OFA Position on the Joint Regulatory Oversight Committee Report
Position Paper – 24/05/2023
In April, Andrew Griffiths, EST, announced the publication of the Joint Regulatory Oversight Committee (JROC) report on the future of UK open banking. He said “this will be the year of delivery for the next generation of open banking”. JROC was launched in March 2022 to help the UK transition to the next phase of open banking. It’s made up of the Financial Conduct Authority (FCA), Payment Systems Regulator (PSR), Competition & Markets Authority (CMA) and HM Treasury.
The highly anticipated report sets out a range of recommended actions in six areas:
- API performance
- Financial crime
- Consumer protection
- Information flows (between banks and third party providers (TPPs))
- Variable recurring payments (VRPs) beyond sweeping
- The future of the Open Banking Implementation Entity (OBIE)
In this paper, we unpack the what, why, how and when of the report and give our view on the recommended actions.
Overall, we welcome the report as a significant step in securing the future of UK open banking and bridging the gap to open finance.
However, fulfilling the recommendations will require extensive work and resources from regulators, industry and from the Open Banking Implementation Entity (OBIE), which is also preoccupied with its own transition to a ‘future entity’ (as we discuss below).
The timelines are also ambitious. It’s been one month since the report was published and certain items are due for completion in Q2 2023.
We urge JROC to publish further information and commit resources to ensure the recommendations are pushed forward.
Application programming interfaces (APIs) are the bedrock of open banking. They enable third party providers to securely connect to banks, so they can access account data and initiate payments on behalf of customers.
JROC is looking at:
- How well bank APIs perform
- How to better collect API performance data
When bank APIs become unavailable, this has a big impact on the companies and consumers using open banking to make payments and view account data. This is why performance needs to be carefully monitored.
API performance data is already collected, but not consistently, and not in real time. The nine largest banks have to report one set of data to the OBIE (published here) on a monthly basis. A larger number of banks have to publish data on their websites (eg here) and report to the FCA quarterly.
The time lag with data reporting, and the inconsistency in what is reported, means problems with API performance (such as outages) are not always picked up or acted on effectively. JROC wants to ‘level up’ by collecting the same data from across the ecosystem.
- JROC has tasked the OBIE with designing a new data collection framework for API availability and performance in Q2 2023.
- Regulators will consult on new reporting requirements, if needed, in Q2 2024.
What we think
- Transparent reporting on performance and use of APIs has been incredibly important for tracking the uptake and health of UK open banking.
- Unlike the EU, the UK maintains centralised reporting and publication of API data. This is a key resource for participants.
- We agree that there is a need to expand data collection consistently across more banks.
- However, JROC’s proposed reporting changes will be time consuming, expensive and duplicative for banks and TPPs.
- Aligned with the overall data and technology strategy of the UK regulators, we believe that a technological solution to data collection, using companies that provide such services, is a more appropriate way forward. This approach will improve the quality, consistency and independence of data, move towards real-time reporting, and reduce costs.
Open banking payments have been developed with security in mind. As a replacement for manual bank transfers, they remove the need to enter payee details, reducing the risk that consumers are tricked into sending money to a fraudster.
In its report, JROC considers:
- How to better collect data on financial crime
- Banks’ alignment with guidance on transaction limits
- Data sharing between banks and TPPs to prevent financial crime
While trade associations like UK Finance publish fraud data for other payment methods, open banking payments lack a similar reporting system. Collecting and publishing better data will allow for more transparency and understanding of the scale and characteristics of fraud.
Recent increases in financial crime have also led banks to reassess their risk approaches. This can impact how they treat open banking payments — for example, blocking or limiting more payments.
Sharing more data between TPPs and banks will also allow participants to understand the financial crime risks of certain payments, enabling better fraud prevention.
- Asking the OBIE to design a data collection framework (Q2 2023) and analyse the data collected (Q3 2023)
- Asking banks to assess whether their payment limits are aligned to FCA guidance (Q2 2023)
- Asking the OBIE and Pay.UK to progress initiatives to enhance data sharing between banks and TPPs (Q4 2023 – Q2 2024)
- Asking the FCA and PSR to consult on data sharing and payment limits (Q2 2024)
What we think
- Data is incredibly important when thinking about fraud. We agree with the way data collection is being prioritised by JROC.
- Data on fraud impacting open banking payments should be published in a contextualised manner alongside fraud data impacting other types of payment.
- Any reporting requirements need to be proportionate. Banks and TPPs already report fraud data, including open banking data, to the FCA, and this should be improved rather than duplicated.
- Data sharing between TPPs and banks needs to be developed under guidelines to ensure consistent practices and outcomes: for example, a consistent understanding of what a certain payment context code or transaction risk indicator means.
- We hope better data sharing and transparency will lead banks to reassess payment limits, especially where low payment limits are preventing consumers from being able to use open banking for high value payments.
As open banking develops and new products and services emerge, JROC is assessing whether consumer protections are keeping pace.
JROC is reviewing:
- The processes in place to help guide consumers if something goes wrong
- Any potential ‘protection gaps’
- Dispute processes for both data and payments use cases
Regulations enabling open banking already ensure a high degree of consumer protection.
However, open banking services have developed rapidly since regulation was introduced in 2017. They are now used to power everything from credit scores to tax payments, and increasingly to make purchases.
The JROC recommendation to look at consumer protections ties in to parallel work by the PSR to unlock account to account payments for retail use to compete with cards. The PSR has highlighted that:
“Retail transactions … add a number of uncertainties (such as a customer paying a certain time before goods or services are delivered) which the consumer’s account provider needs to be able to assess the risk of. These types of factors place demands on the underlying payment infrastructure.”
The JROC report lines up with this work by noting that, “the FCA and the PSR will assess the alignment between dispute processes in open banking and Faster Payments to decide where additional processes should sit.”
- Asking the OBIE to perform a gap analysis of disputes processes by Q4 2023
- Proposing that the FCA and PSR will consult, if necessary, on additional dispute process or protection requirements in open banking in Q2 2024
What we think
Ensuring consumer confidence in open banking services is critical and can only be achieved if:
- open banking works well and issues are prevented
- issues that do occur are addressed effectively and in a timely manner
- consumers know what to do and who to speak to if something goes wrong
While increasing user adoption indicates that open banking is working well, we believe work is needed in the following areas:
- Dispute resolution system: while there is guidance on how to address liability between banks and TPPs when something goes wrong (e.g. section 8.329 of the FCA Approach Document), more needs to be done to operationalise the resolution of disputes, by creating standards for communication and efficient communication channels that can be used by all participants.
- Purchase protection: more evidence needs to be gathered before decisions are made on the use of, and demand for, ‘purchase protection’ — the ability for a consumer to escalate an issue about goods and services to their bank; and whether and how this should be replicated for open banking payments. As the JROC report highlights, any further development in this area needs to be “balanced with instating complex and costly processes that inhibit businesses from supporting open banking services”.
Information flows between banks and TPPs
Open banking works by enabling the exchange of information between banks and TPPs via APIs.
To initiate a payment, a TPP sends a payment order (which includes the amount of the payment and the beneficiary) and the bank sends back the “payment status”: which describes the payment’s progress to completion. If the payment has failed, the bank presents an “error code” explaining why it has failed.
JROC’s report looks at:
- The consistency of payment statuses and error codes
- Alignment between messaging in open banking (messages between the TPP and the sending bank) and messaging in faster payments (messages between the sending and receiving bank)
Correct and consistent information about the status of an API request creates certainty for consumers and businesses using open banking. For example, a lack of visibility of a payment’s status can create problems with shipping goods, or providing consumers with confirmation about their transaction, undermining trust and confidence.
JROC has tasked the OBIE to perform a gap analysis of payment statuses in both faster payments and open banking in Q3 2023. Following that, the FCA and PSR will consult on possible requirements, and whether any changes are needed between Q4 2023 and Q2 2024.
What we think
We have previously made a number of recommendations to JROC for payment status codes:
- All banks, including those beyond the CMA9, should implement status codes consistently using the OBIE standards, which are based on ISO 20022.
- A new payment status should be developed that acts as a ‘payment guarantee’. The sending bank would provide a guarantee to the TPP that a payment will be sent to the receiving bank within a predefined amount of time (e.g. three seconds), or the payment must be rejected.
In terms of error messages, we have asked that:
- In the event of an error, banks provide end consumers with clear, human-readable, specific, and actionable error messages inside the banking app/website.
- Banks should also give TPPs an unambiguous and clear code and, where the error is user-related, a message detailing the specific reason for the error. These messages should be standardised across all providers. This is essential for situations where this information needs to be further conveyed to the merchant, booking platform or similar.
We hope that this feedback will be a good starting point for the OBIE’s gap analysis.
Variable Recurring Payments Beyond Sweeping
Variable recurring payments (VRPs) are the latest development in open banking. They allow customers to set up flexible, recurring payments directly from their bank accounts.
The nine largest UK banks are currently required to support VRPs for limited use cases: payments between accounts in the same name.
This means consumers and businesses can benefit from new ways to save and pay off debt, powered by open banking.
The JROC report highlights an opportunity to develop VRPs beyond sweeping use cases, and use this as a pilot to also develop ‘premium APIs’, where banks are remunerated for giving access to new open banking functionality. So-called ‘non-sweeping VRPs’ could be used to develop an alternative to direct debits and card-on-file payments.
JROC points to the need for a ‘sustainable economic model’ for open banking. This is a move away from the original regulatory competition remedy basis for open banking, which prohibited banks from charging for secure access to payment accounts via APIs. This ‘free access’ was a huge boost for competition, reducing barriers to entry for fintechs, resulting in many new products and services being developed for consumers and businesses.
However, new, fair and proportionate regulation governing access to secure APIs for VRP beyond sweeping is yet to be developed. Commercial partnership between banks and TPPs, with strong regulatory leadership where needed, offers an opportunity to unlock new value from open banking in the near term.
JROC has set out eight actions to boost the development of VRPs and premium APIs. These range from a working group the FCA and PSR will set up in Q2 2023 to look into VRPs beyond sweeping, to the implementation of a multilateral agreement, or rulebook, for premium APIs by Q4 2025.
What we think
It’s hugely positive that JROC is focusing on how to push forward industry development of new open banking functionality. We look forward to contributing to JROC’s work in this area. In order to build on recent acceleration in open banking adoption and support the UK’s Fintech innovation, swift action is necessary.
Future of OBIE
The OBIE employs technical experts to develop and maintain standards which help UK banks and TPPs to deliver successful open banking services.
But the OBIE isn’t a permanent body and its future has been in the balance following the end of the Open Banking Roadmap.
One of JROC’s key objectives has been to coordinate the transition of OBIE to a ‘future entity’ and the report outlines its plan to do this, and its design principles for the body.
Having an independent body focused on the development of open banking standards has been key to the success of open banking in the UK.
JROC’s engagement with stakeholders has confirmed that there is “broad consensus on the need to have a successor entity to the current OBIE”.
OBIE doesn’t just need a successor body. It also requires a new mandate — the ability to develop standards that go beyond the original open banking regulation — and a new roadmap.
- Establishing governance arrangements to allow OBIE to undertake activities beyond the CMA order by Q2 2023
- Asking the OBIE to develop a pricing framework for non-order functionality by Q2 2023 (banks are only currently required to pay for OBIE work related to the CMA Order)
- Working with industry to design the future entity (structure, governance and funding) by Q4 2023
- Expecting to transition OBIE to the future entity, starting in Q4 2023
JROC has also confirmed that legislation currently passing through parliament, the Data Protection and Digital Innovation Bill (DPDI), will be used to underpin the future entity (i.e. create obligations to fund the entity and a framework to oversee it).
What we think
We are fully supportive of the actions to transition the OBIE to a future entity. In particular, it is positive that during the transition phase, the OBIE will be able to undertake activities that go beyond the CMA order. This will help to maintain momentum in UK open banking, and unlock new benefits for consumers and businesses.
It is important that:
- The OBIE continues to be well funded and resourced while we await transition to the future entity
- The future entity retains a role in developing both payments and data standards
- The future entity has objectives to enhance innovation and competition for the benefit of businesses and consumers
UK open banking is at a turning point. With the publication of this report, Government and Regulators have signalled their intent to ensure the further development of the ecosystem and have provided clear next steps. TPPs, banks and the wider industry must now play their part to move things forwards in these important areas.
Copyright OFA 2022