Regulatory reform for 21st century payments: balancing innovation, inclusion, and security.
The global payments landscape is evolving at unprecedented speed. Technologies such as open APIs, artificial intelligence (AI), digital assets, central bank digital currencies (CBDCs), and efforts to enhance cross-border payments and modernise infrastructure are reshaping how money moves and who moves it.
These innovations promise greater efficiency, inclusion, and competition, but they also expose systemic vulnerabilities and regulatory blind spots.
To unlock the benefits, forward-looking and agile regulatory reform is essential.
But not all regulators are created equal: what works in one jurisdiction might not work in another. In this blog series, Paylume looks at the challenges for modern-day regulators and key considerations as they navigate the future of financial services.
In the first blog of this series, our Open Banking Lead Lauren Jones dives into some of the unique considerations for regulators when developing open banking or open finance ecosystems.
Open banking: unlocking the data-driven economy
Open banking allows consumers and businesses to share financial data related to transaction accounts, and open finance takes this a step further, extending across a wider array of financial products, from savings and insurance to pensions and investment services.
The UK, Brazil and EU have been pioneers in this regard. However, implementation has not come without its challenges. Despite its growing success, open banking often struggles to present a coherent story.
Rationale, adoption, and implementation are all fragmented around the world. While it is beginning to gain traction in early-adoption markets and has laid the foundation for secure data sharing, stimulating fintech innovation and competition, many other markets are still in their infancy.
Emerging economies are looking at the UK and EU implementations and attempting to unlock the value while simultaneously learning from their mistakes and adapting these regulations to their local market dynamics.
Open banking presents real challenges for regulators.
Starting with a clear roadmap
Open banking is often just the start of a journey towards open finance or even open data.
Many regulators struggle to define and articulate this journey, which stifles buy-in and strategic development of infrastructure, products, and services.
In many markets, such as the UK, Canada and others, the sole focus has been on open banking, but consumers’ financial lives go far beyond banks and current/transaction accounts. Consumers want a complete financial overview. Starting with open banking can guarantee quicker time to market, but regulators need to understand and communicate to the market the broader approach to open finance so that the private sector can manage its investment.
This often requires collaboration with other regulators in the market. In addition, because of the need for a wider data set to develop innovative products, the continuation of open banking with no clear path to open finance encourages the continual use of screen scraping.
Data privacy and data rights
New actors and new data flows inherently increase risks. Open banking users can be vulnerable to data breaches, cybercrime, and fraud when the regulatory framework fails to address and prepare for these issues. Regulators know that their decisions could leave consumers exposed. For example, cybercriminals may pose as a licensed fintech company.
Additionally, regulators need to consider that fintechs are likely to have weaker security measures compared to banks, and regulators also need to ensure compatibility with existing data privacy regulations.
This can present a unique challenge for markets that do not have existing data protection regulation. Open banking regulation can bake in a certain level of consumer protection, but it is no replacement for a fully-fledged data protection law.
Industry coordination
Unlike most regulatory programs, in open banking there are entirely new actors that have different and competing priorities. At times, this relationship can be acrimonious, especially around data monetisation.
Open banking can commoditise customer data, creating tension between banks and fintechs, and banks may be reluctant to fully cooperate if it erodes their competitive advantage.
Regulators need to consider how they manage these tensions.
In addition, it is best practice for industry standards including APIs, security protocols, customer experience guidelines, and dispute management processes to be developed collaboratively.
An organisation, either existing or purpose-built, is needed to drive collaboration. After go-live, standards evolve rapidly, and coordinating updates across institutions of varied sizes without disrupting integrations is complex.
Purpose-built industry consortia are often a useful tool to manage these processes but can be expensive and slow to manage.
Whilst public figures vary, the UK Open Banking Implementation Entity significantly exceeded its initial budget, with costs rising from an expected £20 million to over £150 million as of 2022, and it can be argued that the individual cost of developing all the industry documentation would have been significantly higher. Industry consortia also help to build trust between banks and fintechs.
Understanding what role the regulator should play
Regulators of open banking ecosystems vary in the role they wish to play. Some are solely regulators, such as in Jordan, where they have left the entire market to develop standards and infrastructure.
Meanwhile, others have taken the role of standards-setter or infrastructure provider.
In Brazil, the central bank has coordinated the development of standards to be implemented by the industry and in Kazakhstan the central bank is providing a central API routing mechanism to avoid bilateral connectivity.
Financial regulators have extensive experience overseeing banking regulations but less experience with data, making it challenging to frame data-sharing regimes within their remit.
Security vs. usability
The trade-off between security and usability is well understood philosophically.
In open banking it is important because it will only work if it is both secure enough to protect sensitive financial data and easy enough that customers and businesses use it. If security is too cumbersome and affects the user experience, customers will abandon the service, and if usability is too loose, fraud and data breaches will increase.
In the EU, the requirement for Strong Customer Authentication (SCA) has led to convoluted implementations by some banks. Banks are not required to provide new authentication methods beyond what they offer directly to their customers via their online channels.
Paper-based Transaction Authentication Number (TAN) authentication is also still used in some markets, which can lead to lengthy authentication processes.
Regulators must balance risk‑based security requirements with incentives that encourage customer adoption of open banking. Successful data‑sharing frameworks clearly assess risk, assign liability, and often use regulatory sandboxes to safely test products and services.
Trust and customer communication
Since the advent of internet banking, customers have been warned about the risk of a data breach and told to be extremely cautious about who they share their data with.
The public’s awareness of data privacy and risks is high.
As of 2023, according to NTT Data, 84% of UK consumers do not believe Open Banking is safe, and 58% do not understand it. A report by the Financial Consumer Agency of Canada shows that only 9% of Canadian consumers have heard of open banking and only 15% felt that they would participate in open banking.
Many argue that consumers do not need to know what open banking is per se; however, education about how it works and what the benefits are is important. Open Banking UK launched a consumer-focused YouTube campaign providing content that explains the benefits of Open Banking and why it is safe, and in Australia, a YouTube campaign was also launched informing the public on what the Consumer Data Right is.
Elsewhere, as part of the open banking implementation in Hong Kong there was even a customer communications working group to ensure that all banks and third-party providers were communicating to their customers with the same message to foster trust.
Some markets have even explored using a trust mark or a logo, similar to those for contactless payments, to indicate a licensed and trusted open banking service.
Whether Big Tech can play
Big Tech companies such as Amazon, Facebook and Google already have a role in the financial services space but tend to fall outside of the regulatory scope. Their business models and scale can leverage vast amounts of customer data, helping them gain a strong competitive advantage and quickly dominate markets.
Conversely, they can be significant users and distributors of open banking services; for example, Amazon has recently integrated open banking pay-by-bank capabilities in the online checkout.
In many markets, regulating Big Tech fintech services is complex. In the EU, however, legislation such as the Digital Services Act and Digital Markets Act seeks to oversee their businesses as a whole.
It is important to consider how and where Big Tech can participate in the open banking ecosystem.
Stay tuned for Blog 2 in this series coming soon.