BCBS: Bank supervisors must pay greater attention to APIs and open banking risks
The Basel Committee on Banking Supervision (BCBS) published its report on open banking and application programming interfaces (APIs).
The report monitors the evolving trend of open banking observed in Basel Committee member jurisdictions and the use of APIs. It builds upon the findings of the committee’s sound practices paper on “Implications of fintech developments for banks and bank supervisors”.
The BCBS acknowledges that open banking comes with benefits to banks but also various challenges, such as risks to their business models and reputation, and issues regarding data privacy, cyber security and third-party risk management.
Its key findings on the open banking framework include:
- Traditional banking evolving into open banking;
- Open banking frameworks varying across jurisdictions in terms of stage of development, approach and scope;
- Data privacy laws providing a foundation for an open banking framework;
- Multi-disciplinary features of open banking requiring greater regulatory coordination;
- Open banking bringing potential benefits but also risks and challenges to customers, banks and the banking system;
- Challenges of adapting to the potential changes in business models;
- Challenges of ensuring data and cyber security in an open banking framework;
- Challenges hindering the development of APIs to share customer-permissioned data, including the time and cost to build and maintain APIs and the lack of commonly accepted API standards;
- Oversight of third parties, which can be limited, especially in cases where banks have no contractual relationship with the third party, or where the third party itself has no regulatory authorisation;
- Assigning liability in the event of financial loss, or in the event of erroneous sharing or loss of sensitive data; and
- Banks facing reputational risk, even in jurisdictions where there are established liability rules.
Overall, the BCBS finds that banks and bank supervisors need to pay greater attention to the risks that accompany: (i) the increased sharing of customer-permissioned data; and (ii) the growing connectivity of various entities involved in the provision of financial services.