data to access bespoke products. Visit them at https://www.codat.io.
- ValidiFI is a technology company that delivers data and payment solutions for companies in the financial services industry and provides insights that help them improve the payment process. Visit them at https://validifi.com.
These firms discussed the importance of FDATA North America’s mission to advance data access and open banking in North America:
- BillGO: “Because BillGO believes everyone deserves access to a healthy financial future, we’re thrilled to join the FDATA and work alongside other organizations that share that commitment,” said Jay Plueger, SVP Alliances and Corporate Development at BillGO. “We look forward to collaborating with the FDATA and its members to shape standards and principles that advance our industry while protecting the interests of consumers.”
- Codat: “At Codat, we are delighted to lend our voice to discussion on the future of open finance in North America. Joining FDATA North America aligns with our mission to enable all the systems and services that an SMB uses to work together seamlessly and underscores our strategic focus and growth plans in the region.” – Gabriel MacSweeney, Strategic Partnerships & Commercial Strategy
- ValidiFI: “Access and insight into the rapidly changing regulatory environment for open banking and finance is crucial,” stated Jesse Berger, ValidiFI President and Chief Operating Officer. “It is vital for the development of innovative financial data and technology products like those offered by ValidiFI and other FDATA members. With FDATA’s support, members are ensuring financial products give consumers and businesses more choices, competitive service offerings, and a better deal.”
Existing FDATA North America members include: air (Alliance for Innovative Regulation), APImetrics, Betterment, Direct ID, Envestnet Yodlee, EQ Bank, Experian, Fiserv, Flinks, Interac, Intuit, Kabbage, Mogo, Morningstar, M Science, MX, Petal, Plaid, Questrade, Quicken Loans, TransUnion, Trustly, VoPay, Wealthica, Xero, and others.
ABOUT FDATA NORTH AMERICA
FDATA was heavily involved in the UK Open Banking Working Group in 2015. In 2016, the working group’s output was published by Her Majesty’s Treasury as the Open Banking Standard. FDATA North America was founded in early 2018. Its members collectively provide tens of millions of consumers in Canada, the United States and Mexico with aggregation-based tools to better manage their finances.
Member Spotlight: ValidiFI
Can open finance positively impact the traditional financial services sector? ValidiFI has proven it can.
ValidiFI is a technology company that delivers data solutions to business and financial service providers. Simply: through a combination of technology and strategic partnerships, ValidiFI creates better ways to validate and analyze customer information.
ValidiFI’s data—which is sourced from banks, payment processors, financial platforms, and hundreds of thousands of businesses—comprises the most comprehensive lake of financial information in the industry. Financial services firms harness the data to improve account openings, credit decisions, payment processing, fraud detection, and risk segmentation. Businesses of every size—from new startups to public companies—use ValidiFI solutions to increase sales and facilitate payments.
Take managing underwriting and risk, for example.
It is becoming increasingly difficult for financial institutions to properly segment their applicants while identifying who will be a good and bad customer. ValidiFI’s alternative data solutions help firms identify and segment the risk of applicants based on their employment, income, and bank data. ValidiFI’s Payment Instrument (PI) Risk Score analyzes thousands of attributes to enhance the financial profile of the consumer, helping to mitigate fraud, reduce defaults, and reduce returns.
ValidiFI’s tools also help financial services firms stay compliant with government and organizational regulations. Using Bank Account Validation (BAV), firms can adhere to the Consumer Financial Protection Bureau’s payment provisions. ValidiFI also offers comprehensive Account Validation services to help maintain compliance with Nacha’s WEB Debit Rule.
According to ValidiFI, accessing a greater range of data is essential as the United States and Canada climb their way out of the COVID-19 health and economic crisis. ValidiFI said companies that are able to adapt to change by utilizing alternative underwriting methods and data, for example, will recover and advance more successfully.
ValidiFI joined FDATA North America in March 2021.
President and Chief Operating Officer Jesse Berger said, “Access and insight into the rapidly changing regulatory environment for open banking and finance is crucial. It is vital for the development of innovative financial data and technology products like those offered by ValidiFI and other FDATA members. With FDATA’s support, members are ensuring financial products give consumers and businesses more choices and competitive service offerings.”
Leveling up the UK Market
Leveling up the UK Market: Why the FCA has determined the MCI has got to go [but also why API performance matters]
It may seem like a minor change in regulatory policy; it, however, is not. I’ve said that repeatedly about various points in the FCA’s recent consultation on changes to the Regulatory Technical Standards (RTS). It bears repeating, but this time my poetical waxing focuses on a major change to how all banks across the UK market provide access to consumer data: the removal of the modified customer interface (MCI) exemption.
When combined with Secure Customer Authentication (SCA), those banks who took the exemption to providing an API, instead offering up an MCI, ended up with something that basically stopped data access in its tracks. It also rendered passive screen scraping impossible. [Screen scraping is verboten under PSD2, except when an MCI is the only means of accessing the data; it’s also a materially less secure means than API data access as it’s all about repeated security credential sharing.] And for those customers of banks who only offer an MCI, screen scraping is the only way they’re able to access value added services fintechs provide; yet they can’t extract the full value of those services because of how SCA is applied. Why? Because screen-scraping is technically impossible without the customer present to authenticate every data request.
MCIs are the proverbial catch-22, with bad consumer outcomes no matter how you slice it.
Fintechs (third party providers, TPPs under PSD2) have proven business model utility time and again over the last 15 years, pre-PSD2; yet SCA policy is the proverbial looming sword over the TPP business model neck. It is not the lack of proven business model value that threatens the aims of PSD2 to deliver competition and innovation to the market; it is bad policy that threatens to kill fintech.
In short, due to the nature of MCIs, they require a customer be present for every data transfer from the bank to the fintech. Combined, the SCA and 90-day Reauth rules in the MCI scenario result in a near 100% customer attrition rate for the fintech; and a 100% value loss for the end customer.
Before APIs became de rigueur, screen scraping was the norm. Screen scraping access models for TPPs typically involve the Account Information Service provider (AISP) or their Technical Service Provider (as their agent) storing static login credentials, then passing those credentials through the end consumer’s interface when the customer is not present. PSD2 did try to protect the TPP’s right to pass through these security credentials in the Level 1 final text (PSD2 itself); however, clarifications in the Regulatory Technical Standards (RTS) step back from this.
The pedantry from my previous article continues. Bear with me here, because this matters – and it proves why the FCA’s proposal to revoke the MCI exemption is such a big deal for end consumer value.
PSD2 Article 67(b) states that the AISPs must ‘ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that when they are transmitted by the account information service provider, this is done through safe and efficient channels’.
However, RTS Chapter II introduces authentication codes, dynamic linking (to enable authorisation in the payment flow) and a requirement to keep the Knowledge, Possession, and Inherence elements of the SCA flow strictly separate to avoid the compromise of one element afflicting another.
Remember Article 10 in the RTS? It says that Payment Service Providers are ‘allowed not to apply SCA’ to AISP access between the initial set up access and the 90-day reauthentication. If a bank applies SCA here, they block the TPP from transmitting personalized security credentials. It’s this point at which the RTS effectively contradicts the intention of PSD2 – particularly in the case of banks offering an MCI.
Instead of using the end-customer’s security credentials (typical screen scraping stuff), the fintech is now obligated to identify itself to the bank in order to access the data via the MCI. This becomes a double challenge when the bank has designed SCA for the MCI in such a way that there is a dynamic element to which only the customer has access. This is especially troublesome as the bank has no obligation not to use SCA for all connections. It is another technology layer fintechs must contend with in order to pass through the authentication gateway, another engineering challenge, and another obstacle to circumvent in what should be obstacle free consented data access.
Compounding insult to injury, the engineering workaround introduces even more security vulnerabilities. If banks fail to address these and implement SCA, fintech (AISP) customer-not-present access is completely inhibited. Moreover, banks are not providing test environments for SCA through their MCIs, which causes significant business interruption for both fintechs and the end consumers.
Long story short: while the RTS seeks to improve security measures, SCA as applied to an MCI is inconsistent with the intent of PSD2, and materially impacts continuity of customer service and introduces security vulnerabilities.
The FCA consultation addresses dynamic linking of authentication in section 4.7 of their consultation; it is the justification for eliminating the MCI exemption. By eliminating this exemption, the FCA is pushing to level up the rest of the market to the big nine UK banks mandated under PSD2 to deliver a dedicated API. This is good for the market, and especially good for end consumers. It means less risk of being cut off from data access and services.
And yet. (You were waiting for that, weren’t you?). And yet this is where API performance and conformance are clutch hitters in whether that unblocked data access is a reality.
It’s fair to say that some fintech services require continuous access, otherwise they don’t function. However, not all banks are delivering consistent high-quality performing APIs unilaterally across the UK market. Early on in the UK open banking journey, consistent performance and conformance was a pipe dream; however, both have improved immensely for the big nine in particular under the supervision of the Open Banking Implementation Entity. But banks not mandated under the Competition and Market Authority’s order are not held to the same technical standard, nor the performance and conformance requirements. This fact alone is proof that independent oversight and monitoring are crucial to achieve quality delivery across a single market.
However, relying on banks to provide self-assessment of API performance and conformance is tantamount to leaving the student to mark their own exams: it’s meaningless and subjective. Rather, tech should be used to measure tech, and all parties in the ecosystem should be supervised to the same standard. Going forward, all banks across the UK market should be held to the same API standards that apply under Open Banking, and the FCA would be wise to hold that line for all UK banks once the MCI exemption is removed.
There is another reason why the quality of an API matters: contingency access methods. This contingency method is provided for in the RTS in yet another paradoxically ineffective approach to ensure TPPs have access to data.
Because of inconsistent API implementations (aside from the UK big nine, this inconsistent delivery is true for both the long tail of UK banks as well as financial institutions across the EU as a whole), banks have had to fall back on providing contingent methods of access. RTS Article 33(4) explains the conditions and expectations on the bank in providing contingency methods to access when their dedicated access (the API) fails:
“As part of the contingency mechanism payment service providers referred to in Article 30(1) shall be allowed to make use of the interfaces made available to the payment service users for the authentication and communication with their account servicing payment provider, until the dedicated interface is restored to the level of availability and performance provided for in Article 32.”
TPPs are hopeful that the risks are somewhat mitigated by real rigour in the exemption process; however, the TPP community is very skeptical as to whether the Contingency Access Method is realistic, because it is costly to maintain two types of access methods. Normally, once customers have been migrated to the API access model, they stay there. The wholesale transition of TPPs’ customers to a new Consent, Authentication, and Authorisation flow cannot be reversed easily. Moreover, TPPs cannot maintain direct access (screen scraping) agents for ASPSPs which they are not allowed to use, that can reasonably be expected to function in a crisis. Customers cannot be induced at the ‘touch of a button’ to re-enter credentials for the AISP use case. There is no scenario under which a PSU will re-authenticate daily, let alone several times a day, to maintain access.
It is more than likely a fintech would remain non-functional while waiting for the ASPSP to fix their API channel. In addition to the technical and customer security issues, there would be material customer communication, confidence, and engagement challenges. Moreover, the bank would be violating RTS Article 32(3) by creating an obstacle to PIS and AIS services. Any faith in contingency access while an API is down is mooted even before we’re out of the gate. Article 33(4) is pointless in the face of reality.
Just one more point about obstacles and, more to the point, about what RTS Article 32(3) specifically says: banks are obligated to ensure that their “interface does not create obstacles to the provision of payment initiation and account information services.” It ALSO explicitly states that obstacles to the provision of those services may include, among other things, ‘imposing redirection to the [bank’s] authentication or other functions, requiring additional authorisations and registrations.’
Here is where poor API performance and bad customer journeys intersect: in mandatory redirection. Licensed fintechs have a right to access consenting customer account data in order to retrieve information strictly necessary to provide their services under Article 66(2). Banks have a choice to continue to allow for direct access via the customer-facing online banking interface (including mandatory identification of the TPP) or to provide a dedicated API.
Mandatory redirect is a clear violation of Article 32(3), as well as PSD2’s principles of technology and business model neutrality. Mandatory redirect is also excluded under Article 30(2b), in that the interface needs to ensure that the communication session between the bank, the fintech, and the consumer concerned be established and maintained throughout the authentication step. Article 30(2b) explicitly forbids disrupting a TPP session to divert the consumer back to the bank; such a disruption is the very definition of redirection.
The principles of technical and business neutrality enshrined in Article 98 PSD2 would dictate that the banks cannot force PISPs and AISPs to use redirection. Rather, the RTS provides that banks must leave the possibility open to offer the customer an option to use and stay connected to the fintech’s own website for authentication.
Moreover, mandatory redirection only exacerbates the SCA problem. If SCA is imposed in an obstructive manner, and SCA includes mandatory redirection, fintechs will suffer additional negative impacts and restricted competitive opportunities. Mandatory redirection relegates the noble aims to promote competition and improve customer outcomes to the rubbish bin: it allows banks who offer the poorest customer journey to suffer the least competition.
I mention mandatory redirect to underscore a point: where and how SCA is being placed in the customer journey has been so poorly executed that it necessitates being declared an obstacle. Mandatory redirect is just insult to injury in a line of obstacles to accessing data and hurdles to be cleared in the customer journey. It is time for those obstacles to be removed. The FCA clearly recognizes this, and their proposed elimination of the MCI exemption is proof of it. The UK market – banks, fintechs, and end customers – will profit from this. It’s time the rest of the EU markets saw the same light and upgraded the whole market to API first (based on harmonised, interoperable tech standards across the board).
FDATA North America Sends Letter to Canada’s Department of Finance on Next Steps in Delivery of CDF
March 15, 2021, Washington, DC – Today, the Financial Data and Technology Association (FDATA) of North America submitted comments to Canada’s Department of Finance outlining its key recommendations for next steps in the delivery of Customer-Directed Finance (CDF).
Following the conclusion of the second phase of the CDF advisory committee’s consultations at the end of last year, FDATA North America Executive Director Steve Boms encourages the Department to advance the process of implementing a CDF system in Canada this year by:
- Appointing a full-time, senior staffer at the Department as soon as possible whose sole responsibility will be to oversee the design and delivery of a CDF regime in Canada; and
- Creating a CDF Implementation Entity tasked with the policy design and implementation of open finance in Canada.
Boms noted that FDATA North America and its members “are committed to seeing CDF become a reality for the benefit of Canadian consumers and SMEs. To achieve this goal, and to provide industry with the policy framework under which such a regime can be delivered, we respectfully encourage the Department to begin implementation of a CDF in Canada by appointing a senior staffer within the Department to be responsible for the delivery of CDF and by creating the CDF Implementation Entity as soon as possible.”
FDATA North America Submission to the Department of Finance
ABOUT FDATA NORTH AMERICA
FDATA was heavily involved in the UK Open Banking Working Group in 2015. In 2016, the working group’s output was published by Her Majesty’s Treasury as the Open Banking Standard. FDATA North America was founded in early 2018. Its members collectively provide tens of millions of consumers in Canada, the United States and Mexico with aggregation-based tools to better manage their finances. Existing FDATA North America members include: air (Alliance for Innovative Regulation), API Metrics, Betterment, Codat, Direct ID, Envestnet Yodlee, EQ Bank, Experian, Fiserv, Flinks, Interac, Intuit, Kabbage, Mogo, Morningstar, M Science, MX, Petal, Plaid, Questrade, Quicken Loans, TransUnion, Trustly, ValidiFI, VoPay, Wealthica, Xero, and others.
CDR Market Participants
A CHOICE NEEDS TO BE MADE
If the current definition of CDR Data remains unchanged, the ability to permit accreditation to all levels of the ecosystem is the only way that compliance with the legislation can occur. This includes accountants, advisers, brokers, bookkeepers, marketplace participants, etc.
Consumer Data Right
A CHOICE NEEDS TO BE MADE
If the current definition of CDR Data remains unchanged, the ability to permit accreditation to all levels of the ecosystem is the only way that compliance with the legislation can occur. This includes accountants, advisers, brokers, bookkeepers, marketplace participants, etc.