Banking transactions have evolved from the traditional model, with technology disrupting how payments are made. Functions such as international money transfers and loan applications, which previously required a physical visit to a financial institution, can now be completed through mobile phone applications. The convergence of technology and financial services has increased competition within the banking industry as traditional banking customers shift to mobile platforms that ease banking transactions and enhance the overall customer experience. Such competition demands that banks tailor their transaction models to meet their customers’ needs.
Open banking is one such attempt. It aims to meet this revolution head-on by giving customers more control over their transactions through the sharing of customer-permissioned data with third-party applications. This allows third-party developers to build solutions around this data and to provide services such as real-time payments and fund transfers, which, in turn, increase the convenience of banking transactions.
Open banking involves the transmission of customer-related data from a bank to third-party services. For this reason, the Data Protection Act, 2019 (DPA) serves as the key reference point in actualising open banking transactions. Open banking places banks within the purview of the DPA through their roles as data controllers and data processors within the meaning of section 2 of the DPA. The section defines data controllers as “…a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.” On the other hand, a data processor is defined as “…a natural or public authority, agency or other body which processes personal data on behalf of the data controller.”
This section further defines processing to include “…any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as…disclosure by transmission, dissemination, or otherwise making available.”
By the foregoing definitions, banks are both data controllers and processors as their core functions involve the processing and controlling of customer data. Therefore, banks are under an obligation to meet the principles set out to protect personal data under section 25 of the DPA. These principles impose various obligations on data processors and data controllers pertaining to the processing of data. In part, these include the obligation to ensure that personal data is processed in accordance with the right to privacy, in a lawful manner and for explicit purposes amongst other requirements.
While open banking holds a wealth of opportunities for banks to reinvent themselves in the digital age, it simultaneously poses a myriad of risks for the banking industry. To begin with, the third-party applications which provide access to open banking services in some instances have no direct contractual obligation to the customers’ banks. This deprives banks of any privity as to the terms and conditions of use and service for these applications, since those terms are executed independently by the customers authorising the transfer of their data.
As a result, banks have no means of controlling the extent or use of customer information, nor can banks verify the integrity of third-party applications which seek access to such information. Consequently, a customer may inadvertently give consent to a malicious application which compromises the security of a bank. Additionally, given that banks may have no contractual relationship with the third party, it would be difficult to apportion liability in cases of financial loss arising from use of the application.
In light of the foregoing, there are various mitigation measures that banks might employ at an institutional level to monitor and manage the risks associated with third-party applications, as highlighted at the end of the article.
Banks have a fiduciary obligation to keep their customers’ information confidential. In open banking, this duty is essentially waived by customers who instruct and give their consent to the banks to share their information with third-parties. The transmission of such data carries with it the risk of data loss and fraud where there are no secure platforms to transfer such data.
Section 41 of the DPA provides that all data processors and controllers have a duty to integrate necessary safeguards that implement the data protection principles set out in section 25 of the DPA. This means that banks and the third-party applications have an obligation to ensure that their systems do not fall afoul of the provisions of the DPA or occasion any loss to the data subject.
According to Jim Marous in his article “The Future of Banking Depends on Open Banking” published in The Financial Brand, banks that offer open banking services have resorted to the use of Application Programming Interfaces (APIs) so as to ensure the secure transmission of such data. APIs work by providing a structure through which two applications can communicate. For example, an API may be used to communicate between the customer’s bank and a third-party application in order to complete payment for services provided by the third-party application to the bank’s customer. While the use of APIs mitigates the risk of data loss, it does not guarantee the safety of such data. For instance, open APIs, which are the preferred APIs to use in open banking, pose a security and legal risk to banks as they allow third-party applications to access the bank’s customers’ information without any assurance as to the security of the third-party applications. Marous points out that, given that there are no contracts between banks and third-party applications, it is hard to determine who is liable in the event of such loss, as the parties would not have contracted on:
- the means by which data will be transferred
- the security of the third-party platform
- who bears the risk in the event of data or financial loss occurring after the transmission of such data
In 2015, the European Union adopted the Payment Services Directive (the Directive). The Directive was an attempt to formalise the relationship between banks that provide open banking services and third-party applications by setting industry standards in the conduct of open banking transactions. The industry standards include amongst others:
- imposing upon banks and regulators an obligation to set up a reporting mechanism
- a pronouncement that payment service providers are responsible for the security risks concerned
The adoption of the Directive resulted in the development of Open Banking Europe which was launched in 2017 with the aim of providing a single, standardised and open directory on authorities and third-party providers in open banking. While the adoption of the Directive has reduced the risks of open banking in the European Union by setting standards for the regulation of open banking, no such directive applies in Kenya, bearing in mind that the DPA is a fairly recently enacted statute, with various guidelines and regulations envisaged under the law yet to be rolled out.
Therefore, it is fair to state that banks in Kenya are at a higher risk of incurring liability in the event of data or financial loss occurring from the use of open banking.
In order to mitigate the potential liability arising from open banking, it is recommended that banks should consider:
- developing an open banking policy that outlines the extent to which banks can integrate with third-party applications whilst adhering to the provisions of the DPA
- imposing privacy-by-design and privacy-by-default thresholds on third-party applications before allowing them into their ecosystem
- updating their terms of service and use to outline their stance on liability where third-party applications are involved