DAPI – Open Banking in MENA – Standards for our Region

Simply put, Open Banking enables consumers and companies to do more with their financial data and accounts in two ways.

First, financial management apps help consumers and companies bring together data from multiple accounts in one place from where it can be analyzed more completely. This way, they get a better understanding of how and where they are spending their money. In turn, such insights help consumers and companies make better financial decisions, access credit on better terms etc. This is known as an “account information” service, where information is being collected from a customer’s accounts (with the customer’s consent) and stored and presented in a single app.

Second, by using apps that make payments simpler and cleaner, consumers and companies can make transfers from their bank accounts more easily. Platforms can automate payroll, top up peer-to-peer digital wallets, send money abroad using remittance apps, or pay bills directly from their bank accounts. This is known as a “payment initiation” service.

Companies like DAPI – known as aggregators or third party providers (TPPs) – sit between the fintech app community and banks. Through our connectivity with banks across emerging markets we enable our fintech community to develop the same types of compelling apps that were described above and that have become hugely popular in the United States and Europe.

Open Banking is established when banks and financial institutions are required by regulators to enable TPPs to access their platforms. Of course, with this regulation come a number of standards. These are the standards by which banking is effectively “opened” and democratized and financial innovation is spurred for the benefit of consumers.

Since there is so much at stake, such as the security of customers’ data and access to payment systems, developing and adhering to standards is incredibly important.

In markets where Open Banking has been implemented, such as Europe, the UK, Australia, Singapore and Bahrain, standards were set in three core areas.

First, what common “Open API” standards do banks and TPPs need to have in place to enable secure and stable connectivity between them (technical standards)?

Second, what standards are there around TPP certifications or licensing to ensure that the TPP is properly managed and adheres to best data and security practices?

Third, what standards are there around consumer protection to ensure that consent, authorization, data usage and dispute resolution are front and center at all times?

For us, there is no question that any Open Banking regulatory framework must incorporate strong standards across all 3 pillars.

Standards need to be developed inclusively (by regulators, banks, and TPPs) and be adopted by all ecosystem participants – banks and TPPs. If different banks and TPPs adopt different standards, adoption would be limited and the costs of integration high. The ecosystem would not thrive.

Aside from Bahrain (and to a degree KSA where SAMA has defined payment initiation and account information services as licensable payment services), regulators across MENA have yet to implement Open Banking frameworks. That process will take time.

For DAPI, the immediate question for our region is what technical standards or codes of conduct the industry should adopt, particularly around enabling account access, prior to the full implementation of Open Banking, i.e. prior to banks being required to enable API connectivity for TPPs. Innovation in our sector should not be put on hold pending the implementation of full Open Banking regimes and mandated API connectivity – that’s also not how things developed around the world.

The ecosystem around Open Banking has been allowed to develop across the world prior to the development of full Open Banking regimes. Regulators have to have use-cases around which they can build informed regulatory frameworks. Before imposing costs on banks they need to know that there is consumer demand for Open Banking products. That means there has to be some thinking about how our ecosystem can develop in a pre-regulatory phase – what pre-regulatory standards should apply.

Prior to the implementation of Open Banking regulatory frameworks in Europe, the UK, Australia, and the United States, TPPs enabled consumers to access their accounts – with consumer consent at all times – using their usernames and passwords.

Banks typically refer to this as “scraping” – the implication being that scraping, which has been embraced globally by consumers, is a sub-standard means of connectivity. Whilst the ultimate end goal should always be Open API connectivity, regulators, in the EU and Australia for example, have taken progressive positions on alternative means of access i.e. “scraping”.

For example, in March 2020 the Australian Securities and Investments Commission confirmed that it endorsed “scraping” as a means of access for fintechs. In Europe and the UK, this method of access was only stopped earlier this year once banks had complied with their Open API connectivity obligations, i.e. only once alternative connectivity was established for TPPs.

There were no restrictions on forms of non-API alternative access (i.e. “scraping”) prior to banks being required to open up. In Australia there are no restrictions, period.

At DAPI, adherence to standards, whether to do with account access, cyber-security, customer consent or data retention, is our holy grail. We think it is of utmost importance to adhere to a pre-regulatory standards framework or code of conduct now and not just when Open Banking frameworks are implemented. Our region’s consumers deserve it.

As regulators within our region move forward to consider Open Banking frameworks, we urge them to be inclusive, consultative (listening not just to banks but also to fintechs and consumers) and practical in how we develop this ecosystem (and practical and relevant standards) in both pre-regulated and regulated environments.